The healthcare sector in India is making pioneering advances in technology and patient care, in methods of diagnosis and treatment. When it comes to its interaction with the law, however, it is still in an embryonic stage. The mandatory digitization of medical records under the Clinical Establishment (Central Government) Rules, 2012 is one such development that comes with the threat of unwarranted disclosure without the knowledge or consent of the owner of the information, leaving medical data highly susceptible to breaches. Many pillars of healthcare, such as privacy and confidentiality requirements, slip through gaps in the system and are crushed between corporate interests and the rights of the individual.
In June 2017, IBM reported that Indian companies could lose Rupees 11 crores to data breaches, putting critical medical and other crucial patient data at risk. In the present business milieu, individual medical data is vulnerable not only to cyber attacks and hacks but also to the unethical practice of monetization of such data by corporates for secondary use, in order to cut down on research and development costs.
Applicable Legal Framework for the Protection of Medical Data
The Information Technology Act, 2000 broadly sets out, in Sections 43(a) and 72, an expansive structure for protecting personal information. Section 43(a), read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, lays down the compliance requirements for an entity that collects or stores sensitive personal data or information, including information on health conditions, sexual orientation, medical records and biometric records, and mandates that corporates take reasonable steps to protect such data; Section 72 protects personal information from unlawful disclosure in breach of contract.
Disclosure of personal health information is therefore permitted during a referral, when demanded by a court or by the police on a written requisition, or under any other requirement prescribed by applicable law. That said, if the medical data or medical records of an individual lying with a laboratory or healthcare centre are monetized or used by corporates for research and development purposes, this would raise not only privacy concerns but also ethical and legal issues.
Under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 (“Code of Ethics”), physicians are bound to protect the confidentiality of patients, including matters of their personal and domestic lives, unless disclosure is felt necessary under law, or unless non-disclosure may lead to a serious and identified risk to the public.
Under the Code of Ethics, physicians are obliged to inform only the patient, his relatives or his responsible friends about the prognosis. However, efforts towards computerization of medical records serve as fodder for pharmaceutical companies, which would most likely prefer to invest in this data rather than conduct a clinical trial that would otherwise require several regulatory approvals and the informed consent of the subjects. It must be noted, however, that the requirement of informed consent persists even if medical data in electronic health record (“EHR”) form, already maintained at hospitals, laboratories and with physicians, is made use of in any way.
Can EHRs Be Commercially Exploited without Informed Consent?
Maintenance of EHRs in India should ideally be in consonance with the EHR Standards of 2016, which seek to introduce a uniform, standards-based system for the creation and maintenance of EHRs by healthcare providers; the standards are placed for adoption in the IT systems of healthcare providers across the nation. These standards prescribe general safeguards to ensure that medical data is available when needed and that the information is not used, disclosed, accessed, altered or deleted inappropriately while being stored, retrieved or transmitted. The security standards in the EHR Standards require healthcare providers to implement reasonable and appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of all the e-Protected Health Information they create, transmit, receive or maintain. However, the Standards fail to provide any sanction if the prescribed standards are not met by a healthcare provider.
It is thus noteworthy that the use of EHRs and medical data for secondary purposes would also call for the patient’s informed consent, unless the EHR or any other medical data gathered is capable of being completely de-identified and anonymised. The National Ethical Guidelines for Biomedical and Health Research Involving Human Participants, 2017 published by the ICMR (“ICMR Guidelines”) apply to all biomedical, social and behavioural science research for health conducted in India involving human participants, their biological material and data; they lay stress on maintaining the privacy of the potential participant, whose identity and records are kept confidential, with access limited to those authorised. The ICMR Guidelines also affirm that informed consent protects the individual’s autonomy to choose freely whether or not to participate in the research. Therefore, even though merely using EHRs and other medical data is nothing like conducting a clinical trial, data collected for secondary use raises similar privacy and confidentiality concerns if informed consent was not taken, and it may be inferred, inter alia, that monetizing or conducting research even on EHRs and other medical data already stored with a healthcare centre, laboratory or physician would require the informed consent of the subjects. Storage of samples collected as part of routine care, with potential for future genetic research, should be done with appropriate consent from the individuals concerned. Failure to do so may amount to a privacy breach, as the researcher is obligated to safeguard the confidentiality of participants’ research-related data.
While several guidelines highlight best ethical practices, India still lacks dedicated legislation like the U.S. Health Insurance Portability and Accountability Act (HIPAA): even though it is accepted that the best ethical practices highlighted above need to be followed, no sanctions are prescribed if they are not; furthermore, there is as yet no law in India that mandates hospitals to disclose security breaches. Therefore, while it is already very difficult to prove and fix liability in the case of a data breach, this lacuna in the law keeps the healthcare sector vulnerable to risks at the cost of patients’ sensitive information.
Sudipto Mitra, an alumnus of Hidayatullah National Law University, Raipur, is a corporate lawyer working with a law firm in New Delhi.
[The opinions expressed in this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of LiveLaw and LiveLaw does not assume any responsibility or liability for the same]