Integrating Trans-Atlantic Internet Medical Law

New Jersey Law Journal

 VOL. 211 - NO 5 FEBRUARY 4, 2013 ESTABLISHED 1878


American and European law have not changed at the same rate or in the same manner

 By Jonathan Bick   Bick is of counsel at Brach Eichler LLC in Roseland. He is also an adjunct professor at Pace and Rutgers law schools. He presented this topic in Paris, on Jan. 21, at the Conférence Nationale des Plaies et Cicatrisations.

Both Europe and the United States are actively regulating the practice of Internet medicine. Evidence of the extent of such regulation may be found in the California Telehealth Advancement Act, which made it easier for health-care providers to use the Internet in the treatment of patients, especially in underserved areas of the state; in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which extended HIPAA's privacy and security rules; and in the enactment by the European Parliament and Council of privacy directives that regulate the processing of personal data and the use of the Internet for health-care transactions. These and a myriad of other statutes must be integrated to facilitate the lawful use of the Internet to support trans-Atlantic clinical health care, patient and professional health-related education, public health and health administration transactions.

Technological developments such as videoconferencing, the Internet, store-and-forward imaging, streaming media and terrestrial and wireless communications have caused rapid changes in how the electronic transmission of patient information — i.e., telemedicine — is conducted. So, too, have legal developments in America and Europe.

Telemedicine is no longer tied to any particular geographic region; the Internet has dramatically expanded the use of telemedicine throughout Europe and around the world. Consequently, international telemedicine legal difficulties must be considered by both mass health-care providers and individual practitioners. Individual practitioners of concierge medicine regularly use the Internet to assist their patients who have a propensity to travel across the Atlantic. Medical consortiums in Europe provide cost-effective medical-image reading to American health-care facilities.

Just as telemedicine has changed, so have the laws that protect patients' privacy in this Internet age. American and European law have not changed at the same rate or in the same manner; therefore they must be integrated to facilitate trans-Atlantic Internet medical transactions.

In the United States, for the past hundred years, the states have regulated the practice of clinical care under the police power reserved by the Tenth Amendment to the U.S. Constitution. Since Goldfarb v. Virginia State Bar, 421 U.S. 773, 792 (1975), states have had the undisputed authority to regulate activities that affect the health, safety and welfare of citizens within their borders. States have promoted so-called "face-to-face" health-care transactions at the expense of remote health care.

The federal government has promoted remote health care more liberally. It has also made the case that for the purposes of Internet medicine, the states' power to regulate health care is neither absolute nor applicable in the event of conflicting federal and state statutes.

The Commerce Clause of the Constitution limits states' ability to erect barriers against interstate trade. In particular, Art. I, Sec. 8, cl. 3, grants Congress the power "to regulate Commerce among the several states." The practice of health care has been held to be interstate trade and, as such, is subject to federal law. Consequently, health-care providers' use of the Internet regularly results in conflicting federal and state legal difficulties, particularly related to the duties associated with patient data. Thus, the integration of trans-Atlantic Internet medical law begins with federal rather than state statutes.

European telemedicine privacy laws are based on the concept that individuals have personal autonomy with respect to their personal data. Both European countries and the European Union (EU) have enacted laws that allow citizens to decide for themselves what personal data is important to keep under their own control.

Europeans view privacy as an individual's human right; consequently, an individual's manifestation of consent is generally the basis required for disclosure. This consent-based model raises issues in the telemedicine context because securing meaningful consent is often difficult.

European privacy law with respect to telemedicine sharply contrasts with American privacy law. American telemedicine privacy law is constitutionally based. It focuses on the relationship between the individual and the government. In particular, United States telemedicine privacy law establishes the appropriate permissible level of government intrusion into an individual's privacy sphere.

Consent is less of an issue for American telemedicine privacy than it is for European telemedicine privacy. It is only when the federal or state government goes too far, compromising an individual's constitutionally protected right of liberty, that a privacy invasion arises.

The United States' and the EU's approaches to data privacy result in different regulation of telemedicine. The EU takes a broader approach to data privacy protection than the United States. These differences may result in legal difficulties for practitioners of telemedicine, particularly those engaged in trans-Atlantic telemedicine.

