INTRODUCTION
We previously covered the general requirements and implications of data privacy practices in the healthcare sector in https://amlegals.com/data-privacy-in-the-healthcare-sector/. However, after the passing of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDPA”), it has become pertinent to examine how the enacted data privacy law applies to the sector and how hospitals and healthcare entities can ensure compliance with its provisions.
With regard to data privacy in healthcare, the DPDPA aims to protect the privacy rights of individuals by implementing strict provisions on the collection, storage, and sharing of the sensitive personal data of patients. In today’s fast-adapting digital era, the use of personal data in the healthcare sector has become prominent.
The Government is also investing heavily in creating health data infrastructure, and in provisions to regulate it, at various levels of the healthcare system, i.e., primary, secondary, and tertiary. These policies can help ensure that the data is accessible, usable, and secure, while also protecting the privacy and rights of individuals.
The Government is now focussing more on the role of digital technology in the healthcare ecosystem by necessitating changes such as increased disclosure of information, interconnectivity, digitalized prescriptions, and systemized claim management. It is in this environment that India has finally passed the DPDPA, which would undoubtedly be a remarkable step and ensure the implementation of essential data protection safeguards in the healthcare sector.
KEY STAKEHOLDERS
1. Healthcare Service Providers
Healthcare service providers, such as independent practitioners, hospitals and hospice institutions, are the primary and most visible players in the healthcare ecosystem. They directly interact with patients and provide a variety of services, including diagnosis, treatment, and preventive care. There are many other types of healthcare providers, including private and Government hospitals, home care providers, diagnostics, etc. Each type of provider offers a different quality and type of care at varying costs and, for that purpose, collects and processes varying types of personal and sensitive data.
2. Pharmaceuticals
The pharmaceutical industry is a complex and interconnected network of companies that work together to bring medicines to patients. Pharmaceutical companies are responsible for developing and manufacturing medicines, while suppliers and distributors ensure that these medicines are available to pharmacies and other healthcare providers. Retail pharmacies then stock and sell these medicines to patients.
Being one of the primary stakeholders of this sector, pharmaceutical companies collect, process and store a huge amount of data for medicinal and research purposes.
3. Health Insurance Providers
Health insurance providers play a major underlying role in this industry and help people access quality healthcare by pooling resources and paying for medical expenses. There are many different types of providers, each with its own advantages and disadvantages.
For the purpose of providing insurance, the insurance providers collect data from patients directly and also procure patient data from hospitals, nursing homes, healthcare facilities, pathological laboratories, etc.
4. Nursing Homes
A nursing home is essentially a residential care facility that provides long-term care for older adults, senior citizens, or disabled people who need assistance with activities of daily living (ADLs) such as bathing, dressing, eating, and toileting. Nursing homes may also provide medical care, rehabilitation services, and social activities. They may be referred to as care homes, skilled nursing facilities (SNFs), or long-term care facilities.
Nursing Homes maintain data records of the individuals who reside therein, along with their medical records and health records for the purpose of providing due care to them.
5. Post Care Rehab Centre
Post-care rehab centres provide the specialized care and support that patients need to fully recover from their conditions and transition back to their normal lives. These centres offer a variety of services, including physical therapy, occupational therapy, speech therapy, and counselling. They also work with patients to develop a personalized care plan that meets their individual needs.
Like the other stakeholders, even these centres process varied kinds of data for varied purposes.
LEGAL FRAMEWORK
The combination of digitalization and technology is making India a fast-emerging player in digital adoption. The Indian healthcare sector has been given the topmost priority in assisting advancements in diagnosis, treatment, and service delivery through advanced technology. However, until now, this sector had no proper privacy regulations governing how the personal data of patients would be stored and processed digitally.
The legislative framework governing the sector with regard to data privacy is as follows:
1. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
Personal information about patients, such as their medical history and physiological condition, is considered ‘Sensitive Personal Data or Information’ under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as “SPDI Rules”).
There is no particular law that protects the privacy of health data exclusively. For instance, the health data management policy serves as a guidance document for the entities involved in National Digital Health Mission. It establishes the minimum requirements for data privacy protection that all organizations must meet in order to comply with applicable laws, rules and regulations.
2. Electronic Health Record Standards for India, 2016
Proposed by the Ministry of Health and Family Welfare, and built on the chief principles of ‘capture data once and use many times’ and ‘move from silos to systems’, the National Digital Health Blueprint (hereinafter referred to as “NDHB”) delivers strong guidance policies for all stakeholders to engage in and contribute to strengthening health systems in India.
