Are your Medical Records and Health Information Safe? Understanding Privacy in Healthcare
Following the heels of the announcement of the ‘Janta Curfew’ in India to battle the COVID-19 pandemic, the Ministry of Health and Family Welfare, Government of India (“Government”) released the ‘Telemedicine Practice Guidelines’[i] on March 25, 2020 (“Guidelines”). It provides broad guidelines to medical practitioners/doctors (used interchangeably) regarding the manner in which patients can be advised treatment by doctors over the internet through messaging and texting applications, audio calling services, video chat services and asynchronous applications (such as emails and recordings).[ii]
In order to provide healthcare services effectively, doctors are required to collect, process and store personal and sensitive personal data of patients. This includes identifiers such as, inter alia, name, age, address, email ID, phone number, medical history, prescriptions, health conditions etc. In fact, as per the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 (“IMC Regulations”), medical practitioners are required to store medical records (which constitutes sensitive personal data) pertaining to their patients for a period of 3 (three) years.[iii] Further, there is an obligation to maintain secrecy regarding any patient data, including details pertaining to personal and domestic life, which is entrusted to them.[iv] If any request is made for medical records by the patient or authorised legal personnel, the medical practitioner is required to make such records available within a period of 72 hours.[v]
The Guidelines state that all medical practitioners are required to protect patient privacy and confidentiality as per the IMC Regulations, the Information Technology Act, 2000 (“IT Act”),[vi] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”)[vii] and other applicable data protection laws as notified by the Government.
Analysis of Applicable Privacy Laws
Interestingly, however, the SPDI Rules, which govern the collection, processing and storage of sensitive personal data such as medical records, are only applicable to a body corporate.[viii] As per Section 43-A of the IT Act, a body corporate has been defined as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”.[ix] Therefore, a medical practitioner collecting and processing medical records will not constitute a ‘body corporate’.[x] Accordingly, the protections provided under the SPDI Rules will not apply to the medical records of the patient who seeks treatment from a medical practitioner through telemedicine.
The Electronic Health Record Standards 2016 (“EHR Standards”) is the other key guideline that is applicable to the protection of medical records. It provides for the adoption of certain baseline security standards such as ISO/TS 14441:2013 Health Informatics – Security & Privacy Requirements of EHR Systems for Use in Conformity Assessment; ISO 27799 Health informatics – Information Security Management in Health using ISO/IEC 27002; ISO 22600:2014 Health informatics – Privilege Management and Access Control (Part 1 through 3); ISO 27789:2013 Health informatics – Audit Trails for Electronic Health Records; and ISO 17090 Health informatics – Public Key Infrastructure (Part 1 through 5). However, the devil, regarding the applicability of the EHR Standards, is in the details. The EHR Standards has been issued under Section 52 of the Clinical Establishments (Registration and Regulation) Act, 2010 (“CE Act”)[xi] read with Rule 9(iv) of the Clinical Establishments (Central Government) Rules, 2012 (“CE Rules”).[xii] This provision provides in relevant part that, “clinical establishments shall maintain or provide Electronic Medical Records or Electronic Health Records of every patient as may be determined and issued by the Central Government …”.[xiii] Consequently, the EHR Standards are only applicable to clinical establishments.
A clinical establishment, as per the CE Act, has been defined as
“(i) a hospital, maternity home, nursing home, dispensary, clinic, sanatorium or an institution by whatever name called that offers services, facilities requiring diagnosis, treatment or care for illness, injury, deformity, abnormality or pregnancy in any recognised system of medicine established and administered or maintained by any person or body of persons, whether incorporated or not; or (ii) a place established as an independent entity or part of an establishment referred to in sub-clause (i), in connection with the diagnosis or treatment of diseases where pathological, bacteriological, genetic, radiological, chemical, biological investigations or other diagnostic or investigative services with the aid of laboratory or other medical equipment, are usually carried on, established and administered or maintained by any person or body of persons, whether incorporated or not, and shall include a clinical establishment owned, controlled or managed by—
(a) the Government or a department of the Government;
(b) a trust, whether public or private;
(c) a corporation (including a society) registered under a Central, Provincial or State Act, whether or not owned by the Government;
(d) a local authority; and
(e) a single doctor,
but does not include the clinical establishments owned, controlled or managed by the Armed Forces.”[xiv]
Accordingly, a single doctor will qualify to be a ‘clinical establishment’ if they own, control or manage an institution or clinic that offers treatment or care services for illness. In Sameer Kumar v. State of Uttar Pradesh through Principal Secretary Medical Health Department and Others (“Sameer Kumar”),[xv] the Allahabad High Court observed that as per Section 2 of the CE Act, “every medical professional whether working individually or through nursing homes, hospitals, medical universities … is obliged to follow provisions contained in the Act.”[xvi] The reading of the CE Act in Sameer Kumar seems to have extended the scope of the definition to include medical practitioners working individually as well. Consequently, even if a single doctor operates on her own without owning or being attached to such an institution, such doctor will be required to adhere to the requirements of the EHR Standards which have been prescribed under the CE Act.