The EU formally began to protect personal data, including medical data related to telemedicine, on Oct. 24, 1995. On that day, the European Parliament and the Council adopted Directive 95/46/EC, "on the protection of individuals with regard to the processing of personal data and on the free movement of such data." Member states were given three years to transpose the directive into national law.

Article 1 of the directive required all member states to adopt legislation to protect the fundamental rights and freedoms of natural persons, and their right to privacy with respect to the processing of personal data. Article 2(a) of the directive defines "personal data" broadly as any information relating to an identified or identifiable natural person. The directive does not list specific categories of protected personal data; instead, it defines an identifiable person as one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Patient records and medical images routinely carry such identifiers, so telemedicine activity is clearly covered.

Since Article 3 states that the directive applies to processing wholly or partly by "automatic means," it is generally accepted that the directive applies to telemedicine, which, due to the advent of the Internet, normally requires a computer. Under Article 7(a) of the directive, the unambiguous consent of the individual is the primary basis on which personal data may be processed, and Article 8 goes further for data concerning health, which may be processed only with the individual's explicit consent or within narrow exceptions, such as processing for medical purposes by a health professional bound by professional secrecy. Thus, a trans-Atlantic telemedicine practitioner should assume that use of telemedicine in the EU requires the explicit consent of the patient unless one of those exceptions clearly applies.

Articles 16 and 17 of the directive also contain requirements for the confidentiality and security of personal data during processing. These requirements carry over to the transfer of personal data to non-EU countries. The directive indicates that such transfers may take place only if the non-EU country in question ensures an adequate level of protection. The directive even ensures that a citizen of the EU has a judicial remedy for damages that result from a breach of the protections guaranteed through the adopted laws of the member states (see Articles 22 and 23).

This requirement poses a problem when the violation occurs at the hands of an entity located outside the EU. This problem is usually solved by reliance on a bilateral treaty. For most European countries, such treaties exist with the United States.

While the directive and laws adopted in EU member states are intended to protect EU citizens, they also apply to anyone whose personal information is transferred to an entity located in the EU, even if the EU is not a primary location of outsourcing operations. Thus, the directive and laws adopted in EU member states may result in legal difficulties for trans-Atlantic telemedicine practitioners.

However, the directive created a route to a safe harbor that is applicable to trans-Atlantic telemedicine practitioners. In particular, Article 25 of the directive authorizes the European Commission to determine whether a third country meets the "adequate" standard for data protection. The Commission has broad discretion in making that determination. It may consider the domestic laws, as well as the international commitments, of the non-EU country.

As a result of the discretion manifested in Article 25, it is likely that trans-Atlantic telemedicine practitioners will be able to avail themselves of a safe harbor, just as in the case of the privacy of airline passengers' data, even when a new U.S. disclosure requirement conflicts in some fundamental way with the protective requirements of the European Union.

Additionally, if an entity outside of the EU cannot take advantage of a Commission-authorized safe harbor, the directive allows telemedicine data transfers that rest on private contracts. The directive's Article 26(2) permits such transfers if each individual transaction provides its own adequate safeguards, which can be accomplished by appropriate contractual clauses. These clauses must include the protections required by the directive, including the individual's right to access his data and to have a judicial remedy available if these rights are violated.

If the telemedicine practitioners are located in the United States and the EU, then they may be able to take advantage of the U.S.-EU Safe Harbor program, administered by the U.S. Department of Commerce and enforced by the Federal Trade Commission. See, generally, http://www.export.gov/safeharbor. This program is designed to safeguard individual data privacy and allow for the efficient yet secure transfer of data between the EU and the United States. Certified compliance with this program is treated as providing the adequate level of protection the directive requires for transfers.

This safe harbor establishes requirements for trans-Atlantic entities, including telemedicine providers charged with handling medical data. The requirements include: notice to individuals about an organization's data collection practices; certain choices to "opt out," and to "opt in" in the case of medical data; certain responsibilities of data-collecting organizations regarding the onward transfer of such data; data security and integrity obligations; the ability of individuals to access information collected about themselves; notice of data use; and enforcement procedures.