Integrating Trans-Atlantic Internet Medical Law
New Jersey Law Journal
VOL. 211 - NO 5 FEBRUARY 4, 2013 ESTABLISHED 1878
American and European law have not changed at the same rate or in the same manner
By Jonathan Bick Bick is of counsel at Brach Eichler LLC in Roseland. He is also an adjunct professor at Pace and Rutgers law schools. He presented this topic in Paris, on Jan. 21, at the Conférence Nationale des Plaies et Cicatrisations.
Both Europe and the United States are actively regulating the practice of Internet medicine. Evidence of the extent of such regulation may be found in the California Telehealth Advancement Act, which made it easier for health-care providers to use the Internet in the treatment of patients, especially in underserved areas of the state; in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which extended HIPAA’s privacy and security rules to electronic health information; and in the enactment by the European Parliament of various privacy directives, which regulate the processing of personal data and the use of the Internet for health-care transactions. These and a myriad of other statutes must be integrated to facilitate the lawful use of the Internet to support trans-Atlantic clinical health care, patient and professional health-related education, public health and health administration transactions.
Technological developments such as videoconferencing, the Internet, store-and-forward imaging, streaming media and terrestrial and wireless communications have caused rapid changes in how electronic transmission of patient information — i.e., telemedicine — is conducted. So, too, have legal developments in America and Europe.
Telemedicine is no longer tied to any particular geographic region; the Internet has dramatically expanded the use of telemedicine throughout Europe and around the world. Consequently, international telemedicine legal difficulties must be considered by both mass health-care providers and individual practitioners. Individual practitioners of concierge medicine regularly use the Internet to assist their patients who have a propensity to travel across the Atlantic. Medical consortiums in Europe provide cost-effective medical-image reading to American health-care facilities.
Just as telemedicine has changed, so have the laws that protect patients’ privacy in this Internet age. American and European law have not changed at the same rate or in the same manner; therefore they must be integrated to facilitate trans-Atlantic Internet medical transactions.
In the United States, for the past hundred years, the states have regulated the practice of clinical care under the police power reserved by the Tenth Amendment to the U.S. Constitution. Since Goldfarb v. Virginia State Bar, 421 U.S. 773, 792 (1975), states have had the undisputed authority to regulate activities that affect the health, safety and welfare of citizens within their borders. States have promoted so-called “face to face” health-care transactions at the expense of remote health care.
The federal government has promoted remote health care more liberally. It has also made the case that for the purposes of Internet medicine, the states’ power to regulate health care is neither absolute nor applicable in the event of conflicting federal and state statutes.
The Commerce Clause of the Constitution limits states’ ability to erect barriers against interstate trade. In particular, Art. I, Sec. 8, cl. 3, grants Congress the power “to regulate Commerce among the several states.” The practice of health care has been held to be interstate trade and, as such, is subject to federal law enacted under that power. Consequently, health-care providers’ use of the Internet regularly gives rise to conflicts between federal and state law, particularly with respect to the duties associated with patient data. Thus, the integration of trans-Atlantic Internet medical law begins with federal rather than state statutes.
European telemedicine privacy laws are based on the concept that individuals have personal autonomy with respect to their personal data. Both European countries and the European Union (EU) have enacted laws that allow citizens to decide for themselves what personal data is important to keep under their own control.
Europeans view privacy as an individual’s human right; consequently an individual’s manifest consent is generally the basis required for disclosure. This consent-based model raises issues in the telemedicine context because securing meaningful consent is often difficult.
European privacy law with respect to telemedicine sharply contrasts with American privacy law. American telemedicine privacy law is constitutionally based. It focuses on the relationship between the individual and the government. In particular, United States telemedicine privacy law establishes the appropriate permissible level of government intrusion into an individual’s privacy sphere.
Consent is less of an issue for American telemedicine privacy than it is for European telemedicine privacy. It is only when the federal or state government goes too far, compromising an individual’s constitutionally protected right of liberty, that a privacy invasion arises.
The United States’ and the EU’s approaches to data privacy result in different regulation of telemedicine. The EU takes a broader approach to data privacy protection than the United States. These differences may result in legal difficulties for practitioners of telemedicine, particularly those engaged in trans-Atlantic telemedicine.
