Digitisation of Health / Medical Records: Is the law keeping up?

By Smitha Krishna Prasad

Medical and health records are increasingly digitised, and ease of access is considered one of the key benefits of this trend. However, patient privacy and security of such records are important concerns that need to be addressed both under the existing legal framework, and in terms of development of new laws.

Earlier this month, news reports suggested that private medical records of over 35000 patients had been made publicly available through the website of a diagnostic laboratory based in Mumbai. Reports indicate that the website of the lab was hacked. However, other reports specify that the lab has disclaimed liability, stating that any requirement for confidentiality is limited in applicability to doctors only. Further, the lab suggested that since they were shortly to be moving to a different system, there was no urgency in remedying the security flaws.

While the above seems to be an internal security issue on the part of the lab, health records have become a favourite target for hackers across the world. Stolen records are then either held for ransom or sold by such hackers.

The healthcare industry as a whole is seen as one of the least secure industries globally. At the same time, medical and health records of individuals are increasingly being digitised. Individuals and institutions in the healthcare industry are digitising records within their organisations to improve ease of access. The Ministry of Health and Family Welfare, Government of India, is in the process of setting up an Integrated Health Information Platform, and has issued Electronic Health Record Standards (EHR Standards). The EHR Standards are meant to provide for creation and maintenance of health records in a standardised manner that would allow for interoperability across platforms and institutions across the country. There are many pros and cons to undertaking such a digitisation effort – however, this post is limited to examining the legal framework surrounding such digitisation and the protection of privacy of patients.

Current Legal Framework in India

Today, India does not have a comprehensive privacy law, or an industry specific privacy regulation that focuses on the healthcare / medical industry. We do have the Information Technology Act, 2000 (“IT Act”), and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Rules”), as well as the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 (“MCI Code of Ethics”).

The MCI Code of Ethics provides that physicians must maintain medical records pertaining to patients for a period of 3 years from commencement of treatment. Further, physicians must also make such records available to patients, authorised attendants and legal authorities upon request. Physicians are also required to make efforts to computerise such records. While there is no specific provision on maintenance of privacy and security of these medical records, the MCI Code of Ethics does provide that confidences entrusted by patients to physicians must not be revealed, unless required by law or in the public interest. However, the MCI Code of Ethics is applicable only to physicians, i.e. doctors with MBBS or equivalent qualifications.

On the other hand, the IT Act and the IT Rules are wider in application. They deal specifically with electronic records and require any person dealing with certain defined types of sensitive information, including medical records, to undertake data protection and security measures.

Any violation of the MCI Code of Ethics calls for disciplinary action against the concerned physician, which could include removal of the physician’s name from the register of qualified physicians. The IT Act, however, does not provide for any direct action or penalty in the case of non-compliance with the IT Rules, and relies on the person affected by the non-compliance to take action.

In addition to the MCI Code of Ethics and the IT Act, there are a few other laws such as the Medical Termination of Pregnancy Act, 1971 which provide for maintenance of confidentiality of patient information. However, these are largely specific to certain circumstances and are not comprehensive.

Potential Developments

In the absence of a comprehensive privacy and data protection law in India, some regulators have taken to establishing basic rules to protect consumers and individuals in their respective industries. For instance, the RBI places certain restrictions on the circumstances in which customer information can be shared by banks. Insurance and telecom companies are restricted from transferring certain customer information outside India.

Given the highly sensitive nature of medical / health related information, and recent trends of commoditisation of such information in the black market, such laws are much needed in the healthcare industry.

The EHR Standards do deal with certain aspects of privacy of patients and security of healthcare records. They prescribe several international standards to be adhered to by members of the healthcare industry while dealing with electronic health records. However, they appear to default back to the IT Act as the legislation that would govern the implementation of any data protection measures in relation to such records.

The Human Immunodeficiency Virus and Acquired Immune Deficiency Syndrome (Prevention and Control) Bill, 2014 also provides certain safeguards to ensure the privacy of patients, specifically in relation to their HIV status. Some concerns regarding the provisions of this bill have previously been discussed here. However, this proposed bill is again limited in scope, and does not apply across the medical industry.

