
This article is written by Saket Bisani, pursuing Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.


Technology has grown immensely in various sectors and contributed largely to India’s development. It is a significant contributor to the economy of our country. Crucial changes have been observed in sectors such as defence, space and manufacturing due to booming technological advancements and adaptations. The healthcare sector has also entered the field of technological advancements with the intent to introduce a uniform system for maintenance of electronic medical records/electronic health records by the hospitals and healthcare providers in the country. The primary purpose of the electronic health record is to have life-long, effective, high quality, safe and integrated healthcare. The Ministry of Health and Family Welfare notified the Electronic Health Record (EHR) Standards for India in September 2013. Following this, revised EHR Standards were notified in December 2016.

In this article, we analyse the technological developments in the healthcare sector and the challenges they pose due to dynamic changes. To begin with, we look at what an “Electronic Health Record” is and its importance in the healthcare sector. Moving ahead, we analyse the statutory framework concerning the electronic health care system in India. It mainly consists of the Information Technology Act, 2000 and the IT rules; however, there are also the Personal Data Protection Bill, 2019 and the Digital Information Security in Health Care Act (DISHA), which is not yet enacted by the Parliament but is a comprehensive compilation of regulation regarding healthcare. Further, we critically analyse EHR and its usability issues with specific regard to the Indian healthcare sector. Towards the end of this article, we will see that digitalization in healthcare is fast-growing and that, as with any dynamic trend, there is a dire need for specific legislation adhering to the field. In addition to scrutinizing the electronic health record system in India, certain suggestions have also been brought forth in this article.


What are Electronic Health Records (EHR)?

Briefly speaking, an ‘Electronic Health Record’ is a collection of various medical records that are generated during any clinical encounters or events. It is a digitized version of the patient’s medical history; it contains patient-centred information in real time and is easily accessible to medical professionals. Section 3(21) of the Personal Data Protection Bill 2019 defines ‘health data’ as data related to the state of physical or mental health of the data principal, including records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of, health services, and data associating the data principal to the provision of specific health services. Further, Section 3(e) of the Digital Information Security in Health Care Act (DISHA) defines ‘digital health data’ as “an electronic record of health-related information about an individual and shall include………clinical establishment by the individual”. However, neither of these bills has been enacted yet.

Such electronic health records can collectively provide a digital summary of the various healthcare events in the life of a person, which is a much better option for avoiding the hassles arising from tons of paperwork. Such a system is created with the aim that any person can go to any health service provider/practitioner, any diagnostic centre or any pharmacy and be able to access and have fully integrated health records in electronic format at any time. Apart from this, there are many benefits of collecting medical records, such as evidence-based care, increasingly faster and accurate diagnosis, avoiding repetition of unnecessary tests, improved health policy decisions, improved personal and public health and so on.

EHR standards for India have been available since 2016 and adequate time has been provided to the hospitals for the implementation of the same. As with any technological solution, we must accept that it is never foolproof.

Legal framework

At present, there are no specific rules or guidelines which monitor health data. Nor does India have separate legislation for the protection of health data. However, the current legal framework on electronic health records emerges from cybersecurity laws, which include the IT Act, 2000 and its amendments, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 and the Information Technology (Intermediaries Guidelines) Rules 2011. These govern electronic health data but have not been updated to keep pace with the rapid development in this field.

Nevertheless, the government has introduced the Personal Data Protection Bill, 2019 to address the issue, and it could be safe to say that it provides for the protection of the privacy of individuals relating to their ‘personal data’, which includes health data as well. The Personal Data Protection Bill, 2019 is undoubtedly a solution to the protection of health data; however, it cannot be called an exhaustive solution, as it gives the State too much power of surveillance without creating any checks and balances. Therefore, it could be argued that with the growing trend of technology, there is a dire need for separate legislation to monitor and safeguard health data. In addition to the Personal Data Protection Bill, 2019, the government has also introduced the Digital Information Security in Healthcare Act (DISHA), which aims to standardize and regulate the process related to storing, transmission and use of ‘digital health data’ to ensure reliability, data privacy, confidentiality and security of digital health data, along with the establishment of a ‘National Digital Health Authority’ and ‘Health Information Exchanges’. Further, the government has also released a Health Data Management Policy for establishing minimum standards of data protection and ensuring security and privacy in the health system of India. Recently, in Balu Gopalakrishnan v. State of Kerala, the Kerala High Court, while dealing with the protection of the personal data of individuals who were COVID-19 positive, passed an interim order focusing on the breach of confidentiality issue and stated that it is the duty of the state government to ensure that all the information is anonymized before it is shared with a third party and that, in future, the specific consent of the citizens is a must. Furthermore, the court also stated that once the contractual obligation ends, the third party must entrust such data back to the state government, and the third party was prohibited from advertising or representing that it has access to any such data. Following the court order, the State released certain guidelines to be followed in the collection of COVID-19 patients’ information. It is certain from this case that there are many loopholes that can be abused and need to be addressed at the earliest.

Another piece of legislation that could provide a forum for patients to approach and put forth their grievances is the Consumer Protection Act, 2019. In Indian Medical Association v. V.P. Shanta, the Supreme Court held that medical services would come within the purview of the Consumer Protection Act. Therefore, the hospital or the doctor could be made liable under the Consumer Protection Act, 2019 for negligence arising from lack of care in maintaining electronic records.

