Data Security Obligations

Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?

Yes, as discussed in Availability of Telehealth, the Ministry of Health has published two guidelines: (i) "Recommendations for the use of telehealth: meeting between the health professional and the patient using real-time ICT"; and (ii) “Recommendations for the use of telehealth and good practices for healthcare providers”.

Last modified 3 Apr 2023

Health information is “sensitive information” for the purpose of Privacy Act, and is afforded greater protection (express and implied) than other types of personal information.  The guidance from the Office of the Australian Information Commissioner (the Privacy Act regulator) provides that online health services and telehealth providers are "health service providers” within the meaning of the Privacy Act.

Other government and regulatory bodies have issued guidance which addresses the security of telehealth data.  For example, the Federal Department of Health has issued a "Privacy Checklist for Telehealth Services".  This checklist provides high level guidance on key obligations, including obtaining patient consent, disclosure of cross-border transfers, privacy notices, and ensuring that other "relevant measures" (such as end-to-end encryption, multi-factor authentication, etc.) have been adopted in accordance with guidance made available by bodies such as the Australian Cyber Security Centre.

Last modified 20 Jun 2023

The TeleHealth Commission (see Availability of Telehealth) has presented a recommendation, which mainly comprises:

  • a catalogue of criteria for the evaluation of telehealth services in terms of prioritisation, including the application of these evaluation criteria to identify specific telemonitoring projects in the areas of diabetes and cardiovascular diseases that have the greatest potential for introduction into mainstream care, and
  • a list of questions on possible business or organisational models for the roll-out of telehealth services into mainstream care, including answers to these questions for the areas of diabetes and cardiovascular disease. A corresponding directive issued by the Ministry of Health has been adopted which deals with the technical implementation of telehealth.

Last modified 3 Apr 2023

Yes, please refer to Regulation of Telehealth.

Last modified 9 May 2023

Currently, there are no general codes of conduct on the use of telehealth systems and/or security of telehealth in Belgium. Telehealth is subject to the general ethical, legal and deontological rules inherent to the practice of medicine. However, the NCOP has issued specific guidelines with regard to teleconsultations, as described under the chapter about telehealth regulation.

Last modified 3 Apr 2023

Not yet. As mentioned above, the ANPD is now in operation and it is important to monitor its activities in relation to such matter.

Last modified 3 Apr 2023

No.

Last modified 14 Sep 2021

Provincial medical and / or dental Colleges may publish their own guidance documents or codes of conduct related to the use of telehealth systems in Canada.

For example:

  • the Royal College of Dental Surgeons of Ontario published "COVID-19: Guidance for the Use of Teledentistry", which includes requirements for the implementation of teledentistry in Ontario; and
  • the Royal College of Physicians and Surgeons of Canada (the "Royal College") has a helpful resource page providing links to telemedicine and virtual care guidelines for each province. The Royal College has also published a "Virtual Care Playbook" to help Canadian physicians introduce virtual patient encounters into their daily practices, including video visits through phone calls and patient messaging.

Last modified 17 May 2023

The Ministry of Health has issued several manuals and instructions for the implementation of the program in 20 Health Services throughout the country. Further, the Ministry of Health in 2018 published the Guide for the "National Program for Telehealth" (as discussed above).

Moreover, the regulations issued by the health emergency, such as Resolution No. 54/2020 or Circular No. 7/2020 (discussed above), have incorporated certain standards of conduct applicable to the provision of telehealth services, such as the information that must be given to patients when scheduling a time for care, the places where health personnel must provide telehealth to safeguard the confidentiality and protection of patient data, and the protection and safeguarding of patient clinical record and background, among others. Furthermore, it is necessary to keep in mind the principles of legislation 21180, which we have previously highlighted, when it comes to health data security.