The EU formally started to protect personal data, including medical data related to telemedicine, on Oct. 24, 1995. On that day, the European Parliament and the Council adopted Directive 95/46/EC, “On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.”
Article 1 of the directive required all member states to adopt legislation to protect the fundamental rights and freedoms of natural persons, and their right to privacy with respect to the processing of personal data. Article 2(a) of the directive defines “personal data” broadly as any information relating to an identified or identifiable natural person. The directive does not enumerate the categories of information that constitute protected personal data; instead, it defines an identifiable person as one who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Because medical records, images and consultations plainly relate to a patient’s physical and physiological identity, telemedicine activity is clearly covered.
Since Article 3 states that the directive applies to processing wholly or partly by automatic (computer) means, it is generally accepted that the directive applies to telemedicine, which, due to the advent of the Internet, normally requires a computer. Article 7(a) of the directive lists the unambiguous consent of the individual as a ground on which personal data may be processed. Consent is not the only ground Article 7 recognizes, but it is the one on which a telemedicine practitioner can most reliably depend; in practice, therefore, any use of telemedicine in the EU requires the unambiguous consent of the patient.
Articles 16 and 17 of the directive also contain requirements for the confidentiality and security of personal data during processing. These protections follow the data when it is transferred to non-EU countries: the directive indicates that such transfers may take place only if the non-EU country in question ensures an adequate level of protection, comparable to that of an EU country. The directive even ensures that a citizen of the EU has a judicial remedy for damages that result from a breach of the protections guaranteed through the adopted laws of the member states (see Articles 22 and 23).
This requirement poses a problem when the violation occurs at the hands of an entity located outside the EU. This problem is usually solved by reliance on a bilateral treaty. For most European countries, such treaties exist with the United States.
While the directive and the laws adopted in EU member states are intended to protect EU citizens, they also apply to anyone whose personal information is transferred to an entity located in the EU, even if the EU is not the primary location of the outsourcing operation. Thus, the directive and the laws adopted in EU member states may result in legal difficulties for trans-Atlantic telemedicine practitioners.
However, the directive created a safe harbor provision that is applicable to trans-Atlantic telemedicine practitioners. In particular, Article 25 of the directive authorizes the European Commission to determine whether a third country meets the “adequate” standard for data protection. The Commission has broad discretion in making that determination. It may consider the domestic laws, as well as the international commitments, of the non-EU country.
As a result of the discretion manifested in Article 25, it is likely that trans-Atlantic telemedicine practitioners will be able to avail themselves of a safe harbor, just as in the case of the privacy of airline passengers’ data, where a new U.S. disclosure requirement conflicts in a fundamental way with the protective requirements of the European Union.
Additionally, if an entity outside of the EU cannot take advantage of a Commission-authorized safe harbor, the directive allows transfers of telemedicine data that rest on private contracts. The directive’s Article 26(2) permits such transfers if each individual transfer provides its own adequate safeguards, which can be accomplished by appropriate contractual clauses. These clauses must include the protections required by the directive, including the individual’s right to access his data and to have a judicial remedy available if these rights are violated.
If the telemedicine practitioners are located in the United States and the EU, then they may be able to take advantage of the U.S.-EU Safe Harbor program, administered by the U.S. Department of Commerce and enforced by the Federal Trade Commission. See, generally, http://www.export.gov/safeharbor. This program is designed to safeguard individual data privacy and allow for the efficient yet secure transfer of data between the EU and the United States. Compliance with this program is treated as providing the adequate level of protection the directive requires.
This safe harbor establishes requirements for trans-Atlantic entities, including telemedicine providers charged with handling medical data. The requirements include: notice to individuals about an organization’s data collection practices and the uses to which data will be put; choice, in the form of an “opt-out” for transfers to third parties and an affirmative “opt-in” in the case of sensitive data such as medical data; certain responsibilities of data-collecting organizations regarding the onward transfer of such data; data security and integrity obligations; the ability of individuals to access information collected about themselves; and enforcement procedures.