However, as per Entry 6, List II of the Seventh Schedule of the Constitution of India, ‘Health’ is a state subject and states have the flexibility to adopt and implement (or elect not to adopt and implement) the CE Act as per their discretion. As on date, as per the operational guidelines for CE Act, sixteen states/UTs including Assam, Arunachal Pradesh, Himachal Pradesh, Rajasthan, Jharkhand, Mizoram, Uttar Pradesh and Uttarakhand, Sikkim, Pondicherry, Chandigarh and Bihar have adopted the CE Act.[xvii] Several states such as West Bengal, Delhi and Maharashtra have implemented or proposed their own legislation, and certain states such as Kerala, Gujarat and Goa have neither enacted their own legislation nor have they adopted the CE Act.[xviii]
It should be noted that even if a state adopts and implements the CE Act (or some similar version thereof), the centre cannot compel the state to implement the rules or standards which have been issued thereunder.[xix] Therefore, it is quite likely that a number of patients who opt for telemedicine consultation may not have any legal protection afforded to their medical records and health information on the basis of whether the state in which their doctor is situated has adopted and implemented the CE Act and rules thereunder.
The Consent Conundrum
Interestingly, while the Guidelines specify that patient consent is necessary for any telemedicine consultation,[xx] it does not mandate the collection of patient consent for the processing, storage and transfer of the patient’s medical records and health information.
The Privacy Judgment (as defined below) relied on the observation of the Supreme Court of Canada in Her Majesty, The Queen v. Brandon Roy Dyment,[xxi]wherein Justice La Forest observed that “the use of a person’s body without his consent to obtain information about him, invades an area of personal privacy essential to the maintenance of his human dignity.”[xxii]
Fundamental Right to Privacy
The Supreme Court of India (“SC”) in its judgment in Justice K.S. Puttaswamy (Retd.) and Anr.v.Union of India and Ors.[xxiii] dated August 24, 2017 (“Privacy Judgment”), held that a fundamental right to information privacy was guaranteed by the Constitution of India.
The Privacy Judgment referred to the observation of the Constitutional Court of South Africa in NM and Others v. Smith and Others[xxiv] wherein it was held that,
“Private and confidential medical information contains highly sensitive and personal information about individuals.… The lack of respect for private medical information and its subsequent disclosure may result in fear jeopardizing an individual’s right to make certain fundamental choices that he/she has a right to make. There is, therefore, a strong privacy interest in maintaining confidentiality.”[xxv]
The SC in the Privacy Judgment held that “An unauthorized parting of the medical records of an individual which have been furnished to a hospital will amount to an invasion of privacy.”[xxvi]
Additionally, in the Aadhaar Judgment,[xxvii] the SC relied on the Privacy Judgment’s enumeration of data protection principles like data minimization, purpose limitation, and storage limitation to strike or read down provisions of law permitting the collection or storage of certain types of personal information.[xxviii]
Further, pursuant to the Privacy Judgment, the Government of India is proposing to enact a comprehensive general data protection law. A draft Personal Data Protection Bill, 2019 (“PDP Bill”)[xxix] is currently being reviewed by a joint parliamentary committee.
As per the statistics released in a recent report by Greenbone Sustainable Resilience, a German cybersecurity firm, the health data of over 120 million Indian patients is freely available on the internet.[xxx] Medical and healthcare information has the potential to cause harm in a variety of ways. It is possible to fraudulently obtain medical services, healthcare devices, and prescription medications using medical data,[xxxi] and claim insurance amount.[xxxii] This information may be used to extort money from patients,[xxxiii] sold to interested third parties such as medical research organizations and insurance companies, without the consent or knowledge of the patient.[xxxiv] Further, medical information can be used to deny employment and cause social ostracization.
The Way Ahead
In order to ensure that the letter and spirit of the Privacy Judgment is adopted for the protection of the medical records and history of millions of patients in India, the Government should include privacy-enhancing practices into the Guidelines. While enlisting the full gamut of measures that the Government ought to incorporate into the Guidelines is beyond the scope of this article, certain basic requirements have been outlined.
