Today you most likely prefer to have your health information and medical history readily available on your mobile phone. You may also be comfortable knowing that all your health data are being saved by your hospital or the clinic that you go to.

What you might not be so comfortable with is the fact that time and again there have been serious breaches of health data. Each time it happens, some questions are raised and some fingers pointed at people or at organisations, but rarely is any concrete deterrent action taken.

Data leakages

The recent reports of Aadhaar data leakage and the still recent breach of information by Facebook of its registered users have posed more questions on the significance of data protection and the need to have strict laws for the same.

In a serious breach of data safety, the health data of about 35,000 people in a pathology laboratory in Maharashtra was leaked in 2016. Notably, it was the EMRs (electronic medical records) that were leaked. As we use computers on a routine basis and depend on them to process the data of a large number of patients, we are increasingly susceptible to hacking attempts and data theft.

However, we also need to understand that computer or IT technology is no longer a luxury or value addition; it has become a necessity. ‘Big Data Analytics’ is the new buzzword in the field of healthcare, with data analysis being used by healthcare providers to record, share and study a number of parameters associated with diseases, their types and demography.

In healthcare, IT is being increasingly used today for analysing, simplifying and applying algorithms to data collected from patients for further productive purposes.

This practice is also duly included in the Clinical Establishments (Registration & Regulation) Act 2010, which mandates maintenance and provision of EMRs for every patient by clinical establishments. Maintenance of data in electronic form provides several benefits to hospitals and clinical establishments.

It also helps the government in analysing mass data and formulating public policies. So obviously the solution lies not in doing away with IT but in having strong data protection laws with sufficient deterrents against theft and hacking attempts. The question is: where do we stand today on data protection?

Data protection

The need for data security is recognised in Indian healthcare to save the data of patients from being misused or leaked. For example, under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, doctors are required to maintain confidentiality of all patients during the various stages of medical treatment and procedures, and also of the information provided by them.

However, these regulations failed to clearly define the timeline for accessing patients’ data. They also failed to include URLs and IP addresses as sensitive information, something which is of paramount significance in today’s internet-driven world.

Certain sections of the Information Technology Act also provide a basic framework for the protection of personal information in India, but these suffer from a number of flaws.

For example, Section 43(a) is applicable only to a ‘body corporate’ and leaves out individuals and legal entities like trusts or NGOs and many others from its purview.

To overcome some of these shortcomings, the government came out with ‘Electronic Health Records Standards for India’ in 2013. The provisions of this were further revised in February 2016. These standards safeguard patients’ data in many ways and require safeguarding of financial information of patients like bank account and credit/debit card details.

These standards also require healthcare providers to designate “a privacy officer (preferably external, may be internal) who will be responsible for implementing privacy policies, audit and quality assurance”.

It also has a provision for patients “to request a healthcare organisation that holds their health records, to withhold specific information that he/she does not want disclosed to other organisations or individuals.”

DISHA paves a new path

Recently, the government put in place the draft of a new law that makes any breach punishable with up to five years’ imprisonment and a fine of ₹5 lakh. The new Digital Information Security in HealthCare Act (DISHA), as it is called, redefines personal information of the patients.

It adds, “use of narcotic or psychotropic substances, consumption of alcohol, human immunodeficiency virus status, sexually transmitted infections treatment, and abortion” related information of the patient to the list of sensitive information.

DISHA also defines a ‘clinical establishment’ as well as the term ‘entity’ clearly and unambiguously to include individuals, trusts, private and public establishments, hospitals, diagnostic centres, pathological laboratories, radiology laboratories, etc.

It also accords great significance to the “informed consent” of individuals and emphasises obtaining explicit consent before the transfer and use of digital health data.

With the government inviting public comments on the draft, one of the noteworthy pieces of feedback received is the demand for the creation of one State-level adjudication authority and one Central-level adjudication authority for data in general, for better protection of data.

While it is yet to be seen what final shape this new law will take, it is definitely a move in the right direction, as it ensures protection of digital health data at every step, including at the time of generation, collection, storage and transmission.

However, as it is true for any law, the devil lies in implementation. Unless implemented effectively, no law, howsoever stringent, can have the desired impact. It will be pertinent to look at actual cases of data theft after DISHA is implemented and other emerging trends to revise and replenish this legislation from time to time.

The author is MD, Paras Healthcare.
