Pic Credits- www.chilangomadrid.com

LINK TO PART-I

Data Protection and Privacy Rights in India

The creation of a technologically advanced ecosystem in place of the existing archaic healthcare system, as envisaged by the National Health Policy, 2017, demands the presence of a sturdy privacy law regime. Section 43A of the Information Technology Act, 2000 and the Information Technology Rules, 2011, are the legal tools which deal with data protection. They basically require body corporates to safeguard data. The applicability of the aforementioned Section is restricted to body corporates and this renders hospitals and other healthcare service providers, which do not define themselves as companies, out of the scope of the existing data protection laws.

Indian healthcare regime has a lot of components which vary dramatically from each other. The way in which a private hospital records data varies from that of a general practitioner. EHR can help in striking a balance between these distinctions. This would only be possible if the implementation of EHR takes place pan-India, and is not scattered.

Individual privacy was held to be an intrinsic part of right to life under Article 21 of the Indian Constitution in the much-celebrated judgement of K. S. Puttaswamy v. Union of India.^[1] It was held to be a fundamental right of an individual. There are several legislations which determine the scope of individual privacy in India.

Throwing some light on the regulation of commercial flexibility of an individual, the court held that commercial flexibility had its genesis from the right of individual privacy. The court remarked that “right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone emanates from this right”.

Sensitive Information and Health Data

“Sensitive Data” is something which is not easily available in the public domain and the invasion of which may lead to personal loss and gross harm to one’s reputation. Sensitive Data, as per the Personal Data Protection Bill 2019, consists of a wide spectrum of data which includes financial status of an individual, caste, health conditions ranging from physical, physiological and mental, sexual orientation, biometric information, passwords (credit, debit, and various other confidential cards) and medical records and history.^[2] Any details in relation to the aforementioned items, if provided to a body corporate for providing services; and any of the information in relation to the said items, if received by a body corporate for processing the data, which is stored or processed under lawful contract or otherwise, is according to the Personal Data Protection Bill, 2019, sensitive data.

Section 2(21), of the Personal Data Protection Bill, 2019, defines “health data”. It reads as: “health data” means the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services”.^[3] Digital Information Security in Healthcare Act, 2018 and the Personal Data Protection Bill have different approaches to data governance and a synergic use of both will create a comprehensive data protection system. Digital Information Security in Healthcare Act has a consent-based approach. It allows a patient to withdraw his/her consent at various stages.^[4] On the other hand, Section 27 of the Personal Data Protection Bill, allows an individual to restrict or prevent disclosure of data, but the individual does not have a right to erasure.^[5]

The dilemma arises when we analyse the two laws separately. Both the aforementioned laws have a clause allowing them to override the provision of any other conflicting law. Adoption of harmonious construction is the general rule in such matters.^[6] If the maxim generalia specialibus non derogant is invoked, then the special law must be upheld. In this case, it is the Digital Information Security in Healthcare Act.

The Bill penalises (by way of imprisonment and fine) the disclosure of such sensitive data of the individual, or the transfer of such data, by any person alone or in a group.

Medical health data contains some sensitive information in relation to the individual, which is confidential in nature. Section 72A of the said Act mandates imprisonment and fine for the breach or disclosure of such sensitive and confidential information. Section 43A of the IT Act invigorates the privacy rights of an individual by restricting the scope of arbitrary control of data by the body corporate. The body corporate is to be held liable for any negligence in maintenance and implementation of reasonable security in the process of sharing the information. For any default on the part of the body corporate, the legal responsibility to compensate for damages lies on the body corporate itself. The body corporate, under Rule 8 of the IT Rules, must ensure compliance with practices and procedures while securing or retrieving personal information. Such information must be protected by incorporation of ‘managerial, technical, operational and physical security control measures’.

Recommendations and Suggestions

• Statistical analysis of distributed databases can be secured by involving special algorithms. The algorithms shall be complexly modeled with an intention to secure the disclosure of the sensitive personal data.^[7]
• If the data is anonymised or de-identified, a notification be sent to the patient about such sharing or transfer taking place.
• PIN protection of the medical record and accessibility through a specially curated AADHAR (Unique ID) Biometric System would be a fairly secure technique. Such a biometric system would restrict the accessibility of data only to the authorized individual. However, while programming such technologies, we must not sway away from various concerns of data leakages and medical identity theft. A proper legislation would work wonders in this regard. The Government is already mooting to use Aadhaar-based identification of patients for maintaining health records.^[8]
• “Encrypting” is another technique which would help in securing the health data. This makes data difficult to read and not easily understandable, alongside restricting accessibility to only those who have the decrypt key or password.
• Audit Trail is another unique technique of protecting data. It records information like; who accessed your information, what changes were made, last user and at what date the data was last accessed.^[9]
• The success of EHRs relies majorly on the clinicians using it. Lack of particular skill set and computer literacy amongst the clinicians in addition to the lack of user centred approach of EHR, renders EHR ineffective.
• Most EHRs lack a multilingual design to approach the public. While studying other nations and their success in implementing EHRs, we cannot ignore the diversity of our nation.
• EHRs, even after the release of EHR Standards 2016, lack uniformity. An integrated healthcare portal or platform can mitigate such practical problems effectively.^[10] Availability of Apps and other facilities to the patients to update their own data would further solve a lot of problems. However, privacy and safety of the individual should be the prime concern while implementing such a framework.

(This post has been authored by Aditya Shekhar and Abhishek Choudhary, second year law students at National Law University, Jodhpur)

References

1. K. S. Puttaswamy v. Union of India, (2017) 10 SCC 1. ↑

2. Personal Data Protection Bill, India, 2019. ↑

3. Personal Data Protection Bill, India, 2019, § 2(21). ↑

4. Digital Information Security in Healthcare Act, 2018, § 28. ↑

5. Personal Data Protection Bill, India, 2019, § 27. ↑

6. https://www.ikigailaw.com/disha-and-the-draft-personal-data-protection-bill-2018-looking-at-the-future-of-governance-of-health-data-in-india/#acceptLicense last visited 10/06/2020, 10:16 IST. ↑

7. Oren E. Livne et al., Federated Querying Architecture for Clinical and Translational Health IT, in Proceedings of the 1st ACM International Health Informatics Symposium 250, 251-54 (2010). ↑

8. Neetu Chandra Sharma, Govt plans Aadhaar-based identification of patients to maintain health records, https://www.livemint.com/news/india/govt-plans-aadhaar-based-identification-of-patients-to-maintain-health-records-1563198029440.html last visited at 13.:42 IST. ↑

9. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/consumers/privacy-security-electronic-records.pdf, last visited 10/06/2020, 10:20 IST. ↑

10. https://ehealth.eletsonline.com/2018/12/ehrs-in-india-challenges-and-opportunities-vis-a-vis-ayushman-bharat/ last visited 10/06/2020, 10:20 IST. ↑

Cite As: Aditya Shekhar and Abhishek Choudhary , ‘Covid-19 and Electronic Health Records: A dilemma for Privacy and Confidentiality (Part-II)’ (The Contemporary Law Forum, 21 June 2020) <https://tclf.in/2020/06/21/covid-19-and-electronic-health-records:-a-dilemma-for-privacy-and-confidentiality-(part-ii)> date of access.