Data Protection in the Healthcare Sector

Regulatory Requirements, Proposed Legislation and Corresponding Issues

The National Health Policy (2017) aims to leverage the extensive health data and use it for providing better services. The idea is to establish a digitalised system leveraging the use of information and communication technology (ICT).

Introduction

The National Health Policy (NHP) 2017[i] apart from aiming to create a robust healthcare structure in the country which can provide free drugs and diagnostics also aims to create a digital health technology ecosystem. The policy aims to leverage the extensive health data and use it for providing better services. The idea is to establish a digitalised system leveraging the use of information and communication technology (ICT). Moreover, as the world suffers from the COVID-19 pandemic, the Government of India (GoI) launched the mobile application ‘Aarogya Setu’ for contact tracing purposes which enabled the government to collect citizen’s data including their data related to demographic, contact, self-assessment and location.

However, with no existing framework for data protection apart from the outdated 2011 Rules under the Information Technology Act 2000, there is a huge risk of the Right to Privacy getting breached if the National Health Policy is implemented in letter and spirit.

The 2017 Puttaswammy Judgement[ii] of the Supreme Court of India established that Right to Privacy is a fundamental right under the Articles 14, 19 and 21 of the Constitution of India. While the hearing was still going on, the GoI set up the ‘Committee of Experts’ under the Chairmanship of Justice B. N. Srikrishna (Retd.) for making a draft bill on data protection. The committee came up with the draft report in January 2018 and the draft bill called the ‘Personal Data Protection Bill’ (PDP Bill) in July 2018. Later on, in December 2019, the GoI tabled a modified version of the draft PDP Bill 2018 which is referred to as PDP Bill 2019. The PDP bill which was tabled in the Parliament and the Justice Sri Krishna led-committee which was set up were both under the Ministry of Electronics, Information and Technology (MeitY). The bill is currently being scrutinised by a Joint Committee in the Parliament.

However, in March, 2018, the Ministry of Health and Family Welfare (MoHFW) released new draft legislation for public consultation. The draft named ‘Digital Information Security in Healthcare Act’ bill abbreviated as the DISHA bill aimed to provide security for healthcare data. The bill envisaged creation of a regulatory structure to protect citizens health data. While the DISHA bill now seems to be lost in oblivion as no action has been taken upon it, there is much which can be extracted from it and can be taken into the PDP Bill. The article looks into the issues pertaining to health sector data with a special focus on how the DISHA bill aimed to achieve so and what the PDP bill can incorporate for the same.

An overview of the DISHA Bill

The bill envisaged giving rights to citizens over their healthcare data. The rights included provisions for providing consent, anonymization (permanently deleting personally identifiable information from an individual’s health data), and de-identification (temporarily deleting personally identifiable information which can be retrieved again if desired) and a grant of compensation in case a breach of data happens.

Way before the NHP was released, in 2012, the Government of India (GoI) mandated that all clinical establishments have to maintain an electronic copy of the health records under the Clinical Establishment (Central Government) Rules 2012[iii]. The NHP furthered this cause by envisioning the setting up of the ‘National Health Information Architecture’. Furthermore, NITI Aayog’s National Health Stack report in 2018 proposed to utilise Aadhar Card linkage and creation of a national health database. The MoHFW published the National Digital Health Blueprint (NDHB) 2019 against NITI Aayog’s National Health Stack. It aims to create a Unique Health ID which will be linked to Aadhar. It also aims to provide for data protection to citizens for their health data in the form of consent, anonymization, and protecting privacy.

Under this backdrop, the MoHFW also came up with DISHA bill (Draft Digital Digital Information Security in Healthcare Act 2018) in March 2018. This erstwhile bill aimed to provide comprehensive data protection for the health records of citizens.

The bill envisaged giving rights to citizens over their healthcare data. The rights included provisions for providing consent, anonymization (permanently deleting personally identifiable information from an individual’s health data), and de-identification (temporarily deleting personally identifiable information which can be retrieved again if desired) and a grant of compensation in case a breach of data happens.

In order to protect these rights, the bill proposed to set up regulatory authorities both at the central and the state. The bill further proposed to establish the National Electronic Health Authority of India (NeHA) at the national level and State Electronic Health Authorities at the state level.  It also proposed to set up Health Information Exchanges which would facilitate the flow of data between entities. In case of breach of data, the bill proposed to set up the Adjudicating Authority at both central and state levels which would look into breaches and provide remedy.