Challenges in the usability of EHR

Electronic Health Records are unquestionably an upgrade to the traditional system of paper-based tracking. Nevertheless, the success of this technology is entirely based upon its effective implementation. For the longest time, records of patients were maintained on paper, and adapting to the new methods and technologies is a challenge. For example, in general, there is doctor-patient confidentiality, but with electronic records, much of the sensitive information is on the internet and vulnerable to breach. Therefore, in this segment, we’ve tried to understand the challenges in the usability of EHR. Usability is the extent to which a specific technology can be used by specified users efficiently. The main concern with respect to the usability of EHR is that any error in such technology will directly result in harm to the patient.

  • Data entry

Patient records need to be carefully entered and managed. While EHR is advantageous in many ways, we cannot rule out the fact that it is a huge responsibility. Since data entry is manual, there is always room for errors in medical administration, which could lead to adverse drug reactions, wrong dosage, duration or concentration, etc. Any mishap would result in a huge blunder, considering the fact that in the future medical professionals will rely completely on EHRs to treat patients. For example, if the data entered relates to the administration of medicines, even the slightest shift in the decimal point of such an entry would change the dosage from 4.2 mg to 42 mg, which could potentially lead to the patient’s ill health or could even result in death. According to a study conducted for a research article, it was found that out of 9000 patient safety reports, approximately 36% of the patients had a usability issue that contributed to the medication event, 18.8% of whom had incurred harm, and the most common medication error was improper dosing.

One may wonder whether this would constitute medical negligence and attract tortious liability. According to Winfield, negligence can be defined as a breach of the legal duty to take care which results in damage, undesired by the defendant, to the plaintiff. Medical professionals owe such a legal duty of care towards their patients, and it extends to all clinicians, paramedics, nursing staff etc. In such instances, accountability has not yet been fixed. It is imperative that either the Ministry of Health and Family Welfare or the Medical Council of India make rules or guidelines which prescribe a stringent technique to ensure that due care and diligence are exercised while entering patient records.

  • Adaptability

EHR also poses a problem of adaptability. Initial implementation of the EHR can be manageable, but the system will also change dynamically over time. There could be a variety of new features that the clinician is not well equipped to use and that the users may not be aware of. It may undergo a variety of changes from the inception of its implementation onwards. Hence, quality training regarding EHR is of utmost importance to ensure that the users, as well as clinicians, are well equipped with the new technology. An effective training program is essential to improve EHR usability so as to improve customer satisfaction.

  • Accessibility

EHR is growing rapidly, but it is not always suitable and accessible to everyone. Before making implementation of EHR compulsory, one has to consider whether such a system is easily accessible and available to everyone. In the Indian context, many patients who hail from rural areas may not be aware of the technicalities, and access to the internet is another issue. While the urban areas are adapting to such changes, the rural population is left behind. Hospitals in remote areas lack the infrastructure or the adequate staff to handle such highly equipped technology. Thus we could say that mandatory implementation of EHR is not suitable in every part of the country.

  • Availability of information

Firstly, it is essential that information be entered and stored accurately; however, it is also important that the information is entered in the precise location and within a prescribed time. Delay in feeding information could potentially lead to delay in medical assistance and pose harm to the health of the patients. For example, if the e-prescription has not been uploaded on time, the patient may not have the medicines at the right time. Inaccessibility of information in EHR poses a similar threat. Secondly, there is a problem with interoperability. Communication of information in electronic health records has to be smooth. If it is not, medical professionals cannot treat a patient effectively, because they cannot even access the patient’s medical history. Without any paperwork, complete reliance is placed upon electronic records, and they have to be accessible in full. There needs to be an agency that could verify and ensure that the electronic health records are interoperable and also update standards for adequate implementation.

  • Privacy

Privacy as we know it is a very complicated concept. The right to privacy was recognized as a fundamental right by the Apex Court in Justice K.S. Puttaswamy v. Union of India. An individual’s medical information which relates to past, present or future physical or mental conditions and is created, stored, transmitted or received electronically is called Protected Health Information (PHI). As the name suggests, it is supposed to be protected, but information stored electronically is vulnerable and susceptible to a security breach. Sensitive information includes passwords, financial information, physical, psychological or mental health condition, sexual orientation, medical records and history, biometric information, and any information relating to these that is received, stored or processed by the body corporate under a lawful contract or otherwise.

It is further provided that it will be the responsibility of the healthcare provider to protect and secure the health information, and disclosure of any protected or sensitive information is possible only with the consent of the patient or the next of kin. However, information can also be disclosed without the patient’s consent in certain cases: where the law mandates reporting of notifiable diseases, on a court order, or where the data is totally anonymized. Electronic Health Record Standards provided by the government are not sufficient alone to protect the information stored.


It is estimated that by the year 2025, the delivery of healthcare in India could potentially be transformed through complete remote health services and digitally-enabled healthcare workers. By bringing technological advancements in the healthcare sector to remote areas, they can be made beneficial to even the poor and disadvantaged sections of society. However, for effective implementation and smooth working, it is necessary to (i) ensure the patient’s safety and monitor his health conditions frequently, (ii) conduct surveys and (iii) conduct training programs. Nevertheless, in reality, even after the safeguards, there’s a possibility that the reports may not always capture the actual number of incidents. Therefore, the government, as well as the hospital authorities, must work towards improving electronic healthcare, as it has a direct impact on public health. EHR usability can be optimized through training and a team of health IT professionals who can help overcome complications with the evolution of technology. It would be safe to say that to prevent such errors there should be a balance between paperwork and electronic records, as placing complete reliance on just technology may not resolve the issue, due to the difference between the ground reality and the manner in which the technology is implemented. Further, it is pertinent to note that both the Digital Information Security in Healthcare Act (DISHA) and the Personal Data Protection Bill, 2019 have not been passed by the Parliament yet, but they are indeed the need of the hour.
