This article has been written by Preetham Kumar, pursuing an MBA with Specialisation in Data Protection and Privacy Management (From Swiss School of Management) from LawSikho. It has been edited by Zigishu (Associate, Lawsikho).
It has been published by Rachit Garg.
Table of Contents
Perceiving digitalization as a transformational energy
“The future of Healthcare is Digital – not just in Digitally enabled care delivery such as telehealth and Remote monitoring, but in the use of data as a Strategic Asset”
~ ECG Management Consultants
Digitalization is Transformational – it’s not just about making existing data digital but also harnessing the ability of digital technology to capture and collect data, process it, establish insights and trends, make better business decisions, and also enable new business models (Digitization, on the other hand, is a process of converting existing data and processes from analog to digital). Digital Technologies are used to alter and change a business model to increase revenue and find new value-producing opportunities.
The larger objective or the long-term idea of digitalization is to enable automation processes, increase data quality, efficient collection, and being able to structure all types of data such that the application of advanced technology can create better and smarter software infra and systems.
Understanding digitalization in healthcare
With the emergence of Digitalization, traditional processes of collecting data were no longer viable. Simply put, no one wanted to use a long manual register to make data entry with a pen anymore. Digitalization therefore invented easy processes that made every organization’s “burden of maintaining data” easy. The privilege is not just limited to data-collection, rather it extends to every cohort that uses data for one or the other purpose – storing, retrieving, accessing, transferring etc.
Processes powered by digitalization are like a backbone to service sectors, especially in a country like India. Medical sector is one such service vertical where digitalization can create wonders. As a trillion-dollar industry, the medical sector houses hospital care, clinical services, dental care, nursing homes, home healthcare, medications, pharmacy, research and development to say the least. And in many ways, digitization is already enabling medical practitioners and experts from all these areas to reach out to people in need with authentic information – may it be consultation, service, creating awareness etc. Infusing social media channels with proper medical information and enabling doctors to connect with their current and potential patients goes a long way in creating an efficient and affordable healthcare system. To say the least, it can potentially make healthcare accessible to remote places free of cost.
Benefits of such a digitized health care system are priceless
In an overview –
- It establishes better coordination between health care professionals and patients. Patients no longer have to carry a booklet of their medical history with them wherever they go. Simply uploading them on to a drive or a cloud can help any professional get access to their health condition.
- A patient’s willingness to comply with a protocol influences recovery and well-being. In the long run, this will reduce healthcare costs as well.
- With wearable medical gadgets, access to vital information such as a person’s heart rate and physical activity such as walking can be tracked. All these gadgets are connected to a smartphone which is then connected to the internet. All this vital information is connected to a cloud, and/or be routed to your doctor in real time. Therefore, digitization has made it easier to monitor progress and identify alarming situations proactively.
All these applications and more are for sure a boon to mankind. But healthcare data is largely real-time with a short retention span. For example, a man’s abnormal heartbeat today can cost him his life in a matter of hours. A diabetic person’s chronic illness can be managed efficiently only if he gets access to medical information at the right time. From such examples it is easy to understand that ‘Time’ and ‘data,’ are crucial for the success rate of a digital healthcare management system. However, access to these two can probably expose patiens’ s data to risk, compromising their privacy.
Understanding health data
Health data that contributes to the above includes – inpatient-outpatient history, pharmacy-related data, enrollment details (name, address, age, dob, email, telephone number), financial transaction through payments, investments made through insurances, recovery time, most-suitable medicines, most purchased medicines, interests and preferences, brand affinity, ethnicity, gender, most visited departments and so on.
All these data sets are categorized as PII [Personally Identifiable Information] or in other words are classified as Sensitive Information that can identify a person. In the Health care sector, this is otherwise called as patient’s Protected Health Information [PHI].
In the wrong hands, data of this type can be exploited for commercial purposes.
