While headlines like “India to become the world leader in Digital Health[i]” often catch one’s eye, it is hard to miss scare heads like “India’s health system is frail, inadequate and of inconsistent quality[ii].” With such diverging headlines, it is difficult to not be confused by the wide-ranging contrast and even more difficult to not wonder about the progress our healthcare is making. Is our digital healthcare secure? We have entered into a system of Dataveillance where digital health will undoubtedly influence the geopolitical and socioeconomic realities profoundly in the future. India, being an important global player has a responsibility to conduct itself skilfully around the conundrums and novelty surrounding it. It is time that the government takes a proactive approach towards digitising healthcare, all the while not disregarding crucial subjects like privacy.
This Blog-post will firstly, analyse the legal framework governing Electronic Health Records (“EHR”) in India, secondly scrutinize the Fundamental Right to Privacy concerning health data, thirdly, analyze the legal framework in other jurisdictions, and lastly, will provide suggestions that can be incorporated by different undertakings.
EHR IN INDIA
The Indian government has recognised that the health records must be available, longitudinally arranged as a time series, and must provide a summary of the healthcare events in the life of a person. [iii]With this in mind, the first definitive guidelines for EHR standards were released in 2013. Concurrently, the EHR Standards 2016 proposed guidelines for respecting the data privacy of the users, like the adoption of baseline security standards such as Security & Privacy Requirements of EHR Systems for Use in Conformity Assessment; Information Security Management in Health, etc. However, these Standards have been issued under section 52, the Clinical Establishments (Registration and Regulation) (“CE”) Act, 2010[iv], read with Rule 9(iv) the Clinical Establishments (Central Government) Rules, 2012[v] and apply only to “clinical establishments”. As per these standards[vi], even a single doctor may qualify to be a clinical establishment if he owns controls or manages an institution or clinic that offers treatment or care services for illness, as has also been upheld by the apex court of the country[vii]. But, the issue lies in the detail. ‘Health’ which is a state subject as per Entry 6, List II of the Seventh Schedule of our Constitution, provides the discretion to states to adopt the CE Act, and as of date, while sixteen states/UTs have adopted the CE Act, several have implemented or proposed their legislation, but some have done neither[viii]. Thus, even if the legislation is in place, there is a high probability of patient’s medical records not being legally protected, depending on their state’s practice. Furthermore, the existent Sensitive Personal Data or Information Rules which govern the collection and storage of sensitive personal data such as medical records, apply only to corporate bodies. As per Section 52 of the CE Act, a medical practitioner collecting and processing medical records will not constitute a ‘body corporate’[ix] and thus, such records are not afforded protection under the SPDI Rules. Therefore, even though the Information Technology Act, 2000; The Information Technology Rules, 2011; Data Protection Rules, 2000, etc. exist, no standards have been added to them yet to mandate the implementation of data protection and its security.
However, this has not immobilized the government. The Ministry of Health and Family Welfare has proposed the Digital Information Security in Healthcare Act (“DISHA”) bill to provide for electronic health data privacy, confidentiality, security, and standardisation. Additionally, the Integrated Health Information Platform has been suggested to address key issues like the lack of electronic silos, fragmented information systems, and most importantly, the lack of a common EHR System. Furthermore, policy action has been initiated towards healthcare digitisation through the 2020 National Digital Health Blueprint that enumerates sound principles for the creation of the EHR database and lists its privacy standards.
RIGHT TO PRIVACY IN INDIA
The Supreme Court of India[x], while writing the privacy judgment relied on the Canadian judgment Her Majesty, The Queen v. Brandon Roy Dyment[xi], which said, “The use of a person’s body without his consent to obtain information about him, invades an area of personal privacy essential to the maintenance of his human dignity”. Furthermore, in the case of Maharashtra University of Health Sciences v. Satchikitsa Prasarak Mandal[xii], it was held that the dignity of an individual is a core constitutional concept. Building upon this, the Court in N.M. and Others v. Smith and Others[xiii] held that “The personal and intimate nature of an individual’s health information, unlike other forms of documentation, reflects delicate decisions and choices relating to issues about bodily and psychological integrity and personal autonomy.” Additionally, the privacy judgment by relying on the judgment of S and Marper v. United Kingdom[xiv] held that information about the person’s health is an important element of private life, and therefore, “an unauthorized parting of the medical records of an individual which have been furnished to a hospital will amount to an invasion of privacy[xv]”. The jurisprudence points to the importance of health data in an individual’s life.
Moreover, the Aadhar Judgement relied on the privacy judgement for concepts like data minimization, privacy by design, purpose limitation, and storage limitation. Following this, a nine-judge bench[xvi] of the Supreme Court of India fleshed out the need for a strong data protection regime. Accordingly, the committee of experts constituted by the Ministry of Information and Technology (“MeitY”), headed by Justice B. N. Srikrishna submitted their report, and subsequently, the Personal Data Protection Bill (“PDP Bill”), 2019[xvii] was tabled in the Indian Parliament. Medical and healthcare information is a part of sensitive personal data under the PDP Bill, making it more susceptible if left unattended.
Interestingly, even though the EHR guidelines discussed above provide us with a proper framework of patient consent[xviii], they do not mandate the collection of patient consent for the storage, transfer, or processing of patient’s medical records and health information. According to a recent report[xix], the health data of over 120 million Indian patients are freely available on the internet[xx], making it vulnerable in the open space without any consent mechanism in place. All these problems point out to the non-implementation of these concepts and policies.