Also, private organisations have been working on guides with good practices in telemedicine, particularly considering the fact the COVID-19 pandemic has provoked an increase on telehealth consultations. In this sense, in April 2020, the National Centre for Health Information Systems ("CENS") produced a document "Good practices and recommendations during the pandemic in Chile", which consists of:

  • clinical recommendations for teleconsultations;
  • basic recommended assets and safety of patients’ data;
  • operational recommendations, for providing a successful telemedicine service;
  • recommendations concerning the physical site where the telehealth service is going to be provided;
  • technical recommendations related to the quality of technological systems;
  • ethical and legal recommendations for the implementation of teleconsultations, and process for obtaining the patients’ consent during the pandemic; and
  • particular considerations for Public and Private Health Systems in Chile

Last modified 9 May 2023

No specific codes of conduct for medical professionals has been instituted for provision of internet healthcare services. The medical professionals are expected to comply with the general laws and regulations governing their profession, including PRC Law on Licensed Physicians and Regulation on Nurses.

Last modified 26 May 2023

Yes, Resolution 2654 of 2019 set general rules regarding the security of the platforms and communication mechanisms used for the provision of telehealth services (as mentioned in Regulation of Telehealth). Moreover, the data privacy regulation and medical records regulation mentioned in Cross-border data transfer shall be applied.

Last modified 9 May 2023

According to publicly available information, there are no official guidelines adopted by Croatian authorities exclusively for telehealth – i.e., on how to provide health services. Therefore, general guidelines on privacy and the code of ethics for health workers adopted by Croatian authorities and guidelines of EU authorities are most relevant.

Last modified 3 Apr 2023

There are no applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in the Czech Republic.

Last modified 3 Apr 2023

The Danish Health Authority has issued codes of conduct regarding the criteria and requirements for operators of essential services within the healthcare sector. The Danish Health Authority has also issued a "checklist" and guidelines for evaluation of telehealth projects.

Separately, the Danish Health Data Authority has issued codes of conduct on how to gather telehealth data from citizens’ own measurements of health data at home.

Last modified 8 Jul 2021

Valvira and the Ministry of Social Affairs and Health ("STM") have issued guidance on telemedicine services, which includes e.g. the following:

  • Telemedicine service providers must have access to suitable premises and equipment (including telecommunications) as well as appropriately qualified staff.
  • The services must be clinically appropriate and take account of patient safety.
  • Systems used to transmit and store patient information must meet the relevant legal requirements on confidentiality as well as data protection and security. Service providers are responsible for ensuring that the appropriate data protection and security arrangements are in place for the purpose of transferring data and processing personal information.
  • Informed patient consent must be obtained.
  • Healthcare professionals must carefully assess whether the services they provide are suitable for delivery by telehealth / telemedicine. For example, telemedicine is not appropriate for healthcare purposes, including clinical investigations, where a physical examination is required or for consultations that may lead to the patient’s right to self-determination being curtailed.
  • Healthcare professionals are also required to assess whether telemedicine is appropriate for the patient as an individual.
  • The patient must be identified using a reliable method. One such method is "strong electronic identification", as set out in the Act on Strong Electronic Identification and Electronic Signatures (617/2009). It must be possible to verify the method used retrospectively.
  • Practitioners must keep appropriate records and maintain the patient register in accordance with relevant legislation.
  • Where required, the patient must be given the opportunity for a face-to-face consultation or they must be directed to an alternative service provider.
  • Healthcare service providers must compile and update a self-monitoring plan on their services as set out in the Order (3/2021, THL/4309/4.09.00/2021, only in Finnish) given by the Finnish Institute for health and welfare (Valvira). Private sector healthcare providers must compile and update a self-monitoring plan on their services as set out in the Order (2/2012, Dnro 7018/00.01.00.2012) given by Valvira.

