This article is written by Raghav Goyal and Kshitij Dahiya, students of Campus Law Centre, University of Delhi.
Table of Contents
Introduction
The pervasive nature of modern technologies is going to bring a revolution in the healthcare industry. Technologies such as artificial intelligence (AI), natural language processing (NLP), Internet of Medical Things (IoMT), cloud computing, 5G technology and use of drones can help deliver health care services in ways that consumers prefer to receive them. Data as a Platform (DaaP) can be used as an opportunity area to extract insights from patient data.[i]
With the government’s agenda to introduce National Digital Health Mission (NDHM), the confluence of digitisation and privacy of patients will be an arduous task in a populous country like India where the personal data protection bill is yet to be passed; there exist no clear signs of enactment of Digital Information Security in Healthcare Act (DISHA) and finally the existence of Information Technology Act 2000 which does not meet the demands of the year 2020.
NDHM projects to reduce the prevailing gap between various stakeholders such as doctors, hospitals, pharmacies, insurance companies and most important citizens by interlinking them in an integrated digital health infrastructure system, within the ambit of the guidelines issued by the government, Personal Health Record (PHR) and Electronic Medical Record (EMR) solutions can be developed by private entities. Such solutions should satisfy the standards of security and privacy of the NDHM ecosystem.
With the arrival of the COVID-19 pandemic, home healthcare has taken prominence as consumer receptiveness towards out-of-hospital and at-home services across the care continuum – consultation, diagnostics, and in-patient care has increased.
Why the digitisation of healthcare variables?
The advantages of digitising healthcare variables are profound and contribute to the proficient use of technology to fast track medical care and which can be leveraged by the Government to commit to Universal Health Coverage for all citizens and to make healthcare affordable and accessible.
Cloud Computing ensures secure interfaces and almost unlimited storage capacity, it provides instant access to patient data by healthcare professionals. Information can be stored and accessed as fast as possible.
Today patients find themselves spending less time with physicians and more by themselves in the form of self-care. Digital devices are being used as diagnostic tools to achieve this, patient resort to technology to equip themselves with more medical information and use wearable and IoT connected devices for self-monitoring of BP, blood sugar etc. This requires the use of telemonitoring devices by remote patients.
Types of Healthcare Data Collected
According to the strategy document of the National Health Authority (NHA), directories of various capacities will be set up to collect data for establishing an online ecosystem such as the facilities directory will record and be a unique identifier for each health facility all across the country, it will include hospitals, clinics, diagnostic centres, pharmacies etc.
While the Doctors directory will consist of records of every doctor registered with the medical council and map them with the facilities they are associated with. The nurses and paramedical directory will include details of medical support staff and will also include their respective certifications.
The health workers directory will consist of health workers which work as an auxiliary workforce like those of ASHA workers who help enable home healthcare services. The allied professionals’ directory will include other important roles in the industry such as qualified administrators, health information technology specialists, disease coders, Pradhan Mantri Arogya Mitras, etc.
Health Registries
According to the strategy document, a separate health registry should be set up which should include the disease, blood and organ donor registries. The disease registry should record each incidence of disease in the population like that of the national cancer registry. The blood and organ donor registries contain protected health information for donors as well as recipients in line.
Health Information Exchange
The generation and accessing of health information is would be prevalent on the digital platform hence the establishment of dedicated information systems would be imperative. The Health Information Exchange would be responsible for authentication and authorization of all data exchange requests. The primary aim of such an exchange would be to route the requests to applications demanding the data. Such an exchange should be real-time by the implementation of open Application Programming interface. Each access application which needs to submit or retrieve any information from the set blueprint has to be registered with the Health Information Exchange (HIE).
Hence such a health information ecosystem would ensure that the health information by a visit to the public health facilities and those being recorded under health programmes such as Reproductive and Child Health, NIKSHAY (TB reporting platform) and Ayushman Bharat scheme will be included in the patient’s longitudinal health record. The government is also planning to build a database on Sickle Cell Disease, interlinking of such a database to an ID can increase the effectiveness of such a system.