TAKING INSPIRATION FROM OTHER JURISDICTIONS
Getting implemented is not the only hurdle that the 2016 EHR guidelines face. If we look at Estonia’s eHealth, it uses special formats for interconnection and the data security layer is provided for by the middleware software itself, known as the privacy by design concept[xxi]. Next, in 1996, Finland created a secure state-wide EHR system by passing requisite legislation with few-to-no bumps, helping them in the proper maintenance of their health records. Additionally, the UK health care system has adopted a National Privacy by Design framework, in compliance with the GDPR[xxii]. Lastly, in the present pandemic, even for its privacy app Trace Together, Singapore has enacted privacy laws, which are specific to the current situation while India’s attempt at the same, the Aarogya Setu App has controversially failed. Having been made mandatory, its liability clause to indemnify the government on unauthorized access to information is considered invasive from a security and privacy viewpoint[xxiii]. Thus, India needs to buckle up and bring its privacy protection in line with global best practices as the rise in virtual consultations should not come at the cost of patient privacy.
India, to move towards a digitised India needs to incorporate the concepts of data minimization, privacy by design, purpose limitation, and storage limitation from the very onset. It is important, that the implementation of policies that apply uniformly be implemented by the government, to make the Acts like the CE Act more efficient.
By adopting concepts like pseudonymisation as a part of their privacy by design, which is data protection through technology design, the threat of identifiable variables is reduced and the policies can be made more user-friendly. Can every regulator make this a part of their assessment of data? Yes. By Firstly, having a proactive approach and anticipating the invasive privacy threats before they happen by constantly updating its anti-virus and anti-malware software, secondly, by ensuring visibility and accountability to stakeholders by moving eConsent from jargon based documentation to a more visual approach, thirdly, by keeping all the arrangements user-centric rather than government-centric by eliminating bias in design and the promotion of trustworthiness, fourthly, by providing end-to-end security throughout the lifecycle of the data involved by encrypting the identifiable user details and fifthly, by embedding privacy as default settings by making the data controller approve any request from a third party.
They often say that relying on the government to protect your privacy is like asking a peeping tom to install your window blinds[xxiv]. Let’s just hope that this is not the case for India in the arena of digital health, because this is not just an absolute right but also, an opportunity for India to turn privacy to its competitive advantage and make it an enabler of digital disruption.
[i] Rajendra Pratap Gupta, India to become the world leader in Digital Health, The Economic Times (May 1st, 2020, 10:05 AM), https://health.economictimes.indiatimes.com/news/health-it/india-to-become-the-world-leader-in-digital-health/55154100.
[ii] Sheetal Ranganathan, Towards a holistic digital health ecosystem in India, Observer Research Foundation (May 12th, 2020, 3:30 PM), https://www.orfonline.org/research/towards-a-holistic-digital-health-ecosystem-in-india-63993/.
[iii] Ministry of Health & Family Welfare Government of India, ELECTRONIC HEALTH RECORD (EHR) STANDARDS FOR INDIA 2016, Government of India, (May 15th, 2020, 6:30 PM), https://main.mohfw.gov.in/sites/default/files/EMR-EHR_Standards_for_India_as_notified_by_MOHFW_2016_0.pdf.
[iv] The Clinical Establishments (Registration And Regulation) Act, 2010, § 52.
[v] The Clinical Establishments (Central Government) Rules, 2012, Rule 9 (iv).
[vi] The Clinical Establishments (Registration And Regulation) Act, 2010, § 2©.
[vii] Sameer Kumar v. State of Uttar Pradesh through Principal Secretary Medical Health Department and Others, 2014 SCC OnLine All 14605.
[viii] Operational Guidelines For Clinical Establishments Act, 2017.
[ix] Asheeta Regidi, DISHA and the draft Personal Data Protection Bill, 2018: Looking at the future of governance of health data in India, Ikigai Law, Feb. 25, 2019.
[x] Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors,(2017) 10 SCC 1.
[xi] Her Majesty, The Queen v. Brandon Roy Dyment, (1988) 2 SCR 417 (1988).
[xii] Maharashtra University of Health Sciences & Others v. Satchikitsa Prasarak Mandal & Others, Civil Appeal No.2050 OF 2010.
[xiii] NM and Others v. Smith and Others,2007 (5) SA 250 (CC).
[xiv] S and Marper v. United Kingdom,  ECHR 1581.
[xv] Supra note “x”.
[xvii] The Personal Data Protection Bill, 2019.
[xviii] Supra note “iii”.
[xix] Sumanti Sen, Global Medical Data Breach:120 Million Indian Patients’ Details Available On Internet For Free, The Logical Indian, (May 20th, 2020, 6:00 PM), https://thelogicalindian.com/news/maharashtra-medical-data-leak-19603#:~:text=A%20recent%20report%20published%20by,freely%20available%20on%20the%20Internet.&text=After%20the%20US%2C%20India%20ranks,in%20the%20%22ugly%22%20category.
[xx] Autam S. Mengle, Maharashtra tops the list of States hit by global medical data leak, The Hindu, Feb. 05, 2020.
[xxii] Developing a National Privacy by Design & Default Framework, IG Smart (May 12th, 2020, 10:00PM), https://ig-smart.com/movies/developing-nhs-englands-privacy-by-design-framework/.
[xxiii] Andrew Clarance, Aarogya Setu: Why India’s Covid-19 contact tracing app is controversial, BBC News (May 12th, 2020, 8:00 PM), https://www.bbc.com/news/world-asia-india-52659520.
[xxiv] John Perry Barlow, Brainy Quote, (May 13th, 2020, 10:00 PM), https://www.brainyquote.com/quotes/john_perry_barlow_129891.
ABOUT THE AUTHORS
Aadya Bansal is a third-year law student at National Law Institute University, Bhopal.
Shreya Chandhok is a third-year law student at National Law Institute University, Bhopal.