Last modified 3 Apr 2023

French authorities have further published guidelines to facilitate the implementation of telehealth. In particular:

  • The French National Health Authority (Haute Autorité de Santé, the “HAS”) published a set of guidelines and specific information memo (e.g., a memo intended for professionals on teleconsultation and tele-expertise, a good practice guide on teleconsultation and tele-expertise, a good practice guide on tele-care, information sheet intended for patients regarding teleconsultation and tele-care);
  • The French National Health Insurance (Assurance Maladie) published a Charter of teleconsultation good practices.

Last modified 8 May 2023

The German Medical Associations ("BÄK") and the German Psychological Psychotherapists Association ("BPtK") have published the updated Model Professional Code for Physicians in Germany ("MBO-Ä") and the Model Professional Code for Psychological Psychotherapists and Child and Youth Psychotherapists ("MBO-P"), respectively, which now also include regulations relating to telehealth.

The German data protection supervisory authorities have not yet issued publications on the provision of telehealth services. The German Federal Commissioner for Data Protection and Freedom of Information ("BfDI") published two brief recommendations regarding telehealth services in the 28th Annual Activity Report on Data Protection (2019) of which only one is addressed to telehealth providers.

In the Activity Report, the BfDI recommends the implementation of a differentiated roles and rights management for electronic medical records. On a more general note, the BfDI comments that the processing of sensitive health data in large volumes in a digital environment requires a high level of data protection and data security and that patients must retain control of their own data. In his 29th Annual Activity Report, the BfDI expressed doubts about the lawfulness of some of the provisions of the German Social Code Book V ("SGB V") regarding the electronic patient record (“elektronische Patientenakte”), mainly due to the design of the access management and the access to the electronic patient record via mobile devices and the regulations on compulsory electronic medical prescriptions (“elektronisches Rezept”). The German Data Protection Conference (“Datenschutzkonferenz”), the coordinating body of all German supervisory data protection authorities, has already expressed similar concerns during the legislative procedures concerning the German Patients Data Protection Act (“PDSG”).

Last modified 3 Apr 2023

The Personal Data Protection Authority has not issued any specific code of conduct on the use of telehealth systems and / or the security of telehealth data in Greece.

Last modified 17 May 2021

The Medical Council of Hong Kong has issued the Guidelines, with supplemental Questions and Answers issued in March 2022 that should be read in conjunction with the Guidelines (the “Q&As”). The Guidelines and Q&As are not legislation in Hong Kong. However, doctors registered in Hong Kong are expected to adhere to them, and contravention of the Guidelines may render them liable to disciplinary proceedings.

Among other things:

  • Article 21 of the Guidelines provide that any telemedicine service must be provided as part of a structured and well-organised system and the overall standard of care delivered by the system must not be less compared to a service not involving telemedicine. A Hong Kong registered doctor should receive proper training on the use and operation of the system. The doctor must also ensure that the device to be used in the system is fit for its purpose and with high stability.
  • Articles 13 and 29 of the Guidelines provide that, when practising telemedicine, Hong Kong registered doctors owe the same professional responsibilities in respect of medical record keeping as for in-person consultation with patients, and should adhere to well-established principles and standards guiding privacy and security of records and informed consent.
  • Article 34 of the Guidelines expressly provides that Hong Kong registered doctors must aim to ensure that patient confidentiality and data integrity are not compromised. Data obtained during a telemedical consultation must be secured through encryption and other security precautions must be taken to prevent access by unauthorised persons.

Last modified 3 Apr 2023

We are not aware of any such code of conduct.

Last modified 3 Apr 2023

The use of videoconferencing with telehealth services must comply with the HSE IT policy and standards.

The Health Information and Quality Authority ("HIQA") is responsible for developing standards for information structures and assessing compliance with those standards. The HIQA has published a Guide to the HIQA’s review programme of eHealth services in Ireland in October 2019.

