This article has been written by Ashish Gajwani Law Student at Maharashtra National Law University, Aurangabad. The author here talks about the concept of Electronic Health Records, the rules governing it, Data Privacy issues in Electronic Health Records, Risks associated and future initiatives that are taken by the government to resolve the issue of Security and Privacy in Electronic Health Records.

Introduction

The contribution of technology can be seen in almost every sector working across the globe. It created a paradigm shift in the way a patient’s data is recorded, stored and used when the need arises. A task which was quite hectic and time taking once has become effortless these days. The records used to be handwritten by medical practitioners which took months to be finalised for every patient, piled up and stored in big rooms with almost no security for authorisation. These records are now maintained electronically, with minimal efforts through various software and electronic devices easy to store, available by just tapping some fingers. The things have changed on the positive side but the security breaches still remain; they have just changed their form.

Earlier with no authorisation procedures, files were stolen from the locker rooms in which all the data was stored. With the maintenance of data electronically data is stolen by hacking various websites and cloud-based storage software. This act of procuring a patient’s data without proper authorisation and permission of concerned persons and authorities is a breach of privacy of a particular individual as medical records contain sensitive information which must be kept secured. Recently, over a million medical records including X-ray images of patients were leaked from a high-end hospital due to lack of cybersecurity and absence of proper authorisations. These types of data breaches have been a problem since the inception of maintaining electronic health records which raises concerns over protecting such sensitive personal information.

Current scenario regarding Electronic Health Records

Electronic health records (EHR) were first introduced in the 1960s. It is defined as an electronic record system used to maintain various medical records that get generated during any clinical events. It records details like history, diagnosis, laboratory results, allergies, details of immunization, treatment etc in digital format. The Ministry of Health & Family Welfare (MoH&FW) first issued guidelines for Electronic Health Record in September 2013 which were based on the recommendations of the EMR Standards Committee. The guidelines provided recommendations for developing a uniform system for the creation and maintenance of EHR by healthcare service providers. The guidelines were revised and re-introduced in December 2016. 

The collection, transfer, recording and holding of Sensitive Personal Data or Information (SPDI) in electronic form is subject to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, a set of rules formed under the Information Technology Act 2000. These rules apply to any corporate organisation or entity dealing with SPDI of a person. The establishment of National Electronic Health Authority of India in the year 2015 was a step taken by the government with the objective of laying down data management, privacy and security policies, guidelines and health records of patients in accordance with the statutory provisions.

One of the major steps taken by the Parliament was the Digital Information in Healthcare Security Act, 2018 (DISHA), which was introduced by the Parliament for promotion and adoption of e-health standards in India. The new law is still to become effective in India. NITI Ayog also came forward with a plan called ‘National Health Stack’ with an aim to create digital health records of all the citizens by the year 2022. 

Privacy and Confidentiality

How far is data secured?

According to the guidelines issued in 2016, the authorisation by the owner of the data is considered to be ‘privacy’, also, the trusted third party has to disclose his/her identity before authorisation. The guidelines also contain instructions related to ownership of the data recorded. The healthcare provider is a trusted party who holds the data for the patient. The medium of storage or transmission of such records is owned by the healthcare provider. All the ‘Sensitive Personal Information’ which is defined under Section 3 of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011  or ‘Personal Information’ which is defined under section 2(i) of the same act of the patient is owned by the patient themselves. The healthcare service provider is to ensure the confidentiality of the patient’s records. Privileges provided to patients under these guidelines include inspection and access to their records without any time limit, restricted access to and disclosure of individually identifiable health information and a need to provide explicit consent to allow access and disclosures, which will be audited. The data is available to healthcare providers on an ‘as required on-demand’ basis. 

The guidelines provide for general consent of patients or next of kin before using their data for treatment, payments and other healthcare operations as defined in applicable laws by the Medical Council of India. Specific consent is required for fair use of non-routine and non-healthcare purposes. The information can be disclosed without the patient’s consent when a) there is a reporting of notifiable or communicable disease mandated by law, b) by court order and c) if it is totally anonymized data.  

Assessing and mitigating the risks of electronic health records

Although the concept of Electronic Health Records brings ease in maintenance and access of a Patient’s record, it has certain risks as well.  