These provisions made the DISHA Bill an important and well-designed piece of legislation, this can be attested by the fact that the bill performs fairly well on the ‘OECD Privacy Principles’[iv] framework. An analysis of the same is given below in a tabular form:

OECD Privacy Principles DISHA Bill, 2017
Collection Limitation PrincipleProvision for consent-based data collection and limitation was specified under clause 2 of Section 28 of the bill.
Data Quality PrincipleThe bill gave provisions for updating health data under clause 8(a) of Section 28 of the bill.
Purpose Specification PrinciplePurpose specification was provided for under Section 29 of the bill.
Use Limitation PrincipleSection 29 provided provisions for the limitation principle.
Security Safeguards PrincipleClause 5 of Section 29 provided essential security safeguards.
Openness PrincipleSection 28 provided provisions for the openness principle.
Individual Participation PrincipleClause 1, 2 and 3 of Section 28 provided provisions for this. The owner could also withdraw his or her consent.
Accountability PrincipleChapter 5 had multiple sections which gave details about how accountability could be maintained and what would happen if there was a breach of data.

Assessing the draft DISHA bill leads us to the conclusion that it was compliant with the OECD privacy principles. This sets the pace for further discussion as we see that the DISHA bill largely passed the touchstone test of data protection to the citizens in case of the healthcare data.

It is in this background that we need a comparative analysis of the erstwhile DISHA Bill with the current PDP Bill presented by the MeitY.

DISHA Bill vs. PDP 2019 – A Comparative Analysis

…the two bills take different approaches to data governance. We find that the DISHA Bill was better and stronger in terms of providing protection to an individual in terms of her or his data…

The interesting thing to note here is that both the draft regulations came up during the same time period. On one hand, while the Sri Krishna Committee on Data Protection which came up with the draft PDP Bill was set up in July, 2017 before the Puttaswammy judgement (in August 2017), on the other hand, the draft DISHA Bill was made public by the MoHFW without setting up any committee and came in March 2018. The Sri Krishna Committee released its draft legislation on data protection in July, 2018. The natural debate which arises over here is whether did we require two separate legislation which would set up two separate regulatory bodies with one of them being an over encompassing regulatory authority and the other being a sectoral specific one or not. Another question is that did the two ministries, MeitY and MoHFW lack coordination and were trying to come up with their own legislation or was there really a need for a regulator in the healthcare sector for data protection. We take up these questions one by one.  

There are critical differences as well as similarities between the two bills. A comparative analysis is done to understand them. The following table gives a comparative tabular analysis of the DISHA Bill against the PDP bill.

PDP Bill, 2019 DISHA Bill, 2017
ConsentOnceAt every stage of Data Processing
Purpose LimitIt has provisions for Purpose Limitation.Clearly specified for what the health data could be used.
AnonymizationDoes not define.Clearly defined and mandated Anonymization
Govt Access and UseState can use data without consent for any functions of the Parliament.State would need to take prior permission from the National Electronic Health Authority (NeHA).
Private Access and UseLays principles according to which the commercial data will be governed.Was strongly against use of data for commercial purposes like marketing by insurance companies. Only Clinical Establishments could have access.
Other ProvisionsDetailed provisions for Data Auditing. Stricter provisions for Penalties in terms of monetary value.NeHA could audit. No clear specifications. Weaker provisions for penalties in terms of monetary value.

With this comparison, the two bills take different approaches to data governance. We find that the DISHA Bill was better and stronger in terms of providing protection to an individual in terms of her or his data. However, it lacked to provide details pertaining to things such as auditing and penalties. While the DISHA Bill took a data-owner centric approach, it was understood by many that the PDP bill was capable of filling the lacunae in the DISHA Bill (Regidi 2019). For instance, the PDP bill has provisions for stricter penalties as compared to the DISHA Bill.

At this stage, it is interesting to look at how this issue is managed around the world. The European Union came up with the GDPR[v] in 2016, which is an over encompassing cross-sector legislation. There are no sector-specific regulators to protect healthcare data as such and the GDPR takes care of it. However, in the USA, a comprehensive and over encompassing cross-sector legislation is not found. The USA boasts several sector-specific legislation for data protection like the Fair Credit Reporting Act and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is specifically for the health sector but there are no other regulators that can have authority over its jurisdiction. In the Indian context, we can imagine both the GDPR and the HIPAA as analogous to the PDP Bill 2019 and the DISHA bill respectively.

Had the two legislation been enacted together, it would have been a unique case since this has not been done elsewhere before. However, such a situation would have opened a new set of questions. The enactment of both the legislation would have resulted in overlapping of jurisdictions for the regulatory authorities. For instance, how would the NeHA have established a harmonious relationship with the Data Protection Authority (DPA) which will be the regulator set up under the PDP Bill? Who would regulate a firm like Practo which deals with online consultation with doctors?

With respect to overlapping jurisdictions, Section 52 of the DISHA bill stated that the provisions under the bill would supersede any other law in place with respect to the digital healthcare data. Similar provision is also provided under Section 96 of the PDP 2019 Bill.

