The Legal Journal On Technology

BIG DATA IN DIGITAL HEALTHCARE: AN OUTLOOK ON DIGITAL INFORMATION SECURITY IN HEALTHCARE ACT

This Article has been written by Yashita Bharadwaj of Nirma Institute of Law


INTRODUCTION

Data breaches and cyber security problems have become very common in the healthcare industry, and every now and then we come across another data breach in the sector. Recently, hackers broke into a leading India-based healthcare website, stealing the records of 68 lakh patients and doctors[1]. All health-related information is sensitive and confidential in nature, because if it is leaked or exposed it can cause huge problems, which can lead to discrimination and violence in society. Information regarding sexual orientation, physical and mental conditions, abortions and HIV is highly confidential, and once such data is leaked any unauthorized person can use it against the person concerned for his/her own personal gain. Digital health is growing in India at a fast pace. As of now, there are about 2,975 start-ups for digital healthcare solutions in India, and the number is increasing every year[2]. As digital health becomes more accessible in India and millions of digital health records are generated along with it, we should also prioritize the issue of data safety and security. Currently, the provisions of the Information Technology Act, 2000, read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, govern e-health in India. These laws provide some degree of protection to sensitive personal data, which usually covers medical records and history. Still, various concerns are not addressed by them. To solve these issues, in 2017 the Ministry of Health and Family Welfare proposed a draft of the Digital Information Security in Healthcare Act[3]. If this Act comes into force, it will bring progressive reform to the digital healthcare industry. So, let us discuss the key features of this Act and how it is helpful in digital healthcare.

WHAT IS THE NEED FOR A DIGITAL SECURITY ACT IN INDIA?

The duty of data security and privacy lies with the person who holds the data. In India, if data is leaked, the person who collects the data is penalised. As per the Indian Medical Council Regulations, 2002[4], doctors are supposed to maintain confidentiality regarding the personal or medical life of their patients. However, this law does not outline the limits for accessing patients' information, and it does not cover online personal data related to a patient's identity, which is of utmost importance in this digital world. A data security law is needed in the health sector to prevent healthcare providers from sharing any piece of data related to a patient's identity or health status. The objective of this Act is to enforce privacy and security measures to protect digital health data, to regulate the storage of digital data and to establish national and state level health authorities for better functioning. The Act secures digital health data[5], personally identifiable information[6] and sensitive health-related information[7].

RIGHTS OF THE OWNER

The Digital Information Security in Healthcare Act (DISHA) gives various rights to the owners of data. Under this Act it is very hard to transmit data without due permission from the owner concerned. Apart from the right to confidentiality and privacy, every owner under this Act has the right to give, refuse or withdraw consent for the storage and transmission of digital health data. So, if a patient refuses to have his/her data stored or transmitted, healthcare providers are obligated not to store or transmit that information unless and until the patient gives consent. Owners also have the right to refuse consent to the access or disclosure of their digital health data, personally identifiable information or any sensitive health-related information. If, under the law or any other medical requirement, it is essential to share data with other entities, the owners have the right to know which clinical establishments or entities have, or may have, access to their personal as well as medical data.

WHO IS THE OWNER OF DIGITAL HEALTH DATA?

Digital health data that is collected and stored is owned by the person whose health data has been digitalized. Only this person holds the title of ownership for that data. Every hospital, clinic or health information exchange holds such data in trust for the owners. Anyone who is the custodian of digital health data is bound to maintain the confidentiality of the information in his/her custody. Although the owner of the digital health data is the patient, the medium of data storage and transmission is owned by the clinical establishment or health information exchange.

OFFENCES COVERED UNDER THIS ACT

This Act explicitly distinguishes between a breach of data and a serious breach of data. A breach occurs when any person destroys, damages, deletes or tampers with digital health data, or when a clinical establishment collects or transmits data in infringement of the owner's rights under this Act. A serious breach, on the other hand, involves a person who intentionally, dishonestly or fraudulently commits a breach of digital health data or uses the information for commercial purposes or gain. Illegally obtaining unauthorized data and data theft occur when a person steals information stored on a computer, device or server in order to breach privacy or gain confidential information; that person is also an offender under this Act.

