“It is my belief that industry and government around the world should work even more closely to protect the privacy and security of Internet users, and promote the exchange of ideas, while respecting legitimate government considerations” – Bill Gates
Over, 43,000 patient’s electronic medical records including HIV reports were leaked from the Health Solutions pathology laboratory, Thane by a hacker which came to the light in December 2016.[i] Such news are not new in the dailies. It only goes on to show how vulnerable we are to data breaches. With the advancement of technology in the healthcare domain, health records are becoming increasingly digitalized. While healthcare institutions such as hospitals, healthcare centres, etc. are busy digitalizing their health records, the Ministry of Health and Family Welfare, Government of India, is in the process of building an Integrated Health Information Platform, and has issued Electronic Health Record Standards (EHR Standards).[ii] These Standards are intended to provide for creation and maintenance of health records in a standardized manner so that interoperability of EHR’s can be made possible throughout the country. Similarly, even the rules of Clinical Establishments (Registration and Regulation) Act, 2010, notified on 23rd May, 2012, mandates that the “clinical establishments shall maintain and provide Electronic Medical Records or Electronic Health Records of every patient as may be determined and issued by the Central Government or the State Government as the case may be, from time to time”.[iii] Also, the Ministry of Health and Family Welfare in its National Health Policy 2017, has supported the digitalization of medical records and it aims to establish an integrated health information system with a view to link systems across public and private health providers at state and national levels.[iv] The nature of Electronic Health Records being extremely sensitive in nature and to implement a mechanism supporting the interoperability of digital health records it becomes very important to regulate such a mechanism. In the view of this, The Personal Data Protection Bill entails a wider implication and importance in the healthcare domain.
Meaning of Electronic Health Records (EHR)
The Electronic Health Record Standards (EHR Standards) as notified by the Ministry of Health and Family Welfare, Government of India, states that “An Electronic Health Record (EHR) is a collection of various medical records that get generated during any clinical encounter or events”. Electronic Health Record (EHR) is defined by the International Organization for Standardization (ISO) as “a repository of information regarding the health status of a subject of care, in computer processable form”.[v] Thus, it is a digital version of a patient’s comprehensive medical details such as history, diagnosis and prognosis as maintained by a health organization in its database.
General Data Protection Regulation and EHR
European countries have always taken the lead when it comes to ensuring privacy and protection of data. A recent example of the same is the General Data Protection Regulation (GDPR) which has ensured data protection and privacy for all individuals within the European Union. The GDPR has put regulatory teeth in EU to the longstanding governmental guidance about how to deal with the personally identifiable information. Because GDPR is a regulation and not merely a directive, it becomes directly applicable on the national governments in EU. The passing of GDPR has ensured more rights and control to the citizens of EU over their personal data. Its scope is wide enough to cover any non-European company or institution handling personal data of any EU citizen. This now means that, higher level of protection is to be accorded to the EHRs produced in EU. GDPR now expressly includes “genetic data” and “biometric data” and lays down safeguards and obligations that need to be carried out while processing the personal data. Any breaches occurred due to non compliance of any of the provision stated in GDPR may attract a penalty that can cost companies up to 20 million Euros or up to 4 percent of their annual global turnover. The high standards set by GDPR are unprecedented for and will require highest level of compliance to be carried out by companies and other nations including India in order to be able to do any business with the nations of EU.
Personal Data Protection Bill, 2018 and EHR
The Supreme Court in Justice K.S. Puttaswamy (Retd.) & Anr v Union of India held the right to privacy as a fundamental right under the Constitution of India.[vi] Thereafter a committee under the chairmanship of Justice BN Srikrishna submitted a draft Personal Data Protection Bill, 2018. The bill to a large extent has been drafted in line with GDPR and is first of its kind to bring a regulatory framework for data protection in India by conferring multiple rights on the owners of the personal data. It has also created mandates for the organizations and institutions which will handle or process such data. Health data, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, etc. has been included under the category of sensitive personal data. This is different from the international data protection laws, which have provided a much narrower definition for sensitive personal data. This would mean that the foreign companies or MNCs would require a higher compliance under this bill as compared to GDPR. This may hamper the ease of doing any business in India but in my opinion is a positive move in terms of protecting the privacy of such sensitive information of patients. On the contrary, this bill has introduced certain provisions from GDPR such as putting limits on collection, use, and storage of data, meaningful notice, transparency, and, critically, the requirement to be able to “demonstrate accountability”.[vii] Significantly, in case of any contraventions of the provisions, the data fiduciary or a data processor shall be liable to a penalty which is just as high as GDPR, i.e it may extend from Rupees five crore to fifteen crore or two per cent to four percent of its total worldwide turnover of the preceding financial year, whichever is higher. Thus, serious consequences may be incurred which will force the organizations to ensure the privacy of personal data such as electronic health records. The bill surely has many grey areas which are needed to be taken into account by consulting various stakeholders. But it is a welcome step which will be effective in ensuring rights of the people over their personal data. This bill will definitely be a landmark in the legislative history of India and it will be interesting to see its evolution during the process of its enactment since it will take data protection on a whole new level.
Digitalization of the world inevitably requires the protection of personal data. Without a doubt, an integrated electronic health care system will facilitate an efficient healthcare delivery all over India. But executing such an ambitious mechanism for EHR which can be interoperated by all healthcare institutions i.e public or private would require digitalizing health records of 1.35 billion people which seems like a daunting task. Before this can be done, the Personal Data Protection Bill, which is set to be tabled in the Indian parliament in its recent winter session will go a long way in ensuring privacy and confidentiality of EHRs. It will also provide a framework to a comprehensive law on EHR if at all one is formulated in the near future.
[i]HIV patient’s data in 43,000 path lab reports leaked online, Times of India (3/12/2016), available at https://timesofindia.indiatimes.com/city/mumbai/HIV-patients-data-in-43000-path-lab-reports-leaked-online/articleshow/55761372.cms, last seen on 20/11/2018.
[ii] Ministry of Health and Family Welfare, Government of India, Electronic Health Record Standards for India, 2016, available at https://mohfw.gov.in/sites/default/files/17739294021483341357.pdf, last seen on 5/12/2018.
[iii] Rule 9 (iv), Clinical Establishments (Central Government) Rules, 2012.
[iv] Ministry of Health and Family Welfare, Government of India, National Health Policy, 2017, available at https://mohfw.gov.in/sites/default/files/9147562941489753121.pdf, last seen on 6/12/2018.
[v]Health Records Systems in India, Swaniti Initiative, available at http://www.swaniti.com/wp-content/uploads/2016/02/Health-records-system-in-India.pdf, last seen on 10/12/2018.
[vi] Justice K S Puttaswamy (RETD) and anr v. Union of India and ors, WP (Civil No) 494 of 2012.
[vii] Amba Kak, The Emergence of the Personal Data Protection Bill, 2018: A Critique, 54 Economic and Political Weekly, 2018, available at https://www.epw.in/journal/2018/38/commentary/emergence-personal-data-protection-bill.html?0=ip_login_no_cache%3D0878fca07e140b271228bf538f06e6b0, last seen on 12/12/2018.