Express Healthcare

Data privacy regulation in the Indian healthcare sector


Akarsh Singh, CEO and Co-Founder, Tsaaro, talks about healthcare data privacy

The dynamics of the healthcare sector have been transformed by the COVID-19 pandemic. The unprecedented situation led to critical changes in the Indian healthcare infrastructure. To deliver services effectively, doctors collect, process and store personal and sensitive data of patients, including names, age, sex, phone numbers, medical history and health conditions. Furthermore, hospitals and diagnostic centres collect, process and store an enormous amount of medical data, which is retained for years before it is finally deleted.

Let us find out the specific regulations that doctors and hospitals are required to adhere to in order to safeguard patients’ privacy:

Doctors: Doctor-patient confidentiality is the term used for the protected relationship between a doctor and his patient. This protected relationship makes all information exchanged between them privileged. The Medical Council of India can revoke the licence of a doctor who breaches this confidentiality.

In India, various provisions deal with doctor-patient confidentiality:

  • The personal information of a patient is part of the right to privacy (Article 21). Privacy requires that doctors keep information relating to their patients confidential.
  • The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002. Rule 7.14 of the Regulations states that no registered medical practitioner is allowed to disclose information about a patient which he learnt in the exercise of his profession.

The Electronic Health Record Standards 2016 (“EHR Standards”) are the other key guideline applicable to the protection of medical records. They provide for the adoption of certain baseline security standards to strengthen privacy and protect against cyber-attacks. The EHR Standards are issued under Section 52 of the Clinical Establishments (Registration and Regulation) Act, 2010 (CE Act) read with Rule 9(iv) of the Clinical Establishments (Central Government) Rules, 2012 (CE Rules).

The relevant part of the provision states that “clinical establishments shall maintain or provide Electronic Medical Records or Electronic Health Records (EHR) as may be determined and issued by the Central Government.” Although the EHR Standards were only applicable to clinical establishments, in Sameer Kumar v State of Uttar Pradesh the Allahabad High Court held that every single doctor is obliged to follow the provisions contained in the CE Act.

Clinical Establishment

The term clinical establishment covers a wide range of organisations and institutions such as hospitals, clinics and nursing homes. In terms of data handling, these establishments collect, store and process the largest volume of health data in the country. Still, there is no single piece of legislation that specifically caters to the healthcare sector. This reflects how greatly the development of healthcare infrastructure was neglected in the pre-COVID era. In 2017 the MoHFW drafted a bill for the healthcare sector, the Digital Information Security in Healthcare Act (DISHA), with the purpose of enabling the secure exchange of individuals’ health information between hospitals and clinics. It would greatly help in maintaining the privacy, confidentiality and security of electronic healthcare data and in regulating the storage and exchange of electronic health records. However, it has not been passed yet and is therefore not enforceable. Similarly, the draft Personal Data Protection Bill deals extensively with the data protection and privacy of Indian citizens. It was drafted to meet international standards of cyber security and data protection, but sadly it too has not been passed yet.

In 2019, India was ranked the second most affected country by cyber attacks. According to the US-based cyber security firm FireEye, attackers from China compromised an Indian healthcare website and breached more than 68 lakh health records containing information on patients and doctors. These developments reinforce the need to pass separate legislation to strengthen the healthcare sector in India. Let us find out the regulations applicable to clinical establishments for safeguarding patients’ privacy.

  • Indian Medical Council Regulations
  • Important provisions of the IT Act related to data protection:
    1. Section 43A of the Information Technology Act, 2000 (IT Act) explicitly provides that where a body corporate (for the purposes of this article, a clinical establishment) possesses or deals with any sensitive personal data or information and is negligent in maintaining reasonable security to protect such data or information, thereby causing wrongful loss or wrongful gain to any person, that body corporate shall be liable to pay damages to the person(s) so affected.
    2. Further, Section 72A provides for punishment for disclosure of information in breach of a lawful contract: any person who discloses information in breach of a lawful contract may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding five lakh rupees, or with both.
  • The Electronic Health Record Standards, which apply to the protection of medical records and are issued under Section 52 of the Clinical Establishments (Registration and Regulation) Act, 2010 (CE Act) read with Rule 9(iv) of the Clinical Establishments (Central Government) Rules, 2012 (CE Rules).

Present situation

Telemedicine: Many governments, hospitals, e-pharmacies and even corporates have adopted telemedicine in their employee wellness strategies. The surge in teleconsultations follows the long-pending telemedicine guidelines, which were finally issued by the Ministry of Health and Family Welfare (MoHFW) in collaboration with NITI Aayog and the Board of Governors (BoG) of the Medical Council of India (MCI).

(Problems with telemedicine guidelines to be incorporated in challenges section)

AIIMS e-ICU programme: The new digital programme also helps physicians who manage COVID-19 patients, including those in ICUs, to raise queries, present their experience and share knowledge with other physicians and experts from AIIMS, New Delhi on the digital platform. The programme also acts as a platform for doctors to discuss critical COVID-19 cases and the use of proning, high-flow oxygen, non-invasive ventilation and ventilator settings for advanced disease. This shared learning on treatment strategies has helped doctors deal with critical cases. Furthermore, because COVID-19 is a notifiable disease, the respective government health agencies, municipal corporations, police stations and other executive departments hold health data of infected patients. Hence the exposure of medical data has increased enormously in the present situation.

More surprisingly, the Government of India created the National Critical Information Infrastructure Protection Centre (NCIIPC) under Section 70 of the IT Act, 2000, but it does not recognise the health sector as critical infrastructure. NCIIPC has broadly identified six ‘Critical Sectors’, namely (i) Transport, (ii) Power & Energy, (iii) Telecom, (iv) Banking, Financial Services & Insurance, (v) Government and (vi) Strategic & Public Enterprises.

Therefore, there is a desperate need to amend the present regulations or pass the pending bills mentioned above to counter all the current challenges to the data safety and privacy of Indian citizens.


1 Comment
  1. Rizvan Shaikh says

    The Data Security Council of India (DSCI), an industry body that works to establish best practices in cyber security and privacy, has released the DSCI Sectoral Privacy Guide applicable to healthcare.