Impact of breach in health data
Hackers usually target such PII for financial and insurance information. Using the two, anyone can commit financial identity theft (stealing money from someone else’s account) or medical identity theft (for example, a drug trafficker might use fraudulent insurance information to purchase prescription drugs or someone may use this information to submit fraudulent claims to Medicare and other health insurers without your authorization, disrupting your medical care.
In some instances, fraudsters mine this data to understand the preferences and demand of certain brands and medicines. Knowing this can lead a manufacturer to establish monopoly, kill competition and charge exorbitant amounts of money for a generic drug which may be in demand.
Alternatively, specific consent is required for fair use of non-routine and non-healthcare purposes. The information can be disclosed without the patient’s consent when
a) there is a reporting of notifiable or communicable disease mandated by law,
b) by court order and
c) if it is totally anonymized data.
Privileges provided to patients include inspection and access to their records without any time limit, restricted access to and disclosure of individually identifiable health information and a need to provide explicit consent to allow access and disclosures, which will be audited.
Accessing and mitigating risks of Electronic Health Records [EHR]
Inaccurate or incomplete information about a patient can potentially lead to misdiagnosis of a condition. This can severely impact a patient’s life. Provision to update data within the existing digital process (or EHR) should be made.
Cost is another major factor- Creating a digital system can be expensive. Digitalization is not only about installing software that can collect and store data. It is about creating an infra that supports interoperability, privacy, authorization, security, and encryption. A lot of service providers do not invest in data privacy due to its cost. Investing in a digital solution which supports both operations and security can save an entity in the long run.
The Department of Health and Human Services [HSS] in India does not recognize Health data privacy Acts like HIPAA (Health Insurance Portability and Accountability Act) directly, but indirectly derives many aspects/elements from it such as Privacy, Security, and Breach Notifications. HIPAA compliance addresses operations like (1) Self-audits (2) Gap identification and remediation (3) Policies and procedures (4) Employee training (5) Business associate management (6) Incident management. Therefore, it may not be a bad idea to develop a software system bearing all the above compliance programs in mind.
Data privacy regimes in India
Electronic health records (EHR) were first heard of in the 1960s. Although it was in an ideation phase, the intent was to have records that could hold details like patient history, diagnosis, laboratory results, allergies, details of immunization, treatment etc. in digital format.
The Ministry of Health & Family Welfare (MoH&FW) first issued guidelines for Electronic Health Record in September 2013 based on the recommendations of the EMR Standards Committee. The guidelines were revised and re-introduced in December 2016. The guidelines contain instructions related to ownership of the data recorded. To that extent, the healthcare provider is identified as a trusted party who holds the data for the patient. The medium of storage or transmission of such records is also owned by the healthcare provider.
The collection, transfer, recording and holding of Sensitive Personal Data or Information (SPDI) in electronic form is detailed out under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. It is a set of rules formed under the Information Technology Act 2000. These rules apply to any corporate organization or entity dealing with SPDI of a person.
In 2018, the Parliament introduced the Digital Information in Healthcare Security Act, 2018 (DISHA), for promotion and adoption of e-health standards in India. It is a legislation which aims to provide better data privacy, confidentiality, security and standardization. The idea extends to create regulatory authorities both at central and state level, the National Electronic Health Authority (NeHA) and the State Electronic Health Authority (SeHA).
In 2019, the Personal Data Protection Bill or PDP Bill was also introduced by the Parliament. It applies to processing of personal data where such data has been collected, disclosed, shared or otherwise processed in India and processing of personal data by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law. The scope is wide enough to also apply to foreign companies processing personal data in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India.