These provisions might have led to the requirement of intervention by the judiciary. Moreover, NeHA might have got reduced to regulating just the clinical establishments, health information exchanges and related entities specifically and not all the health data which may include data generated through Smartphone apps and wearable devices. Therefore, more clarity was needed about the overlapping jurisdictions which the two ministries would have to negotiate about (Regidi 2019).

Furthermore, there were other difficulties. How would have NeHA got the unregistered clinical establishments like unregistered pathology labs which deal with a huge amount of health data regulated? How would NeHA have dealt with the several other bodies in play like the Indian Council of Medical Research etc.?

Had the GoI brought in both the legislation, there would have been several issues. The DISHA Bill, therefore, by being shoved into oblivion has eliminated the possibilities of such issues. However, protecting health data is crucial. In this regard, the DISHA Bill was more comprehensive and provided greater power in the hands of the data principal. Therefore, there are several lessons which can be learnt from the erstwhile draft DISHA Bill.

Lessons to be learned for the PDP Bill from the DISHA Bill

Firstly, it may be noted that the DISHA Bill stood out in terms of giving citizens more power to protect their data. Principles such as anonymisation and consent which are crucial to the protection of data and privacy of citizens found strong mention in the bill. The DISHA bill envisaged embedding the core idea of data protection and privacy in the healthcare industry.

Secondly, since public health is a state subject, the DISHA Bill also planned to take a decentralised approach by establishing state-level State Electronic Health Authorities. This approach would have helped in dealing with smaller establishments that might go unscrutinised under the NeHA.

When technology is being used for contact tracing in the times of the Covid-19 pandemic, the enormous amount of data being collected by the state without proper data protection laws in place can lead to a sense of distrust among the citizens. It can be detrimental to the dynamics of the state-citizen relationship. At such a stage, a strong data protection law which enables the citizens to trust their government, as well as the other private entities with whom they are sharing their data, is crucial. The PDP Bill 2019 as tabled in the parliament though provides for data protection from private entities, it has already faced criticism from various experts including Justice Sri Krishna himself under whom the first draft PDP Bill 2018 was drafted. Justice Sri Krishna went on to say that the PDP Bill as tabled in the parliament will lead India to become an Orwellian State (Mandavia 2019) since the government is being kept outside of the protection ambit of the bill.

Therefore, while the PDP Bill still lies in the Parliament with the Joint Committee for the Personal Data Protection Bill 2019, there is a need to relook at several of the provisions of the bill. In such a scenario, incorporating elements that were a part of the DISHA Bill will lead to the establishment of a better and comprehensive data protection regime especially in the sensitive area of healthcare data.

(Prince is currently pursuing the Master’s Programme in Public Policy at the National Law School of India University. He completed engineering before switching to the field of Public Policy. He has a keen interest in economics and politics. He loves to debate about almost everything. He can be reached at princegupta@nls.ac.in. Alternatively, you can visit his website at www.princegupta.xyz)

Notes:

[i] The National Health Policy (NHP) 2017 was given by the Ministry of Health and Family Welfare, Government of India with an aim to provide better healthcare services.

[ii] Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors 2017 10 SSC 1. The Writ Petition (Civil) No. 494 of 2012. The judgement is famously known as the Puttaswammy judgement or the Aadhar judgement.

[iii] Clinical Establishment (Central Government) Rules 2012 was given by the central government under the Clinical Establishments (Regulation and Registration) Act, 2010.

[iv] The ‘OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’ given in 1980 and recently updated in 2013. The guideline has Core Privacy Principles which specifies 8 privacy principles which can be considered the Magna Carta of data protection laws. These principles are accessible at the following link: https://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm

[v] General Data Protection Regulation (2016) is a legislation to govern and protect privacy of citizens of the European Union.

References

Dr.Milind Antani, Darren Punnen and Anay Shukla. 2018. DISHA: The First Step Towards Securing Patient Health Data In India. August. https://www.mondaq.com/india/healthcare/723960/disha-the-first-step-towards-securing-patient-health-data-in-india.

2018. “Draft Digital Digital Information Security in Healthcare Act.” Ministry of Health and Family Welfare , March.

Mandavia, Megha. 2019. Personal Data Protection Bill can turn India into ‘Orwellian State’: Justice BN Srikrishna. 12 December. https://economictimes.indiatimes.com/news/economy/policy/personal-data-protection-bill-can-turn-india-into-orwellian-state-justice-bn-srikrishna/articleshow/72483355.cms?from=mdr#:~:text=BENGALURU%3A%20Justice%20BN%20Srikrishna%2C%20who,into%20an%20%E2%80.

Regidi, Asheeta. 2019. DISHA and the draft Personal Data Protection Bill, 2018: Looking at the future of governance of health data in India. 25 February. Accessed May 2020. https://www.ikigailaw.com/disha-and-the-draft-personal-data-protection-bill-2018-looking-at-the-future-of-governance-of-health-data-in-india/.

Leave a Reply

Your email address will not be published. Required fields are marked *