post-add

Data Protection And Privacy In Healthcare


The healthcare industry is seen as broadly consisting of two categories, namely, healthcare equipment and services and lifesciences/pharmaceuticals. The former category includes healthcare providers, facilities and services, with the latter category primarily covering the pharmaceutical sector. 

The entire healthcare industry sees a large number of individuals undergoing medical treatment. Large volumes of patient related data provide an opportunity for the data being used for furthering medical research and for improving the process for drug discovery and testing. For example, Big Data analytics may be used for finding correlations between seemingly uncorrelated data for determining impact or effect of a drug being developed. However, such data may be also prone to misuse such as profiling or for targeting advertisements by drugs/ medical device distributors. With the Supreme Court holding right to privacy as a fundamental right, medical or healthcare data also deserves to be protected. 

Present legislative framework 

One of the operative legislations which covers medical or healthcare data (referred to as health data) is the Information Technology Act, 2000 (the Act). The Act under section 43A specifically imposes a series of obligations onto corporations which maintain and store such sensitive personal data or information (i.e., medical history or records).  

The obligations under the Act make any corporate, including healthcare institutions/hospitals, liable for damages in the event of any breach of data security which may have occurred as a result of negligence in implementing reasonable practices and procedures as prescribed under the Act. 

Some of the key obligations under the Act and the corresponding rules are as follows: 

1. Privacy policies which in turn should be easily accessible on a corporate’s website and shall provide for a) statement of practice and policies, b) type and nature of sensitive personal information or data being collected, c) purpose of collection and; d) security practices and procedures implemented. 

2. Collection of such information should be for a lawful purpose and in relation to the service being provided and pursuant to consent. 

3. Information to be used only for the purpose it is collected and only retained till such services are being provided. Any individual, with whom the data pertains to, may refuse from sharing sensitive personal data. Additionally, DISHA provides such individuals the right to withdraw consent at a later stage. In some respects, the above-mentioned provisions of the Act do provide an adequate mechanism for securing the privacy related interests of an individual. For example, it casts positive obligations onto the entity, such as a healthcare institute, for securing the sensitive personal data (e.g., medical records and medical history) against misuse.  

However, the IT Act also lacks in the following aspects:

1. Does not provide a comprehensive legislation for medical records or health data — the medical records and health data are treated at par with other forms of sensitive personal data, 

2. Provides a general framework for protection of all forms of sensitive personal data, 

3. No specialized body for adjudicating breach in obligations, 

4. No mechanism specified which enables an individual to determine whether their sensitive personal data is being used. 

Providing  the Right Treatment In an attempt to overcome the above-mentioned generalities of the IT Act, India’s health ministry has proposed a law to govern data security in the healthcare sector. The Ministry of Health and Family Welfare issued a draft dated 21.03.2018 of the Digital Information and Security in Healthcare Act (DISHA) thereby proposing a legislative framework for protection, privacy, security and standardization of electronic health data. Through DISHA, the Ministry of Health has provided a specific legislation for ensuring privacy of digital health data. 

The proposed legislation is intended to establish central and state level regulatory authorities for enforcement of prescribed obligations. The central authority referred to as the National Electronic Health Authority or NeHA would be responsible for preparing the standards, operational guidelines and protocols for the generation, collection, storage, and transfer of digital health data. The state level authorities referred to as State Electronic Health Authority or SeHA, will be responsible for ensuring compliance at the institutional level. 

Some of the other key features which differentiate the proposed legislation are as follows: 

1. Health data is deemed to be owned by the patient/person to whom the data relates to. In the event of death, ownership of data passes onto the heir of the departed 

2. Applicable on all healthcare institutes and facilities 

3. Provides establishment of Health Information Exchanges which will enable exchange and access of health data 

4. All data and details of consent provided will be accessible by the individual. Has right to know which entities have access to the health data 

5. Right of rectification without delay in case of any error in record 

6. Transmission to any other individual or entity would be done only on consent of the owner of the data 

7. Right to be notified whenever the health data is accessed. The DISHA shares a lot of common principles as also provided in the Personal Data Protection Bill, 2018. Although, the Draft Bill provides for the protection of sensitive personal data which includes health data, the DISHA provides a more definitive framework which is specifically applicable to the healthcare industry. The possibility of overlap between the draft Bill and DISHA most certainly exists, which are likely to be resolved when the final legislations are formulated. 

Another  prominent issue which DISHA may not have addressed is the implementation of the tracking mechanism. DISHA proposes that any individual may determine which entities have access to the health data, and also have the right to receive a notification in case their health data is transmitted. However, a suitable technical mechanism would be required for implementing these aspects. It is clear that India is well intended to implement a digital regime on the foundations of data privacy and protection. However, enormity of data present and that the implementation under DISHA would require penetrating the most remote and rural, pose their own challenges. These would be resolved only as time progresses and as the proposed legislation takes a more definite step.


Also Read

Subscribe to our newsletter to get updates on our latest news