The HIQA has also created national standards which apply to certain treatments, and are compulsory. Further, a number of the HIQA’s publications are recommended best practice for telehealth services, including:

  • Recommendations for the national, community-based ePrescribing programme in Ireland (2018);
  • Recommendations regarding the adoption of SNOMED Clinical Terms as the clinical terminology for Ireland (2014);
  • Recommendations for a Unique Health Identifier for Individuals in Ireland (2009) Guidance;
  • Guidance on Terminology Standards for Ireland (2017);
  • Guidance on Messaging Standards for Ireland (2017); and
  • Overview of Healthcare Interoperability Standards (2013).

The Data Protection Commission has not published any specific guidance on telehealth.

Last modified 8 May 2023

The MoH Guidelines only include a general statement concerning the need to comply with applicable privacy laws in using telehealth systems.

Moreover, the Italian Data Protection Authority issued Decision no. 55 of 7 March 2019 on ‘Clarifications on the enforcement of the rules for the processing of health data in the health sector’, which also mentions processing of health data in the context of telehealth services. 

Last modified 9 May 2023

Yes, Indonesian Doctors Association Regulation No. 74 of 2020 and the code of conduct of Indonesian medical code of ethics issued by the Indonesian Doctors Association.

Last modified 17 May 2021

Yes, the following guidelines are the main codes of conduct for telehealth service providers.

  • Guideline 1: "オンライン診療の適切な実施に関する指針" issued by MHLW;
  • Guideline 2: "新型コロナウイルス感染症の拡大に際しての電話や情報通信機器を用いた診療等の時限的・特例的な取扱いについて" issued by MHLW. This guideline is issued by MHLW in response to the COVID-19 pandemic and the measures stated in this guideline are temporary; and
  • Guideline 3: "医療情報を取り扱う情報システム・サービスの提供事業者における安全管理ガイドライン" issued by the Ministry of Economy, Trade and Industry. This guideline is intended for service providers, and provides guidance regarding the storage of medical information and risk management process.

All the above-mentioned guidelines are only available in Japanese.

Last modified 3 Apr 2023

The Kenya Standards and Guidelines for mHealth Systems require mHealth systems to ensure that clients' data is handled in a secure manner by putting in place mechanisms that will guarantee privacy, confidentiality, integrity, availability and non-repudiation at all times. Thus, the systems must be secure from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording and destruction. It is also a requirement that the data must be secure both, in transit and when archived.

In addition, the DPA requires all organisations to implement technical and organizational measures to ensure the security and integrity of personal data, which is broadly defined to include health data.

Last modified 3 Apr 2023

No competent authorities have published any codes of conduct on the use of telehealth systems and / or security of telehealth data in Kuwait.

Last modified 9 May 2023

As mentioned above, the Luxembourg government published specific rules relating to teleconsultation in the context of the COVID-19 pandemic and a code of conduct on the organisation of the health system during the COVID-19 pandemic.

Last modified 17 May 2021

Not that we are aware of. But, despite the fact that telehealth is not specifically regulated in Mexico, given the Data Privacy Law, those responsible for the processing of personal data must observe the principles of lawfulness, consent, information, quality, purpose, loyalty, proportionality and responsibility and personal data must be collected and processed in a lawful manner. Likewise, the Regulations of the General Health Law regarding the Provision of Medical Care Services, NOM-004-SSA3-2012 (concerning the clinical files), and NOM-035-SSA3-2012 (regarding health information), describe how the information contained in the clinical record is handled under the principles of discretion and confidentiality, principles that must also be followed in telehealth.

Last modified 17 May 2021

Not applicable.

Last modified 14 Sep 2021

No, there are currently no applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in Namibia. 

Last modified 14 Sep 2021

On a EU-wide level, the Code of Practice for Telehealth Services in Europe has been launched, which provides a benchmark standard against which telehealth service providers could be accredited.

The EU-wide NIS2 Directive imposes stricter cyber security requirements across sectors that are vital for our economy and society and that rely heavily on ICT, such as healthcare. Operators of essential services in the vital sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents.

