India’s health ministry has proposed a law to govern data security in the healthcare sector that would give individuals complete ownership of their health data. Individuals would have the absolute right to refuse or allow data to be generated, collected, accessed, transmitted or used. And data collectors such as hospitals would be prohibited from refusing treatment to those who do not want their data collected or used.
This would make India one of the world’s foremost jurisdictions in the regulation of healthcare data, at a time when governments around the world are scrambling to keep a check on who gets to generate and use data, and how, especially as citizens do not completely understand the data privacy and security implications of the innumerable applications they wittingly or unwittingly use.
The draft Digital Information Security in Healthcare Act was proposed by the health ministry on 11 March 2018. The period for stakeholder comment ended on 21 April, and a bill is currently being finalised. Experts say the health ministry is possibly waiting for a final verdict from the Supreme Court on petitions challenging the constitutional validity of Aadhaar—on which it has just completed the second-longest oral hearing in the history of the court. The ruling is expected in July or August.
The verdict will guide India’s data privacy framework, which is already being prepared by the Committee of Experts on a Data Protection Framework for India, chaired by Justice BN Srikrishna. It will also have implications for the health ministry’s proposed law.
Use of data
Digital Health Data (DHD), or electronic health records of individuals or the public (when aggregated), typically comprise information such as a patient’s age, contact information, vital signs, lab reports, medical history including immunisations, allergies, and current and past medications.
The use of DHD promises to revolutionise healthcare services by providing more comprehensive care using the most accurate records possible, possibly reducing costs and timelines for all involved.
The law would allow anonymised health data, which cannot be traced to individuals, to be used for specified public health purposes, such as early detection and rapid response to public health emergencies such as bioterror events and infectious disease outbreaks.
However, for data in identifiable form, the draft stipulates that explicit prior permission would be needed from the digital data owner before each transmission or use. For instance, companies often offer free medical checkups to all employees. By revealing a pregnancy or a serious chronic condition, these tests could imperil an employee’s situation with their employer. With the proposed law, an employee could refuse to allow the pathology laboratory to share their data with the employer.
In recognition of the serious privacy and security concerns over the uses and misuses of digital health data, the proposed law would completely prohibit the use of digital health data for ‘commercial purposes’, whether in an identifiable or anonymised form.
This would mean that insurance companies, employers, human resource consultants and pharmaceutical companies would not be allowed to access or use health data, the law firm Trilegal said in an analysis posted on its website on 11 April 2018.
“Currently, employers can process health data for employee benefits, office records and insurance purposes under labour legislations like Maternity Benefits Act, Employee Compensation Act and Employee State Insurance Corporation Act and as part of their internal policies,” Trilegal said, adding that the proposed law would allow the use of digital data only to the extent required by these laws. “However, access, use or disclosure of [digital health data] to employers or human resource consultants for any other purpose is prohibited,” Trilegal noted.
Similarly, insurance companies and drug makers would not be allowed to access or use digital health data, although use for academic, clinical and public health research would be allowed.
The central government would be tasked with establishing ‘health information exchanges’ that would regulate the exchange of DHD between various clinical establishments—hospitals, clinics, diagnostic centres, pathology laboratories, etc—for purposes and in manners allowed under the law.
The responsibility for ensuring data security and privacy would lie with the entity that has custody of the data, which could be penalised for the data breach.
Currently, under Indian law, companies in India are not obligated to inform individuals of a data breach, with the exception of banks, which are obligated to inform the Reserve Bank of India within six hours. The result is that individuals are often not aware that their details may have been compromised.
The draft law proposes to make breach notification mandatory. Data breaches would be ranked by severity, and the more serious kind would be punishable with a fine of at least Rs 1 lakh and a jail term of up to five years.
Clinical establishments and health information exchanges would have to notify the owner in case of a breach within three days. Data owners could claim compensation from the person who breached the data, and no limit has been prescribed for the compensation amount. The draft also specifies punishment of up to five years’ imprisonment for various other offences such as unauthorised access and data theft.
The stringent provisions of the proposed law, particularly the blanket ban on the use of DHD by insurance and pharmaceutical companies, have raised concerns among these industries.
“Most data protection laws allow healthcare institutes to process data so long as there exists a legitimate interest in doing so,” Rahul Kumar, country manager and director with security solutions company WinMagic India, said, adding that provisions debarring insurance and pharmaceutical companies, “while being protective in nature might be excessively harsh under certain circumstances”.
The stringent privacy provisions also put the future of wearable devices in doubt, Shweta Mohandas of The Centre for Internet and Society (CIS) told IndiaSpend, “Perhaps a revised draft of the law, or rules framed under the final law, would specify these details.”
The draft does not clearly define the security measures that must be followed to prevent a data breach, Mohandas and Amber Sinha, also of the CIS, told IndiaSpend. However, a National Electronic Health Authority proposed to be set up under the law could possibly define a clear set of standards for maintaining security, they said.
Also, the draft proposes to allow for the withdrawal of consent but does not say how data would be removed from the system, Sinha and Mohandas said, adding that the roles of the various bodies to be established must be clearly defined.
Most commentators expect that the finalised bill, which will be drafted after taking into account stakeholder comment, will iron out these issues.
“This law in its current form and further in its revised version will go a long way to help the industry be more secure,” Kumar said, adding, “Compliance is known to bring in a level playing field for industries and also give the end user the confidence that the critical data is secure.”
Many commentators have also questioned the timing of the health ministry’s draft law, given that India is currently in the process of creating a framework and overarching legislation on data privacy and security. “It is curious that the Ministry has chosen to not wait for the draft law, before framing and releasing their draft,” Sinha and Mohandas said, “This suggests a lack of coordination between the different ministries, and if due care is not taken, could lead to inconsistencies across sectoral regulations of data.”
However, they said, it is possible that the health ministry will wait for the Supreme Court verdict in the Aadhaar litigation before finalising the bill.