Prospective and Current Regulatory environment in India
National Digital Health Mission
The National Digital Health Mission encompasses six key digital interface items – Health ID, DigiDoctor, Health Facility Registry, Personal Health Records, e-Pharmacy and Telemedicine. All of these digital products except telemedicine and e-Pharmacy have been deployed and are up and running and have been launched as a pilot program in six union territories.
The core building blocks of NDHM which include the Health ID, Digi-Doctor and Health Facility Registry shall be owned, operated and maintained by the government of India. The facility of building private platforms through the integration of these core blocks will be given to the private players. However, activities such as the generation of Health ID or approval of a doctor shall remain with the government.
It is imperative to understand that even if a person exercises his or her right to refuse a health ID, the treatment will be allowed then as well according to the strategy overview document, under the NDHM. Obtaining a health ID, however, does not mean that benefits of an incumbent scheme would be directly accessed by the holder. The government will first check for eligibility of the individual under the scheme and then link to the ID.
Digital Information Security in Healthcare Act (DISHA)
The draft bill for Digital Information Security in Healthcare Act (DISHA) was introduced in 2017. The main purpose of DISHA is to help establish a National eHealth Authority for the regulation of health information as well as standardize the process related to the collection of digital health data and to ensure the reliability for the same, it is pertinent to note that it remains whether DISHA will be enacted or not given that PDP is still under the consideration of the joint parliamentary committee.
Maintenance of Insurance records Regulations 2015
The IRDAI Maintenance of Insurance records Regulations 2015 consists of a data localization requirement, which pertains to all the policies issued and claims made in India, which are to be to be maintained and controlled in data storage centres present within the territorial boundaries of India. The insurance industry is highly susceptible to changes in the digital ecosystem, which could be leveraged to make the insurance market more transparent. Cyber Insurance is yet another opportunity that can be leveraged and taken into account by the industry and regulators alike.
Standard for Consent Management
Consent ensures that collection of data is consistent with the legal rights of the patients and it also ascertains the consequent use of the patient data to be within the legal framework. The International Standards Organisation has prescribed principles and data requirements for consent of personal health information in its ISO/TS 17975:2015 standard which is reviewed every 5 years. The Ministry of Electronics and Information Technology has also issued an electronic consent framework called Electronic Consent Framework (Technology Specifications v1.1)
Criticism and Suggestions
RIGHT TO HEALTH
While the government claims that the introduction of NDHM in the country will push the country one step closer to achieve United Nation’s Sustainable Development Goal of Universal Health coverage as it will be encompassing the key aspects of this goal of providing access to quality essential health care services, medicines and vaccines for all yet the government has failed to cover the first aspect of this goal. It was raised in the National Health Policy, 2015, where it asked the legislature to pass a Health Right Bill to make health a fundamental right similar to Right to Education. It directed the Centre and state governments to establish National Health Rights Act, after their due discussion, which will ensure health as a fundamental right, whose denial will be justiciable. Therefore, we must take baby steps to ensure Right to health for all so that it becomes a justifiable right.
ABSENCE OF PRIVACY LAWS IN INDIA
At present India lacks a specific data protection law. With the absence of Data Protection Law in the country, it will be hard for the government to convince the state that their data is secured and is not prone to any unscrupulous data breach.
PROPOSED PERSONAL DATA PROTECTION LAW
After the Supreme Court’s landmark judgment in the Justice KS Puttaswamy case the court observed that privacy of personal data is an essential aspect of the right to privacy. Following which the court asked the government to legislate a specific law on personal data privacy. A Committee of Experts, chairman Justice B. N. Srikrishna, was formed which after examining the issues of privacy and protection of data in India submitted its report along with a Draft proposing Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology.
Bill provides regulations concerning processing, collecting and storage of personal data of an individual. It governs the processing of personal data, once collected by both government and private entities incorporated in India. It also governs foreign entities as well, if they deal with personal data of individuals in India. It also provides individuals with certain rights over their data, which regulates and in some cases prohibit any processing or transfer of their data to different fiduciaries, without their consent. Bill also proposes setting up of data protection authorities and many more advantages taking inspiration from EU’s GDPR law.