Conclusion
The rise of digital health data has opened up various avenues for third parties who want to abuse it. In many countries there are laws and regulations issued in order to provide data privacy for digital health and to prevent health records being misused and stolen. However, in India, both the bills, DISHA and the PDP, have not been passed by the Parliament as of yet and await enactment. NITI Ayog (National Institution for Transforming India) formulated a plan called ‘National Health Stack’ with an aim to create digital health records of all the citizens by the year 2022. It will be interesting to see how this concept evolves in India.
| “The future of Healthcare is Digital – not just in Digitally enabled care delivery such as telehealth and Remote monitoring, but in the use of data as a Strategic Asset”~ ECG Management Consultants |
Perceiving digitalization as a transformational energy
Digitalization is Transformational – it’s not just about making existing data digital but also harnessing the ability of digital technology to capture and collect data, process it, establish insights and trends, make better business decisions, and also enable new business models (Digitization on the other hand is a process of converting existing data and processes from analog to digital). Digital Technologies are used to alter and change a business model to increase revenue and find new value-producing opportunities.
The larger objective or the long-term idea of digitalization is to enable automation processes, increase data quality, efficient collection, and being able to structure all types of data such that the application of advanced technology can create better and smarter software infra and systems.
Understanding digitalization in healthcare
With the emergence of Digitalization, traditional processes of collecting data were no longer viable. Simply put, no one wanted to use a long manual register to make data entry with a pen anymore. Digitalization therefore invented easy processes that made every organization’s “burden of maintaining data” easy. The privilege is not just limited to data-collection, rather it extends to every cohort that uses data for one or the other purpose – storing, retrieving, accessing, transferring etc.
Processes powered by digitalization are like a backbone to service sectors, especially in a country like India. Medical sector is one such service vertical where digitalization can create wonders. As a trillion-dollar industry, the medical sector houses hospital care, clinical services, dental care, nursing homes, home healthcare, medications, pharmacy, research and development to say the least. And in many ways, digitization is already enabling medical practitioners and experts from all these areas to reach out to people in need with authentic information – may it be consultation, service, creating awareness etc. Infusing social media channels with proper medical information and enabling doctors to connect with their current and potential patients goes a long way in creating an efficient and affordable healthcare system. To say the least, it can potentially make healthcare accessible to remote places free of cost.
Benefits of such a digitized health care system are priceless
In an overview –
- It establishes better coordination between health care professionals and patients. Patients no longer have to carry a booklet of their medical history with them wherever they go. Simply uploading them on to a drive or a cloud can help any professional get access to their health condition.
- A patient’s willingness to comply with a protocol influences recovery and well-being. In the long run, this will reduce healthcare costs as well.
- With wearable medical gadgets, access to vital information such as a person’s heart rate and physical activity such as walking can be tracked. All these gadgets are connected to a smartphone which is then connected to the internet. All this vital information is connected to a cloud, and/or be routed to your doctor in real time. Therefore, digitization has made it easier to monitor progress and identify alarming situations proactively.
All these applications and more are for sure a boon to mankind. But healthcare data is largely real-time with a short retention span. For example, a man’s abnormal heartbeat today can cost him his life in a matter of hours. A diabetic person’s chronic illness can be managed efficiently only if he gets access to medical information at the right time. From such examples it is easy to understand that ‘Time’ and ‘data,’ are crucial for the success rate of a digital healthcare management system. However, access to these two can probably expose patiens’ s data to risk, compromising their privacy.
Understanding health data
Health data that contributes to the above includes – inpatient-outpatient history, pharmacy-related data, enrollment details (name, address, age, dob, email, telephone number), financial transaction through payments, investments made through insurances, recovery time, most-suitable medicines, most purchased medicines, interests and preferences, brand affinity, ethnicity, gender, most visited departments and so on.
All these data sets are categorized as PII [Personally Identifiable Information] or in other words are classified as Sensitive Information that can identify a person. In the Health care sector, this is otherwise called as patient’s Protected Health Information [PHI].
In the wrong hands, data of this type can be exploited for commercial purposes.
Impact of breach in health data
Hackers usually target such PII for financial and insurance information. Using the two, anyone can commit financial identity theft (stealing money from someone else’s account) or medical identity theft (for example, a drug trafficker might use fraudulent insurance information to purchase prescription drugs or someone may use this information to submit fraudulent claims to Medicare and other health insurers without your authorization, disrupting your medical care.