DUTIES OF HEALTHCARE ORGANIZATIONS UNDER DISHA

Healthcare providers are bound to inform the owner before collecting any information related to him/her. The owner should also be told why the information is being collected and who can access it. It is the duty of healthcare providers to collect and store data as per the National Electronic Health Authority. If any data is shared with or transferred to a health information exchange or another healthcare provider, this should be done in encrypted form, to protect the data from being leaked while it moves from one entity to the other. This Act only helps to protect digital health data; the ultimate work is done by security measures and techniques. So, to keep data safe and secure, it is the duty of the data collector to have the best software and techniques to secure data from cyber breaches and leakages. Since digital health and cybercrime are both increasing day by day, and there are now millions of different ways in which one can commit a cyber breach or theft, healthcare organizations have to provide regular training to their personnel so that they can keep pace with the security guidelines mentioned in data protection laws.

LIMITATIONS OF THE ACT

Overall, this draft of the Digital Information Security in Healthcare Act includes all the criteria for securing the digital health data of any patient, but some provisions need to be reassessed. Although the stringent provisions of this Act will secure personal as well as medical data, they will cause a huge problem for the insurance and pharmaceutical industries. The Act appears to be a constraint on the clinical research activities of pharmaceutical companies, as it will now be difficult to gather health-related data from clinical establishments. Another limitation is that the Act does not define which instances of non-compliance amount to a breach or a serious breach. Although health data is extremely sensitive and should be kept confidential, the Act has no provision relating to physical data. Section 28(3) talks about the owner's right to withdraw information related to him/her, but the Act does not mention how the data will be removed from the devices and servers of healthcare providers. Last but not least, consider a clinical establishment in one part of the country that transfers data to a Health Information Exchange, after which another clinical establishment requests the same information from a different Health Information Exchange. It is unclear how the digital health data would flow between these exchanges: whether clinical establishments have to register themselves with, and transfer data to, every Health Information Exchange in order to avoid confusion, or whether there will be internal communication channels between clinical establishments and the information exchanges. The draft is ambiguous on such logistical issues.

CONCLUSION

All citizens have a fundamental right to privacy under the Indian Constitution, and the Hon'ble Supreme Court, in recent cases like Justice K.S. Puttaswamy (Retd.) v. Union of India and Ors., held that the right to privacy is an essential part of the right to life and personal liberty. The Digital Information Security in Healthcare Act explicitly sets out the rights of the owners of health data. Although the Act covers many provisions, it would be helpful if DISHA became more holistic in nature. Patient data security is at the core of this Act, but many problems remain unaddressed. For example, it will be difficult for healthcare companies and establishments to access data for research and development purposes. Though interoperability is a concern in some areas, it is still one of the crucial aspects covered under this Act. This Act will bring enormous changes to the digital healthcare industry and will make digital healthcare more secure and confidential. All the concerns related to privacy in digital healthcare will be minimized once this Act comes into effect.



[1] "Hackers Attack Indian Healthcare website, steal 68 lakh records", The Economic Times (22 August 2019), https://ciso.economictimes.indiatimes.com/news/hackers-attack-indian-healthcare-website-steal-68-lakh-records/70782910

[2] McKinsey and Company, Pharmaceutical and Medical Products Practice, "India Pharma 2020 Propelling access and acceptance, realising true potential", https://www.mckinsey.com/~/media/mckinsey/dotcom/client_service/Pharma%20and%20Medical%20Products/PMP%20NEW/PDFs/778886_India_Pharma_2020_Propelling_Access_and_Acceptance_Realising_True_Potential.ashx

[3] Ministry of Health and Family Welfare, Government of India, Draft on Digital Information Security in Healthcare Act (November 2017), https://www.nhp.gov.in/NHPfiles/R_4179_1521627488625_0.pdf

[4] Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, ¶2.2, Appendix 1 (amended up to 8th October 2016), https://www.mciindia.org/documents/rulesAndRegulations/Ethics%20Regulations-2002.pdf

[5] Section 3(1)(e), Draft on Digital Information Security in Healthcare Act.

[6] Section 3(1)(k), Draft of Digital Information Security in Healthcare Act.

[7] Section 3(1)(o), Draft of Digital Information Security in Healthcare Act.