Last modified 26 Jun 2023

Save for the general applicable laws on data protection (i.e. the NDPR), there are no specific codes of conduct in relation to telehealth systems and or the security of telehealth data in Nigeria. That said, health data constitutes sensitive personal data under the NDPR and the latter imposes more stringent measures where such data is concerned. For instance, organizations that process sensitive personal data in the regular course of their business are required to do the following:

  1. Develop security measures to protect the data being processed; such measures include but not limited to protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling personal data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff.
  2. Report any data breaches within 72 hours of becoming aware of such breach.

Also, entities that process such data must obtain explicit consent for undertaking processing and adhere to all other principles of data processing in accordance with the NDPR.

Last modified 9 May 2023

The Medical Council of New Zealand has issued a statement on telehealth which applies to doctors who are in New Zealand and / or overseas and provide health services to patients in New Zealand. Statements issued by the Medical Council have the status of standards for doctors. The Medical Council published updates on its COVID-19 response, including around prescribing and telehealth, and has published Use of the Internet and Electronic Communication guidance. The Medical Council also recently finished receiving submissions on a telehealth consultation, although the findings are yet to be released.

The New Zealand Ministry of Health has dedicated digital health information on its website including telehealth, and cloud computing health information. The Ministry has online tools to help manage patients and reporting obligations during COVID-19, and recently produced advice to help providers minimise information and technology risk while delivering health services via messaging, telehealth and virtual technology remotely.

The Health Information Standards Organisation (a committee operating under the authority of the Ministry of Health) is the governing body for health information standards in New Zealand.  Relevant to telehealth systems and/or security of telehealth data are:

Various professional bodies also publish guidelines and position statements on the use of telehealth in New Zealand.  This includes:

  • The Royal New Zealand College of General Practitioners (a non-regulatory professional body), which issued a position statement focused on specialised GP telehealth consultations through phone, video and secure messaging. The College has a page of telehealth resources in response to COVID-19.
  • The Royal Australian & New Zealand College of Psychiatrists has issued Professional Practice Guidelines for telepsychiatry. The College has provided updates for psychiatrists using telehealth for the first time in response to COVID-19, and has links to technification specifications for telepsychiatry.
  • The Dental Council of New Zealand, which issued telehealth guidelines in dentistry during the COVID-19 alert level response (with guidelines remaining in force).

The Telehealth Leadership Group (a non-regulatory group) which is part of the NZ Telehealth Forum & Resource Centre, has general privacy of patient information advice and has offered some initial guidance to health providers as they rapidly adapt to providing telehealth services due to COVID-19, with information on privacy and security. The forum provides ongoing updates.

Last modified 3 Apr 2023

The Directorate for eHealth regularly publish and update a reference catalogue which provides an overview of mandatory and recommended standards for the health and care service, as well as other requirement documents such as technical specifications.

In particular, we highlight Normen, which is the industry Code of Conduct for IT security prepared and managed by organisations and companies in the health sector. This is a code of conduct that has been developed over the years and is applied to healthcare systems in the public healthcare system and systems that interacts with the public healthcare system. However, please note that this code of conduct has not yet received official status as a code of conduct according to GDPR Art. 40.

Last modified 9 May 2023

N/A

Last modified 9 May 2023

here are no official codes of conduct; however, certain aspects of telehealth are regulated in the law, e.g. in the Regulation of the Minister of Health of 12 August 2020 on the organisational standard of teleporting in primary healthcare.

Last modified 17 May 2021

Not specifically for telehealth. However, a Health Sector Privacy Guide was made available by SPMS – Serviços Partilhados do Ministério da Saúde, EPE ("SPMS") in order to provide information to SNS entities in relation to health sector data protection main aspects and Teleconsultation ´s Best Practices Guides for health professionals and patients has been published.

Last modified 3 Apr 2023

No.

Last modified 9 May 2023

We are not aware of the existence of such public codes of conduct.

