A new direction for data privacy in healthcare

The draft Digital Information Security in Healthcare Act aims to regulate the use of digital health data, emphasizing patient consent and privacy. It allows anonymized data for public health research but restricts commercial use. However, its timing is questionable, as it precedes the anticipated overarching national data protection framework, potentially leading to inconsistencies in privacy regulations across sectors.

This article was first published in The Mint. You can read the original at this link.

I have long been interested in the many applications of data to the medical profession. Medical professionals have traditionally been limited to using the information they get from a physical examination of the patient—the records of his past medical history and the specific medical tests that the doctor may have thought of requesting.

This is, at best, just a small fraction of the relevant information that the doctor should use to arrive at an accurate diagnosis. With new digital technologies, it is now possible for doctors to overlay other relevant data over a patient’s medical history in order to be able to come up with better diagnostic outcomes.

For instance, by applying contextual analysis we can improve our ability to treat diseases like strep-throat by correlating its symptoms with local demographic information in order to better treat specific symptoms. Similarly, by generating heat maps of diseases like H1N1 that spread rapidly, it is possible to identify where in the city these outbreaks are concentrated so that municipal officials can focus their efforts on those areas to eliminate the disease-bearing vectors.

There are doubtless many other ways in which data science can be leveraged to our medical advantage. Essential to all of this is the establishment of a robust and standardized electronic health records system that can be used by all the stakeholders in the healthcare ecosystem. And a sound legal and regulatory framework that spells out clearly what can and cannot be done with the personal data of the patient.

On 23 March, the Union ministry of health and family welfare published a draft legislative framework for information security in the healthcare industry. The proposed digital information security in healthcare Act (DISHA) has been designed to regulate the generation, collection, access, storage, transmission and use of digital health data and associated personally identifiable information. It proposes a rights-based framework for medical privacy, conferring upon the owners of digital health data the right to privacy, confidentiality and security over their data. It requires that each instance of transmission or use of digital health data will require the explicit prior permission of the owner and oblige every clinical establishment that accesses this data to notify them every time they access it.

Significantly, the proposed law confers upon owners of digital medical data the right to refuse consent for its generation, collection, storage or disclosure and goes on to specify that no one can be denied a health service if they refuse to consent to the collection of this data.

This is one of the more problematic provisions of the proposed law. While it does give primacy to consent, it seems to ignore the fact that there are circumstances under which the health service sought to be availed is dependent on the collection of health data. To require medical practitioners to provide a health service even when they are denied the permission to collect the data they need seems perverse—particularly given the fact that most data protection laws make it lawful to process data so long as there exists a legitimate interest in doing so.

The proposed law allows anonymized or de-identified data to be used for the early identification and prevention of diseases and research for public health, clinical and academic purposes. However, it includes various specific prohibitions on its use for commercial purposes.

Insurance companies can only access digital health data (DHD) for the purpose of processing a claim and there is an absolute ban on the use of DHD by pharmaceutical companies for academic, clinical and public health research—even if this information has been completely anonymized.

Once again, these stringent restrictions on the use of medical information, while they come from a sensible place, might be excessively harsh under certain circumstances. So long as digital health data is appropriately de-identified, there are considerable benefits to allowing it to be used for research.

However, the most disconcerting aspect about the introduction of the draft legislation on digital health is its timing. The Justice Srikrishna Committee is currently in the process of preparing a report that will propose a framework for data protection in the country. It is anticipated that the committee will set out the principles of privacy that apply broadly throughout the country—which every sector of industry will need to adhere to. If passed into law, these principles will no doubt apply to the medical sector as well.

In this context it seems strange that the Union ministry of health and family welfare would choose to propose a legislation to regulate the privacy of health data when, in just a few months, we are expecting to get an over-arching legislation on privacy.

It is important that we develop a set of principles that apply consistently across all industries but which will at the same time allow respective sector regulators the flexibility to develop detailed regulations that apply to their specific sectors. With that in mind, the Union ministry of health and family welfare should have held off presenting the draft law on the privacy of medical data until the Justice Srikrishna Committee was done with its report. Once it was clear what was being recommended, they could have presented a specific law pertaining to the privacy of medical data that was in conformity with this.