Norway
Is the use of telehealth permitted?
Yes.
Norway
How is telehealth regulated?
Telehealth is not specifically regulated (yet, see Anticipated reforms), but must comply with the general legislation on providing healthcare services, including protection of sensitive personal data (see Fields of healthcare).
Telehealth development is primarily handled by two public bodies. The Norwegian Directorate of eHealth coordinates eHealth by cooperating with e.g. regional health authorities and local authorities, as well as develops and administers digital solution for the improvement and simplification of the healthcare sector. The Norwegian Health Network is a state-owned enterprise, owned by the Ministry of Health and Care Services, whose task is to develop, manage and operate national e-health solutions and infrastructure.
Norway
Are there specific fields of healthcare in relation to which telehealth services are currently available, and do they involve the use of proprietary technology or platforms?
Telehealth is primarily used in general practice, by dermatologists and psychiatrists, and also by physical therapists and chiropractors, as well as in issuing prescriptions, with a variety of platforms.
The authorities have also created Helsenorge which is a public website for residents of Norway. It provides information on a variety of health-related issues, and persons can also log in to use digital health services. Helsenorge allows persons to actively participate in decision-making and monitoring of their own health including vaccinations, medical appointments, medicines, critical information, next of kin and so on. The content is provided by various contributors in the healthcare sector.
Norway
Does the public health system include telehealth services, and if so, are such services free of charge, subsidised or reimbursed? Where the public health system does not include telehealth services, are such services covered by private health insurance?
Yes, the public health system includes several telehealth services, however generally on a voluntary basis. Telehealth services, where offered, are generally an integral part of the Norwegian healthcare system (where all residents are covered by the National Insurance Scheme (Folketrygden, NIS)), and some services are offered free of charge, some subsidised, some reimbursed and some must be paid privately in full.
Norway
Do specific privacy and/or data protection laws apply to the provision of telehealth services?
Regulation (EU) 2016/679 GDPR applies. GDPR has been implemented through the Norwegian Personal Data Act. In addition, there are several other sector specific laws and regulations relevant for telehealth and personal data.
The Health Registry (Filing System) Act applies for the processing of health data for e.g. statistical purposes, healthcare analysis, research and quality improvement, and contains requirements for the processing of health data in order to establish filing systems. These filing systems are thus not meant for treatment purposes.
A filing system is defined in GDPR Art. 4(1)(6), which the Health Registry Act references. Examples of Norwegian health filing systems are the Patient Registry, the Cause of Death Registry and the Cancer Registry. It is explicitly stated in the Act that data must be processed in accordance with GDPR Art. 5, and that the level of personal identification shall not exceed what is necessary for the concrete purpose. Data subjects have the right to access their health data in the filing systems.
The Medical Records Act applies for all processing of health data necessary for providing healthcare to individuals. This Act prohibits the acquisition of health data unless it is needed to provide healthcare to the individual, it is needed for administration purposes or there is a legal basis according to applicable legislation. The patient is allowed to access his own health data and medical records (cf. GDPR Art. 13 and 15). Furthermore, medical records systems must be designed in such a way to implement documented access control. Data subjects have a right to obtain information about who accessed their medical records (even within an organisation).
The Regulation on Electronic Software Standards in the Health Care Sector is implemented through the Medical Records Act, and contains requirements regarding use of software and application standards.
Further, the Health Care Profession Act is relevant for telehealth. This Act provides that healthcare professionals are obliged to erase patient data from patients’ medical records only if the data provides false information or if the data clearly is not necessary to provide healthcare. Unless a patient is opposed to it, healthcare professionals shall share health data with other healthcare professionals performing treatment on the patient. Healthcare professionals have a duty of confidentiality.
Norway
How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?
The cross-border transfer of telehealth data is regulated through GDPR. The general principle is that the data can only be transferred to states in which secure proper processing standards apply.
The processing of health data must comply with the requirements of GDPR Art. 6 and Art. 9. The latter Article applies as health data is a special category of personal data (cf. GDPR Art. 9(1)). In order for data from the health filing systems to be transferred, the transfer must be in accordance with the purpose of the filing system. To the extent that a cross-border transfer of telehealth data implies a transfer to third countries, such transfer must take place in accordance with GDPR Chapter V.
Following recent developments in EU Case law (Schrems II decision), special precautions should be taken for data transfers to third countries even if e.g. standard contractual clauses are applied.
Norway
Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?
The Directorate for eHealth regularly publish and update a reference catalogue which provides an overview of mandatory and recommended standards for the health and care service, as well as other requirement documents such as technical specifications.
In particular, we highlight Normen, which is the industry Code of Conduct for IT security prepared and managed by organisations and companies in the health sector. This is a code of conduct that has been developed over the years and is applied to healthcare systems in the public healthcare system and systems that interacts with the public healthcare system. However, please note that this code of conduct has not yet received official status as a code of conduct according to GDPR Art. 40.
Norway
Are any specific laws, regulations, or self-regulatory instruments expected to be adopted in the near future?
The Norwegian Directorate of eHealth is currently in the process of developing a new cloud based common medical journal system called the Akson, to allow for increased access for patients to their own information as well as improve interaction between emergency services, GPs, home care services and health stations.