Data PrivacyPrivacy v. Public Health- A Reassessment of Centralized Digital Health Data

September 28, 20220


Access to healthcare services at the primary, secondary, and tertiary levels has become critical in today’s world. Governments across the globe are investing in establishing health data infrastructures and regulatory rules to facilitate data access and usage.

These policy measures would be critical in improving care, coordination and delivery, as well as discovering new ways to make systems more productive and sustainable.

Digitization of health records in public health facilities and its quick access in the form of electronic records anywhere, at any time is yet to be adopted in developing countries such as India and others. The Government is now focusing more on establishing a stable and sustainable healthcare model that is capable of alleviating the burden of the disease.

Digital technology is enabling and propelling the healthcare sector towards its objectives. Innovative digitization can be utilised to create an integrated health ecosystem that places healthcare seekers at the centre of the system and provides them with high-quality, cost-effective healthcare solutions.

The Government in India is firmly committed to empowering the healthcare landscape. India’s Prime Minister Shri Narendra Modi inaugurated the revolutionary ‘National Digital Health Mission’ (hereinafter referred to as “NDHM”) in August 2020, with the goal of creating an “open digital health ecosystem” in the country.

The goal is to build a shared digital infrastructure that both public and commercial organisations may use to collaborate and provide future-ready healthcare services.


In September 2013, the Ministry of Health and Family Welfare (hereinafter referred to as “MoHFW”) published the Electronic Health Record (hereinafter referred to as “EHR”) Standards for India. An EHR is a collection of medical records created during any clinical interaction or occurrence.

The set of standards provided for EHR in India were picked amongst the finest available and widely used standards applicable to EHR from around the world, with consideration given to their acceptability and applicability in India.

With the rise of self-care and homecare devices and systems, valuable healthcare data is now created 24 hours a day, 7 days a week, and has long-term clinical importance. To manage patient data in electronic format, some secondary and tertiary care facilities have begun implementing healthcare Information Technology (hereinafter referred to as “IT”) applications such as Hospital Information System (hereinafter referred to as “HIS”), Hospital Management Information System (hereinafter referred to as “HMIS”), Electronic Medical Records (hereinafter referred to as “EMR”), and so on.


According to the NDHM, health data can be categorized as follows:

  • Personal Health Data

Personal Health Data is the detailed information on an individual’s health issues and treatments undergone. It comprises any data including personally identifiable information about different stakeholders, such as healthcare professionals; and

  • Non-personal Health Data

Non- personal Health Data consists of the aggregated health data such as the number of dengue cases as well as anonymized health data in which all personally identifiable information has been removed.

The Non-personal Health Data will also include non-personally identifiable information regarding health care facilities, medications, etc.

Additionally, the Government has developed a comprehensive Health Data Management Policy with the goal of protecting citizens’ health data.

Currently, under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (hereinafter referred to as “IT Rules”), a patient’s personal information, including health information, is treated as Sensitive Personal Data or Information (hereinafter referred to as “SPDI”) and is afforded greater protection than personal data.


The main objective of the HIS of any hospital is to keep the data of the patients secure while respecting the privacy rights of patients and their caregivers. While records are preserved electronically using EHR it is to be shared across numerous healthcare professionals at different levels of the healthcare systems. The chances of a breach in a patient’s privacy and confidentiality increases, posing a threat to a healthcare institution.

Since the medical records contain sensitive information about the patient, breaches in privacy and confidentiality may also result in defamation, discrimination, and stressful situations for the patient and caregivers. Thus, the health record system in India must adhere to the Privacy and Security Standards.

The Privacy and Security Standards are inextricably intertwined. Any health record system must include safeguards to ensure that data is available when needed and that information is not inappropriately utilised, disclosed, accessed, altered, or destroyed while being stored, retrieved, or transferred.

The Security Standards collaborate with the Privacy Standards to implement appropriate controls and safeguards. Entities in the health sector that are obligated to follow the Privacy Standards must also follow the Security Standards.

Individual healthcare providers make business decisions about how they will meet security needs and which technologies they will utilise. While implementing security measures, the organisations must consider a number of aspects such as:

  1. The size, complexity, and capabilities of the organisation;
  2. Technical infrastructure of the Organisation i.e. hardware, and software security capabilities;
  3. The cost of specific security measures; and
  4. The probability and degree of potential risks to the Electronic Public Health Information (hereinafter referred to as “ePHI”) which stores, retrieves, and transmits the data.


Data Privacy issues may occur while dealing with the SPDI and the service providers must guarantee that the requirements of a body corporate are met in accordance with the SPDI Rules.

When an organisation collects, stores, transfers, or processes the SPDI, the Rules require that specific conditions governing SPDI collection, storage, and transfer be met.

Consent is required for the collection of the SPDI via letter, fax or email. Furthermore, the patient must be notified that his/her SPDI is being collected, what it will be used for, who will get the data, and whether the data will be shared to any third parties, as well as the contact information for the agency collecting the information.

Moreover, the service provider must have a privacy policy in place. The service providers must guarantee suitable data security and management strategies and processes are in place. In case the SPDI is to be released to a third party, the owner’s consent must be acquired first.

In circumstances when the SPDI is transferred, the organisation transferring the SPDI must guarantee that the recipient of the SPDI has acceptable security policies in place, in addition to getting the consent for transfer from the supplier of the information.

The SPDI Rules require the installation of acceptable security standards and processes to keep the SPDI secure in an organisation. An organisation under the SPDI Rules should appoint a grievance officer, whose contact information is to be disclosed on the website. Apart from this, other needs include allowing users to remove or modify their SPDI.

However, organisations that collect, store, process, or transfer information as part of a contractual duty are exempt from some of the requirements laid down in the Rules such as getting authorization from the owner of the SPDI before collecting or disclosing such SPDI. The other standards, however, must still be met.

There are no dedicated data protection laws in India; however, certain provisions of the Information Technology Act 2000 (hereinafter referred to as “IT Act”) and the  IT Rules deal with the protection of personal information and sensitive personal data including health data.

Offenses under the IT Act are punishable by both imprisonment and fines. Furthermore, any irresponsible disclosure of personal information may give rise to a compensation claim. If the disclosure is linked with criminal intent, it may result in imprisonment for up to three years, a fine of up to Rs. 5,00,000, or both.


When it comes to keeping and managing treatment and plans, digitalizing health records benefits both patients and institutions. The process of digitising health records begins with gathering and recording patient information at several data collection locations.

Hospital front desks, clinics, diagnostic centres, and healthcare gadgets that generate patient-specific data can all serve as data gathering points. These data are stored at the collection points’ data storage repositories for further processing and future usage.

The risk connected with data is increasing as data repositories expand and technology advances. With digital health data, care must be taken to secure data security while also protecting the patient’s privacy and confidentiality.. While transferring health records across all health care providers for treatments, it is critical to ensure secure transfer of interoperable health records.

Given the quick pace at which healthcare is becoming digitised, and the increasing volume of health-related sensitive data being shared between persons and the digital technology platforms, it is imperative that a law for data protection is enacted with issues related to health data.

The Digital Health Management Policy is a watershed moment in the medical business, enabling for better data management and individual access to better medical care.

-Team AMLEGALS, assisted by Ms. Devanshi Jain (Intern)

For any queries or feedback, please feel free to get in touch with or

Leave a Reply

Your email address will not be published. Required fields are marked *

Current day month ye@r *

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.