A shift to electronic medical records has not been matched with a legal framework on data collection and use, or on breaches.
In the first week of December, it was reported that the electronic medical records (EMR) of over 35,000 patients held by a Maharashtra-based pathology lab were leaked, pointing to the lack of availability of adequate safeguards for protecting such sensitive information.
Such instances, however, are not uncommon. Globally, the medical industry is extremely susceptible to data breaches. The Office of Civil Rights under the US Department of Health and Human Services estimated that in 2015 alone, over 100 million records were breached, with most cases being linked to IT crimes and hacking.
Hospitals in India are increasingly using EMRs as the preferred method of storing patient information. In fact, the rules of Clinical Establishments (Registration and Regulation) Act 2010, notified on May 23, 2012, mandate the “maintenance and provision of EMR or EHR for every patient” for the registration and continuation of every clinical establishment.
This shift from paper records to EMRs is a global phenomenon. In 2009, the US passed a law mandating all healthcare organisations to implement the use of EMRs by 2015 to receive federal aid, the National Health Services in the UK has committed to making patients’ records ‘largely paperless’ by 2020. Even among other BRICS countries, the progress of EMRs has been fast paced.
Such records have several discernable benefits – a reduction in costs for hospitals, facilitation of review of medical errors, improvement in the quality of care with greater transparency about the patients for healthcare providers and overall efficiency gains for the national healthcare system.
The ‘secondary use’ of EMRs is also a factor that has contributed to their growth, the ability to mine and process large volumes of medical data can be invaluable for the purpose of research and analysis.
Big data is changing the way both governments and industry use medical information. It can now be used to predict epidemics, prevent disease before it occurs, personalise diagnostics, improve the efficiency of drugs and the like.
What is alarming, however, is the fact that the market for commercialisation of medical data is booming. Hospitals in the US regularly sell medical information to data mining companies who then aggregate the data and resell it to private practitioners, insurance companies etc.
In fact, in 2011 the US Supreme Court struck down a law prohibiting such practices on constitutional grounds.
While both secondary use and sale of medical data is ‘de-indentified’ or anonymised beforehand, several reports have revealed the possibility of identifying people even based on such disparate information. Such practices can result in an increase in insurance premiums and targeted advertising, leaving very little control over such sensitive information with the patient themselves.
While EMRs will provide the government with easier access to medical information in order to aid public policy, the legal framework supporting such a governance initiative, specifically relating to data security and privacy, remains inadequate.
Inadequacy of current legal framework
Section 43(a) and section 72 of the Information Technology Act provide the broad framework for the protection of personal information in India.
Section 43(a) along with the sensitive personal information rules – which lay down the compliances that need to be observed by an entity that collects or stores or otherwise deals with sensitive information such as passwords, financial information, health conditions, sexual orientation, medical records and biometric records – mandates corporates to take reasonable procedures to protect sensitive personal data or information and section 72 protects personal information from unlawful disclosure in a breach of contract.
It is pertinent to note that section 43(a) applies only to a ‘body corporate’, defined as “a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.”
Since a majority of India’s population cannot afford private healthcare, public medical services and hospitals are invariably used more often. There is a lack of remedies if public hospitals or NGOs do not maintain reasonable security practices, thus a large volume of personal information is left vulnerable.
Other jurisdictions have already enacted sector-specific laws to protect medical information. The Health Insurance Portability and Accountability Act (HIPAA) is the primary law that establishes the US legal framework for health information privacy and gives patients substantial control over their information.
The new EU General Data Protection Regulation also requires member states to protect medical data from human and technical failures, and provides detailed grounds for processing such data and its use for secondary purposes.
Currently, the framework envisaged for governing EMRs in India is the draft Electronic Health Record Standards released by the Ministry of Health and Family Welfare (MoHFW). This document lays down the international technical, administrative and physical standards for data protection with respect to health records.
Furthermore, under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 (MCI code of ethics), physicians are obliged to protect the confidentiality of patients during all stages of the procedure and with regard to all aspects of the information provided by the patient to the doctor, including that relating to their personal and domestic lives.
However, even these standards are not flawless. Some of the shortcomings with the EMR standards include an unclear scope of coverage, lack of clearly defined timelines for accessing patient records, the failure to include unique identification information such as URLs and IP addresses as sensitive information and an ambiguity in defining the scope of ‘personal health information.’
The MCI code of ethics, on the other hand, simply includes guidelines without any mechanisms to enforce them.
Additionally, even when the medical information is anonymised, an authorisation from an individual to disclose the information is not required.
In the absence of a proper framework, there are almost no principles governing how this information should be stored or used, leading to the possibility that medical data will be commercialised and misused. Moreover, wherever possible, these health records are to be linked to the Aadhaar number and as recent reports reveal, the legal framework governing the use of Aadhaar is murky as well, adding another layer of uncertain privacy implications.
There are also no laws in India mandating hospitals to disclose security breaches. The HIPAA, for example, requires a hospital to disclose a breach which has affected more than 500 patients. Therefore, there is no clear framework governing electronic medical records and the manner in which they are collected and used, and nor are there remedies for data breaches due to the negligence of public hospitals.
Future trends: sector-specific laws and regulatory guidance
In what could be indicative of a promising development, the MoHFW is planning to enact a sector-specific law on privacy, tentatively called the Healthcare Data Privacy and Security Act.
According to reports, this step follows the publication of EMR standards. The law will reportedly provide civil and criminal remedies for breach of data along with clear principles for data collection and use, and will provide for interoperability with private hospitals.
There is also a need for continuous assessment and enforcement of data protection policies. The government plans to launch a National eHealth Authority, one function of which will be the enforcement of standards and ensuring security, confidentiality and privacy of patient’s health information and records.
Policymakers must also be conscious of the limitations that EMRs will pose in the early stages of implementation. There is no clarity on the manner in which the information is to be generated or stored, with terminologies and format varying widely across the country, rendering them incapable of being analysed on a mass scale.
To address this shortcoming, the US had to enact a law which enabled “meaningful use” of EMRs by compelling consistency in content, structure and vocabulary of the information by all medical practitioners. Without similar laws in India, it will be difficult to realise the full potential of EMRs.
India should take note of the best practices evolved by countries with more mature governance systems for electronic health and medical records. Considering the extremely sensitive nature of medical information and the adverse impact a breach can have on an individual’s life, the government must fast-track the Healthcare Data Privacy and Security Act in order to cover all hospitals and ensure that the regulator is prompt in addressing instances of negligent security and misuse of personal information.