Introduction
India’s private healthcare entities are increasingly participating in government initiatives, in a sector historically dominated by private players. This synergy is evident in public-private partnerships like the Ayushman Bharat National Health Protection Mission and the Pradhan Mantri Jan Arogya Yojana. The aim of the programmes is to expand healthcare access and affordability, reflecting a significant policy shift towards inclusive health coverage.
The 2024-25 Interim Union Budget marked another milestone in this evolution, unveiling plans to leverage existing hospital infrastructure to establish new medical colleges. This initiative is part of a broader strategy to address the shortage of medical professionals and enhance healthcare delivery across the nation. Additionally, the Budget extended the Ayushman Bharat Insurance Scheme to include ASHA and Anganwadi workers, acknowledging their crucial role in community health and support services.
Amid this burgeoning focus on healthcare, the significance accorded to health data has also surged. The potential to harness personal health data for large-scale research, personalised medicine, and precise targeting of medical services is unprecedented. However, this increased access to health data comes with heightened risks and a pressing need for robust data protection measures. The healthcare industry, while embracing digital transformation, faces a formidable challenge in safeguarding sensitive health information. Recognising this critical need, the Government of India introduced the Digital Personal Data Protection Act, 2023 (“DPDP Act”), in August 2023. This landmark legislation aims to regulate the processing of digital personal data, ensuring individual privacy and data security. But does the DPDP Act sufficiently protect health data, given its unique sensitivity and importance?
In contemporary times, health data protection has become increasingly relevant due to the proliferation of telemedicine or e-pharmacy platforms, Enterprise Resource Planning (“ERP”) software for hospitals and other healthcare institutions, which allow storage and tracking of patient data and health records, and medical devices. To understand the current landscape of health data protection under the DPDP Act, it is essential to explore how health data was managed and protected before the enactment of DPDP Act. This historical perspective will provide valuable insights into the advancements and remaining gaps in India’s health data protection framework.
Current Health Data Regulatory Framework
At present, protection of “sensitive personal data”[1], collected and stored on platforms, is regulated through the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), which were notified under the Information Technology Act, 2000 (“IT Act”). Additionally, the Electronic Health Record Standards for India, 2016 (“EHR Standards”), lays down principles in relation to protection, privacy, disclosure and preservation of Protected Health Information (“PHI”) and Electronic Protected Health Information (“ePHI”). Consent is the cornerstone for disclosures under the EHR Standards and the SPDI Rules. Also, the Data Security Council of India (“DSCI”) has formulated the DSCI Privacy Guide for Healthcare (“Guide”) for data protection in India. The Guide outlines various types of data as Personal Health Data or Information (“PHDI”), including demographic data, administrative data, health risk information and health status.
Other sector specific guidelines/ regulations governing health data, include:
- National Ethical Guidelines for Biomedical and Health Research Involving Human Participants include, inter alia, provisions for retaining data for external security audits; policies for data capture, data acquisition, management, sharing and ownership; privacy of individual and confidentiality of data; role of the Ethics Committee in ensuring confidentiality and appropriate use of accessed data; data privacy, data accuracy, and data security.
- Assisted Reproductive Technology (Regulation) Act, 2021, and regulations framed thereunder include, inter alia, provisions for making policies, guidelines and identifying new research areas and conducting research in assisted reproduction and other related fields in the country from the data generated by National Registry; and duty of assisted reproductive technology clinics and banks to protect confidential information and keep accurate records.
- ICMR Guidelines for Good Clinical Laboratory Practices, 2021, include, inter alia, provisions for data management, confidentiality/ data security (hardware, network, application and personnel security), disaster recovery plan and laboratory record.
- Telemedicine Practice Guidelines, 2020 include, inter alia, provisions for responsibility of the Registered Medical Practitioner (“RMP”) to be cognizant of the current data protection and privacy laws; maintenance of the patient’s confidentiality; duty of RMP to ensure that reasonable degree of care is undertaken during hiring of such services and to maintain patient records, reports, documents, images, diagnostics, data, etc. (digital or non-digital), utilised in the telemedicine consultation.
- Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, include, inter alia, provisions for maintenance of medical records; duty of RMP to maintain a Register of Medical Certificates giving full details of certificates issued; computerisation of medical records for quick retrieval; and violations of the regulations.
Safeguards under DISHA and the DPDP Act
Unlike the Health Insurance Portability and Accountability Act (“HIPAA”) in the US, India does not have specific data protection law for health data. However, there were attempts to regulate health data through specific laws. The Digital Information Security in Healthcare Act (“DISHA”) was one such attempt to protect health data of patients in India. Key provisions of DISHA, inter alia, included setting up of Health Information Exchange, and creation of regulatory and adjudicatory authorities at the national and state level.
DISHA envisaged individuals owning digital health data at all times, but the medium of storage and transmission being owned by the clinical establishment or the Health Information Exchange. Digital health data is held in trust for the individual, who owns the data. Individuals should know when their data is being accessed or transferred. Right to withdraw consent at any time has also been given to the individual, along with the right to rectify mistakes in the digital health data. DISHA also imposes obligations on various stakeholders, like the collectors, generators and processors of digital health data. Maintaining privacy and confidentiality is the foremost responsibility of all stakeholders. Clinical establishments, diagnostic centres and individual clinics are supposed to comply with the requirements of DISHA. Moreover, DISHA also provides for imposition of fine, in case of a breach or serious breach of its provisions.
The Ministry of Health and Family Welfare (“MoHFW”) had drafted DISHA to ensure data privacy, confidentiality, reliability and security of digital health data. However, the framework envisaged under DISHA never saw the light of the day. MoHFW forwarded the draft legislation to the Ministry of Electronics and Information Technology (“MeitY”) to seek their inputs and guidance. In response, MeitY informed that it was in the process of enacting the ‘Data Protection Framework on Digital Information Privacy, Security & Confidentiality’ Act, which would be applicable to the health sector as well. Subsequently, MoHFW submitted DISHA to MeitY to be subsumed in the ‘Data Protection Framework on Digital Information Privacy, Security & Confidentiality’ Act to avoid duplicity of effort. This draft was eventually introduced as the Personal Data Protection Bill, 2019 (“PDP Bill”).
Protecting Health Data through the PDP Bill and DPDP Act
While the PDP Bill expressly defined ‘health data’[2] and included it within the ambit of ‘sensitive personal data’, the DPDP Act neither expressly defines ‘health data’ nor does it explicitly include it within the definition of ‘personal data’. Nonetheless, there are certain illustrations relating to the healthcare industry under Sections 6 and 7 of the DPDP Act, showcasing how the law is relevant when it comes to drawing limits of consent in healthcare. These illustrations are reproduced below:
- “X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list, and X signifies her consent to both. Since phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services”.
- “X, an individual, makes a purchase at Y, a pharmacy. X voluntarily provides Y her personal data and requests Y to acknowledge receipt of the payment made for the purchase by sending her a message on her mobile phone. Y may process X’s personal data to send her the receipt”.
- “X, a pregnant woman, enrols herself on an app or website to avail the government’s maternity benefits programme, while consenting to provide her personal data for the purpose of availing such benefits. The government may process X’s personal data to determine her eligibility to receive any other government prescribed benefits”.
Conclusion
Maintaining confidentiality of medical records is crucial, as privacy of such data is directly linked to public trust in the healthcare system. This trust is essential for effective health data sharing and management. Health data, due to its sensitive nature, demands higher protection because any breach can significantly impact the wellbeing and mindset of patients.
Given the recent cyberattacks targeting healthcare institutions like AIIMS and ICMR, enhancing the protection and regulation of health data in India is crucial. Strengthening the legal framework governing health data is essential. This could be achieved by either introducing a dedicated law for health data protection or amending the DPDP Act to provide special safeguards for sensitive health information. The government’s approach to addressing this issue will be critical in shaping the future of health data protection in the country.
For further information, please contact:
Biplab Lenin, Partner, Cyril Amarchand Mangaldas
biplab.lenin@cyrilshroff.com
[1] Personal information consisting of information relating to physical, physiological and mental health condition; and medical records and history.
[2] Section 2(21) of the PDP Bill defines health data as ‘data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services’.
