Big Data in Healthcare: Addressing the Current Security Challenges of Electronic Health Systems

February 23, 2022


The adoption of Information Technology (IT) in the healthcare industry is accelerating rapidly. Most healthcare facilities and organisations use paper to record health data, which has resulted in a large paper trail, and most organisations have expressed interest in switching from paper-based to Electronic Health Records (EHR).

In the recent decade, Healthcare Information Systems (HIS) have grown at an exponential rate. The treatments that a patient receives from multiple care-providers during his lifetime are segmented in a specific EHR which is a by-product of these systems.

An EHR is defined as an electronic version of a patient’s medical history kept by a healthcare professional for a period of time, and it includes all vital administrative clinical data related to the care given to an individual by a specific provider, such as demographics, progress reports, concerns, prescription drugs, important signs, medical history, immunisation reports, laboratory data, and radiology reports.

Confidentiality is a type of informational privacy that is common in some interactions, such as the one between a physician and a patient. Personal information gathered during that connection should not be disclosed to anyone unless the patient has been informed of the intention and has given his or her consent.

There is still enough room for security breaches in the EHR system, even with all the protection systems in place, such as firewalls, Intrusion Detection Systems (IDS), anti-virus software, encryption/decryption techniques, and role-based access permits. Currently implemented HIS expose many grey areas, which accumulate into security vulnerabilities and data breaches or disclosure of health data, primarily by insiders.

This article delves into the data privacy scenario in the healthcare system in India amidst the expansion of EHR systems.


As far as the subject of public health and sanitation is concerned in the Constitution of India, it is a part of the State List and hence it is up to State Governments to decide whether or not to carry out policies outlined by the Federal Government.

The Ministry of Health and Family Welfare (MoHFW) is mostly responsible for developing and implementing health-care policies. Additionally, the Government’s policy think tank, the National Institution for Transforming India (NITI) Aayog, assists the MoHFW in its efforts.

The MoHFW and the NITI Aayog jointly oversee a variety of initiatives, such as the “Ayushman Bharat Yojana.” The MoHFW’s National Digital Health Blueprint (NDHB) of 2019 and the NITI Aayog’s Health System for New India: Building Blocks are two significant policy and strategy documents that support the migration to EHR.

The NDHB lays out a strategy for achieving digital health. It recognises the necessity for the National Digital Health Mission (NDHM) to promote the implementation of NDHB and facilitate the creation of a national digital health ecosystem.

An interoperable architecture, a series of architectural principles, a five-layered framework of architectural building blocks, Unique Health ID (UHID), confidentiality and consent management, national portability, EHR, multiple access channels such as call centres for support, and the Digital Health India portal for increased data sharing between the Government and the private sector are among the blueprint’s key features.

While the NDHB lays out the framework for creating a National Health Exchange (NHE) that is accessible to all residents, the NITI Aayog examines the key difficulties facing digital health in India, as well as the components and standards that are essential for success.

The research proposes six “pillars” of digital health in India, which include:

  • the creation of a health information infrastructure;
  • the selection of a governance entity;
  • health data registries;
  • a strategy for the development of a unified health information system;
  • design for health insurance information systems;
  • EHRs.


The use of EHR and Electronic Medical Records (EMR) has grown in popularity in India during the previous decade. All private hospitals maintain some sort of EMRs, however public hospitals claim that digital access is limited in villages and isolated locations and hence they rely on paper records.

The terms EHR and EMR are used interchangeably and almost synonymously; however, it is pertinent to note that there is an underlying difference between the two. EMRs are a digital version of the patient’s records and charts which are traditionally available in a doctor’s office, and they are used to monitor the health of the patients. On the contrary, EHRs go beyond the standard collection of health data, and collect and compile the patient’s health information from more than one doctor or healthcare organization.

The information gathered through both EHRs and EMRs is used for analysis, quality assurance, and identifying areas in which hospitals could improve. Even though EMRs provide for better patient tracking, they are not designed to be shared outside of a single practice, making them difficult to exchange between medical facilities such as labs, pharmacies, and specialists.

All the healthcare institutions aim to either upgrade their EMR systems to EHR or install a uniform EMR system throughout all the hospitals and healthcare institutions to make the process of capturing and sharing data easier and to use the information to enhance patient outcomes. However, due to inadequate hospital IT funding and other challenges, these goals and their implementations are still in the early stages.


Security and privacy concerns have hindered the adoption of EHR systems and digitization procedures in the healthcare business in several nations. Security breaches continue to highlight the need for safeguarding healthcare data.

The digital economy comes with security dangers. Along with potential security breaches, cyberwar is also a real threat in today’s world. Against this backdrop, it is essential to safeguard the medical records and personal data available in cyberspace.

Nowadays people access several applications and websites, wherein they also submit their personal data and sensitive personal data, thereby leaving a trail of their personal information on the Internet. The widespread growth of IT and the increasing demand for mobile and mobility are important facets of the digital era, just as security issues are.

The rise of EHRs, increased use of mobile devices such as smartphones, identity theft, and the exchange of data between and among organisations, clinicians, federal agencies, and patients are the biggest contributing factors to the concerns of privacy and security of health records.

In order for a patient to have faith in a physician, the doctor’s office records must be safeguarded. Protecting patient and practice data requires medical professionals to be informed of the proper security measures that must be followed.

In today’s digital age everyone uses a mobile phone or a smartphone and usually sending messages to each other is an extremely common way of communicating. In the light of the above, it should be noted that a mobile phone’s encryption or safety cannot be regulated or assured, and it is almost always impossible to track what information is transferred or how much information is sent.