Reports suggest that recognising the need for a more comprehensive law, the Central Government has taken up the initiative of drafting a healthcare industry specific privacy and data protection law.

Given that this law would be drafted from scratch, we suggest that it should be (a) holistic i.e. be applicable across the entire healthcare / medical industry, and not specifically to doctors / hospitals, and (b) technology agnostic, addressing medical / health information in any format, digitised or not.

The law should also take into account the internationally recognised privacy / fair information principles. These principles provide, among other things, for (a) collection of data by lawful means, and only when required, (b) use of data only for the purpose for which it is collected, (c) adequate security measures to protect data, and (d) accountability and openness about the policies in place for use and protection of data.

Further, to the extent that the law provides for the digitisation of records and implementation of the EHR Standards, it should ensure that the principles of ‘privacy by design’ are applied. The concept of privacy by design stipulates that privacy and data protection measures must be built into any system by default, taking a preventive approach to data protection rather than a remedial one.

Another important concern is enforcement – our current laws such as the IT Act, do not provide for proactive enforcement in case of failure to protect privacy / data of individuals, and leave it up to the affected individuals to act. Ideally, a dedicated regulator with the ability to investigate and direct action against defaulters is required. Perhaps the role of the National e-Health Authority proposed by the Government could be expanded to deal with privacy and security of all health records and information.

While the idea of implementing a health privacy and data protection law is a welcome move, it remains to be seen how far this proposed legislation will go towards fully protecting patients’ rights.


Google Faces Legal Hurdles Under Brazilian Internet Law

By Raissa Campagnaro[1]

The Brazilian Federal Prosecution Ministry has brought civil proceedings against Google for flouting its data protection law. The suit challenges Google’s access to the content of emails exchanged by Gmail users on multiple grounds, including Google’s failure to obtain express consent.

In October, 2016, Brazil’s Federal Prosecutor filed a public civil suit against Google, claiming that the search engine had failed to comply with the country’s internet law, the Internet Bill of Rights. The suit argues that during a previous prosecution investigation, through a civil inquiry, Google had made it public that it scans the content of emails exchanged by Gmail users. According to the Federal Prosecutor, this violates Brazilian data protection standards.

The Internet Bill of Rights establishes data protection principles similar to those set up under the EU Data Protection Directive 95/46/EC. Under this law, any processing of data must be pursuant to express consent. The law specifically requires that the clause seeking consent be prominently displayed and easy to identify amongst other terms of the contract. The law also recognises a right to not have one’s data transferred to third parties without consent and a right to be informed about the specific purposes of the personal data collection, usage, storage, treatment and protection.

When asked about its compliance with the legislation, Google submitted that it analyses email messages so it can improve consumers’ user experience by filtering the messages for unwanted content, spam, or other kinds of malware. It also submitted that the scanning of messages is used to offer products and advertisements to the user and to classify emails into various categories such as ‘social’, ‘promotions’, etc. Finally, Google has contended that the scanning of emails is consented to by the user at the time of signing up, by agreeing to the privacy policy within Gmail’s terms of service.

However, the Federal Prosecution Ministry considers these practices to be ‘profiling’ – a consequence of personal data aggregation that allows the creation of users’ profiles based on their behaviour, online habits and preferences. These can be used to predict their future actions and decisions. Profiling is frequently used for behavioural advertisements in which aggregated personal data is transferred to other ISPs, who use it to direct ads, products and services determined by the person’s past online activity. According to the Federal Prosecutor, this not only violates people’s right to privacy, especially their informational self-determination right, but also interferes with a consumer’s freedom of choice.

Several scholars and researchers have also opposed profiling and behavioural advertising, arguing that it has severe negative consequences. These include (i) denial of credit or loan concessions; (ii) offering different health insurance deals based on a person’s medical history or the nature of activities they engage in; and (iii) offers with adaptive pricing, based on a variety of criteria that involve some level of discrimination. This is problematic because online profiles are limited. A person’s life is based on several aspects apart from the online information which is collected and aggregated. As a result, personal data aggregation, processing and analysis can lead to an incomplete or incorrect picture of an individual, leading to wrongful interventions in their life. Even if the profile is a complete reflection of a person’s life, the choice to have one’s data collected and used for determined purposes must always be the users’.