In some instances, fraudsters mine this data to understand the preferences and demand of certain brands and medicines. Knowing this can lead a manufacturer to establish monopoly, kill competition and charge exorbitant amounts of money for a generic drug which may be in demand.
Alternatively, specific consent is required for fair use of non-routine and non-healthcare purposes. The information can be disclosed without the patient’s consent when
a) there is a reporting of notifiable or communicable disease mandated by law,
b) by court order and
c) if it is totally anonymized data.
Privileges provided to patients include inspection and access to their records without any time limit, restricted access to and disclosure of individually identifiable health information and a need to provide explicit consent to allow access and disclosures, which will be audited.
Accessing and mitigating risks of Electronic Health Records [EHR]
Inaccurate or incomplete information about a patient can potentially lead to misdiagnosis of a condition. This can severely impact a patient’s life. Provision to update data within the existing digital process (or EHR) should be made.
Cost is another major factor- Creating a digital system can be expensive. Digitalization is not only about installing software that can collect and store data. It is about creating an infra that supports interoperability, privacy, authorization, security, and encryption. A lot of service providers do not invest in data privacy due to its cost. Investing in a digital solution which supports both operations and security can save an entity in the long run.
The Department of Health and Human Services [HSS] in India does not recognize Health data privacy Acts like HIPAA (Health Insurance Portability and Accountability Act) directly, but indirectly derives many aspects/elements from it such as Privacy, Security, and Breach Notifications. HIPAA compliance addresses operations like (1) Self-audits (2) Gap identification and remediation (3) Policies and procedures (4) Employee training (5) Business associate management (6) Incident management. Therefore, it may not be a bad idea to develop a software system bearing all the above compliance programs in mind.
Data privacy regimes in India
Electronic health records (EHR) were first heard of in the 1960s. Although it was in an ideation phase, the intent was to have records that could hold details like patient history, diagnosis, laboratory results, allergies, details of immunization, treatment etc. in digital format.
The Ministry of Health & Family Welfare (MoH&FW) first issued guidelines for Electronic Health Record in September 2013 based on the recommendations of the EMR Standards Committee. The guidelines were revised and re-introduced in December 2016. The guidelines contain instructions related to ownership of the data recorded. To that extent, the healthcare provider is identified as a trusted party who holds the data for the patient. The medium of storage or transmission of such records is also owned by the healthcare provider.
The collection, transfer, recording and holding of Sensitive Personal Data or Information (SPDI) in electronic form is detailed out under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. It is a set of rules formed under the Information Technology Act 2000. These rules apply to any corporate organization or entity dealing with SPDI of a person.
In 2018, the Parliament introduced the Digital Information in Healthcare Security Act, 2018 (DISHA), for promotion and adoption of e-health standards in India. It is a legislation which aims to provide better data privacy, confidentiality, security and standardization. The idea extends to create regulatory authorities both at central and state level, the National Electronic Health Authority (NeHA) and the State Electronic Health Authority (SeHA).
In 2019, the Personal Data Protection Bill or PDP Bill was also introduced by the Parliament. It applies to processing of personal data where such data has been collected, disclosed, shared or otherwise processed in India and processing of personal data by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law. The scope is wide enough to also apply to foreign companies processing personal data in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India.
Conclusion
The rise of digital health data has opened up various avenues for third parties who want to abuse it. In many countries there are laws and regulations issued in order to provide data privacy for digital health and to prevent health records being misused and stolen. However, in India, both the bills, DISHA and the PDP, have not been passed by the Parliament as of yet and await enactment. NITI Ayog (National Institution for Transforming India) formulated a plan called ‘National Health Stack’ with an aim to create digital health records of all the citizens by the year 2022. It will be interesting to see how this concept evolves in India.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:
Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.