The Guidelines should incorporate the principles of purpose specification, collection limitation, data minimization and storage limitation. Further, the Guidelines should mandate the collection of explicit consent of the patient for the collection, handling, processing and storage of all personal and sensitive personal data. Furthermore, baseline security standards as mentioned in the EHR Standards should be reviewed and the latest security standards should be incorporated into the Guidelines. The medium for communication has the potential to compromise the security and confidentiality of medical records and health information. Accordingly, interactions between the medical practitioner and patient should only take place over applications and mediums that have robust security and encryption systems to protect privacy. Accordingly, platforms which do not meet this threshold such as SMS, unsecured messaging and calling applications, unsecured emails etc. should not be permitted to be used for the purposes of telemedicine.[xxxv]
The rise in virtual consultations should not come at the cost of patient privacy. While the PDP Bill endeavours to provide baseline protections for personal and sensitive personal data, it is not clear when it will be passed by the parliament. In the interim, the Government should embrace this opportunity to improve the privacy protection afforded to medical and health information to bring it in line with global best practices.
[i]Telemedicine Practice Guidelines, Indian Medical Council (Professional Conduct, Etiquette and Ethics Regulation, 2002, Appendix 5, Mar 25, 2020, available at https://www.mohfw.gov.in/pdf/Telemedicine.pdf.
Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, Regulation 1.3.1.
[iv]Id., at Regulation 2.2 and Regulation 7.14.
[v]Id, at Regulation 1.3.2.
[vi] The Information Technology Act, 2000.
[vii]Id., Section 43A.
[viii]Id., at Section 43A, Explanation (I).
[x]Asheeta Regidi, DISHA and the draft Personal Data Protection Bill, 2018: Looking at the future of governance of health data in India, IKIGAI LAW, Feb. 25, 2019, https://www.ikigailaw.com/disha-and-the-draft-personal-data-protection-bill-2018-looking-at-the-future-of-governance-of-health-data-in-india/.
[xi] The Clinical Establishments (Registration And Regulation) Act, 2010, Section 52.
[xii] The Clinical Establishments (Central Government) Rules, 2012, Rule 9(iv).
[xiv] CE Act, 2010, Section 2(c).
[xv] Sameer Kumar v. State of Uttar Pradesh through Principal Secretary Medical Health Department and Others, 2014 SCC OnLine All 14605.
[xvi]Id., at para 19.
[xvii]Operational Guidelines For Clinical Establishments Act, 2017, http://clinicalestablishments.gov.in/WriteReadData/2591.pdf
[xx] Telemedicine Practice Guidelines, 2020, Guideline 3.4.
[xxi] Her Majesty, The Queen v. Brandon Roy Dyment, (1988) 2 SCR 417 (1988).
[xxiii] Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors,(2017) 10 SCC 1.
[xxiv] NM and Others v. Smith and Others,2007 (5) SA 250 (CC).
[xxvi] Justice K.S. Puttaswamy (Retd.) and Anr. V. Union of India and Ors,(2017) 10 SCC 1 at para 312.
[xxvii] Justice Puttaswamy (Retd.) and Anr. v. Union of India and Ors., (2019) 1 SCC 1.
[xxix] The Personal Data Protection Bill, 2019.
[xxx] Gautam S. Mengle, Maharashtra tops list of States hit by global medical data leak, The Hindu, Feb. 05, 2020,https://www.thehindu.com/news/national/other-states/maharashtra-tops-list-of-states-hit-by-global-medical-data-leak/article30737743.ece.
[xxxi]MIFA Shares Industry Wisdom on Medical Identity Theft and Fraud, HIPPA JOURNAL, Nov. 03, 2016, https://www.hipaajournal.com/mifa-shares-industry-wisdom-on-medical-identity-theft-and-fraud-3657/.
[xxxii]Hackers are stealing personal medical data to impersonate your doctor, THE NEXT WEB, Jun. 11, 2019, https://thenextweb.com/security/2019/06/11/hackers-are-stealing-personal-medical-data-to-impersonate-your-doctor/.
[xxxiii]First Half of 2019 Sees 31.6 Million Healthcare Records Breached, HIPPA JOURNAL , Aug 2, 2019, https://www.hipaajournal.com/first-half-of-2019-sees-31-million-healthcare-records-breached/.
[xxxv] See generally, David F. Katz & Caitlin Amick, As Telehealth Services Expand, Beware of Data Protection and Cybersecurity Challenges, Lexology,https://www.lexology.com/library/detail.aspx?g=6277c93b-eba1-4fab-94ad-9b795f7d50de; see also Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency, Mar. 17, 2020, https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.
Authored by Samraat Basu, a Bengaluru-based Technology and Data Protection Lawyer. He was assisted by Soumya Tiwari, a 3rd year student at the Rajiv Gandhi National University of Law.