It proposes a federated architecture, including Electronic Health Records (hereinafter referred to as “EHR”) Standards and the provisioning of health services across multiple access channels, like call centres for support and the Digital Health India portal, for increased data sharing between healthcare providers and patients.
Additionally, the benefits include increased investment leading to economic growth, job creation and an increase in exports of newer health products and services, reduced reliance on imports of medical devices, and a much-required patient-centric approach.
All this is easier said than done, however, as there exist fundamental challenges to achieving these outcomes. The most prominent of them are a lack of healthcare infrastructure readiness, a lack of integration of standardized medical technology, a lack of minimum viable standards with reference to record management and interoperability, and the low IT budgets of hospitals for EHR implementation.
3. Bureau of Indian Standards’ 17428 Standard
The Bureau of Indian Standards (hereinafter referred to as “BIS”) is the National Standard Body of India. Its role is to develop different standardizations, markings, and quality certifications for goods and services. In June 2021, BIS introduced the IS 17428 standard, a privacy framework for data privacy assurance released as a standard format for all entities that collect and process data of individuals.
The introduction of this standard will ensure that all entities that collect and process data maintain a minimum level of data security practices in order to keep the data secure and protect the individuals who have submitted their data innocuously. The data which is to be kept must be regularized by the standard and kept safe by the entity.
4. Digital Personal Data Protection Act, 2023
The DPDPA seeks to provide individuals with greater control over their personal data and to ensure that it is processed in a fair and transparent manner. The DPDPA in India requires companies and businesses that handle personal data to develop a standard operating procedure and train their personnel to comply with certain requirements.
These requirements include cooperating with the Data Protection Officer (DPO) in case of Significant Data Fiduciaries, hiring an Independent Data Auditor, implementing a consent management mechanism, conducting data protection impact assessments, and maintaining valid contracts with data processors. The DPDPA is a comprehensive law that aims to protect the privacy of individuals in India. The requirements outlined above are just some of the key obligations that any organization processing personal data of an individual must comply with.
GREY AREAS
Section 6(4) of the DPDPA states that the Data Principal has the right to withdraw their consent to the processing of their personal data at any time. The data fiduciary must then stop processing the data unless it has another lawful basis for doing so. However, the implementation of this right can be difficult in the context of healthcare. This is because medical history is often essential for providing quality medical care.
For example, a doctor may need to know about a patient’s previous allergies in order to prescribe medication safely, and such history might date back years or decades. If a patient withdraws their consent to the processing of their medical history, this could make it difficult for the doctor to provide them with the best possible care.
Ultimately, the decision of whether or not to withdraw consent to the processing of medical history is a complex one that should be made on a case-by-case basis. It is important to strike a balance between the patient’s right to privacy and the need for good medical care.
Section 8(7) of the DPDPA states that the data fiduciary must erase personal data once the data principal withdraws their consent or if it is reasonable to assume that the specified purpose of processing the data is no longer being served. This is a principle of data minimization, which is one of the eight principles of data protection.
However, this provision could create a complication in the healthcare sector, where it is often necessary to keep patients’ personal data and medical history for a long period of time. Such data comes under the ambit of ‘patient history’ and is a pivotal part of providing optimal and accurate healthcare. The provision might therefore create unwarranted bottlenecks, owing to the complex structure of the healthcare sector.
For example, a patient may withdraw their consent for their medical records to be shared with a specific doctor, but they may still need the records to be shared with other doctors in the future. Or, a patient’s medical records may be needed for research or clinical trial for providing a new treatment.
AMLEGALS REMARKS
With the intention of ensuring healthcare data privacy, security, confidentiality and standardisation, the Government has enacted such exemplary policies and legislations. The DPDPA has been a much-awaited legislation as it deals with a universally common subject matter in modern industries across all sectors.
The need for a robust healthcare safety and privacy set-up is a matter of utmost priority. The above-stated rules and policies strongly suggest a need to increase funding by the Government and the private sector, to focus on pan-India quality of healthcare delivery through private partnership, and to address infrastructure and training gaps.
To maintain a safe and secure data environment in a healthcare organisation, the DPDPA does address the cross-border external transfer of personal data. However, a robust mechanism to address the internal sharing and transferring of the same remains unaddressed.
A few suggestions in this regard are to introduce data encryption (so that even if an unauthorized entity or person gains access to information, they will not be able to mismanage or misuse it), system monitoring apps, multi-factor authentication, and proper employee training to protect patient records, data and other vital information.
Team AMLEGALS assisted by – Ms. Jeel Pathak (Intern)