Covid-19 and Electronic Health Records: A Dilemma for Privacy and Confidentiality (Part-I)


Technological advancements have bridged the gap between vision and reality. Health sector has magnanimously improved in toto but certain appendages need a quick upgrade. Discarding conventional systems might sound the most feasible option in the times of COVID-19, however, we must not turn a deaf ear to the privacy concerns which come along with the adoption of upgraded systems. If information is computerised, it is vulnerable to privacy breaches resulting from hacking and the medical records which are integrated and available at different healthcare institutions alongside other important data, can be accessed from different places by different users and this increases the risk of invasion of privacy. The authors aim to provide an analysis of the existing legal framework and the methods which can help us achieve a uniform digital healthcare system. The linguistic diversity and the shades of class differentiation make implementation of a digital healthcare system a unique case in itself.

Interoperability- Privacy Conundrum

In U.S, the Health Insurance Portability and Accountability Act 1996 is the piece of legislation which governs interoperability and confidentiality of the electronic health records of the patient, but HIPAA serves for the greater public interest, i.e., when the patient information is very valuable for medical research and study over diseases, doctors and medical professionals are authorized to take the health information. Patient authorization is required in case the information is shared or transferred to corporate bodies and business entities like drug manufacturers. HIPAA originally regulated protected health information (PHI) in the hands of “covered entities”, defined as health plans, health care clearinghouses, and health care providers who transmit health information electronically in certain health information transactions.[1] This is the drawback of HIPAA; it does not absolutely and universally protect the privacy rights of the person and thereby has a limited scope.

This limitation has potential to infringe the privacy of the patient. Medical Identity Theft (MIT) is the theft of a person’s identifiable health records by which one can gain access to better medical treatment and medicinal goods or to reimburse less medical cost on the other account.[2] This can be done by medical staff of the hospital or the internal employees. Potential sale of information to third parties could lead to the invasion of privacy of the individual.

There are several cases in which the issue of confidentiality and privacy was raised and various courts have had similar views regarding the issue. The Court of Appeals for the Third Circuit, in the case of United States v. Westinghouse Electric Corp.[3], dealt with the question of whether the National Institute for Occupational Safety and Health (NIOSH) was entitled to direct an employer to produce documents under the Occupational Safety and Health Act of 1970.[4] The issue held importance since the court attempted to attune the privacy interests of employees in their medical records with the public interest in research designed to improve occupational safety and health.[5] The court through this case asserted that where a person leads a private life within a private enclave, he as an individual, is entitled to retain the information pertaining to one’s body and health. The conflict between the dominance of privacy and public interest forms the locus of the dilemma. Several other factors including presence of express statutory mandate, public policy, type of record requested, the necessity to safeguard unauthorized disclosure and various public interest discouraging access, play a crucial role in shaping the discourse on this issue.

Derogation of Anonymised Data

The Court of Appeal in R v. Department of Health[6], dealt with the issue of breach of privacy in relation to sharing anonymised data. The court was of the opinion that in relation to fully anonymised data, no duty of confidence arose. However, the court emphatically stated that the information must be used only for scientific research purposes.

De-personalisation of the anonymised health data before disclosure was clearly laid down in the case of Common Services Agency v. Scottish Information Commissioner.[7] Under the second data protection principle, the individual whose data is being anonymised is entitled to a notification. The notification pertains to the purposes of such ‘processing’ and must be notified by the data controllers.[8]

The Data Protection Act, 1998 of the United Kingdom states that health data cannot be processed arbitrarily. Explicit consent is necessary to process health data considering its sensitive nature. The health data can be processed in the absence of explicit consent when it is to be used for medical purposes or when a duty of confidentiality is owed by the professional in that particular circumstance.[9] Mere anonymisation of data is not the solution. The Data Protection Directive (EU) states that anonymised data should be de-personalised to strengthen the privacy of the individual.

India vis-à-vis Electronic Health Records

In India, doctors are more inclined towards conventional paper health records and the information is only shared with the patient and his family. There lies an obligation of confidentiality between the doctor and the patient as per the Indian Medical Council Regulations.[10] If the medical professional transfers or discloses the health information, then he would be guilty of professional misconduct.[11] Doctors and medical professionals are permitted to disclose and transfer data only to public health authorities in rare circumstances, i.e., when the interest of the public at large is involved or in the case of serious and identified risk.[12] The Government of India has introduced a uniform system of Electronic Health Records to be followed by the Hospitals and healthcare providers across the nation. The Ministry of Health and Family Welfare (MoH&FW) had notified the EHR Standards for India in 2013. These were revised in December 2016. A standard system of identification and naming is envisaged by SNOMED CT. India has put its faith in the evolution of a common global language for health terms.

National Resource Centre for EHR Standards (NRCeS), a program of the Ministry of Health and Family Welfare (MoHFW), can play a pivotal role in fighting the pandemic. Government of India released India COVID-19 Extension for SNOMED CT. This was a praiseworthy step since this was done to document essential clinical information for managing the spread of the disease in India.

There is no uniform healthcare setup in India. There is no common method of using drug codes and this lack of a uniform format of documenting information, leads to input errors, misinformation and a plethora of other practical problems. Thus, it is imperative to analyse the existing legal framework and plan further actions accordingly. The authors have tried to debunk existing data protection laws and our tools to deal with sensitive information and health data.

India has been rapidly digitizing its healthcare system and information management. Thus, this demands a codification of this piece of information, which must be made available across all systems. This would make exchange of health data an errorless activity. These common drug codes are being provided by the National Resource Centre for EHR Standards (NRCeS).


(This post has been authored by Aditya Shekhar and Abhishek Choudhary, second year law students at National Law University, Jodhpur)




  1. Department of Health and Human Services, 45 C.F.R. (2010), § 160.103,

  2. Janine Hiller, Matthew S. McMullen, Wade M. Chumney & David L. Baumer, Privacy and Security in the Implementation of Health Information Technology (Electronic Health Records): U.S. and EU Compared, 17 B.U. J. Sci. & Tech. L. 1 (2011).

  3. United States v. Westinghouse Electric Corp., 638 F.2d 570 (3d Cir. 1980).

  4. Id.

  5. Id.

  6. Court of Appeal in R v. Department of Health, (1995) 4 All ER 185.

  7. Common Services Agency v. Scottish Information Commissioner, (2008) UKHL 47.

  8. Data Protection Act, 1998, United Kingdom, § 1(1) (This implementing legislation ensures compliance with the data protection principles enunciated in the Data Protection Directive).

  9. Data Protection Act 1998, United Kingdom.

  10. The Indian Medical Council (Professional Conduct, Etiquette and Ethic) Regulations, 2002 (102 of 1956). (‘Medical Council Regulations’).

  11. The Medical Council Regulations, Chapter 8 (Disciplinary action may be taken against physicians for any offences committed in violation of the regulations).

  12. Department of Health and Human Services, 45 C.F.R. (2010), § 164.506(a),


Cite As: Aditya Shekhar and Abhishek Choudhary , ‘Covid-19 and Electronic Health Records: A dilemma for Privacy and Confidentiality (Part-I)’ (The Contemporary Law Forum, 21 June 2020) <> date of access.  

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.