The suit alleges that Google’s practices are not in consonance with the legal requirement of seeking express consent, including through prominent display within a policy. It suggests that Google be required to take specific consent in order to access the content of emails.

The case also challenges the fact that Google’s privacy policy does not allow consumers to withdraw consent. This violates consumers’ control over their data. Further, it is also argued that consent should be sought afresh every time Google changes its privacy policy. The lack of clear and precise information around how data is processed is another issue pointed out in the case, as it violates the right of Gmail users to information regarding the usage of their data.

To substantiate its case, the Federal Prosecutor is relying on an Italian case in which Google’s data processing activities had been challenged. The ruling was based on Italy’s Data Privacy Code, which establishes data protection guarantees such as i) fair and lawful processing of data; ii) specific, explicit and legitimate purposes and use of data; iii) processing to not be excessive in relation to the purposes for which it is collected or subsequently processed; and iv) that the data must only be kept for the amount of time truly necessary. In addition, the law stipulates that a data subject must receive notice about how their data will be processed, allowing them to make an informed decision. Furthermore, the Italian code also requires consent to be express and documented in writing.

In 2014, the decision of the Garante (the Italian Data Privacy Authority, hereinafter “the Authority”) held that Google had failed to comply with some requirements under the Italian legislation. Firstly, the information given by Google around how data processing was carried out was considered insufficient, as it was too general. Secondly, the consent format given through the privacy policy agreement was also held to be too broad. The Authority held that consent should be prior and specific to the data treatment. Although the decision condemned the company’s practices, it did not establish any guidelines for Google to adopt in this regard.

Through the present suit, the Brazilian Federal Prosecutor seeks (i) suspension of Google’s email content analysis, that is, scanning of emails of Gmail users where express consent has not been received; (ii) an obligation to obtain express consent from users before scanning or analysing the content of emails; and (iii) ensuring the possibility of consent withdrawal. The suit seeks an order directing Google to change its privacy policy to ensure consent is informed and particular to content analysis.

This case demonstrates a new aspect of data protection concern. Apart from the most common cases concerning data breach situations, where the damage is usually discovered too late or is too massive to repair, the Brazilian and the Italian cases are good examples of proactive measures taken to minimise future risks. Further, the importance of a legal framework that utilises data protection principles to guarantee consumers’ right to privacy is well recognised. Now, it appears that these rules are starting to be more effectively enforced and, in consequence, the right to privacy can be observed in practice.

[1] Raissa is a law student from Brazil with an interest in internet law and policy. Raissa has been interning with the civil liberties team at CCG for the past month.

E-Health, Digital India and Cyber (In)Security

By Shalini S

Under the government’s flagship initiative, Digital India, healthcare has been flagged as a sector awaiting reformation through enabling digital access. Across the world, the internet has increasingly come to serve as a platform for organized public healthcare delivery and has also demonstrated its potential in effectively increasing access to timely, specialized medical care in remote areas. Both e-health and m-health, public health models that use information and communications technologies (ICTs) for the provision of both healthcare services and information, have been employed extensively to support physical healthcare infrastructure in several countries and are now finding their way into the Indian public health framework.[1]

The health initiative under the project attempts to transform healthcare from an event-based intervention to an integrated, continuous delivery model by employing ICTs to remedy information asymmetry and substandard access. The initiative is also expected to partially remedy healthcare access issues that exist due to insufficient healthcare infrastructure and manpower. However, the use of ICTs exposes the sector to a range of unique challenges that must be dealt with in order to harness the potential of ICTs for the healthcare sector. This brief post seeks to outline the dangers of digitally storing and transmitting electronic health records and suggests strengthening security and risk management capability to avoid breaches.

E-health Initiative

The health limb of the Digital India project aims to increase access to quality healthcare for all citizens by enabling information flow, facilitating collaboration through the use of ICTs and providing timely, economic health services. It seeks to do so by increasing transparency in healthcare delivery, eliminating structural opacity and multiple intermediaries. Additionally, it envisions the use of emerging technology in bridging the healthcare divide by connecting patients with specialized health professionals, who are geographically far-removed, for online diagnosis. E-health programs are expected to benefit those that have little access to quality healthcare services such as the urban poor and rural populations.

