Medical information accumulated during therapeutic treatment over the years can have a tremendous impact on medical progress and treatment. Medical companies are using these data to develop advanced technological means to identify at-risk patients even prior to the outburst of an illness, adjust drug dosage to patients' characteristics, develop medical research more rapidly and efficiently, and derive medical insights and conclusions that could not have been reached by human thinking.
Naturally, this activity raises questions: who owns the medical information in the HMOs' and hospitals' data base? Can a researcher access these data bases and how? And how may we ensure that medical and scientific progress does not infringe on patients' privacy?
Questions arise especially when a company seeks access to medical data accrued in a medical institution for the purpose of developing their product. This post will address these questions according to Israel's regulatory regime.
This is a worthy question for which there is no unequivocal legal answer. Israeli legislation refers to the patients’ rights, such as the right to privacy of his medical data and his right to receive a copy of it. The legislation also requires receiving the patients’ consent for transferring his medical data, but also acknowledges cases in which it is not required. The digital medical data base belongs to the medical institution, which is also responsible, regulatory-wise, for protection of the stored data therein (According to the Privacy Protection Law and regulations deriving thereof).
In today's situation, the patients do not benefit from any part of the profit gained by their medical institution or the company using the data about themselves, but of course they do benefit from the fact that the profits revert to the medical institution to improve the medical care for the patients.
The right to privacy is a constitutional right according to the Basic Law of Human Dignity and Liberty. Moreover, medical information ensuing from an encounter between a healthcare provider and a patient is subject to the duty of medical confidentiality, according to the Patient’s Rights Act. To obtain access to a patient's medical information, a legal exception to the duty of medical confidentiality must be demonstrated. The two potential exceptions in this case are: first, patient's consent to share medical information; second, the medical information is used for research, on condition that identifying details of the patient are not divulged. In such a case, it is not required to receive the patient's consent. Without undue celebration, there is yet a long way to achieve this… I will explain below what constitutes anonymized medical information.
In many cases, the examination of medical data will be defined as "medical research" from a legal viewpoint, even if it does not involve clinical intervention, or even if it is only research based on questionnaires. According to the People’s Health Regulations (Medical Experiments Involving Human Subjects) and the Ministry of Health procedures, medical research must be approved by the Helsinki Committee of the medical institution and the latter's director. In certain cases, it may also require to be approved by a special committee of the Ministry of Health, and the Ministry of Health’s Director-General or its representative. In the research framework, the patient will be asked to sign an informed consent form for the use of medical information (unless it was anonymized).
How Does One Know?
In the information age, it is clearly insufficient to remove names and identity cards’ numbers to render medical information anonymized, and nowadays, an e-mail or computer IP can also serve as identifying parameters. It seems that information from which the patient's identity may be derived by reasonable efforts, for example, by cross-checking other data bases, is identifiable information (even if only someone other than the actual holder of the information has ability to ascertain the identity). For example, coded information whose key is in the hands of a different body in a medical institution is identifiable medical information. Identifiable data is not anonymized data.
Anonymized Medical Data
Should one wish to use anonymized medical data, one must get the medical data to undergo an anonymization procedure to ensure that patients’ identity cannot be uncovered. The Ministry of Health Director-General's Directive on secondary use of medical information requires that the anonymization mechanism be examined by a statistician, who will approve that the information was anonymized at a level that does not enable users to identify patients by employing reasonable means and resources available to the public, and on the assumption that they abide by their contractual obligations. (A similar arrangement was set in a draft of the Ministry of Health regulations still unpublished).
Identified or Identifiable Information
If identified or identifiable information is used (e.g., coded data), it will require the patient's approval for information transfer (in case of research, it will constitute part of informed consent).
Secondary use of medical data requires to adhere to strict data protection standards set in the Privacy Act, the Privacy regulations (data protection) which define it as sensitive information and the Ministry of Health procedures. Special regulatory approvals are required for transferring data between public bodies or to a third party outside of Israel. If genetic or biometric information is involved, there are additional regulations in specific legislation.
In addition, it is important to determine the parties’ rights of intellectual property – cooperation agreements with HMOs, hospitals, or in some cases, universities – are necessary. Each of these institutions has procedures governing cooperation of this sort, and it is important to be familiar with them, as well as with the relevant Ministry of Health Procedures. Additional issues arise in a company when an employed researcher is also employed by a public medical institution or is a government employee, thus possibly enabling the state to claim rights to the product emanating from the data.
For questions: firstname.lastname@example.org
This post is intended to present general information only. It should not be construed as legal advice or legal opinion and should not be relied upon.