Navigating Health Data Privacy in India: Regulations and Best Practices for Compliance and Trust


In the fifth research article curated by DPO Club, the authors, Global DPO Tanin Chakraborty (tc) and Shivang Mishra, explore the regulatory landscape and best practices for managing sensitive patient data in India's healthcare sector, with a focus on compliance and trust.

Introduction

Privacy in healthcare is crucial due to the sensitive nature of patient information, including medical histories, treatments, and personal details. Ensuring confidentiality protects patients from potential misuse, discrimination, and identity theft. It also fosters trust and transparency between patients and healthcare providers.

Data flow in healthcare can be B2B (business-to-business), for example when pharmaceutical companies collaborate with healthcare providers on drug development and distribution under an OEM production model. It also includes B2C (business-to-consumer) interactions, where hospitals and medical clinics manage patient care and prescriptions. Pharmaceutical companies sometimes operate B2C directly, for instance through Patient Assistance Programs (PAP) that offer medications and support to patients in need. In both models, companies must retain clinical trial data, which contains the full medical history of each participant, for long periods. These data flows must be carefully managed to protect patient privacy and ensure compliance with regulations. Under the B2C model, Health Care Professionals (HCPs) and pathology or diagnostic centres also collect patient information, which is classified as Sensitive Personal Information (SPI).

In India there is no single law regulating health data; instead, a number of regulatory measures apply in this domain. Through this article, we wish to highlight some of these measures and advocate the adoption of best practices for remaining compliant and protecting privacy, in order to foster trust and accountability.

The Myriad Regulations

The Health Data Management Policy (HDMP), released by the Ministry of Health and Family Welfare (MoHFW), acts as a guidance document across the National Digital Health Ecosystem (NDHE). Apart from focusing on the principles of security and privacy-by-design, the HDMP also lays out a consent framework and sets out the principles of accountability, transparency, consent-driven sharing, purpose limitation, collection and use limitation, data minimisation and storage limitation. A second draft of the HDMP was released for public consultation in 2022.

The Indian Council of Medical Research (ICMR) has published its own guidelines too, which make clear that data privacy is a notable consideration that must not be overlooked. These guidelines are:

National Ethical Guidelines for Biomedical and Health Research Involving Human Participants - These guidelines underline the importance of data protection and data security, and highlight that data acquisition, management, sharing and ownership must remain ethical, i.e. based on informed consent and transparency.

ICMR Guidelines for Good Clinical Laboratory Practices, 2021 - These guidelines treat privacy as an essential principle and underscore the need for security measures to protect data, together with robust data management strategies, including disaster recovery plans.

Over the past few years telemedicine has gained prominence in India, and the need to regulate it was acknowledged when the Government issued the Telemedicine Practice Guidelines, 2020 in March 2020. Under these guidelines, it is the duty of the Registered Medical Practitioner (RMP) to be aware of data protection laws and regulations, and the RMP must take reasonable measures to protect the confidentiality of the patient.

For clinical trials, medical researchers should also be cognizant of the New Drugs and Clinical Trials Rules, 2019, which mandate that trial data be retained for a period of five years after completion of the clinical trial.

Patient Consent

The concept of patient consent forms an important part of the ethical principle of patient autonomy. Patient consent is mandated under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, which also state that a doctor may neither exaggerate nor minimise the gravity of a patient's condition. The Mental Healthcare Act, 2017 likewise sets out the conditions under which informed consent must be obtained from patients undergoing mental health treatment, emphasising that consent must be informed, voluntary and given by a competent individual. The Supreme Court of India has also underlined the importance of consent. In Samira Kohli v. Dr. Prabha Manchanda, AIR 2008 SC 1385, the Hon'ble Supreme Court held that no additional medical procedure can be carried out without the patient's consent, unless the additional procedure is necessary to save the patient's life and waiting for an unconscious patient to regain consciousness would cause an unreasonable delay.

The DPDP Act: A New Era?

The Digital Personal Data Protection Act, 2023 (DPDP Act) is a paradigm-altering piece of legislation for the healthcare sector, as it not only reinforces the right to privacy but also confers enforceable rights on individuals. Gone are the days of pre-checked boxes and unlimited data collection: the Act mandates informed and unambiguous consent and gives impetus to data minimisation (meaning that only the data necessary for the specified and lawful purpose may be processed). It is interesting to note that Section 6 of the Act, which deals with consent, uses an illustration involving a telemedicine mobile application to demonstrate the principle of data minimisation. The illustration reads:

“X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list, and X signifies her consent to both. Since phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services”.

It is also interesting that Section 7 of the Act (dealing with certain legitimate uses) permits processing without separate consent for the specified purpose for which an individual has voluntarily provided her personal data, provided she has not indicated that she does not consent to its use. Here too, an illustration from the healthcare sector is given:

“X, an individual, makes a purchase at Y, a pharmacy. She voluntarily provides Y her personal data and requests Y to acknowledge receipt of the payment made for the purchase by sending a message to her mobile phone. Y may process the personal data of X for the purpose of sending the receipt.”

This means that while individuals can share personal data without giving explicit consent, the Data Fiduciary must take care to process that data only for the purpose for which it was shared. Thus, for instance, data provided by a person to a diagnostic and testing centre cannot be used for marketing purposes unless specific consent is obtained from the individual.

Section 7 also takes a pragmatic approach in allowing the State to process personal data in order to respond to medical emergencies, epidemics and similar situations.

Section 17(2)(b) further clarifies that the provisions of the Act do not apply to processing necessary for research, archiving or statistical purposes. However, such processing must be carried out in accordance with standards to be prescribed under the widely anticipated rules framed under the Act, and the data cannot be used to take any decision specific to an individual. Medical researchers should therefore remain careful and vigilant.

One of the major challenges in the healthcare industry is retaining records for the periods that regulations require, which can be as long as 25 years in some cases (for example under the UK NHS Records Management Code of Practice). A related challenge in enforcing a rigorous data privacy framework is establishing a process for storing data during lawful processing and deleting it once that processing is complete.
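To make the purpose-limitation and retention points above concrete, the following is an added Python example, not code from the article, from DPO Club or from any regulator, and not a statement of what the Act requires. It models the Section 6 and Section 7 illustrations as a small consent ledger: consent is scoped to the data categories a declared purpose actually needs (the contact list is dropped from the telemedicine consent), data volunteered for one purpose cannot be reused for another such as marketing, and records past a retention period are flagged for deletion. The purpose catalogue PURPOSE_NEEDS, the category names, the five-year default and all function names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed purpose catalogue for this example: the data categories each declared
# purpose genuinely needs. In practice this is the output of a DPIA, not a constant.
PURPOSE_NEEDS = {
    "telemedicine": {"name", "mobile_number", "symptoms", "medical_history"},
    "payment_receipt": {"mobile_number"},
    "diagnostic_test": {"name", "mobile_number", "sample_id", "test_results"},
    "marketing": {"name", "mobile_number"},
}


@dataclass(frozen=True)
class ProcessingBasis:
    """What a Data Fiduciary may do with one Data Principal's personal data."""
    data_principal: str
    basis: str                   # "consent" (Section 6) or "legitimate_use" (Section 7)
    purposes: frozenset          # purposes this basis covers
    data_categories: frozenset   # categories this basis covers


def minimise(purposes, requested_categories):
    """Data minimisation: keep only the categories some declared purpose needs.

    Unknown purposes are rejected rather than silently treated as needing nothing,
    so a typo in a purpose name cannot widen or hide the scope."""
    unknown = set(purposes) - PURPOSE_NEEDS.keys()
    if unknown:
        raise ValueError(f"undeclared purpose(s): {sorted(unknown)}")
    needed = set().union(*(PURPOSE_NEEDS[p] for p in purposes))
    return frozenset(requested_categories) & needed


def record_consent(data_principal, purposes, requested_categories):
    """Section 6 style consent, scoped to what the stated purposes need."""
    return ProcessingBasis(data_principal, "consent", frozenset(purposes),
                           minimise(purposes, requested_categories))


def record_legitimate_use(data_principal, purpose, provided_categories):
    """Section 7 style basis: data volunteered for exactly one specified purpose."""
    return ProcessingBasis(data_principal, "legitimate_use", frozenset({purpose}),
                           minimise({purpose}, provided_categories))


def may_process(basis, purpose, category):
    """Purpose limitation: both the purpose and the category must be covered."""
    return purpose in basis.purposes and category in basis.data_categories


def retention_expiry(completed_on, years=5):
    """Date on which a record created on completed_on may be deleted.

    Five years is assumed here, matching the figure quoted above for the New Drugs
    and Clinical Trials Rules, 2019; check the rule that applies to your records."""
    try:
        return completed_on.replace(year=completed_on.year + years)
    except ValueError:  # 29 February with no counterpart in the target year
        return completed_on.replace(year=completed_on.year + years, day=28)


def due_for_deletion(completed_on, today, years=5):
    return today >= retention_expiry(completed_on, years)


def demo():
    # Section 6 illustration: Y asks for telemedicine consent plus the contact list.
    tele = record_consent("X", {"telemedicine"},
                          {"medical_history", "symptoms", "contact_list"})
    # Section 7 illustration: X volunteers her number at pharmacy Y for a receipt.
    pharmacy = record_legitimate_use("X", "payment_receipt", {"mobile_number", "name"})
    # Diagnostic centre wants to reuse the same number for marketing.
    diag = record_legitimate_use("Z", "diagnostic_test",
                                 {"name", "mobile_number", "sample_id"})
    return {
        "telemedicine_scope": sorted(tele.data_categories),
        "contact_list_allowed": may_process(tele, "telemedicine", "contact_list"),
        "receipt_allowed": may_process(pharmacy, "payment_receipt", "mobile_number"),
        "pharmacy_marketing_allowed": may_process(pharmacy, "marketing", "mobile_number"),
        "diag_marketing_allowed": may_process(diag, "marketing", "mobile_number"),
        "trial_record_due": due_for_deletion(date(2019, 3, 1), date(2024, 3, 1)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Marketing by the diagnostic centre only becomes permissible once a separate `record_consent("Z", {"marketing"}, {...})` exists; a real consent manager would also log when each basis was recorded and withdrawn, since withdrawal must be honoured going forward.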

Conclusion

To ensure compliance and protect patient privacy, healthcare organisations should adopt regular security audits, conduct data protection impact assessments and implement robust consent management systems. Building strong data governance structures, providing continuous staff training on data privacy, using encryption and anonymisation techniques, and establishing clear data retention and deletion policies are essential practices.

The evolving landscape of healthcare data privacy in India, shaped by various regulations and the Digital Personal Data Protection Act, 2023, underscores the importance of safeguarding sensitive patient information. Adopting these measures not only protects patient privacy but also enhances trust and accountability in the healthcare system.


*Disclaimer: DPO Club is a not-for-profit research initiative aimed at raising awareness regarding data privacy. The views expressed by the authors and reviewers are their personal opinions and do not necessarily reflect the views of their respective organisations.