By: Nir Rabinovich
Israel has taken a significant step forward in empowering individuals over their health data.
In-line with global paradigm shifts in the realm of health information ownership and sharing, a newly enacted law introduces a comprehensive framework meant to allow patients interested in receiving health services to grant access to their personal health information found at various organizations and for such data to be readable and accessible in a timely and secured manner (i.e. - reaching semantic interoperability).
---
Key Provisions of the New Law
- Data Portability: Patients have the right to transfer their health data between different healthcare providers. The providers shall not condition such transfer on a preexisting agreement between them, nor shall they make monetary demands of the patient. This promotes continuity of care and empowers individuals to seek second opinions or alternative treatments.
- Patient Consent at the Core: The law places patients firmly in control of their health data. Individuals must provide explicit consent before any health information can be shared with other healthcare providers or organizations. This consent can be granted on a granular level, allowing patients to specify which data elements can be accessed. Consent can be given for single cases or for a prolonged period.
- Data Minimization and Retention: Healthcare organizations are required to share only the minimum amount of health data necessary to provide care and to retain data for the shortest period possible and patient will be able to instruct organizations to delete data about them.
- Standardized Data Formats: To facilitate data exchange between different healthcare systems, the law promotes the use of standardized data formats and terminologies. This is achieved by leveraging the HL7® FHIR® (Fast Healthcare Interoperability Resources) standard, using its local adaptation by the Israeli Core team.
- Regulatory Oversight and Certification: Data sharing is controlled via permits granted by the Israeli ministry of health to organizations. The permit is granted to organizations that
complete an extensive certification process and may be revoked based on predefined conditions.To receive certification, an organization must pass inspections to certify its infrastructure’s compliance with the law’s requirements on the following aspects: security, API compliance to the FHIR spec, data completeness and adherence to information bucket definitions (see: The Concept of "Information Bins").
- Data Security and Privacy: The law mandates robust security measures to protect patient data from unauthorized access, breaches, and misuse.
---
The Concept of "Information Bins"
A central feature of the new law is the concept of "Information Bins" (AKA "Information Buckets").
- Linking business definitions with the FHIR standard: Information bins define set data business domains (clinical & administrative), which are then mapped to FHIR profiles (defined by the Israel Core team) and are marked using predefined metadata tags. This ensures standardization of Resource structure and terminologies and promotes interoperability across the entire Israeli healthcare ecosystem.
For example – the business definition for the Pathology bucket is “all cytology or histology tests performed on samples taken from the patient”, and such tests are then represented by one of the following Israeli Core profiles: ILCore DiagnosticReport or ILCore DocumentReference.
- A standard for grouping information: Another aspect of information bins is that they standardized categories of health information. Each bucket manages certain information in such a way that produces useful business meaning. For example, all the medications a patient is currently using, patient demographics, allergies and intolerances, etc. (see table below).
- Information Bucket scoping: Information bins not only group data but also define the minimal set of attributes that are sufficient to enable effective and interoperable data exchange for this data entity. For example: Patient Demographics bucket will include, at minimum, a patient’s identifier, first & last name, date of birth, gender etc. Information bins also define the minimal historical depth an organization must make available.
- A key feature for permission management: By grouping related data entities together, patients can grant or revoke access to specific bins, providing the patient with greater control over their health information.
---
As is evident from the above list, information bins naturally group data as they were formulated around well-established data entities, they play nicely with care scenarios, and they offer a user friendly approach for permission control.
---
Technological Requirements
To support the implementation of the new law, healthcare organizations are required to meet certain technological requirements, including:
- FHIR-based APIs: To enable secure and efficient data exchange, healthcare systems must support the FHIR standard.
- Security: the regulations mandate the use of SMART2 and other standards (mTLS, X.509 certificates, etc.) meant to work in tandem to secure data at rest and insure proper control over its sharing.
- Performance: The law defines a minimal level of availability, response time and data latency requirements (i.e. - time between data updates in the source system and their availability via FHIR REST API.
- Terminology Servers: Organizations are encouraged to maintain terminology servers to ensure consistent and accurate use of medical terms, while providing semantic clarity, which is especially needed for local terminology.
- Profile Validation: To ensure compliance with standardized data profiles, healthcare organizations are encouraged to validate their data against national standards - as defined by the Israeli Core team - and to test their data for quality issues, as described in the certification program.
- Logging: Organization are required to record a minimal set of data attributes on each FHIR REST API data access event. They are also required to log all successful or failed authentication or authorization events for a minimum of two years.
---
This new law represents a significant advancement in patient-centered healthcare.
By empowering individuals with greater control over their health data, and by providing a regulatory environment that promotes secured data sharing we expect leaps in treatment quality, reduced administrative burden, improved research operation and an increase in innovation in the health domain. This is truly a new era for Israeli patients!