Using hospital management information systems (HMIS), the online registration system (ORS) of the healthcare delivery limb of the Digital India initiative rightly attempts to simplify the registration and appointment process. However, each new registrant is assigned a Unique Health Identification (UHID) number, which is linked to their Aadhaar number and is used primarily to seek appointments at registered hospitals and subsequently to access their health records, including lab reports. Under the initiative, patients’ health records are digitized and uploaded electronically in order to better maintain records and make them easily accessible to health professionals. Further, these health records are to be integrated into a digital locker that can be accessed both by the government and by private establishments.

As a part of the above-mentioned Digital India program, the Government of India also proposed to set up a National eHealth Authority (NeHA), under which a “centralized electronic healthcare record repository” containing comprehensive health information of all citizens could be fashioned.[2] While this proposed statutory authority will be vested with the responsibility of managing the complexities birthed by the use of ICTs in the healthcare sector, and will also act as a regulatory authority to ensure privacy, confidentiality and security of patient information, it is yet to be created. In the absence of demonstrable technical cybersecurity capability and a regulatory or legislative cybersecurity framework, this statutory body might remain an insufficient effort. Further, the implementation by healthcare providers of the privacy and security norms evolved by NeHA could take years, during which sensitive patient information might be stolen by persons who stand to benefit from the use or sale of such personal information.

Sensitivity of health records

Healthcare records are attractive to criminals primarily because they contain personally identifiable information, and they are therefore highly vulnerable. In addition to the threat of stolen health data being misused in multiple ways, health records stored and transmitted online can be tampered with, and this can have implications for patient health. With the E-health initiative, this holds especially true, as the Aadhaar linkage connects health records to other personal information. The proposed healthcare record repository must also address these concerns. Hosting personal information, especially healthcare records, on any internet-based platform without adequate cybersecurity measures in place is an invitation for a large-scale breach.

Why digitize health records and information

Public health has arguably been raised as a national security priority and a centralized information database will undoubtedly be a prodigious healthcare intelligence tool that will allow researchers to engage in disease surveillance in order to better understand the state of public health in any nation. This information is critical to the medical fraternity and policymakers in ensuring medical preparedness and developing prevention and responsive capabilities.

Independently, most private healthcare providers have already made the move to digitizing health records that contain sensitive patient data and storing them electronically on often poorly-secured hospital networks, fueling pertinent privacy and security concerns. These health information systems are designed to host big data in a highly accessible manner in order to leverage speedy access to patient information for newer modalities of treatment that are time and cost effective.[3]

While the potential of information technology in radically transforming healthcare is indisputable, protecting healthcare data against misuse, without impeding healthcare professionals’ access to patient information, remains the biggest security concern.

Way forward

While it might not be necessary to view cybersecurity in healthcare delivery as a novel issue, patient information must be recognized as sensitive information that needs to be protected from breaches. Thus, the overarching Digital India initiative must necessarily account for the vulnerabilities involved in digitally storing healthcare records and develop risk management capabilities as a part of its existing governance. Further, as the healthcare initiative under Digital India hinges on collaboratively partnering with private healthcare providers to bridge the gap in access to advanced medical technology and specialized care, a minimum standard of cybersecurity must be mandated for all participating private healthcare providers to prevent localized breaches.

[1] Sanjeev Davey & Anuradha Davey, m-Health: Can IT improve Indian Public Health System, 4 National Journal of Community Medicine (2013), http://njcmindia.org/uploads/4-3_545-549.pdf.

[2] The Indian Express, Digital India programme: Govt mulls setting up eHealth Authority, 2015, http://indianexpress.com/article/india/india-others/digital-india-programme-govt-mulls-setting-up-ehealth-authority/ (last visited Nov 7, 2015).

[3] How technology is changing the face of Indian Healthcare, The Economic Times, 2014, http://articles.economictimes.indiatimes.com/2014-04-02/news/48801172_1_indian-healthcare-collaborative-data-exchange-healthcare-information-technology-market (last visited Nov 7, 2015).