Reference: Markov B. Personal Data Protection Issues in the Realm of Telemedicine. Blockchain, Civil Liability and other Methods to Overcome Them. // Legal Studies. 2023. № 4. P. 1-10. DOI: 10.25136/2409-7136.2023.4.40519 EDN: ONXLKA URL: https://en.nbpublish.com/library_read_article.php?id=40519
Personal Data Protection Issues in the Realm of Telemedicine. Blockchain, Civil Liability and other Methods to Overcome Them.
DOI: 10.25136/2409-7136.2023.4.40519
EDN: ONXLKA
Received: 17-04-2023
Published: 24-04-2023

Abstract: The subject of this article is the legal regulation of personal data protection in the field of medical care with the use of telemedicine technologies and digital healthcare. Its purpose is to identify and analyze the problems of personal data protection and to find ways to overcome them. The relevance of the work is due to the presence of a large number of leaks of personal data, gaps in regulation, and the lack of an effective system of norms aimed at preventing the compromise of patient information. The author examines the main aspects of regulating the procedure for working with the patient's consent to the processing of personal data. Much attention in the article is paid to blockchain technology, traditionally considered in the Russian legal literature only within the framework of the use of cryptocurrencies. The article also analyzes the issues of the application of civil liability measures for offenses in the field of personal data protection of recipients of telemedicine services. The author criticizes the unreasonably strict regulation of the procedure for obtaining the patient's consent to the processing of personal data by a medical organization and emphasizes the need to introduce a flexible form of consent. This will reduce the amount of information at risk of leakage. In addition, the idea of creating a mechanism for revoking the patient's consent to the processing of personal data and securing the patient's right to demand from the medical organization the termination of their processing is put forward. The paper points to the prospects for the use of blockchain in the field of telemedicine, including for the protection of personal data. A regulatory division of blockchain systems into centralized and decentralized ones is proposed, suggesting their different regulation in relation to the protection of confidential information. In addition, the article notes the lack of elaboration of the norms on civil liability for offenses in the field of working with personal data in telemedicine; it is proposed to tighten regulation in order to increase the level of protection of patients' rights.

Keywords: telemedicine, e-health, personal data, blockchain, telehealth technologies, civil liability, data protection, healthcare, healthcare digitalization, telemedicine consultation

This article is automatically translated.

The provision of medical care using telemedicine technologies is always associated with the transmission and processing of information in electronic form. Unlike other service industries, this information includes not only a limited list of frequently used personal data, but also information about the patient's health. This underlines the importance of comprehensive and effective protection of such information.

However, information that is subject to protection under the legislation is exposed to significant risks, and the effectiveness of that protection cannot be considered satisfactory. Thus, by the end of 2021, the compromise of about 80.5 million records of personal data and payment information had been revealed, which is 20% more than in 2020 [1, p. 6]. According to the results of the first half of 2022, the situation deteriorated significantly: the number of leaks increased by 46% (305 against 209 in the first half of 2021), and the volume of compromised information showed an unprecedented growth of 1675% (187.6 million records against 11.2 million in the first half of 2021) [2, p. 5]. At the same time, it should be noted that in three cases out of four, leaks occur as a result of "intentional violations of an internal nature", that is, through the fault of an employee or an official of the personal data operator [2, p. 9]. This may indicate significant gaps in the organization of work with protected data.
This fact suggests that the reasons for the insecurity of information are primarily of an organizational and legal nature, and not technical. Database storage systems are obviously sufficiently protected or attempts to hack them are impractical due to the large labor and time costs, while imperfections in the organization of work with personal data and in the legal mechanisms of control and responsibility for violations in this area become a prerequisite for such massive leaks.

These issues are also very relevant for the healthcare sector, including telemedicine. Thus, in 2020, there was a leak of personal data of 300,000 Muscovites who were ill with the new coronavirus infection COVID-19, which was monitored using telemedicine technologies. The above gives rise to scientific interest in studying the problems of legal regulation of personal data protection in telemedicine and determines the relevance of this work.

By personal data, Russian legislation means any information that relates directly or indirectly to a specific or identifiable individual [3, Article 3], that is, the range of such information is unusually wide. At the same time, processing of personal data, as a general rule, is possible only with the consent of this person – the subject of personal data.