Last modified 3 Apr 2023

As discussed in Availability of Telehealth, on 30 November 2017, the Russian Health Authority adopted the Order No. 965n "On Endorsement of the Order of Providing Medical Assistance with the Aid of Telemedicine Technologies" which sets out the requirements for providing medical services with the aid of telemedicine technologies.

Last modified 17 May 2021

Yes, see Regulation of Telehealth.

Last modified 17 May 2021

No, there are currently no applicable codes of conduct on the use of telehealth systems in South Africa, however section 19 of POPIA regulates the security and confidentiality of personal information generally. In terms of section 19 of POPIA a responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information; and unlawful access to or processing of personal information.

In order to give effect to the above the responsible party must take reasonable measures to:

  • identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
  • establish and maintain appropriate safeguards against the risks identified;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

Last modified 3 Apr 2023

Please refer to the guidelines set out in Regulation of Telehealth.

Last modified 18 May 2023

No.

Last modified 17 May 2021

According to publicly available information, there are no official guidelines adopted by Slovenian authorities exclusively for telehealth services. Therefore, general guidelines on privacy and code of ethics for health workers adopted by Slovenian authorities and guidelines of European Union authorities (such as European guidelines on confidentiality and privacy for health workers) shall apply.

Last modified 3 Apr 2023

No competent healthcare authority has published a code of conduct on a national basis. However, the Spanish Medical Association envisages telehealth in its Code of Ethics in the following terms:

  • Where the clinical practice through consultation exclusively by letter, telephone, radio, newspapers or the internet, is contrary to ethical standards. The correct practice inevitably involves personal and direct contact between doctor and patient.
  • In the event of a second opinion and medical check-ups, the use of email or other means of virtual communication and telehealth are allowed, whenever clear mutual identification and privacy are ensured.
  • Patient guidance systems through telehealth or telephone consultation are consistent with medical ethics when used exclusively to help decision-making.

Furthermore, given the exceptional health emergency resulting from the COVID-19 pandemic, the Central Deontology Commission of the General Council of Official Medical Associations has published a document titled "Telemedicine in the Medical Act", which states, among other things, that in certain circumstances, such as the current COVID-19 pandemic, medical e-consultation may substitute for and sometimes complete the face-to-face medical act if face-to-face is not possible.

Therefore, the use of telematic means will comply with Medical Deontology, provided that there is consent by the patient, it is adapted to the deontological precepts applicable to the doctor-patient relationship, and the rights and safety of the patient is considered.

Last modified 26 Jun 2023

Regulations which do not apply specifically to the provision of telehealth services, but i.a. regulate healthcare providers' processing of personal data apply. The National Board of Health and Welfare has issued "Regulations and general advice on record keeping and processing of personal data in healthcare" ("Socialstyrelsens föreskrifter och allmänna råd om journalföring och behandling av personuppgifter i hälso- och sjukvården (HSLF-FS 2016:40)"), which includes provisions on information security, as well as guidance on how to apply the aforementioned provisions ("Handbok vid tillämpningen av Socialstyrelsens föreskrifter och allmänna råd (HSLF-FS 2016:40) om journalföring och behandling av personuppgifter i hälso- och sjukvården"), available (only in Swedish) here and here.

Moreover, different regions may have issued guidance/policies regarding information security when providing telehealth services.

In addition, the Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap) ("MSB") has issued "Regulations and general advice on information security for operators of essential services" ("MSBFS 2018:8 föreskrifter och allmänna råd om informationssäkerhet för leverantörer av samhällsviktiga tjänster"), available (only in Swedish) here. These regulations apply to operators of essential services, as defined in Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the so-called NIS1 Directive), and set out a framework for the systematic and risk-based information security work that must be carried out by such operators.

Last modified 3 May 2021

Other than those discussed above, there is currently no other applicable codes of conduct on the use of telehealth systems and/or security of telehealth data.

