The threat of electronic data misuse is growing, with incidents of sensitive data lying unprotected, and data theft and hacking becoming routine. These concerns assume significance in the context of recent government efforts to introduce a system for electronic health records.

Medical information -- Details such as bodily functions, physical anatomy, sexuality, a history of substance abuse, psychological issues or any diagnosis or prognosis --- can be of an extremely sensitive nature. Patients expect that such information will not be readily known to third parties, including even the closest of relations, and are willing to expose only as much information as is necessary for self-benefit, and not for purposes that fall outside it.

The lack of safeguards risks their being socially isolated or discriminated against. Apprehension over lack of safeguards can result in patients not revealing the correct information, leading to inaccurate medical treatment. Instances of non-physicians improperly viewing the e-health records of celebrities without any legitimate reasons, health records being found on hard-drives being sold on e-bay, and medical information being stolen from desktops and laptops are common in the West.

It has also been reported that medical records are worth more to hackers than financial information, and they are misused to buy drugs and medical equipment for resale and for making false insurance claims.

In the last few years, the Indian government has taken steps to digitise the health records of patients across the country. This has many potential benefits, including streamlining the interaction between doctors and patients, more accurate diagnosis and therapy due to the availability of complete medical history, creating a repository of up-to-date health data, avoiding repeated medical investigations and reducing paperwork.

However, in light of the major security issues that digitisation poses, before such a system can be implemented nationwide, adequate safeguards need to be put in place to ensure the privacy of patients and data security.

Digitising health records

The government is in the process of setting up an Integrated Health Information Platform (IHIP), which will ensure the interoperability of health records in any corner of the country.

A National e-Health Authority (NeHA) has been proposed to develop the IHIP, encourage the adoption and promotion of e-health standards and enforce the laws and regulations relating to the privacy and security of patient health information and records.

The government has begun the process of updating infrastructure in district and sub-district hospitals under the National Health Mission; 36 large government hospitals are currently registering patients online.

To operationalise these measures, the government notified the Electronic Health Record Standards (EHRS) in 2013 which introduced a uniform system for the maintenance of Electronic Medical Records/Electronic Health Records by healthcare providers in the country.

This included standards for interoperability, guidelines for hardware, networking and connectivity as well as specifications on data ownership of electronic health records, data privacy and security. The EHRS were recently revised and opened for public comments and an attempt has been made to take into account new forms of technology and upgrade the standards in line with international best practices.

Problems in the proposed EHRS

However, a few legal issues still remain to be addressed in the revised standards in light of prevalent international best practices, apart from those arising from unsatisfactory drafting. To begin with, a notice and consent requirement before or at the time of collection of sensitive data like passwords, financial information, physical, psychological and mental health condition, sexual orientation and biometric information of the patient needs to be put in place.

Presently, it appears that sensitive data can be collected at large without any identified purpose and without the consent of the patient, and only when the data is being put to use for a specified purpose is the consent of the patient taken. Further, for use in “treatment, payments and other healthcare operations”, a general consent of the next of kin of the patient is considered to be sufficient.

Next, the standards need to be made stricter as they mention that all recorded health data will be available to health care service providers on an “as required on demand” basis, and has not been limited to healthcare purposes.

Further, a provision for revocation of consent once data has been collected and the right to amend data on grounds other than correcting errors, is necessary. As per the current standards, a patient cannot ask for data to be deleted once it has been recorded as the standards require them to be preserved for the entire lifetime of the patient and three years after his death. Finally, to increase the accountability of health care service providers, it should be mandated that patients are informed if a privacy breach has occurred; currently there is no such requirement. This may be facilitated by appointing a ‘privacy officer’ who would notify such breaches to the patient within a specified time, along with the course of remedy available.

Giving teeth to the EHRS

The health secretary of the ministry of health and family welfare recently announced that the standards will be implemented by the end of this year. While this is commendable, care also needs to be taken to rectify the loopholes in the standards.

Further, while the standards specify that the provisions of the Information Technology Act, 2000 (IT Act), and consequently the safeguards it incorporates, will prevail, it is important to note that the IT Act and the relevant rules under it have also been the subject of criticism for being vague and imprecise. Therefore, it may be prudent on the part of the government to mitigate the flaws in the IT Act by strengthening the EHRS.

For the standards to be effective and enforceable, sufficient powers to implement and enforce them must be vested in the NeHA, proposed to be set up through an appropriate legislation. This legislation also proposes to deal with issues relating to privacy and confidentiality of patients’ electronic health records.

If that is done, it would require the rights and obligations under the EHRS to be made more clear and concrete. This would facilitate better implementation and provide patients with enhanced security and privacy with respect to their medical records.

The writers are Research Fellow and Junior Research Fellow respectively at Vidhi Centre for Legal Policy