Obtaining the patient's consent to the processing of personal data is a mandatory procedure carried out by medical organizations when providing telemedicine services. The content of the consent is established normatively. Consent to the processing of personal data contains the surname, first name and patronymic of the patient, his address, the number of the identity document, and many other data. A natural question arises about the expediency of including all this information in the consent. The essence of telemedicine services is to overcome geographical barriers and the territorial remoteness of subjects, so the patient's address is information that has no meaning.
Information about an identity document is sometimes called superfluous [4, p. 76]. However, the medical organization must receive this information in any case, even if the patient is unwilling to transmit it; otherwise the processing of personal data will be impossible, and the telemedicine consultation will not take place.

It seems that the best way to protect personal data is the absence of such data. Therefore, the form of consent to the processing of personal data should be flexible. Telemedicine subjects should be able to independently determine the composition of the information indicated in it. In this case, the medical organization will be able to assess the need to obtain these data and not take on an additional burden in the absence of expediency.

In addition, in order to provide telemedicine services, it is necessary to identify and authenticate participants in the Unified Identification and Authentication System (ESIA) [5, Article 36.2]. How does this requirement affect the possibility of anonymous consultations? Although there is no ban on their implementation using telemedicine technologies, there are no exceptions for such cases in the norms of legislation, which is noted by the Ministry of Health of Russia [6]. This makes it impossible to provide remote anonymous consultations. It is necessary to use all possible mechanisms to increase the coverage of medical care among people who do not want to disclose their identity. Telemedicine could be an effective mechanism for solving this problem; however, this is not possible with the current strict regulation. In addition, it should be noted that not all patients have a confirmed account in the ESIA, which means that telemedicine consultation will become an inaccessible form of receiving medical care for them, for which the current regulation has been repeatedly criticized in the literature [7, p. 757], [8, p. 32].
If the subject of personal data fears for the safety of the data, does not trust the operator of personal data or for any other reason does not want information about them to be processed by the operator, they should have the right to demand its destruction. The legislation on personal data provides the possibility of revoking consent to processing and contacting the operator with a request to terminate processing [3, Articles 9, 21]. However, the law stipulates a number of exceptions, one of which grants the operator of personal data the right to continue processing them despite the withdrawal of consent to processing, if it is carried out by a person professionally engaged in medical activities and obliged to maintain medical secrecy in order to provide medical care. That is, even if the patient withdraws the previously given consent to the processing of personal data and demands that their processing be stopped, the medical organization that provided him with telemedicine services can continue processing them. The compliance of this norm with the Constitution was also confirmed by the Constitutional Court of the Russian Federation, which pointed out that this provision of the law grants such a right to medical organizations only for the realization of the right of citizens to health protection and medical care, while ensuring the protection of these data by legal norms, including provisions on medical secrecy [9].

Given that leaks of personal data do occur, it can be stated that the level of data security is not sufficient. Therefore, we believe that the possibility to withdraw consent to the processing of personal data and demand the termination of their processing, including the destruction of this information, should be an inalienable right of the patient. In this regard, it is necessary to establish the procedure for terminating the processing of personal data by a medical organization upon receipt of a withdrawal of consent for processing from a patient.
At the same time, for the purposes of medical statistics, it should be possible to delete not all information, including diagnosis and prescribed treatment, but only information about the patient, that is, information that will allow identifying a specific individual (name, phone number, place of residence, etc.). For example, it is sometimes proposed to designate the patient with letters [10, p. 37]. Such depersonalization of information will make it possible to adequately protect the rights of the consumer of telemedicine services.

It is also necessary to touch upon the technical aspects of information protection. One of the most recently discussed ways to solve some problems in the field of data protection is the use of blockchain technology. Blockchain is a distributed database, which is a chain of connected blocks in which information is stored. Blockchain can be widely used in the field of e-health and telemedicine and solve the problem of insufficient data protection obtained, for example, as a result of data encryption [11, p. 199]. However, the regulation of blockchain in Russia is at an initial stage; it requires the development and adoption of the necessary norms, while a balanced regulation should be achieved, since excessive state intervention may interfere with the expansion of the use of this technology [12, p. 91]. At the same time, the use of blockchain in different sectors of the economy may have differences that require different approaches to regulation [13, p. 66].

One of the most obvious uses of blockchain in the healthcare sector is electronic medical records. Thanks to its use, it is possible to ensure reliable storage and processing of any patient data and to organize a control system for the transmission of this data [14]. Blockchain can also be of great importance in the field of pharmaceuticals and telephony.
Transparency of all stages of development, clinical research (which is of great importance for achieving the goals of evidence-based medicine), the production of medicines, their supply to pharmacy chains, the organization of electronic prescriptions and remote sale of prescription drugs provided by the blockchain will significantly increase the effectiveness of combating the production and sale of counterfeit medical products and other violations in this area [15]. As a result of amendments to the current legislation, from March 1, 2023, remote sale of prescription drugs became possible in some regions of Russia as part of the experiment [16].

