Dr Chinmaya P Chigateri, Director & CEO, Healthminds Consulting, talks about electronic health records and the importance of data privacy
E-health data is currently regulated under the provisions of the Information Technology Act, 2000, read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The objective of Section 43A of the Act is to stipulate that an entity that processes personal data or information on a computer must maintain adequate security practices, and that if its negligence causes any loss to any person, the entity shall be liable to pay damages by way of compensation.
What is sensitive data?
Rule 3 of the 2011 Rules lists eight categories of personal data as sensitive, including medical records and history, and biometric information.
Any document or other piece of data that contains the first six categories of sensitive personal data and that is provided to an entity for the purpose of providing any service would also be sensitive personal data. Passwords are not considered sensitive personal data under the PDP Bill, 2019, though they were included under sensitive personal data in the Personal Data Protection Bill, 2018. The General Data Protection Regulation does not consider passwords to be sensitive personal data either. Other than passwords, all other categories of sensitive personal data provided for in Rule 3 of the 2011 Rules are covered in the PDP Bill, 2019 under the same head. The terms ‘medical records and history’ and ‘physical, physiological and mental health condition’ are replaced by ‘health data’ in the PDP Bill, 2019. The 2011 Rules apply only to personal data or information available in an electronic format and do not apply to personal data held in a non-electronic form, such as a physical register or any other physical document.
As a reaction to the ever-growing medical AI landscape, the Digital Information Security in Healthcare Act (“DISHA”) proposal was brought in. DISHA is seen as the counterpart of the model legislation in the US that governs health data disclosure and usage, the Health Insurance Portability and Accountability Act (“HIPAA”), which was passed back in 1996. HIPAA is what drove the boom in medical transcription and other health data businesses in India. It is a great example of how new industries and the careers that follow are built on proactive legislation.
The National Electronic Health Authority (NeHA) and the State Electronic Health Authorities are the regulators who will administer DISHA. The objective of NeHA is to ensure the promotion of a well-governed e-health ecosystem in India. This will help to organise and provide people-oriented health services to everyone in an efficient, timely and cost-effective manner. NeHA is also responsible for enforcing laws relating to the privacy of health information and records.
When do data privacy laws apply?
Primarily, data privacy laws come into play when health data needs to be shared with a third party, which may be a medical college, a pharma company, a medical devices company or a medical AI company. However, in India, regulation and law are always reactive: they are brought into force only after a new market or business has been defined. Similarly, some legislation was brought into force only after there was great demand for electronic health data for medical AI product research and development.
Electronic Health Record Standards
The Ministry of Health and Family Welfare introduced the Electronic Health Record Standards in December 2016. The objective is to bring standardisation and uniformity to the capture, storage, transmission and use of healthcare information across Health IT systems. An electronic health record is a collection of medical records generated for an individual during a clinical visit or hospitalisation. With the rise of wearable medical devices, healthcare data is generated round the clock, and it may have medical relevance in the long term.
The purpose of setting up the Electronic Health Record Standards includes promoting interoperability of information, evolving and maintaining the adopted standards, and promoting technical evolution. It encourages adoption by all stakeholders by keeping implementation costs low, following best practices and adopting modular standards.
DSCI sectoral privacy guide
The Data Security Council of India (DSCI), an industry body that works to establish best practices in cyber security and privacy, has released the DSCI sectoral privacy guide applicable to healthcare. The guide is a list of best practices that private and public healthcare service providers can use to realign their practices for handling health data.
The seven actionable points provided by the guide, which can be used as a checklist, are:
- Accurate data collection for patient identification
- Effective patient communication
- Informed patient consent
- Use or disclosure of patient personal data
- Securing patient personal data
- Enabling access and modification of personal data
- Maintaining patient anonymity
Conflicts in all the legislations, both proposed and enacted
In terms of the PDP Bill, health data being sensitive personal data requires the express consent of the individual for the data to be processed, whereas in terms of DISHA, any use of digital health data for commercial purposes has been prohibited. This creates ambiguity between the two laws. It is not clear which law will apply in terms of collection/use/processing of digital health data.
As per Rule 3 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, sensitive personal information inter alia includes “physical, physiological and mental health condition, sexual orientation and medical records and history”, hereinafter collectively referred to as “Medical Records”. Rules 5 and 6 of the same Rules require the prior consent of the patient for any collection, use and disclosure of the patient's medical records. However, the relevant provisions of the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 and the Electronic Health Record Standards – 2016 permit the disclosure of patients' medical records for the purpose of medical research, without prior consent, provided all personally identifiable information, as defined under the Electronic Health Record Standards – 2016, is removed prior to such disclosure. It is pertinent to note here that the Electronic Health Record Standards – 2016 state that the Information Technology Rules, 2011 prevail over the Electronic Health Record Standards – 2016.
Consequently, the existing laws on disclosure of medical records appear to contradict each other. In other words, while the Information Technology Rules, 2011 prohibit disclosure of medical records to third parties without the consent of the provider of the information, the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 and the Electronic Health Record Standards – 2016 permit the disclosure of patients' medical records for the purpose of medical research without the prior consent of the provider of the information.
In our view, the applicable laws and regulations have to be given a harmonious interpretation which essentially means the medical records, classified as sensitive personal information, may be disclosed without the consent of the provider of information only if the personally identifiable information of the patient is removed, in its entirety, prior to such disclosure to third parties and such disclosure to the third party is for the sole purpose of conducting medical research by such third party. It is time that the various acts are aligned to provide a common interpretation of how data privacy is handled in healthcare.