Data security is an interesting and complex topic, particularly when examining health care data. With India’s recent proposal for a data protection law that will give government authorities broad powers to access personal information (see this article in the Financial Times)
Let me share two personal stories that relate to data protection and encouraged me to prepare this material:
1. While scrolling through Facebook I noticed that one person had shared a patient's reports as a status update to promote his treatment methodology. This included both personal and health information. Below is an anonymized screenshot.
2. Dr. Ajay (name changed) is a specialist in respiratory and lung diseases. When we spoke about technology, he was eager to learn about and implement technology that can save time and complies with the law. Currently, many doctors use WhatsApp to share and receive reports, but they are not sure whether it is compliant. Still, it is widely used because it is easy to use and allows rapid sharing of information. Dr. Ajay told me they don't prefer booking applications because these take patient information and use it for their own benefit. Lastly, he avoids handwritten prescriptions, which are widely used in India. He would prefer a printed or electronic form (protected as well). It was a healthy conversation with him.
My research is focused on discussing the following topics:
- Does India have any data protection law in place?
- What are the specific issues relating to the health care industry?
- Is GDPR applicable in health care?
- Where does India stand on health care data protection, and how is it different?
This article is intended to collect research on India that can be used for comparison with other jurisdictions such as the US, so that we can learn from other laws and compliance regimes.
The US has federal data protection law in place (for history and details see https://fas.org/sgp/crs/misc/R45631.pdf), made up of major acts such as GLBA, HIPAA, FCRA, the Communications Act, FERPA, COPPA, ECPA and CFPA. There are also separate state data protection laws such as CCPA, alongside the EU's GDPR.
HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. HHS (Health and Human Services) is the regulatory authority covering all areas of protected health information (PHI). Under this data security law, all health care providers and related parties must protect electronic data. If there is a breach, they have 60 days to notify the authority. Violations of HIPAA can lead to imprisonment.
The EU had the Data Protection Directive (DPD), also known as Directive 95/46/EC, from 1995. GDPR was adopted on April 27, 2016 to replace the DPD and came into force on May 25, 2018 (read about the differences here: https://www.synopsys.com/blogs/software-security/dpd-vs-gdpr-key-changes/).
GDPR, which covers the personal, sensitive and critical information of individuals and entities, is discussed and accepted around the globe by anyone operating in the EU. It is implemented under the Data Protection Act 2018 and applies in the EU region, but parties from around the globe who work with or for people or organisations in the EU must also comply with GDPR requirements. GDPR applies even though the US has its own separate federal data protection policy. The DPA (Data Protection Authority) is the regulatory body within each EU country. Article 33 requires that any breach be reported to the authority within 72 hours.
There are two levels of penalties based on the GDPR:
1. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.
2. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.
The potential fines are substantial and serve as a high motivation for companies to ensure compliance.
Referring back to the initial questions:
1. Yes, India does have a data protection bill, the Personal Data Protection Bill (PDP) 2018.
a. "Privacy" is recognised as a fundamental right essential to life and liberty.
b. The bill gives an individual the right to seek protection for personal and sensitive information. PDP divides information into two categories: i) personal and ii) sensitive.
c. A Data Protection Authority is empowered to regulate and oversee the implementation of the bill in the country.
d. Grounds are defined for using data, and for giving consent to use or transfer it.
e. The bill also allows data to be transferred outside India, subject to certain conditions and approvals, but it does not define the regulations mentioned in GDPR (for more information see http://prsindia.org/billtrack/draft-personal-data-protection-bill-2018).
f. No timeline for notifying the authority is specified (my research has not found any), but there is a penalty in place of 50 million INR or 2% of the worldwide turnover of the fiduciary.
2. Yes, India has recently put in place DISHA (Digital Information Security in Healthcare Act) for health care industry data protection: https://www.nhp.gov.in/NHPfiles/R_4179_1521627488625_0.pdf
a. DISHA is focused on healthcare data privacy, confidentiality, security and standardisation.
b. DISHA creates regulatory authorities at both the central and state level to enforce the rights and duties envisaged under the legislation.
c. At the central level the National Electronic Health Authority ('NeHA') will be responsible, and at the state level the State Electronic Health Authority ('SeHA').
d. Articles 38 and 39 provide detailed information on breaches, breach notification and penalties, but do not specify the notification timeline or the amount of the penalty.
In conclusion, although India is behind other jurisdictions when it comes to data protection, the current actions are encouraging.