• Privacy and Security Issues – A patient’s data flows through many servers because it is used for various purposes like treatment, medication, diagnosis etc. This data flow poses a potential risk of being hacked and used for unethical purposes. Electronic Health Records contain sensitive and personal information about a patient which can be sold easily for making a huge amount of money. These types of data breaches are common in each and every country, with the recent one which occurred in India in 2019 where almost 68 lakhs records containing patient and doctor information were stolen by hackers.
• Inaccurate Information – While recording data electronically the healthcare service provider needs to ensure that each and every patient’s data is updated regularly, as the same data is used by various operators providing healthcare services. If the data is not updated it might result in wrong treatment protocols.
• Liability – There is a great amount of liability on the Healthcare Service Providers because they are the ones storing and recording data of all the patients. The chances of data being stolen, hacked, unauthorised access are really high. They are also responsible if there is any misleading information recorded and transferred.
• Lack of Understanding – Lack of common understanding between the Healthcare Service Providers and Software development teams on the essential functionalities of electronic health records results in low efficiency of the treatment.
• Interoperability– Interoperability is one of the biggest advantages provided by the use of EHR as data can be easily transferred from one hospital to another, but due to lack of synergy between various hospitals, there is a lack of interoperability in the use of electronic health records. The healthcare service provider has also to ensure that it uses uniform software compatible with other software in order to ensure interoperability.
• Cost – The implementation of EHR software and the training of staff and employees for using the software might be really high. 

The risks associated with the use of Electronic Health Records can be mitigated with the introduction of better and efficient security and data privacy laws that will mandate the use of software with better protection. The guidelines provided by the Government in 2016 put the responsibility on the healthcare service provider of protecting and securing a patient’s data, but there should be a liability on the healthcare service provider to maintain strict protocols. All the staff and employees should be well trained in using the software in order to come out with better efficiency of Electronic Health Records. A security officer should also be employed for ensuring better security. Digital certificates for identification and signing should be deployed. The healthcare service provider should implement Standard Operation Procedure in relation to all the activities of recording data electronically. Security awareness training for the staff should be conducted. Plans should be formulated in advance for unexpected events and there should be a proper evaluation of the security standards.  

Integrity and availability of information

According to the guidelines issued in 2016, all recorded data is available to healthcare providers, on ‘as required on-demand’ basis. A patient has the privilege of amending the data but it is limited to the correction of errors in recorded medical details. There are responsibilities on the healthcare service provider of removing patients from identifying information if not necessary and informing the patient of policies related to their rights to health record privacy. The records may be deleted in two conditions firstly when a patient dies or secondly three years after the patient’s death, it is preferable to follow the three-year rule. A patient can demand a copy of his/her data held by the healthcare service provider, also, the option of withholding certain information temporarily or permanently is also available. 

Future implications

A firm step taken by the government in securing healthcare data of patients is The Digital Information Security in Healthcare Act (DISHA). It is a piece of legislation which aims to provide better healthcare data privacy, confidentiality, security and standardisation. It will create regulatory authorities both at central and state level, the National Electronic Health Authority (NeHA) and the State Electronic Health Authority (SeHA). NeHA will be the supreme authority in formulating policies and protocols for the generation, collection,  storage and transfer of digital health data. All the clinical appliances will have to comply with the rules prescribed by DISHA, it also proposes to establish Health Information Exchanges in order to provide better interoperability. Adjudicating authorities under the same will also be established. Breaches and non-compliance with the regulations will be dealt with seriously. The act also distinguishes between ‘a breach’ and ‘a serious breach’. A breach is one in which the regulations are not properly followed while a serious breach is one in which intentionally data is leaked in order to use it for commercial purposes. It also prescribes punishments to the entity entrusted with securing the data and compensation to the patient whose data is leaked. It also specifies the purpose for which the data can be used, collected, stored or transmitted. 

Conclusion

With the full implementation of the use of Electronic Health Records the treatment procedures and protocols will change drastically. In this current situation of the pandemic where most of the doctors are busy fighting the deadly coronavirus, many are there who are afraid to look after the patients having other types of health problems. Electronic health records can be a safe solution as the doctor can diagnose the patient from his home while looking at his health records. Every type of data which is stored and transmitted electronically is vulnerable to hacking and the data being used for commercial purposes. This does not imply that we should switch to traditional methods of recording patient’s data rather better security measures, rules and legislations should be implemented in order to curtail the risk of data being hacked and ensure safeguards to the data which is being recorded. The world is moving ahead with technology at a fast pace. For the betterment of individual growth, efficient means should be used. The Government’s move of introducing DISHA, specific legislation that deals with security and privacy of healthcare data of patients is a great step ahead, although some changes and clarifications are required in the Act itself, it will be a great step in fully implementing the use of Electronic Health records.

References

• https://www.mohfw.gov.in/
• https://ciso.economictimes.indiatimes.com/
• https://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf
• https://www.nhp.gov.in/
• https://inc42.com/buzz/india-healthcare-data-leak-over-120-mn-medical-images-exposed/ 
• https://ciso.economictimes.indiatimes.com/news/hackers-attack-indian-healthcare-website-steal-68-lakh-records/70782910#:~:text=Hackers%20attack%20Indian%20healthcare%20website%2C%20steal%2068%20lakh%20records,containing%20patient%20and%20doctor%20information.

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: