Privacy aspects of telehealthcare in Russia
On 1 January 2018, amendments to the Federal Law No 323-FZ “On the Fundamentals of Protection of the Health of Citizens of the Russian Federation” dated 21 November 2011 came into force. They introduce various changes to the regulation of healthcare information systems and establish a legal framework for the use of telehealthcare technologies in Russia.
Telehealthcare technologies are defined as information technologies used to support remote interaction between healthcare professionals and patients or their representatives, the identification and authentication of healthcare professionals, patients and their representatives, and the recording of healthcare services and medical treatment provided. Therefore, doctors will be allowed to consult patients remotely (e.g. using video conferencing). Importantly, however, the initial diagnosis and prescription of treatment must take place during the first offline visit to the doctor. Any further interaction (e.g. advice and prescriptions) can then be done online.
Obviously, the implementation of telehealthcare technologies is a major step in the development of the national healthcare sector. They take healthcare services to a new level, as they (i) allow providers to supply healthcare services remotely with the same quality, and (ii) even improve the quality of services, due to the integration of healthcare professionals practicing in different fields of medicine and the availability of information that was previously not easily accessible. However, telehealthcare services also raise certain privacy compliance issues. The new amendments specifically provide for additional requirements for dealing with personal data while providing telehealthcare services in Russia.
In particular, the following requirements should be noted when providing telehealthcare services:
when creating information systems containing information on patients, the type of medical treatment and the healthcare services supplied by healthcare providers, medical organizations have to observe general requirements for protecting personal data and medical confidentiality;
such healthcare information systems must be protected with the relevant organizational and technical measures to protect personal data and comply with the requirements for medical confidentiality;
telehealthcare providers need to keep a record of individuals who receive such services;
the personal data of patients must be kept confidential and stored securely;
the law specifies certain types of personal data which need to be stored in telehealthcare systems, in particular: first and second name, sex, date and place of birth, citizenship, passport details, educational information for healthcare professionals, disease, diagnoses, type of healthcare services provided and other data.
Authors: Vyacheslav Khayryuzov and Yulia Baimakova