
Telemedicine Practices and Data Protection Compliance in Thailand: Legal Brief

posted 2 weeks ago

Introduction to Telemedicine in Thailand:

Telemedicine has emerged as one of the most transformative innovations in healthcare. By leveraging modern communication technologies, telemedicine enables the delivery of medical services regardless of geographic barriers. As the global demand for accessible, efficient, and cost-effective healthcare increases, many countries have embraced telemedicine to overcome traditional challenges such as distance, cost, and limited access to medical expertise.

Thailand, with its rapidly developing digital infrastructure and progressive approach to healthcare, is becoming a prominent destination for telemedicine providers. However, alongside its tremendous growth potential, Thailand presents unique challenges, particularly in the realm of data protection and privacy. For both local and international telemedicine platforms, understanding and complying with the local legal environment is critical. The country’s evolving legal landscape, especially concerning data protection, patient privacy, and healthcare standards, requires providers to implement robust compliance measures. Doing so not only safeguards sensitive patient information but also builds trust with users, ensuring sustainable business growth in a competitive market.

In this guide, we delve into the key considerations for data compliance, discuss the relevant regulatory frameworks under Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), and outline practical steps for telemedicine platforms to navigate these regulations. By doing so, telemedicine providers can effectively mitigate risks, secure patient data, and maintain a competitive edge in the Thai market.

I. Health Information Protection Before the Enforcement of the Personal Data Protection Law:

  1. The National Health Act and Ministerial Regulation:

Thailand’s regulatory framework for data protection has undergone significant evolution over recent years. Prior to the enactment of the PDPA in 2019, Thailand relied on a combination of the Thai Constitution, the Thai Civil and Commercial Code, and sector-specific regulations like the National Health Act B.E. 2550 (2007) (“National Health Act”). The National Health Act mandated that personal health information be kept confidential. Specifically, Section 7 of the National Health Act required that such information not be disclosed in a manner that could harm the data subject, except when authorized by the individual or required by law.

The Ministerial Regulation on the Protection and Management of Personal Health Information B.E. 2561 (2018) (“MR”) provided further detail on the scope and nature of personal health information. Clause 4 of the MR defined personal health information as encompassing documents, case files, reports and other materials capable of identifying an individual’s health status. Clause 11 listed the items treated as personal health information, including:

Health History: Such as height, weight, blood type, and body shape.

Medical Records: Such as nursing records, laboratory examinations, and x-ray films.

Related Documents: Any documents or objects that relate to the above data.

Photographic Evidence: Images of medical personnel or actions during treatment.

Additional Information: Any further information as specified by the Personal Health Data Protection and Management Committee.

  2. Penalties for Non-Compliance:

Before the PDPA’s enactment, the unlawful or unauthorized disclosure of personal health information was penalized under the National Health Act. Under Section 49 of the National Health Act, such violations could result in imprisonment of up to six months, a fine of up to 10,000 THB, or both. Wrongful use of personal data was separately addressed under Section 420 of the Civil and Commercial Code, which provides for civil (tort) liability where data misuse causes harm to the data subject.

II. Transition to the PDPA:

In 2019, the PDPA was published in the Royal Gazette, marking a significant shift in Thailand’s data protection landscape. Its comprehensive framework rendered the earlier MR redundant, and the Medical Council of Thailand subsequently issued a Ministerial Regulation revoking the MR, B.E. 2565 (2022). This evolution reflects Thailand’s commitment to aligning its data protection standards with international best practices.

III. What Is Health Information?

As a result of the MR’s revocation, Thailand no longer has a statutory definition of health information, even though that definition is crucial to classifying personal data and to meeting the obligations under the PDPA. Telemedicine platforms therefore need to understand the personal data in their possession and handle it according to the PDPA.

In the absence of subordinate regulations, directives or guidelines clarifying the scope of health information under the PDPA, it is worth looking at the definition in the European Union General Data Protection Regulation (EU) 2016/679 (“EU GDPR”), which was a core foundation of the Thai PDPA and contains many similar provisions, tailored to Thailand’s context.

Article 4 (15) of the EU GDPR defines ‘data concerning health’ as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Recital 35 of the EU GDPR adds that personal data concerning health should include all data pertaining to the health status of a data subject, including information collected during registration for or provision of health care services, test results, disease history, clinical treatment, and physiological or biomedical states.

By this principle, personal data that may not obviously qualify as health information could still be considered health information depending on the context of personal data processing activities.

IV. Overview of PDPA Compliance for Telemedicine Platforms:

The PDPA extends its reach not only to local businesses but also to international data controllers who process the personal data of Thai residents. This extraterritorial effect means that even telemedicine platforms headquartered outside Thailand must comply with the PDPA if they process the personal data of individuals located in the country.

  1. Extraterritorial Applicability:

According to Section 5, Paragraph 2 of the PDPA, foreign data controllers are subject to the PDPA if any of the following criteria are met:

  2. Obligations for Telemedicine Providers:

Once the PDPA applies, telemedicine providers (whether local or international) must adhere to various obligations under the PDPA, some of which include:

Data Collection and Processing: Ensure that personal data is collected, used, and disclosed with legal bases supporting each processing activity.

Privacy Notices: Clearly communicate to data subjects how their personal data will be used.

Security Measures: Implement appropriate technical and organizational measures to safeguard personal data.

Data Subject Rights: Provide mechanisms for data subjects to exercise their rights (e.g., access, correction, deletion).

Breach Notification: Establish procedures to notify both the regulatory authority and affected data subjects in the event of a data breach.

Record-Keeping: Maintain a Record of Processing Activities (ROPA) to document data processing practices.

V. Privacy Notice / Privacy Policy Under the PDPA:

One of the foundational requirements under the PDPA is the preparation and dissemination of a comprehensive privacy notice or privacy policy. This document serves to inform data subjects about how their personal data is collected, processed, stored, and shared.

  1. Content of Privacy Policy:

Under Section 23 of the PDPA, data controllers must inform data subjects, prior to or at the time of collection, of the purposes of collection, the personal data to be collected and its retention period, the categories of persons to whom the data may be disclosed, the controller’s contact details (and those of its DPO or representative, where applicable) and the rights of the data subject. Common delivery methods include written notices, electronic pop-ups on websites or applications, or verbal communication where applicable.

VI. Best Practices for Drafting a Privacy Policy:

For telemedicine platforms, drafting a privacy policy involves a deep understanding of the personal data flows within the organization. Understanding the customer journey is vital for telemedicine platforms in preparing the privacy policy, as each touchpoint involves the collection and processing of personal data.

  1. Sign-Up / Registration:

During the initial sign-up process, users are generally required to provide basic personal data such as their name, age, contact details and an identity document (passport or national identification card), and in some cases initial health information, such as height, weight, medical history and allergies. This stage sets the foundation for subsequent interactions and must be handled with the highest level of security and clarity regarding data usage.

Know Your Customer (KYC) and Confirming the Identity of the Data Subject: To ensure compliance with Thailand’s PDPA and safeguard sensitive personal data, telemedicine platforms must implement robust KYC procedures during the sign-up phase. These procedures are designed to verify the identity of the data subject and establish trust between the platform and its users.

Verification of Identity: Platforms should require users to provide valid identification documents, such as a national ID card, passport or other government-issued ID, to confirm their identity. The verification process may involve uploading scanned copies of these documents or using digital identity verification tools that comply with Thai legal standards.

Biometric Verification (Optional): For enhanced security, telemedicine platforms may incorporate biometric verification methods, such as facial recognition or fingerprint scanning, where applicable and permitted by law. Biometric data is itself sensitive personal data under Section 26 of the PDPA, so collecting it requires its own explicit consent and the same level of protection as health information.

Data Matching: Once the user submits their identification details, the platform should cross-check this information against official databases (e.g., government records) to ensure accuracy and prevent fraud.

Explicit Consent: During the registration process, explicit consent must be obtained from the user for the collection, use and disclosure of sensitive personal data (general personal data may instead rest on another legal basis, such as performance of a contract, as set out in Section VII below). This includes clear explanations of how their data will be processed, stored and shared. If the user is under 20 years of age, additional consent from their legal representative, guardian or curator may be required under Section 20 of the PDPA.

  2. Booking / Appointment Scheduling:

Once registered, users schedule appointments with healthcare providers. The booking process may involve selecting a healthcare professional based on specialty, availability, or patient reviews. Additional forms might be used to capture medical history or current health conditions.

  3. Consultation:

Consultations are the core of telemedicine services. Whether conducted via video calls, chat sessions, or telephone, these interactions involve real-time exchange of sensitive health information. Data from these sessions may include verbal communications, visual data, and records of diagnosis and treatment.

  4. Post-Consultation Services:

After the consultation, several processes may occur:

Payments: Patients make payments through integrated or third-party payment gateways. This process generally involves third-party service providers.

Insurance Claims: In some cases, patients may file insurance claims. Telemedicine platforms might assist in this process by forwarding relevant health information to insurers.

Medicine Delivery: If medication is prescribed, delivery logistics come into play. This may involve sharing personal data (such as address and contact information) with third-party courier services.

Follow-up Appointments: Follow-up consultations or treatment plans may be scheduled, requiring further data collection.

Feedback and Reviews: Post-consultation feedback is often solicited to improve service quality. While this may involve general data, any health-related feedback is treated with heightened sensitivity.

VII. Legal Bases for Each Activity:

Different stages of the customer journey require distinct legal bases under the PDPA. For example:

Activity               | General Personal Data                                         | Sensitive Personal Data
-----------------------|---------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------
Sign-up / Registration | Necessary to enter into / perform a contract (Section 24 (3)) | Explicit consent (Section 26)
Booking / Appointment  | Necessary to enter into / perform a contract (Section 24 (3)) | Explicit consent (Section 26)
Consultation           | Necessary to enter into / perform a contract (Section 24 (3)) | Necessary for compliance with a law with respect to the provision of health or social care (Section 26 (5)(a)) / Explicit consent (Section 26)
Payment and Billing    | Necessary to enter into / perform a contract (Section 24 (3)) | Explicit consent (Section 26)
Insurance Claims       | Legitimate interest (Section 24 (5))                          | Explicit consent (Section 26)
Medicine Delivery      | Necessary to enter into / perform a contract (Section 24 (3)) | Explicit consent (Section 26)
Feedback / Reviews     | Legitimate interest (Section 24 (5))                          | Explicit consent (Section 26)

Important Remark: Please note that the table above shall only be used as a reference. The actual legal basis for each activity may differ based on the specific facts and circumstances.

VIII. Processing Personal Data of Minors, Quasi-Incompetent Persons, or Incompetent Persons:

Where a patient is under 20 years of age, or is a quasi-incompetent or incompetent person, Section 20 of the PDPA requires that their consent be accompanied by the consent of their legal representative, guardian or curator, as the case may be. If the patient is under 10 years of age, the consent of the legal representative alone is sufficient.

Section 24 of the Thai Civil and Commercial Code allows a minor to perform acts that are suitable to their condition in life and actually required for their reasonable needs. Where a telemedicine consultation falls within that description, a minor between 10 and 20 years of age may therefore give consent alone.

IX. Data Subject Rights and Request Compliance Under the PDPA:

The PDPA enshrines several rights for data subjects. Telemedicine platforms must have robust processes to facilitate these rights.

  1. Overview of Data Subject Rights:

The PDPA grants data subjects the following rights:

  1. Right to Access: Data subjects may request copies of their personal data.
  2. Right to Data Portability: Individuals can obtain their personal data in a structured, commonly used format.
  3. Right to Object: Data subjects may object to certain personal data processing activities.
  4. Right to Delete: Also known as the “right to be forgotten,” this allows data subjects to request deletion or anonymization of their personal data.
  5. Right to Restrict Processing: In certain circumstances, processing may be limited or suspended.
  6. Right to Rectification: Data subjects can have inaccurate or incomplete personal data corrected.
  7. Right to Lodge a Complaint: Data subjects can lodge complaints with regulatory authorities.
  8. Right to Withdraw Consent: Where processing is based on consent, data subjects may withdraw that consent at any time.
  2. Procedures for Data Subject Rights Requests (DSRR):

Upon receiving a data subject request, telemedicine platforms should follow a set of protocols:

  1. Verification: Confirm the identity of the data subject or their representative.
  2. Clarification: Request additional information if the request is ambiguous.
  3. Documentation: Record all details of the request.
  4. Data Retrieval: Locate and compile the relevant data.
  5. Review for Exemptions: Determine if any exemptions apply.
  6. Response: Communicate a clear response—either fulfilling the request, rejecting it, or outlining why an exception applies.
  7. Record-Keeping: Maintain records of the requests and responses for regulatory audits.
X. Record of Processing Activities (ROPA):

Maintaining a detailed ROPA is a regulatory requirement under Section 39 of the PDPA.

A comprehensive ROPA should include: (1) the personal data collected; (2) the purpose of collection for each category of personal data; (3) details of the data controller; (4) the retention period of the personal data; (5) the rights of data subjects and the methods and conditions for exercising them; (6) the use or disclosure of personal data; (7) rejections of, or objections to, data subject rights requests; and (8) an explanation of the appropriate security measures in place.

Small enterprises with fewer than 100 employees and annual revenue of no more than 300,000,000 THB may be exempt from maintaining a full ROPA. Nevertheless, telemedicine platforms handling sensitive personal data should maintain a full ROPA irrespective of size, given the risks involved.

XI. Appropriate Security Measures for Telemedicine Platforms:

Section 37 (1) of the PDPA requires a data controller to provide appropriate security measures to prevent the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of personal data. For telemedicine platforms, these measures should be built around maintaining the confidentiality, integrity and availability of personal data.

According to the PDPC’s Announcement on Security Measures for Personal Data, the security measures should include at least the following: (1) access controls that allow access to personal data only on a need-to-know basis, backed by identity proofing, authentication and authorization procedures; (2) user access management, including registration and de-registration of access rights (so that access is revoked promptly when a user leaves or changes role); (3) clearly prescribed user responsibilities; and (4) an audit trail that allows the review of access to, and changes, alterations and deletions of, personal data.

The duty to implement appropriate security measures extends to the telemedicine platform’s data processors (such as medicine delivery service providers), on whom the controller must impose equivalent obligations to prevent the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of personal data.
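As an added illustration of items (1), (2) and (4) above (example code written for this brief, not part of the original page or of any real platform), the following Python module enforces need-to-know authorization over patient records, writes every allowed and denied action to a hash-chained audit trail, and runs a simple review over that trail. The role model (admin / clinician / patient), the record layout and the use of a SHA-256 hash chain are assumptions made for the example; identity proofing and authentication are assumed to have been completed before a user id reaches this code.

```python
"""Need-to-know access control with a tamper-evident audit trail for a
telemedicine record store.  Added example, not code from the brief or any real
platform; roles, record layout and the SHA-256 hash chain are assumptions."""
import hashlib
import json
from contextlib import suppress

GENESIS = "0" * 64  # prev hash of the first audit entry

def entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class RecordStore:
    def __init__(self, bootstrap_admin):
        self.users = {bootstrap_admin: {"role": "admin", "active": True}}
        self.records, self.audit = {}, []  # patient id -> fields; hash-chained log

    # user access management: registration and de-registration, both logged
    def _admin_op(self, admin, action, target):
        ok = self._active_role(admin) == "admin"
        self._log(admin, action, target, ok)
        if not ok:
            raise PermissionError(f"{admin} may not {action} {target}")

    def register_user(self, admin, user_id, role, patients=()):
        self._admin_op(admin, "REGISTER", user_id)  # patients: a clinician's care list
        self.users[user_id] = {"role": role, "active": True, "patients": set(patients)}

    def deregister_user(self, admin, user_id):
        self._admin_op(admin, "DEREGISTER", user_id)
        self.users[user_id]["active"] = False  # kept, so old log lines stay readable

    # authorization on a need-to-know basis
    def _active_role(self, user_id):
        u = self.users.get(user_id)
        return u["role"] if u and u["active"] else None

    def _authorized(self, actor, action, patient):
        role = self._active_role(actor)
        if role == "patient":    # patients may only read their own record
            return actor == patient and action == "READ"
        if role == "clinician":  # clinicians act only on assigned patients
            return patient in self.users[actor]["patients"]
        return False             # admins manage accounts, not clinical data

    def access(self, actor, action, patient, field_name=None, value=None):
        ok = self._authorized(actor, action, patient)  # READ / UPDATE / DELETE
        self._log(actor, action, patient, ok)
        if not ok:
            raise PermissionError(f"{actor} may not {action} {patient}")
        if action == "UPDATE":
            self.records.setdefault(patient, {})[field_name] = value
        elif action == "DELETE":
            self.records.pop(patient, None)
        return dict(self.records.get(patient, {}))

    # audit trail: each entry commits to the hash of the previous one
    def _log(self, actor, action, target, ok):
        e = dict(seq=len(self.audit), actor=actor, action=action, target=target,
                 outcome="ALLOW" if ok else "DENY",
                 prev=self.audit[-1]["hash"] if self.audit else GENESIS)
        e["hash"] = entry_hash(e)
        self.audit.append(e)

    def verify_audit_chain(self):
        prev = GENESIS
        for e in self.audit:
            if e["prev"] != prev or entry_hash(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def review_audit(store, deny_threshold=2):
    """Actors with repeated denials, plus any account acting after its DEREGISTER."""
    denies, gone, flagged = {}, set(), set()
    for e in store.audit:
        if e["outcome"] == "DENY":
            denies[e["actor"]] = denies.get(e["actor"], 0) + 1
        if e["actor"] in gone or denies.get(e["actor"], 0) >= deny_threshold:
            flagged.add(e["actor"])
        if e["action"] == "DEREGISTER" and e["outcome"] == "ALLOW":
            gone.add(e["target"])
    return sorted(flagged)

def demo():
    """Constructed scenario: (denied reads, flagged actors, chain ok, chain ok after edit)."""
    s = RecordStore("admin1")
    s.register_user("admin1", "drA", "clinician", patients={"p1"})
    s.register_user("admin1", "drB", "clinician")
    s.register_user("admin1", "p1", "patient")
    s.access("drA", "UPDATE", "p1", "allergies", "penicillin")
    s.deregister_user("admin1", "drA")
    for actor in ("drB", "admin1", "drB", "drA"):  # off care team, admin, revoked
        with suppress(PermissionError):
            s.access(actor, "READ", "p1")
    denied = sum(e["outcome"] == "DENY" for e in s.audit)
    flagged, intact = review_audit(s), s.verify_audit_chain()
    s.audit[3]["actor"] = "drB"  # simulate rewriting who changed the record
    return denied, flagged, intact, s.verify_audit_chain()
```

Running demo() returns (4, ['drA', 'drB'], True, False): four denied reads, the two accounts a reviewer should look at (a clinician repeatedly probing a record outside their care team, and a de-registered account still attempting access), an intact chain, and a chain that fails verification once a single entry is rewritten. In a production deployment the chain would be anchored outside the application (for example by periodically signing the latest hash or shipping entries to a write-once store), entries would carry timestamps from a trusted clock, and findings from the review step would feed the breach assessment procedure described in Section XII.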

XII. Personal Data Breach and Breach Notification Procedures:

Despite security measures, data breaches can occur. The PDPA requires prompt action in response to breaches.

  1. Definition:

A personal data breach is a breach of security measures that results in the loss of, or the unauthorized or unlawful access to, use, alteration, modification or disclosure of, personal data.

  2. Procedures:

Assess the reliability of the breach report and investigate the facts.

Notify the PDPC without delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.

Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, also notify the affected data subjects without delay, together with the remedial measures taken.

Mitigate the situation and review security measures to prevent future breaches.

XIII. Processing of Sensitive Personal Data by Data Processors:

Throughout the customer journey, a data processor may be involved in processes such as medicine delivery. A data controller must prepare a Data Processing Agreement (DPA) to control the activities of the data processor. Key provisions of a DPA include:

Restriction on use or disclosure of personal data.

Implementation of appropriate security measures.

Recording of personal data processing activities.

Notification of personal data breaches.

XIV. Designating a Representative and a Data Protection Officer (DPO) in Thailand:

  1. Designating a Representative for Foreign Providers:

Foreign telemedicine providers that fall within the PDPA’s extraterritorial scope under Section 5, Paragraph 2 (for example by offering services to data subjects in Thailand) must appoint a representative in Thailand in writing, as required by Section 37 (5) of the PDPA.

  2. Appointment of a Data Protection Officer (DPO):

Telemedicine platforms are obligated to designate a DPO if their core activities involve processing sensitive personal data. External or outsourced DPOs may be appointed for SMEs.

XV. Use of Sensitive Personal Data (Health Information) for Telemarketing Purposes:

Sensitive personal data, including health information, cannot be used for marketing purposes without the data subject’s explicit consent for that specific purpose. Telemedicine platforms may instead rely on general personal data (e.g., email addresses) for mass communications under an appropriate legal basis, provided a clear opt-out mechanism is available and honoured.

XVI. Frequently Asked Questions (FAQs)

Q1: Does Weight and Height Qualify as Health Information?

Weight and height information may qualify as either general personal data or sensitive personal data depending on the context. For example, in telemedicine services, weight and height may play a vital role in medical analysis and thus could be considered sensitive personal data.

Q2: Can a Patient Request Deletion of Their Health Information?

Patients have the right to request deletion of their personal data under certain conditions. However, telemedicine platforms are required to retain medical records for at least 5 years in accordance with the National Health Act, and a deletion request can be refused to the extent that the law requires the records to be retained. The refusal, and its reason, should be communicated to the patient and recorded for audit purposes.

XVII. Conclusion

As telemedicine continues to revolutionize the healthcare industry, ensuring robust compliance with data protection laws like the PDPA is critical. Health information, being sensitive personal data, demands the highest level of security and compliance to protect patient privacy and maintain trust in digital healthcare services.

For telemedicine platforms operating in Thailand, navigating the interplay between local regulations and international frameworks necessitates a meticulous approach to data processing. Failure to comply can lead to reputational damage, regulatory penalties, and legal liabilities. By adopting best practices such as transparent privacy policies, strong security measures, and compliance with data subject rights, telemedicine providers can create a safe and legally compliant environment.

In conclusion, the landscape of health information regulation is complex and continuously evolving. Telemedicine platform providers must proactively update their policies and compliance strategies to align with changing regulations, ensuring that patient rights remain protected while fostering innovation in digital healthcare solutions. By doing so, they can contribute to a more secure, efficient, and globally compliant telemedicine ecosystem.
