-Automatic translation
According to Article 6 of the Medical Director of Health and Public Health Act, the Directorate of Health must be notified of the operation of health services. The Directorate of Health then has to confirm whether the operation meets the professional requirements and other conditions in the health legislation. Because the same professional requirements apply to telehealth services as other health services, such operations must be notified to the office.
In the case of telehealth services, the notification must include a description of the technical solutions, privacy terms, and use terms related to the service. It is not permitted to start the operations of health services or telehealth services without confirmation from the Directorate of Health.
If an operation involves several contractors, it is sufficient for the person in charge of the premises/health institution to apply. Attached should be an Excel document with the names, ID numbers (kennitala), and job titles of the contractors involved in telehealth services.
A healthcare practitioner who provides telehealth services must either be located at the premises mentioned in the notification to the Directorate of Health or be securely connected to the system used to provide telehealth services.
If the system is only accessible to healthcare professionals on a secure network, the healthcare practitioner must securely connect to it (for example, a VPN connection). A healthcare practitioner cannot use an open or shared wireless network, such as at airports or hotels.
The healthcare practitioner must also secure their environment while the treatment is taking place so that the patient's privacy is guaranteed and that no unauthorised person can observe or disturb the treatment while it is in progress.
One of the Directorate of Health's requirements for technical solutions used in telehealth services is that the solution be based on a three-layer design: the web server, processing server, and database server are installed on separate hardware in separate network areas that are separated by firewalls. No data may be stored on the web server; all data must be stored on a separate database server. Identifiable data must be encrypted with a minimum of 256-bit AES encryption or equivalent protection.
An independent and recognised expert in cyber security must perform a security audit of the system before it is put into use.
All communications between the healthcare practitioner and patient must be encrypted, for example over HTTPS, which uses the TLS (formerly SSL) protocol. A third party may not store the communications, and it must be ensured that no one other than the patient and the healthcare practitioner has access to them.
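As an added example (not code from the Directorate or any provider), the handshake below shows what "encrypted with TLS" means in enforceable terms: the server refuses anything below TLS 1.2, and the client verifies the server certificate against a trusted root rather than accepting any certificate. The certificate is a self-signed one generated in memory for the demo, the host name telehealth.example is an assumption, and the handshake runs over an in-process pipe instead of a socket so it can be executed offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "telehealth.example" // assumed host name for the demo

// selfSignedCert builds a throwaway ECDSA certificate for the demo server and
// a pool that trusts only that certificate. A real service would present a
// certificate issued by a CA the patient's browser already trusts.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// ServerConfig is the server-side policy: TLS 1.2 is the floor, so SSL 3.0,
// TLS 1.0 and TLS 1.1 clients are turned away during the handshake.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // avoids post-handshake writes over the demo pipe
	}
}

// ClientConfig pins the trusted roots and the expected host name; a client
// that skipped this could be talking to anyone in the path.
func ClientConfig(pool *x509.CertPool, minVersion, maxVersion uint16) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: minVersion, MaxVersion: maxVersion}
}

// Handshake runs one TLS handshake over an in-memory pipe and returns the
// negotiated protocol version, or the client-side error when it is refused.
func Handshake(serverCfg, clientCfg *tls.Config) (uint16, error) {
	clientSide, serverSide := net.Pipe()
	defer clientSide.Close()
	defer serverSide.Close()
	deadline := time.Now().Add(5 * time.Second)
	_ = clientSide.SetDeadline(deadline)
	_ = serverSide.SetDeadline(deadline)
	srv := tls.Server(serverSide, serverCfg)
	cli := tls.Client(clientSide, clientCfg)

	serverDone := make(chan error, 1)
	go func() { serverDone <- srv.Handshake() }()
	clientErr := cli.Handshake()
	<-serverDone
	if clientErr != nil {
		return 0, clientErr
	}
	return cli.ConnectionState().Version, nil
}

// Demo returns the version a modern client negotiates and whether a client
// offering only TLS 1.0/1.1 was rejected.
func Demo() (uint16, bool, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, false, err
	}
	srv := ServerConfig(cert)
	ver, err := Handshake(srv, ClientConfig(pool, tls.VersionTLS12, tls.VersionTLS13))
	if err != nil {
		return 0, false, fmt.Errorf("modern client: %w", err)
	}
	_, legacyErr := Handshake(srv, ClientConfig(pool, tls.VersionTLS10, tls.VersionTLS11))
	return ver, legacyErr != nil, nil
}

func main() {
	ver, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("negotiated TLS version 0x%04x; legacy client rejected: %v\n", ver, rejected)
}
```

In a deployed web server the same two settings matter: a minimum version of TLS 1.2 (preferably 1.3) on the server, and a client that validates the certificate chain and host name; the in-memory pipe is only there so the exchange can be run without opening a port.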
Health data may be stored abroad, but it may not be transferred outside the European Economic Area unless the conditions of Chapter 5 of the General Data Protection Regulation are met. If information is stored abroad, stricter requirements apply to the risk assessment.
Technical solutions used in telehealth services must meet stricter requirements for security and access control than is generally the case, especially in light of the provisions of the Act on Data Protection and the Processing of Personal Data and the General Data Protection Regulation.
Special consideration must be given to the security of personal data when programming and installing communication solutions for telehealth services. Furthermore, a risk assessment must be carried out and security measures defined before a communication solution is put into use.
If an impact assessment indicates that data processing would entail high risk, the responsible party must consult with the Data Protection Authority before the processing begins.
Whenever possible, use Hekla to send data. Hekla is a closed electronic communication network with health data that can be used to send information between health institutions. Origo is responsible for Hekla's operation.
A fully valid electronic ID must be used when logging in, and at the start of the treatment the user must accept the terms of use. At the same time, the patient must be informed of the privacy terms, general internet security, the use of the software, and the communication solution used in each case. If there is no communication for 15 minutes, the patient is automatically logged out.
The use of electronic IDs is required because they meet the requirement for the highest level of assurance according to the international standard ISO/IEC 29115:2013.
If the patient is a minor and does not have an electronic ID, a parent or guardian must initiate the service with their electronic ID on behalf of the patient. It is also permitted to authorise others to log in to the service on behalf of the patient, for example, a teacher at a school or kindergarten, who logs in with their electronic ID and identifies the patient to the healthcare professional who will provide the service.
Messages to patients by text or e-mail must not contain sensitive personal information.
Healthcare professionals can identify themselves on the operator's closed network by a traditional login with a username and password. If the system is exposed to the Internet and runs a web server that is accessible to anyone online, healthcare professionals must log in with fully valid electronic IDs.
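The rules in the preceding paragraphs (electronic ID or password depending on network exposure, acceptance of the terms of use at the start, login by a guardian or authorised person on the patient's behalf, and automatic logout after 15 minutes without communication) can be expressed as session logic. The block below is an added example, not the Directorate's or any vendor's code; the identifiers are placeholders and the session type is an assumption about how such a service might be structured. It shows that the idle limit is a sliding window and that activity arriving after the limit does not revive an expired session.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// IdleTimeout is the inactivity limit from the text: after 15 minutes without
// communication the patient is logged out automatically.
const IdleTimeout = 15 * time.Minute

// Exposure describes where the system is reachable from, which decides the
// login method healthcare professionals may use.
type Exposure int

const (
	ClosedNetwork Exposure = iota // the operator's closed network
	Internet                      // web server reachable by anyone online
)

type AuthMethod int

const (
	Password     AuthMethod = iota // username and password
	ElectronicID                   // fully valid electronic ID
)

// StaffLoginAllowed enforces the rule for healthcare professionals: a password
// login is acceptable only on the closed network; an Internet-facing system
// requires an electronic ID. (Patients always log in with an electronic ID.)
func StaffLoginAllowed(method AuthMethod, exposure Exposure) bool {
	if method == ElectronicID {
		return true
	}
	return exposure == ClosedNetwork
}

// Session records who logged in (the actor) and whom the treatment concerns
// (the patient). The two differ when a guardian, or an authorised person such
// as a teacher, logs in with their own electronic ID on behalf of the patient;
// keeping both is what makes the access auditable afterwards.
type Session struct {
	ActorID      string // holder of the electronic ID that logged in (placeholder values below)
	PatientID    string // the patient the session is for
	OnBehalf     bool   // true when the actor is not the patient
	lastActivity time.Time
}

// StartSession opens a session at time now. It refuses to start until the
// terms of use have been accepted and insists that both parties are identified.
func StartSession(actorID, patientID string, termsAccepted bool, now time.Time) (*Session, error) {
	if !termsAccepted {
		return nil, errors.New("terms of use must be accepted before treatment starts")
	}
	if actorID == "" || patientID == "" {
		return nil, errors.New("both the person logging in and the patient must be identified")
	}
	return &Session{ActorID: actorID, PatientID: patientID, OnBehalf: actorID != patientID, lastActivity: now}, nil
}

// Expired reports whether the session has been idle for IdleTimeout or longer.
// Because Touch never updates an expired session, an expired session stays
// expired for every later time.
func (s *Session) Expired(now time.Time) bool {
	return now.Sub(s.lastActivity) >= IdleTimeout
}

// Touch records activity at time now and extends the idle window. Activity
// after the limit is rejected: the user has been logged out and must log in
// again with their electronic ID.
func (s *Session) Touch(now time.Time) error {
	if s.Expired(now) {
		return errors.New("session ended after 15 minutes of inactivity; log in again")
	}
	s.lastActivity = now
	return nil
}

func main() {
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed timestamp
	s, err := StartSession("guardian-placeholder", "patient-placeholder", true, t0)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on behalf of patient: %v; expired after 20 min: %v; password login over Internet allowed: %v\n",
		s.OnBehalf, s.Expired(t0.Add(20*time.Minute)), StaffLoginAllowed(Password, Internet))
}
```

Time is passed in explicitly rather than read from the clock inside the methods, so the idle rule can be tested deterministically and the same logic can run behind a web handler that supplies the request time.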
ÍST 146 Content of general electronic identity cards (Icelandic)
The Directorate of Health's instructions on information security in telehealth services were issued in January 2019 (Icelandic). At the end of the instructions, you can find information about the assurance level of electronic IDs and the primary IDs in Iceland and neighbouring countries.
The Minister of Health appointed a working group to promote telehealth services in November 2017. The group submitted its report (Icelandic) in August 2018, containing recommendations for the continued development of telehealth services in Iceland.
Service provider
Directorate of Health