COVID-19 outbreak has been a massive catalyst of sorts for telehealth in the country. Although it came to prominence in unfortunate circumstances, for a country like India with large swathes of remote and nearly-inaccessible terrain, as well as a large part of the hinterland remaining outside the ambit and reach of regular physical healthcare personnel and services, this has been a much-needed impetus. Particularly for millions of people in the country whose health conditions have been compromised for decades merely due to lack of access to quality professional services and infrastructure, the recent technology-driven push has been nothing short of lifesaving.
Yet, the take off of telehealth in the country has not been without its share of challenges, something which is inherent in any project of this magnitude. And data security and privacy are among the challenges that happen to be at top of the heap. Notably, in a recent instance, the Kerala High Court had to issue directives for protecting the privacy of data of COVID-19 patients, making it incumbent on the state government to anonymise the data before sharing it with a third party.
Private health information outvalues financial data
The ongoing digitisation of the health ecosystem is riddled with a welter of technical, regulatory, logistical and moral concerns. Some of those concerns could be: interoperability of data, integrity of digital platforms and apps, uniformity of EHRs (electronic health record), ambiguities and vulnerabilities around software compliance with data security norms, less-than-friendly user interfaces, presence of mass of untrained and undertrained healthcare personnel and patients, and inadequate foundational IT infrastructure. Of these, security of data and patient privacy has been one of the leading concerns. Remember, the Interpol had issued a purple notice in April last year on a possible cyber attack on critical healthcare institutions. In fact, there have been assertions made in some quarters that the private health information (PHI) outvalues even financial data or other personal information on the black market.
How the govt has sought to provide for health data security
Although the IT Act 2000 and Information Technology Rules 2011 have laid down that medical records and history as well as physical, psychological and mental health conditions constitute a component of ‘sensitive personal data or information’ (SPDI), these were obviously not enough. In 2018, the ministry of health and family welfare had come up with a comprehensive Digital information Security in Healthcare Act (DISHA) with a view to establish National Digital Health Authority and Health Information Exchanges. The Act had stringent provisions for data safety and privacy, barring the use, access or disclosure of data for any commercial purpose whatsoever, except for processing insurance claims by insurance companies. Then, the Personal Data Protection Bill (PDP), 2019, under section 3(36), has provided that the ‘health data’ of an individual constitutes ‘sensitive personal data’. Furthermore, the 2020 telemedicine guidelines have made the registered medical practitioner (RMP)/healthcare service provider largely responsible for the protection and privacy of data. Most recently, as part of the colossal Digital Health Mission, the government has sought to assure people of protecting patient data and privacy through a draft health data management policy. This has been approved by the health ministry after a due public consultation exercise. In this, the government has clearly defined several terms related with data protection such as personal data, personal data identifier (PHI), data principal, sensitive personal data, data fiduciary, consent manager, health information provider, and health information user among others while laying out a method of obtaining consent and securing the rights of data principals. With safeguards, the draft has stipulated that only a prior informed consent through designate consent managers would permit data fiduciaries to access data even as the ownership and control would remain with data principals.
What more could govt do
Yet, there are issues in most of these laws and rules that need to be addressed. For instance, on the most recent draft health data management policy, experts have pointed out drawbacks, ranging from allowing Aadhaar to be used for creation of health Id to excessive collection of personal data and leaving scope for data re-identification through allowing the sharing of anonymised and de-identified data. Similarly, there are seemingly different positions enunciated by DISHA and the PDP Bill. While DISHA takes a more rigorous view of individual’s control and therefore privacy of data in general and specifically in terms of non-consent based processing of data, PDP has a somewhat more lenient approach. DISHA requires consent at every stage of data use unlike the PDP. This impacts the health supervision of patients needing to use wearable technologies. Another difference has been that DISHA takes a more restrictive view of even the government using of an individual’s data, unlike the PDP Bill. So now that telehealth has been in a mode of ascendancy like never before, the authorities need to resolve these divergences through a comprehensive health data protection law. The sooner the PDP Bill becomes an Act and is enforced, the better.
In sum, data security and privacy remains an overriding concern in the field of telehealth. Just as the government has been pretty focused on the issue, the private telehealth players must become a partner of the government in maintaining highest standards of patient data security and privacy.
Vikram Thaploo, CEO, Apollo TeleHealth