Digitisation of Health / Medical Records: Is the law keeping up?

By Smitha Krishna Prasad

Medical and health records are increasingly digitised, and ease of access is considered one of the key benefits of this trend. However, patient privacy and security of such records are important concerns that need to be addressed both under the existing legal framework, and in terms of development of new laws.

Earlier this month, news reports suggested that private medical records of over 35000 patients had been made publicly available through the website of a diagnostic laboratory based in Mumbai. Reports indicate that the website of the lab was hacked. However, other reports specify that the lab has disclaimed liability, stating that any requirement for confidentiality is limited in applicability to doctors only. Further, the lab suggested that since they were shortly to be moving to a different system, there was no urgency in remedying the security flaws.

While the above seems to be an internal security issue on the part of the lab, we have seen that health records are a favourite for hackers, across the world. These records are then either held for ransom or sold by such hackers.

The healthcare industry as a whole is seen as one of the least secure industries globally. At the same time, medical and health records of individuals are increasingly being digitised. Individuals and institutions in the healthcare industry are digitising records within their organisations to improve ease of access. The Ministry of Health and Family Welfare, Government of India, is in the process of setting up an Integrated Health Information Platform, and has issued Electronic Health Record Standards (EHR Standards). The EHR Standards are meant to provide for creation and maintenance of health records in a standardised manner that would allow for interoperability across platforms and institutions across the country. There are many pros and cons to undertaking such a digitisation effort – however, this post is limited to examining the legal framework surrounding such digitisation and the protection of privacy of patients.

Current Legal Framework in India

Today, India does not have a comprehensive privacy law, or an industry specific privacy regulation that focuses on the healthcare / medical industry. We do have the Information Technology Act, 2000 (“IT Act”), and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Rules”), as well as the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 (“MCI Code of Ethics”).

The MCI’s Code of Ethics provides that physicians must maintain medical records pertaining to patients for a period of 3 years from commencement of treatment. Further, physicians must also make such records available to patients, authorised attendants and legal authorities upon request. Physicians are also required to make efforts to computerise such records. While there is no specific provision on maintenance of privacy and security of these medical records, the MCI Code of Ethics does provide that confidences entrusted by patients to physicians must be not be revealed, unless required by law or in public interest. However, the MCI Code of Ethics is applicable to physicians i.e. doctors with MBBS or equivalent qualifications only.

On the other hand, the IT Act and the IT Rules are wider in application. They deal specifically with electronic records and require any person dealing with certain defined types of sensitive information, including medical records, to undertake data protection and security measures.

Any violation of the MCI Code of Ethics calls for disciplinary action against the concerned physician which could include removal of the physician’s name from the register of qualified physicians. The IT Act however, does not provide for any direct action or penalty in the case of non-compliance with the IT Rules, and relies on the person affected by the non-compliance to take action.

In addition to the MCI Code of Ethics and the IT Act, there are a few other laws such as the Medical Termination of Pregnancy Act, 1971 which provide for maintenance of confidentiality of patient information. However, these are largely specific to certain circumstances and are not comprehensive.

Potential Developments

In the absence of a comprehensive privacy and data protection law in India, some regulators have taken to establishing basic rules to protect consumers and individuals in their respective industries. For instance, the RBI places certain restrictions on the circumstances in which customer information can be shared by banks. Insurance and telecom companies are restricted from transferring certain customer information outside India.

Given the highly sensitive nature of medical / health related information, and recent trends of commoditisation of such information in the black market, such laws are much needed in the healthcare industry.

The EHR Standards do deal with certain aspects of privacy of patients and security of healthcare records. They prescribe several international standards to be adhered to by members of the healthcare industry while dealing with electronic health records. However, they appear to default back to the IT Act as the legislation that would govern the implementation of any data protection measures in relation to such records.

The Human Immunodeficiency Virus and Acquired Immune Deficiency Syndrome (Prevention and Control) Bill, 2014 also provides certain safeguards to ensure the privacy of patients, specifically in relation to their HIV status. Some concerns regarding the provisions of this bill have previously been discussed here. However, this proposed bill is again limited in scope, and does not apply across the medical industry.

Reports suggest that recognising the need for a more comprehensive law, the Central Government has taken up the initiative of drafting a healthcare industry specific privacy and data protection law.

Given that this law would be drafted from scratch, we suggest that it should be (a) holistic i.e. be applicable across the entire healthcare / medical industry, and not specifically to doctors / hospitals, and (b) technology agnostic, addressing medical / health information in any format, digitised or not.

The law should also take into account the internationally recognised privacy / fair information principles. These principles provide, among other things, for (a) collection of data by lawful means, and only when required (b) use of data for the purpose it is collected only, (c) adequate security measures to be undertaken to protect data, and (d) accountability and openness about policies in place for use and protection of data.

Further, to the extent that it provides for the digitisation of records, and implementation of EHR Standards, it should be ensured that, the principles of ‘privacy by design’ should be used. The concept of privacy by design stipulates that privacy and data protection measures must be built into any system as a default, taking a preventative approach to data protection rather than a remedial approach.

Another important concern is enforcement – our current laws such as the IT Act, do not provide for proactive enforcement in case of failure to protect privacy / data of individuals, and leave it up to the affected individuals to act. Ideally, a dedicated regulator with the ability to investigate and direct action against defaulters is required. Perhaps the role of the National e-Health Authority proposed by the Government could be expanded to deal with privacy and security of all health records and information.

While the idea of implementing a health privacy and data protection law is a welcome move, it remains to be seen how far this proposed legislation will go towards fully protecting patients’ rights.