The influence of blockchain in such a component of telemedicine as remote monitoring of the patient's health can also be invaluable. Thanks to the use of this technology, it will be possible to optimize the system of remote collection of information about the patient's health status, simultaneous analysis of this information by several healthcare institutions and its reliable storage. Thus, the use of blockchain technology will simplify the processing of information, ensure a high level of its security, including from unauthorized access, and ensure transparency and accountability [17, p. 366].

We believe that it is necessary to regulate in detail the possibility and necessity of using blockchain in the field of healthcare and telemedicine, and the legal literature emphasizes the need to regulate not only the relations within which the use of this technology is possible, but also the blockchain itself as an information storage technology [18]. One of the key problems may be the risk of recognizing each participant in the chain containing personal data as a personal data operator, which means that they will be subject to requirements corresponding to the status of a personal data operator and will be forced to bear the obligations established by the legislation on personal data [19, p. 114].
We believe that the approach to regulation should be differentiated depending on the type of blockchain system. In the field of telemedicine, a centralized blockchain will obviously be widely used – the organization of a distributed registry within even one enterprise. In this case, the medical organization will be the operator of personal data. When building a decentralized system, specific rules must be applied, according to which a participant in the system will not be recognized as a data operator. Formally, each participant does store some part of personal data. But this part is not a sufficiently isolated component: having it, it is impossible to build specific information about a person (name, phone number, etc.), or to determine the individual to whom this information belongs. Therefore, the application of the current legislation on personal data (especially in its literal interpretation) to the participants of the blockchain system does not meet the interests of society and professional industry participants.

Another topical issue in the field of personal data protection is liability in case of failure to take sufficient measures to protect information and its leakage. The current legal regulation provides for a completely insignificant punishment for such violations – an administrative fine of up to 100,000 rubles [20, Article 13.11]. In the case of telemedicine, information that constitutes a medical secret may be leaked, which qualifies as a different offense. The punishment in this case can be twice as severe – an administrative fine of up to 200,000 rubles [20, Article 13.14].
It seems quite obvious that such a level of responsibility does not correspond to the public danger of these offenses and the severity of their consequences, and does not encourage personal data operators to strengthen the information protection system, since paying such fines will be less costly for the personal data operator than creating a reliable system for their processing and protection. The ongoing discussions on the need to tighten administrative responsibility have not led to any result to date. Meanwhile, it is important to note that there is also no elaborated array of legal norms on civil liability [21, p. 71], and this problem does not attract wide enough attention. Yet, in our opinion, it is civil liability that should be the key, since only it is aimed directly at restoring the violated rights of the patient, the subject of personal data. We believe that it is necessary to establish the presumption of guilt of the personal data operator in the leakage of information, to release the subject of personal data from proving the fact of harm caused to him as a result of compromising information about him, and perhaps even to set some minimum compensation limits in case of leakage of specific types of information. Special attention should be paid to information about the health of patients, the compromise of which can cause much more harm than the leakage of other information.

Thus, there are significant problems in the field of personal data protection in the field of telemedicine and digital healthcare. To solve them, it is necessary, on the one hand, to soften the legal regulation regarding the work with the patient's consent to the processing of personal data, to make it more flexible.
This will avoid burdening the medical organization with additional responsibilities for protecting information that is not required for conducting telemedicine consultations, and will also legalize anonymous telemedicine consultations, increasing the level of accessibility of medical care. On the other hand, it is necessary to tighten the rules on the responsibility of personal data operators. Particular attention should be paid to civil liability, as it will best be able to ensure the restoration of the violated rights of the patient, the subject of personal data. In addition, the use of blockchain technology can provide significant assistance in overcoming the above-mentioned problems of personal data protection. However, this requires the development of legal norms regulating the possibility and procedure for its use, dividing blockchain systems into centralized and decentralized, and imposing different requirements on them.