Data can be stolen, manipulated, or destroyed by internal or external users, which is why all users must be made aware of security protocols and continuing educational activities. Regardless of the method utilised, a comprehensive security procedure must be in place to protect the data’s integrity, as well as an audit trail system.


When it comes to safeguarding privacy and data protection, European countries have long led the way. The General Data Protection Regulation (GDPR), which ensures data protection and privacy for all individuals within the European Union (EU), is a current example of this.

The GDPR has given regulatory teeth to the long-standing Governmental instructions on how to handle personally identifiable information in the EU. Because GDPR is a regulation rather than a directive, it applies directly to National Governments in the EU.

Personal Health Records are extensions of EHRs. The GDPR appears to be far more equipped to address the issues of protecting personal health data in the digital health era. GDPR gives people more control and responsibility over their health data, and it aims to define the rights and protection of personal health data in digital healthcare exchanges.

The GDPR provides a more detailed definition of “data concerning health”, referring to personal data relating to a natural person’s physical or mental health, including all data about that person’s past, current, or future health status collected in the course of registering for or providing healthcare services to him or her.

More crucially, it introduces new health-related data protection requirements and strengthens the obligations of Data Controllers and Processors.

The GDPR, in particular, establishes greater criteria for informed consent and notification obligations. As stated in Article 7, a Data Subject (in the case of EHRs, a patient) must be notified of the potential dangers of data collection “in a clear and understandable form, using clear and plain language.”

Furthermore, because excessive data collection can invalidate consent, the Data Controller must state, prior to data collection, whether the provision of personal health data is required by law or contract, or whether it is a necessary condition of entering into a contract, whether the patient has an obligation to provide personal data, and the potential consequences if such data is not provided. The same is stipulated in Article 13 of the GDPR.

The GDPR also advises the use of short language with standardised iconography to aid prompt understanding of the intended data processing and to reduce the inefficiency of long and convoluted privacy warnings.

The GDPR further increases the protection of personal health data access rights. Healthcare organisations now have a shorter (30-day) timeframe to respond to patient access requests than they did previously (40 days).

The GDPR introduces the responsibility of Data Protection Impact Assessment (DPIA) to improve transparency between patients and healthcare service providers. Before processing sensitive health information, data controllers must conduct a DPIA to identify potential risks of data processing and discover means to mitigate them.

To increase openness, the GDPR includes cybersecurity provisions. The general idea of honesty and confidentiality is stated in Article 5 of the GDPR. Articles 33 and 34 make it mandatory for the Data Controllers to notify the supervisory authority within 72 hours of a data breach, and they must also notify patients if the data breach becomes a severe threat.

The stringent standards set by GDPR are unprecedented, and will necessitate the highest level of compliance from corporate bodies functioning in the EU and various countries, including India, in order to conduct business with EU countries.


In the judgment of Justice K.S. Puttaswamy (Retd.) & Anr v Union of India, (2017) 10 SCC 1, the Supreme Court ruled that the Right to Privacy is a fundamental right guaranteed by the Constitution of India. Following that, a Committee chaired by Justice BN Srikrishna presented a draft Personal Data Protection Bill, 2019 (the Bill).

The Bill is the first of its type to create a statutory framework for data protection in India by conferring several rights on the owners of personal data. The Bill was drafted in large part in accordance with GDPR. It has also established requirements for the companies and institutions that would manage or process such information.

The categories of sensitive personal data include health data, sexual orientation, biometric data, genetic data, transgender status, intersex status, and so on. This is in contrast to international data protection rules, which have given sensitive personal data a considerably narrower scope. This would imply that, in comparison to GDPR, foreign corporations or MNCs would be required to comply with the Bill to a greater extent.

The foregoing may make it more difficult to do business in India; however, it is a positive step towards protecting the privacy of the sensitive information provided by the patients. Furthermore, certain GDPR provisions have been incorporated into this Bill, including limits on data collection, use, and storage, meaningful notice, openness, and, most importantly, the necessity to be able to “show accountability.”

Significantly, any violation of the provisions will subject the Data Fiduciary or Data Processor to a penalty that is equal to or greater than that imposed by GDPR, namely, a fine ranging from Rs. 5 crore to Rs. 15 crore, or 2% to 4% of the preceding financial year’s total worldwide turnover, whichever is higher.

As a result, substantial costs may be incurred, forcing enterprises to ensure that personal data such as electronic health information is kept private. There are many grey areas in the law that will need to be addressed through consultation with various parties.

However, it is a positive step toward safeguarding people’s rights to their personal information. This law will undoubtedly be a watershed moment in India’s legislative history, and it will be fascinating to follow its progress through the legislative process, since it will elevate data protection to a whole new level.


While there are still roadblocks in the way of EHR interoperability, the public-health benefits of effective patient data sharing are apparent. Aggregated patient data can help hospitals respond more quickly to pandemics, streamline research, and deliver more efficient and effective treatment.

With the pandemic pressuring healthcare stakeholders to make patient data more accessible, large-scale aggregated EHR data may one day be readily available to aid public health efforts.

At the same time, the usage and sharing of such data raises serious privacy concerns, necessitating the implementation of controls to protect and secure patient data. As we move toward a future with more easily accessible healthcare data, it will be critical to strike a balance that maximises the data’s public-health advantages while still respecting individuals’ privacy rights.

Security comes at a cost, and it’s not just a technological expense, but also a cost of opportunity and education. However, the costs of not implementing comprehensive security strategies are frequently much higher.

The Government of India and the Indian health-care industry are well aware of the numerous advantages of installing EHR systems. As a result, they are devoted to mass adoption of these technologies. For this, India can learn from worldwide best practices in EHR implementation and tailor them to the country’s needs.

-Team AMLEGALS assisted by Ms. Unnati Jain (Intern)
