Addressing Data Privacy Concerns in the Healthcare Sector

INTRODUCTION

The healthcare sector has witnessed significant modernization over the last few decades. In India, effective use of technological advancements has ensured the digitalization of healthcare at a steady pace. The National Health Policy of 2017 affirms the primary role of the Government in creating a comprehensive and integrated road map to achieve quality healthcare and wellness for all its citizens. The National Digital Health Mission (NDHM), launched in 2020, is one such policy rolled out by the Government to facilitate this aim. One of the prominent features of NDHM is the creation of unique health IDs for individuals, which will be stored in a centralized database and shall contain medical records, electronic records, etc.

The pandemic has also pushed medical consultants and pharmaceutical companies to offer their services online. This has resulted in massive amounts of personal data, including a person’s medical records and contact details, being stored in digital data banks and cloud systems. Given that such services will only continue to grow on digital platforms, it is imperative that legislation addressing the concerns of data privacy in the healthcare sector be drafted and enforced at the earliest. This article attempts to understand the current scenario of data privacy in India and how it impacts the healthcare sector.

RIGHT TO PRIVACY

The Supreme Court’s verdict in Justice K. S. Puttaswamy (Retd.) v. Union of India is the landmark judgement wherein the right to privacy was recognised as a fundamental right enshrined in Article 21 of the Constitution. The verdict also emphasises the importance of keeping individuals’ medical information confidential, as such information is extremely sensitive in nature and hence protective measures against its infringement should be put in place. The four-pronged test laid down in this judgement is of utmost importance as it acts as a safeguard and helps verify the validity of any State legislation or policy which could potentially infringe one’s right to privacy.

It is pertinent to note that the term ‘sensitive personal data or information’ is inclusive of medical records and history as well as biometric information, as defined in Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The IT Rules were made in furtherance of Section 43A of the Information Technology Act, 2000, which deals with compensation for failure to protect data. 

At present, there are limited provisions that deal with penal implications for the misuse of sensitive information. Section 43A of the IT Act is one such provision; however, it applies only to body corporates and does not govern State functionaries. Section 72A of the IT Act also does not address the concern of breach of informational privacy but only punishes the act of disclosing information in breach of a lawful contract, without the consent of the concerned person, through which one might cause wrongful loss or gain.

Although the offence of identity theft has not been defined in any law, it does find mention in the Indian Penal Code and the IT Act. The offence pertains to the stealing of an individual’s personal information for one’s fraudulent or economic gain. Section 66C of the IT Act provides punishment for identity theft. A liberal interpretation of Sections 419 and 420 of the IPC also brings identity theft under their purview.

The healthcare sector has been subject to a sharp rise in cyber-attacks. Medical identity theft and ransomware attacks have become all the more common, leaving sensitive information such as a person’s medical records, contact details, addresses, bank account details, etc., vulnerable to external intrusion. The recent cyberattack on AIIMS Delhi is an example of the same. The reason the healthcare industry has become a hotbed for cybercrime is the slow rate of detection of such crimes, which gives attackers ample time to steal sensitive information. Most medical organizations, including private healthcare companies and public healthcare entities, do not possess robust data protection systems. The lack of awareness and training amongst healthcare professionals is another concern, as they are ill-equipped both to manage data stored online and to undertake corrective measures in the event of a cyberattack. Employing artificial intelligence and effective technology can play a crucial role in remedying the situation, provided healthcare professionals are given adequate training to utilize the same.

The Government has taken steps to address data privacy concerns in the healthcare sector and has accordingly enacted the Digital Information Security in Healthcare Act (DISHA). Its main objectives include the standardization of security measures for the protection of digital health data, regulating the transmission of such data, and establishing the National Digital Health Authority and the Health Information Exchanges. However, all these developments are in their nascent stages.

DIGITAL PERSONAL DATA PROTECTION BILL, 2022

Given that there are several loopholes in the present-day legislation governing data privacy, the Government, after extensive review, has finally approved the Digital Personal Data Protection Bill, 2022 (hereinafter referred to as the Bill), and will most likely table the Bill in the upcoming Monsoon Session of Parliament in July 2023.

The Bill is based on several principles of data protection that are listed in Article 5 of the General Data Protection Regulation (GDPR) and include principles of lawfulness, fairness and transparency, purpose limitation, integrity and confidentiality, amongst others. The GDPR is an EU legislation and is considered the pioneer in data protection laws. 