Last modified 3 Apr 2023

In addition to the AD DOH Standards and the Dubai HA Standards, there are also a number of policies and standards which apply exclusively within the DHCC:

  • DHCC Teleradiology Policy (7 May 2019);
  • DHCC Teleconsultation Policy (18 May 2019);
  • DHCC Telehealth Standard (6 December 2017); and
  • Dubai Health Care City Rule No. 1/2018.

The DHA has also issued a set of "Guidelines for Informed Patient Consent", which set out best practice for obtaining consent in the healthcare sector.

Last modified 9 May 2023

The UK’s Medicines and Healthcare Products Regulatory Agency is responsible for regulating apps, smartphone-connected devices and wearable technologies which constitutes a medical device and has published useful guidance which helps organisations distinguish between simply a technology-enabled care device and a medical device falling under the UK Medical Devices Regulations 2002 (as amended).

Last modified 3 Apr 2023

Under its Security Rule, HIPAA requires three types of safeguards to ensure data security—administrative, physical, and technical—which range from requirements surrounding risk assessments and staff training on security, to alarm systems for physical locations that contain protected health information, to data encryption, and audit controls of systems that contain protected health information.

Beyond these safeguards, which apply to both telehealth services and in-person care, HIPAA also requires covered entities and their business associates to report data breaches of unsecured protected health information to Department of Health and Human Services Office for Civil Rights, all impacted individuals, and in the case of large breaches (over 500 individuals), the media.

As noted above, the FTC has authority under Section 5(a) of the FTC Act (15 USC §45), which prohibits "unfair or deceptive acts or practices in or affecting commerce", which has included actions taken against companies for unreasonable security practices.  In addition to federal law, certain state laws may also set security standards as it relates to certain personal information.

Further, many state licensing boards have released policies or codes relating to the practice of telehealth, including with respect to privacy and security standards. For example, the Federation of State Medical Boards, which does not have any regulatory authority but generally supports the licensing policies and efforts of the various state medical and osteopathic licensing boards, released a Policy on the Appropriate Use of Telehealth, which includes informed consent requirements and privacy/security standards.

Last modified 3 Apr 2023

There is no specific code of conduct on the use of telehealth systems and/or security of telehealth data in Zambia. However, there are strict ethical demands placed on relevant parties under the Health Provisions Act No. 24 of 2009 which, undeniably, extend to telehealth systems and/or security of telehealth data.

Last modified 14 Sep 2021

Yes, the Policy on International Telemedicine PCC/35/14 provides the requirements for practitioners residing outside Zimbabwe who intend to provide telemedicine in Zimbabwe. A summation of this policy is that it requires practitioners to be registered with the MDPCZ for 12 months, be employed by an overseas facility that has a contract with a health provider in Zimbabwe, ensure that they are qualified and experienced in their specific clinical setting and be supervised by the Clinical Director of the Zimbabwean Health Facility employing them.

Moreover, the Policy on Telemedicine of July 2022 provides a more extensive scope covering consent, patient confidentiality, provision of clear advice, suitability of devices and software as well as standards of practice in Telemedicine. The policy also provides information on when a physical examination is necessary, the prescription of medication via telemedicine and the requirement of digital training is applicable to the usage of Telemedicine in general.

Last modified 3 Apr 2023

Argentina

Argentina

Is the use of telehealth permitted?

Yes, telehealth is permitted in Argentina.

Last modified 3 Apr 2023

Argentina

Argentina

How is telehealth regulated?

In 2019, the Argentine Ministry of Health published a guide of recommendations for the supply of ‘telehealth’ (Disposition No. 21/2019). The "Recommendations for the use of telehealth: meeting between the health professional and the patient using real-time ICT" guide was prepared by a group of healthcare providers, coordinated by the Ministry of Health, with the objective of creating a guideline for the provision of telehealth in a safe, efficient and ethical way.

