The healthcare sector is on the verge of full-scale digitalisation in many developed countries. The National Digital Health Blueprint (NDHB) was released in 2019 by the Ministry of Health and Family Welfare to digitize the healthcare ecosystem and make it interoperable. This shows that India is also taking initiatives to manage public healthcare systems more efficiently. The digitalisation of the healthcare system has led to better diagnosis, research, tracking healthcare needs of patients and so on. However, with increased efficiency, the risk of data privacy breaches and accidental disclosures of sensitive personal data also increases. In this blog, the need for health data privacy laws and the current legislative decisions on health data privacy in India would be discussed along with a summary of the existing law in the US i.e. the HIPAA.
WHAT IS HIPAA?
The laws regarding the security and privacy of health information are primarily governed by the Health Insurance Portability and Accountability Act (HIPAA) in the US. The main purpose of this act was to regulate the flow of health information. Creating a system where the privacy of a person’s health-related information is protected was a major concern since health data is accessed by many people starting from healthcare providers like hospitals, doctors, nurses, healthcare workers etc. to tertiary entities involved in healthcare such as health insurance plans, pharmaceutical companies, billing and coding companies, researchers etc.
Certain entities called “covered entities” are obligated to comply with the HIPAA rules as they are involved in the collection and transmission of healthcare data.
These entities include-
- Health plans are those which cover healthcare costs. It may include private-funded health insurance plans like Health Maintenance Organizations (HMOs), Employer-Sponsored plans, Blue Cross etc. or government-funded programs like Medicare, CHIP and Medicaid.
- Health Care Providers may include doctors, nurse practitioners, chiropractors, optometrists, dentists, psychologists, clinical social workers etc. that are involved in providing treatment.
- HealthCare Clearinghouses act as a nexus between health insurance payers and healthcare providers. Clearing houses examine medical claims and send them to insurance payers. They also process non-standard data into standard data configurations.
HIPAA protects data that is used by the above entities such as medical records and health information that can be used to identify an individual.
WHY INDIA NEEDS A HEALTH DATA PROTECTION LAW?
With widespread digitisation and almost universal mobile phone penetration in India, much of the health data is also on the verge of being digitized. The Government of India has launched a public health insurance program called the Ayushman Bharat program. The rapid deployment of ‘AADHAR’, which is mainly used for biometric identity systems, creates a need for stringent legislation on privacy because large and efficient digital identity ecosystems also bring in changes to data protection, privacy and security. The potential drawbacks of increased digitalisation of personal data without appropriate policy regulations in place include security risks, data breaches and inadvertent leakages due to technological errors. In recent times, the reach of AADHAR has spread to bank accounts, medical information, pensions and a variety of other activities even though initially it was only meant for limited purposes which has created leeway for easier access to private information. There were several articles published in early 2017 regarding the ease of access to data which led to the release of bank details of millions of Aadhar users on a government website.
At the peak stage of digitalisation, every type of health information of a patient may be accumulated into a single platform. However, patients would not want to disclose certain types of health information due to social stigma and discrimination.
CURRENT STATUS OF HEALTH DATA PROTECTION LAWS IN INDIA
India is trying to step up towards digitalisation by introducing an electronic health record (EHR) system wherein the health data of a person can be collected from multiple healthcare institutions and the data can be made interoperable by following various standards of interoperability at international or national levels. The policies for adopting and implementing this system have been proposed and they include the draft Digital Information Security in Healthcare Act (DISHA) and the Digital Personal Data Protection Bill.
- Draft DISHA Act- The draft of the Digital Information Security in Healthcare Act (DISHA) Act was released by the Ministry of Health and Family Welfare in 2018 into the public domain. This act can be somewhat comparable to the HIPAA of the US. Its primary objectives include the security, privacy and confidentiality of Electronic Health Records. It is also meant for standardizing e-Health and creating regulations to make electronic health records interoperable.
- The Digital Personal Data Protection Bill-The Digital Personal Data Protection Bill is an important bill relating to data privacy that has been introduced by the Ministry of Electronics and Information Technology (MeitY). The purpose of this bill is to create a legal framework to protect any type of sensitive personal data apart from health-related data. This bill acknowledges the need to protect the privacy and integrity of personal data of individuals as well as the need to process personal data for ethical purposes. This bill has also reinforced the penalties to be imposed for violations and eased the rules related to cross-border data exchange.
While various policies are being formulated to shift from paper-based record keeping to a more digitized and interoperable system of handling healthcare data, the right to privacy of individuals should be kept at the forefront and data privacy rules also need to be implemented stringently. A digitized health record-keeping system will be a boon for society as it would help in transforming health research. More efficient healthcare research can help to come up with new ways of diagnosis, treatment, therapy and preventative measures. But it is also important to ensure that health research is conducted in an ethical manner by protecting the dignity and privacy of individuals. The breach of health data privacy can lead to a lot of potential social, economic harms and psychological harms, for example, it could lead to job loss, social stigma, isolation or other harmful effects like identity theft.
Author(s) Name: Adrita Hazra (Department of Law, University of Calcutta)
 Solove, Daniel J.,‘HIPAA Turns 10: Analyzing the Past, Present, and Future Impact’(2013),84 Journal of AHIMA 22-28 , <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2245022> accessed on 21 December 2022
 <https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html> accessed on 21 December 2022
 <https://www.hcsc.com/understanding-health-insurance/how-insurance-works>accessed on 25 December 2022
 <https://sdata.us/2020/09/09/what-is-a-healthcare-clearinghouse/> accessed on 25 December 2022
<https://www.india.gov.in/spotlight/ayushman-bharat-national-health-protection-mission>accessed on 25 December 2022
 Dixon, Pam, “A Failure to “Do No Harm”–India’s Aadhaar biometric ID program and its inability to protect privacy in relation to measures in Europe and the US.” (2017) , Health and technology 7.4 : 539-567.
 Kaur, ‘Electronic health records in India: Legal framework and regulatory issues’, (2020) RGNUL Student Research Review (RSSR), Volume 6, Issue 1 <http://rsrr.in/wp-content/uploads/2020/08/ELECTRONIC-HEALTH-RECORDS-IN-INDIA.pdf.> accessed on 23 December, 2022
The Digital Personal Data Protection Bill, 2022
<https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf> accessed on 25 December 22