References
1. Russia. Leaks of the information of limited access in 2021 / InfoWatch expert center report, available at: https://www.infowatch.ru/sites/default/files/analytics/files/rossiya-rost-latentnosti-intsidentov-i-vnutrennikh-utechek.pdf (accessed 02.04.2023).
2. Research report on the leaks of the information of limited access in the first half of 2022, available at: https://www.infowatch.ru/sites/default/files/analytics/files/otchyot-ob-utechkakh-dannykh-za-1-polugodie-2022-goda_1.pdf?ysclid=lai48y511l771866327 (accessed 02.04.2023).
3. Federal law of 27.07.2006 no. 152-FZ «On Personal Data». Collection of the legislations of the RF, 31.07.2006, no. 31 (part I), art. 3451.
4. Zhuravlev, M. S. (2016). Personal data protection in telemedicine. Law. Journal of the Higher School of Economics, 3, pp. 72–84. DOI: 10.17323/2072-8166.2016.3.72.84.
5. Federal law of 21.11.2011 no. 323-FZ «On the Fundamentals of Health Protection in the Russian Federation». Collection of the legislations of the RF, 28.11.2011, no. 48, art. 6724.
6. Letter of the Ministry of Health of the Russian Federation of 09.04.2018 no. 18-2/0579, available at: https://www.garant.ru/products/ipo/prime/doc/71842326/?ysclid=lghwssjuwj640200587 (accessed 09.04.2023).
7. Barashkov, G. M., Eremina, M. G., Subbotina, V. G. (2021). Telemedicine in solving the problem of restricting the availability of medical care in remote areas: legal barriers of implementation and operation (review). Saratov Journal of Medical Scientific Research, 4, pp. 755–760.
8. Pospelova, S. I., Sergeev, Y. D., Pavlova, Y. V., Kamenskaya, N. A. (2018). The legal regime of application of telemedical technologies and introduction of the electronic document flow: the modern legal regulation status and development prospects. Medical Law, 5, pp. 24–33.
9. The Ruling of the Constitutional Court of the Russian Federation of 16.07.2013 no. 1176-O, available at: https://www.consultant.ru/cons/cgi/online.cgi?req=doc&base=LAW&n=152099&dst=100001#VSusUbTlcksifrR9 (accessed 11.04.2023).
10. Vinokurov, V. A. (2021). Compliance issues personal and medical secrets when providing medical services. Medical Law: Theory and Practice, 2021, 2 (14), pp. 33–40.
11. Blinov, S. V., Kuzmina, N. M., Revina, S. N., Sidorova, A. V. (2019). Medical secrecy in telemedicine. Bulletin of the Medical Institute «REAVIZ» (Rehabilitation, Doctor and Health), 2 (38), pp. 196–200.
12. Kovalyova, N. A. (2019). Practical aspects of government regulation of blockchain technologies application and its improvement on the basis of foreign experience. Economics, taxes & law, 4, pp. 87–93. DOI: 10.26794/1999-849X-2019-12-4-87-93.
13. Arkhiereev, N. V. (2022). Issues of the essence and legal regulation of blockchain. Proceedings of the Youth Science Forum / Ed. by Degtyarev, A. N., Kuznetsova, A. R. Ufa: Institute of Strategic Studies of the Republic of Bashkortostan, 2022, 454 p.
14. Heston, T. F. (2017). Why Blockchain Technology Is Important for Healthcare Professionals, available at: https://ssrn.com/abstract=3006389 (accessed 13.04.2023).
15. Rejeb, A., Bell, L. (2019). Potentials of Blockchain for Healthcare: Case of Tunisia, available at: https://ssrn.com/abstract=3475246 (accessed 13.04.2023).
16. Federal law of 20.10.2022 no. 405-FZ «On Amendments to the Federal Law “On circulation of medicines”». Collection of the legislations of the RF, 24.10.2022, no. 43, art. 7268.
17. Chistyakov, M. S., Chirkov, M. A., Shapovalova, A. V. (2022). Blockchain technologies in legal realities. Digital technologies and law, 5 / Ed. by Begishev, I. R., Gromova, I. A., E. A., Zaloilo, M. V., Filipova, I. A., Shutova, A. A. vol. 5. Kazan: Kazan innovative university, 2022, 432 p.
18. Bylinkina, E. V. (2020). Blockchain: legal regulation and standardization. Law and Politics, 9, pp. 143–155. DOI: 10.7256/2454-0706.2020.9.33614.
19. Savelyev, A. I. (2017). Some legal aspects of implementation of smart contracts and blockchain technologies under Russian law. Закон [Law], 5, pp. 94–117.
20. Code of the Russian Federation on Administrative Offenses of 30.12.2001 no. 195-FZ. Collection of the legislations of the RF, 07.01.2002, no. 1 (part I), art. 1.
21. Makareyko, N. V. (2022). Legal risks of digitalization of medical care. Legal science and practice: Journal of Nizhny Novgorod Academy of the Ministry of Internal Affairs of Russia, 1 (57), pp. 67–74. DOI: 10.36511/2078-5356-2022-1-67-74.