Pursuant to the General Resolution No. 282/2020 issued by the Superintendency of Health Services ("Superintendencia de Servicios de Salud"), all private health insurers must employ and promote the use of teleconsultation platforms in order to provide healthcare treatments. In all cases, they must guarantee that the data and information collected from the patient through the use of teleconsultation platforms is protected in the terms of the Personal Data Protection Law No. 25,326. Moreover, telehealth platforms are, in all cases, subject to a subsequent audit carried out by the Superintendency of Health Services.

In 2022, pursuant to the General Resolution No. 581/2022, the Argentine Ministry of Health published a new guide with recommendations in the telehealth field: “Recommendations for the use of telehealth and good practices for healthcare providers”.

It should be highlighted that these guides are recommendations provided by the Ministry of Health in order to ensure the good practices in the use of telehealth. Notwithstanding, each of the Argentine Provinces may complement these recommendations by issuing their own regulations and laws.

Last modified 3 Apr 2023

Argentina

Argentina

Are there specific fields of healthcare in relation to which telehealth services are currently available, and do they involve the use of proprietary technology or platforms?

Pursuant to Section 6 of the Law No. 27,553, the healthcare services currently available through telehealth methods are: general practice, dentistry and collaborative activities related to them, and psychology. In all cases, these activities should be previously authorised by the competent authority, and they should comply with the provisions of the Patient Rights Law No. 26,529. These services are available by proprietary platforms and general videoconferencing apps. As both forms are permitted, the platform used will depend on each particular case.

Last modified 3 Apr 2023

Argentina

Argentina

Does the public health system include telehealth services, and if so, are such services free of charge, subsidised or reimbursed? Where the public health system does not include telehealth services, are such services covered by private health insurance?

The public health system is free of charge but generally does not include telehealth services because it lacks the infrastructure to provide them. However, pursuant to the electronic prescriptions of medicines and healthcare treatments Law No. 27,553, all the healthcare providers of the public health system are empowered to do so, and can issue electronic prescriptions.

Most of private health insurers offer some telehealth services such as appointments with a medical doctor via videoconference. No additional fees are charged to the patient as this is typically covered in the health insurance policy.

Last modified 3 Apr 2023

Argentina

Argentina

Do specific privacy and/or data protection laws apply to the provision of telehealth services?

There are no specific data protection laws relating to telehealth services precisely. However, the Ministry of Health’s guides and recommendations include a section related to data protection and, in all cases, healthcare providers should comply with Law No. 25,326 of Personal Data Protection.

Last modified 3 Apr 2023

Argentina

Argentina

How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?

Pursuant to Law No. 25,326 of Personal Data Protection, the cross-border transfer of personal data of any kind is prohibited. However, this prohibition shall not apply in the following cases:

  • International judicial collaboration;
  • Exchange of medical data, when required by the treatment of the affected person, or an epidemiological investigation;
  • Bank or stock transfers;
  • When the transfer has been agreed within the legal framework of international treaties to which the Argentine Republic is a party; and
  • When the transfer is aimed at international cooperation between intelligence agencies to fight organised crime, terrorism and drug trafficking.

In all cases, for the transfer of data, the owner’s consent is required.

Last modified 3 Apr 2023

Argentina

Argentina

Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?

Yes, as discussed in Availability of Telehealth, the Ministry of Health has published two guidelines: (i) "Recommendations for the use of telehealth: meeting between the health professional and the patient using real-time ICT"; and (ii) “Recommendations for the use of telehealth and good practices for healthcare providers”.

Last modified 3 Apr 2023

Argentina

Argentina

Are any specific laws, regulations, or self-regulatory instruments expected to be adopted in the near future?

The government has recommended that public and private healthcare providers implement and promote the use of teleconsultation platforms in order to provide essential health services.

Moreover, further regulations will be issued to implement Law No. 27,553 as discussed in Regulation of Telehealth.

Last modified 3 Apr 2023