The Bill focuses primarily on ensuring that data is processed in a safe manner and with the consent of the Data Principal. To achieve this objective, the Bill places numerous responsibilities on the Data Fiduciary so that data is collected in accordance with the aforementioned principles. Therefore, it is permissible to process only such data to which the Data Principal has consented, after being informed of the purpose behind such processing. One of the highlights of this Bill is that the Data Principal is permitted to withdraw her consent at any given point in time.

However, the concept of ‘deemed consent’ is of concern. Section 8 of the Bill lists the circumstances in which the Data Principal is deemed to have given consent to the processing of her personal data where such processing is necessary. These include data processing necessary for responding to a medical emergency in the event of the Data Principal’s health or life coming under immediate threat, and for taking steps to provide medical treatment or health services in the event of an epidemic or threat to public health. The issue arising here is the uncertainty over the term ‘medical emergency’, as the present draft of the Bill does not elaborate on it. Such ambiguity could expose the personal data of the concerned person to unwarranted processing by the concerned Data Fiduciary or Significant Data Fiduciary.

An interesting observation to note is that the subject of healthcare is placed in List II of the Seventh Schedule of the Indian Constitution. The question is how the Bill, being a Central Government legislation, will exercise control over the subject of health when the same falls under the domain of State legislation. This further raises questions as to how the federal structure of the National Digital Health Mission will address privacy concerns. Therefore, the success of the Bill’s implementation will rest on how well it is synchronized with other policies and schemes that deliver healthcare facilities to citizens through digital platforms.

The major stakeholders in the healthcare sector include hospitals, pharmaceuticals, insurance companies, physicians, etc. An emerging figure in this market is companies selling healthcare wearable smart devices. Effective implementation of the Bill should have a positive impact on the growth of this industry as it would not only ensure a higher level of protection of customers’ personal data but also help them in becoming more aware of how their personal data are being collected and stored by such healthcare entities. 

A GLOBAL PERSPECTIVE

The American Health Insurance Portability and Accountability Act of 1996 (HIPAA) is widely considered the benchmark in healthcare information security law. The Act lays down strict compliance measures for all healthcare providers, businesses and insurance entities known as ‘covered entities.’ These entities are prohibited from sharing protected health information (PHI) with third parties without the consent of the patient or their authorized representatives. The Act also creates both civil and criminal liability for offences pertaining to healthcare fraud and the misuse of sensitive data. In furtherance of the protective measures stipulated in the Act, the U.S. Government issued the Standards for Privacy of Individually Identifiable Health Information, also known as the Privacy Rule, which prescribes national standards for the use and disclosure of PHI.

The Personal Data Protection Act of 2012 is the governing law on data protection in Singapore. Like many of its counterparts, this Act also elaborates on the collection, use, and disclosure of an individual’s personal data by organizations under ‘reasonable’ circumstances. Having undergone its first major revision in 2020, the amended law places emphasis on a mandatory breach notification regime that directs organizations that have experienced a data breach to immediately alert the Personal Data Protection Commission, their data protection regulator. The financial penalties for any contravention were also increased to up to 10% of an organization’s annual turnover in Singapore where that turnover exceeds SGD 10 million (approx. €6.80 million), or SGD 1 million (approx. €679,980), whichever is higher.

It is pertinent to note that the Digital Personal Data Protection Bill, 2022, also envisions the establishment of a Data Protection Board of India entrusted with the responsibility of enforcing the provisions of the Act and dealing with issues arising from its non-compliance.

In Germany, the Patient Data Protection Act came into force in 2020 with the aim of digitalizing the country’s healthcare system. It encompasses security measures, usage guidelines and accessibility concerns pertaining to patients’ sensitive medical information, in consonance with the compliance requirements outlined in the General Data Protection Regulation. One of the highlights of this law is that it pushes for the digitalization of documents, including e-prescriptions and electronic patient files. Patients are authorized to decide what is stored in their e-files and who gets access to them. Interestingly, the German Act also provides for data donation, through which patients, with their informed consent, are allowed to share their electronic files with researchers for designated research purposes such as improving the quality of public healthcare. Of course, patients are empowered to determine the scope of such data donation.

CONCLUSION

Data privacy is one of the most pressing issues at present. With the alarming increase in the number of cybercrimes, a comprehensive data protection law must be enforced at the earliest. Given that the present-day Government has pushed for digitalization across the board, with public healthcare being one of its primary concerns, a lot of expectations are riding on the Digital Personal Data Protection Bill, 2022. Post its implementation, the law will certainly be scrutinized for how well it accommodates data privacy guidelines and compliance requirements not only in the existing healthcare mechanisms and state policies, but also in the expanding healthcare businesses of the post-Covid-19 world.