E-Health, Digital India and Cyber (In)Security

By Shalini S

Under the government’s flagship initiative, Digital India, healthcare has been flagged as a sector awaiting reformation through enabling digital access. Across the world, the internet has increasingly come to serve as a platform for organized public healthcare delivery and has also demonstrated its potential in effectively increasing access to timely, specialized medical care in remote areas. Both e-health and m-health, public health models that use information and communications technology (ICTs) for the provision of both healthcare services and information, have been employed extensively to support physical healthcare infrastructure in several countries and is now finding its way into the Indian public health framework.[1]

The health initiative under the project, attempts to transform healthcare from an event-based intervention to an integrated, continuous delivery model by employing ICTs to remedy information asymmetry and substandard access. The initiative is also expected to partially remedy healthcare access issues extant due to insufficient healthcare infrastructure and manpower. However, the use of ICTs exposes the sector to a range of unique challenges that must be dealt with in order to harness the potential of ICTs for the healthcare sector. This brief post seeks to outline the dangers of digitally storing and transmitting electronic health records and suggests strengthening security and risk management capability to avoid breaches.

E-health Initiative

The health limb of the Digital India project aims to increase access to quality healthcare for all citizens by enabling information flow, facilitating collaboration through the use of ICTs and providing timely, economic health services. It seeks to do so by increasing transparency in healthcare delivery, eliminating structural opacity and multiple intermediaries. Additionally, it envisions the use of emerging technology in bridging the healthcare divide by connecting patients with specialized health professionals, who are geographically far-removed, for online diagnosis. E-health programs are expected to benefit those that have little access to quality healthcare services such as the urban poor and rural populations.

Using hospital management information systems (HMIS), healthcare delivery limb of the Digital India Initiative’s online registration system (ORS) rightly attempts to simplify registration and appointment process. However, each new registrant is assigned a Unique Health Identification (UHID) number which is linked to their Aadhaar number used primarily to seek appointments at registered hospitals and subsequently to access their health records including lab reports. Under the initiative patient’s health records are digitized and uploaded electronically in order to better maintain records and make it easily accessible to health professionals. Further, these health records are to be integrated into a digital locker that can be accessed both by the government and private establishments.

As a part of the above-mentioned Digital India program, the Government of India also proposed to setup a National eHealth Authority (NeHA) under which a “centralized electronic healthcare record repository” containing comprehensive health information of all citizens could be fashioned.[2] While this proposed statutory authority will be vested with the responsibility of managing the complexities birthed by use of ICTs in the healthcare sector and also act as a regulatory authority to ensure privacy, confidentiality and security of patient information, it is yet to be created. In the absence of demonstrable, technical cybersecurity capability and regulatory or legislative cybersecurity framework, this statutory body might remain an insufficient effort. Further, the implementation of privacy and security norms evolved by NeHA by healthcare providers could take years and sensitive patient information might be stolen by persons who stand to benefit from the use or sale of such personal information.

Sensitivity of health records

Healthcare records are primarily attractive to criminals as they contain personally identifiable information and are therefore highly vulnerable. In addition to threat of stolen health data being misused in multiple ways, health records stored and transmitted online can be tampered with and this can have implications on patient health. With the E-health initiative, this holds especially true as the Aadhaar linkage connects health records to other personal information. The proposed healthcare record repository must also address these concerns. Hosting of personal information, especially healthcare records on any internet-based platforms without adequate cybersecurity measures in place is an invitation for large-scale breach.

Why digitize health records and information

Public health has arguably been raised as a national security priority and a centralized information database will undoubtedly be a prodigious healthcare intelligence tool that will allow researchers to engage in disease surveillance in order to better understand the state of public health in any nation. This information is critical to the medical fraternity and policymakers in ensuring medical preparedness and developing prevention and responsive capabilities.

Independently, most private healthcare providers have already made the move to digitizing health records that contain sensitive patient data and storing them electronically on often poorly-secured hospital networks, fueling pertinent privacy and security concerns. These health information systems are designed to host big data in a highly accessible manner in order to leverage speedy access to patient information for newer modalities of treatment that are time and cost effective.[3]

While the potential of information technology in radically transforming healthcare is indisputable, protecting healthcare data against misuse, without impeding healthcare professionals’ access to patient information, remains the biggest security concern.

Way forward

While it might not be necessary to view cybersecurity in healthcare delivery as a novel issue, patient information must be recognized as sensitive information that needs to be protected from breaches. Thus, the overarching Digital India initiative must necessarily account for vulnerabilities in digitally storing healthcare records and develop risk management capabilities as a part of its existing governance. Further, as the healthcare initiative under Digital India hinges on collaboratively partnering with private healthcare providers to bridge the gap in access to advanced medical technology and specialized care, a minimum standard of cybersecurity must be mandated to be followed by all participating private healthcare providers to prevent localized breaches.

[1] Sanjeev Davey & Anuradha Davey, m-Health- Can IT improve Indian Public Health System, 4 National Journal of Community Medicine (2013), http://njcmindia.org/uploads/4-3_545-549.pdf.

[2] The Indian Express, Digital India programme: Govt mulls setting up eHealth Authority, 2015, http://indianexpress.com/article/india/india-others/digital-india-programme-govt-mulls-setting-up-ehealth-authority/ (last visited Nov 7, 2015).

[3] How technology is changing the face of Indian Healthcare, The Economic Times, 2014, http://articles.economictimes.indiatimes.com/2014-04-02/news/48801172_1_indian-healthcare-collaborative-data-exchange-healthcare-information-technology-market (last visited Nov 7, 2015).