The bill yet to be passed is still on the table, it was to be passed in the monsoon session of Parliament, 2020 but has been delayed due to unforeseen circumstances of Covid-19.
REDUNDANCY OF CURRENT DATA PROTECTION LAW
Due to inexistence of any specific data protection law, the usage and transfer of personal data of citizens are regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000, whereas at the time of introduction of regulations the aforementioned acts were a novel step at data protection but with the pace of time and advancement in digital technologies, these regulations have become narrow and stand outdated[ii], for instance:
- Data covered under the definition of Sensitive Personal Data is too narrow in today’s context.
- Some provisions can be overridden by the contract between the parties.
- This law provides only compensation, only when a wrongful gain or loss results from the failure to observe reasonable security practices and procedures (RSPP), which is nothing but only a mere codification of the law of negligence.
- Basic privacy rules have been issued by the government to highlight what constitutes RSPP, which should be more comprehensive.
- The IT Act applies only to the companies and not to the government.
Recommendations concerning the collection and processing of health care data include:
- The Government must seek to establish National registries that are trusted and have wide participation.
- The structure of the health information exchange should be such that multi-channel solutions by participating entities to ensure cross channel capabilities must be present to ensure an open market ecosystem.
- Health analytics data should which is sent mandatorily to one or more government-controlled analytics systems should be shared with private entities on request for such data.
The government finally must launch the proposed National Policy on Security of Health Systems and Privacy of Personal Health Records. The implementation of NDHM without requisite safeguards is a recipe for disaster.
International Perspective
UNITED KINGDOM
Initially, the United Kingdom parliament passed The Data Protection Act 1998 (DPA 1998), which defined how data about living people may be legally used, processed and handled. The main intention was to protect individuals against misuse or abuse of their personal information. However general UK citizens trusted the NHS to protect their confidentiality of personal information, there’ve been certain cases where breaches of security or inappropriate sharing of confidential information occurred, eroding the trust of citizens. In response, the UK government updated the NHS Constitution in 2013 which introduced a new right for patients to request that their information is not shared beyond their care and specific items of information not to be shared with others involved in providing the care as well.[iii]
USA
The United States has introduced multiple statutory laws to regulate the privacy of digital healthcare variables. Acts such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), The Genetic Information Non-discrimination Act of 2008 (GINA). The former established national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge, while the latter prohibits genetic discrimination in health insurance and employment. GINA renders decisions made by health insurance providers based on genetic information is illegal.
EUROPE
The European Union has enforced General Data Protection Rules (GDPR) in 2018, which replaced the Data Protection Directives of 1995. It is a legal framework which is comprehensive in nature and deals with all kinds of Personal Data processing while delineating the obligations and rights of parties in details. It lays down the fundamental rules and norms to protect the private data of Europeans, in all its facets. This legal framework has been adopted by as many as 67 countries outside Europe, due it’s both technological and sector-agnostic protection of privacy.[iv]
We must learn from the failures of existing data regulation laws and Personal Data Protection Laws of other countries. It showcases that safeguards are required to be enacted otherwise the fear of vulnerability of Personal Health data will discourage people of the country from their voluntary registration for the National Health ID.
Conclusion
India is much sought after for Medical Tourism due to its cost-effective treatment techniques and hence could rise as a major player by using digitisation of healthcare to its advantage by providing telemedicine and digital diagnostics to foreign citizens as well.
As all players of the healthcare industry such as laboratories, hospitals, insurance companies, online pharmacies and telemedicine firms will be active participants in the health ID system. The information exchange system will be seamless to ensure equitable accessibility.
But all these advantages will only be realised when we as the citizen or beneficiary of the scheme are ensured that there exist prudent laws to safeguard our personal data in the universe of Health Information Exchanges or Are Indians willing to volunteer for a Health ID without the existence of a stringent law structure to protect our sensitive personal information? This is a question we all must ask ourselves.
References
[i] Global health care sector issues in 2020 by Deloitte
[ii] https://www.prsindia.org/theprsblog/personal-data-protection-bill-2019-all-you-need-know
[iii]https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/535024/data-security-review.PDF
[iv]https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join:
