Ayushman Bharath Launched

A revolutionary project was launched today named “Ayushman Bharath” that aims to provide health care assurance to 10 crore families in India. Also called the “Modicare” program, on the lines of the US scheme Obamacare, the Ayushman Bharath program provides Health Security to about 50 crore individuals with a health insurance benefit of up to Rs 5 lakhs.

While the scheme gives a boost to the Insurance industry, it also provides a big boost to the IT sector, since the scheme has to be implemented on a nationwide IT platform connecting hospitals, dispensaries, doctors, patients, diagnostic centers etc., along with the insurance beneficiaries.

Since Health data will be sensitive personal information, there is a privacy protection/data protection angle in the entire scheme. The NHS (National Health Stack) which supports the platform envisages a massive registry of patients, doctors and hospitals maintained with updating of health records etc., which may link itself to the Digi Locker Scheme, Aadhaar Scheme, Payment systems, GST etc., besides the Data storage systems in India.

Naturally, there will be a challenge to the capability of the industry to develop the supporting IT skills along with developing the Data Protection professionals.

The overall economic benefit of the scheme is therefore expected to be very positive though the media may discuss only the political implications.

Naavi


National Health Stack (NHS) Scheme open for public comments

The Press Release from PIB has called for public comments on the proposed National Health Stack (NHS).

NHS is the proposed scheme by NITI Aayog that envisages maintenance of a centralized health record for all citizens of the country to facilitate better management of health care. This would assist in the implementation of the ambitious “Modi Care” or “Ayushman Bharath” scheme, which is planning to cover 5 lakh to 10 crore poor families under a health insurance program.

Obviously there will be privacy issues, data protection issues and fraud management issues inherent in such a program, and its implementation will be watched keenly by the community of experts.

The Consultation document is available here

Besides creating a master registry of health data of citizens, the scheme envisages a federated personal health records (PHR) framework, a National Health Analytics Platform and other components such as Digital Health IDs, Health Data Dictionaries, Supply Chain Management for Drugs, Payment Gateways etc.

Along with DISHA 2018, this document will bring revolutionary changes in the way Health Care and Health Care Insurance are likely to be handled in the coming days.

What would be interesting for Data Protection professionals would be to study the proposed “Data Empowerment and Protection Architecture” (DEPA), which would interact with ID systems like Aadhaar etc.

Apart from the Privacy Considerations and Data Protection Requirements, the possibility of “Frauds” has also been envisioned and some thought has been given in this direction.

We have the experience of HIPAA and Obama Care in the US, and hopefully the lessons learnt by the US authorities in administering those programs will come in handy in India when Modi Care is being planned and implemented.

The Political opponents and the supporting sections of the society will raise many questions and perhaps try to ensure the defeat of the program. But people who are interested in national welfare should welcome this massive project and provide assistance to the Government in implementing it successfully.

If we look at the Aadhaar scenario, there has been a competitive criticism by the professionals in the Privacy and Data Protection industry basically led by the political considerations.

Now NHS scheme could be a “Digital Aadhaar” scheme having wide ramifications.

I hope that the opposition that surfaced for Aadhaar does not resurface in respect of the NHS and Modi Care program.

I therefore urge all the Data Protection Professionals who were in the forefront of criticising Aadhaar, and who even went to the extent of submitting their own objections to the Supreme Court and collaborated with foreign agencies to find loopholes in the Aadhaar system, to take a deep look at the proposed consultation paper and record their views today instead of coming up with their objections later.

Send your comments, if any, by 1st August 2018 to healthstackniti@gmail.com

Naavi


Public Comments to DISHA 2018 Draft

DISHA 2018 is the proposed law for India applicable to the Privacy and Data Protection related to the Health Care sector in India.

The IT industry is in the midst of discussion on GDPR and how it will impact Indian Companies. At the same time, the Srikrishna Panel is also due to submit its recommendations on the General Data Protection law in India.

Behind all these developments, there is already ITA 2000/8, which defines Personal Data and Sensitive Personal Data, the responsibilities of protecting the Confidentiality, Integrity and Availability of “Data”, “Personal Data” and “Sensitive Personal Data”, penalties, the dispute resolution mechanism etc.

Unfortunately each Ministry of the Government wants to have a separate law for itself addressing Data Protection in its own domain. This multiplicity of laws is unlikely to benefit the people and will increase the cost of Administration enormously.

Today is the last day for submission of comments by the Public on DISHA 2018 or the “Digital Information Security in Health care Act 2018”. Public comments are expected to be provided before April 21, 2018 to be sent to egov-mohfw@nic.in .

In order to enable stakeholders to form their views and forward them to the ministry, Naavi has provided his own immediate views on the proposed 45-section draft legislation in the form of the following articles.

  1. DISHA 2018- Proposed Health Information Security Act in India
  2. Consequences of Health Data Breach under DISHA 2018
  3. Data is a Property owned by the Data subject under DISHA 2018
  4. New Regulatory Agencies under DISHA 2018

There are also some articles posted on www.privacy.ind.in on GDPR and the Srikrishna Panel.

Readers may peruse these articles and send their own comments to the Health Ministry on DISHA 2018.

It is our firm belief that “Data Protection” requires a comprehensive regulation for multiple sectors and there has to be an “Umbrella Law” that is supported by “Sectoral Security Standards”. ITA 2000/8 already has the concept of “Reasonable Security Practice” with flexibility for sectoral regulators to define their own standards.

It is therefore redundant to have multiple Data Protection Legislations leading to multiple Data Protection Authorities, Officers, Committees, Chairpersons etc. Such sectoral laws will be unproductive and will create conflicts.

If the Modi Government believes in Minimal Governance and the Best use of technology, there is a need for a complete re-think on the approach to such sectoral laws, sectoral CERTs etc. These suggestions are created by Bureaucrats who think all legislations are for the benefit of creating new organizations and bloating up the Government expenditure, and the law is only an excuse.

The public does not relish such an approach. These laws only increase the cost of administration and also create corruption centers in the country. They do not bring proportionate benefit to the public.

I look forward to the right-thinking persons in the Modi Government giving a thought to the above comment and proceeding with such duplicate legislations.

At a time when Mr Modi is considering the National Health Mission, which is a huge political and financial investment, having an efficient organization to back it up in terms of legislation and authorities is considered necessary. But what we need to consider is whether “Medical Data” is also “Data” which is already addressed by ITA 2000/8 and the Data Protection Act (Srikrishna panel), and whether we can merge these proposed legislations into one existing legislation, which should ideally be the “Information Technology Act 2000 as amended in 2008 and to be further amended in 2018”.

We can then have one State level Adjudication Authority, one Central Level Adjudication Authority for Data in general, and one Data Protection Authority supported by sectoral standard committees and sectoral CERTs.

If this basic concept is accepted, we may have to rework DISHA 2018 and substitute it with one chapter on Health Data Security in ITA 2000/8 (with some changes in the Adjudication and Appellate Tribunal aspects of ITA 2008, which could be as suggested under DISHA 2018).

I hope a reasonable thought is given in this direction also.

Naavi


Regulatory Agencies under DISHA 2018

DISHA 2018 is the proposed law for India applicable to the Privacy and Data Protection related to the Health Care sector in India. At a time there is discussion on GDPR all around the industry and anticipation of the Justice Srikrishna Committee’s recommendation on the General Data Protection Act for India, DISHA 2018 has been proposed by the Health Ministry in a draft form for public comments. The Act is likely to be named as “Digital Information Security in Health care Act 2018”. Public comments are expected to be provided before April 21, 2018 to be sent to egov-mohfw@nic.in .

In order to enable stakeholders to form their views and forward them to the ministry, Naavi is providing here his own views. I suppose this would be helpful in triggering thoughts in others to send their own comments.

…..Naavi

This is the continuation of the earlier article on this subject


Any new legislation brings with it a proposal for creating new regulatory authorities and new executive positions for influential Delhi bureaucrats, often unmindful of the costs involved and the inefficiency which the multiplicity of regulatory authorities breeds. DISHA 2018 is not an exception to this. In the light of the action taken in the last budget to abolish some Tribunals such as the Cyber Appellate Tribunal, at some point of time the authorities created by one law may get abolished for some reason or the other. Sometimes authorities get created but there will be no activity. We have seen this happen with the Adjudicating authorities under ITA 2000.

Despite this experience, DISHA 2018 also tries to create many authorities for regulation of the proposed act.

The first such authority is the National Electronic Health Authority of India (NeHA). A Chairman assisted by a board of representatives from different ministries and some ex-officio members would constitute NeHA.

NeHA will be assisted by a “National Executive Committee” with more members from the Bureaucrats.

This regulatory body will be supported by the “State Electronic Health Authority” and “State Executive Committee”, creating more jobs for bureaucrats in all the States and Union Territories.

These bodies will then appoint their own staff and invest in Buildings, Cars, Hefty Salaries and Pensions, all at the expense of the tax payer’s money, increasing the cost of living.

Whether these regulatory bodies are aware of IT, aware of IT Security, aware of Data Protection etc., will be the last consideration.

Adjudicators

Similarly, for Dispute resolution, State and Central Adjudicating authorities have been proposed.

For breach of digital health data by a clinical establishment or any entity, an aggrieved person or owner may complain to the State Adjudicatory Authority.

For breach of digital health data by a health information exchange, State Electronic Health Authority or the National Electronic Health Authority of India, an aggrieved person or owner may complain to the Central Adjudicatory Authority.

The Adjudicating authorities will be multi-member bodies consisting of a Chairperson and two other members, which is welcome since our experience with the Adjudicating Authorities under ITA 2000 had thrown up the need for such multi-member bodies. The Central Adjudicating authority will also be the appeal authority against the orders of the State Adjudicating authorities.

Appeal from the Central Adjudicating authority will go to the High Court.

Otherwise the Adjudicating authorities will be, as in the case of ITA 2000, authorities which will not be required to be bound by the Civil Procedure Code.

No specific compensatory limit is indicated in the proposed Act either.

However, no civil court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which the Central Adjudicatory Authority or the State Adjudicatory Authority is empowered by or under this Act to determine and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act.

We need to await the detailed procedural notification at a later stage for more details on the functioning of the Adjudicating authorities and the appointment of people for the different positions in the Adjudicating authorities.

If two successive Governments at the Center were unable to find a Chairperson for the Cyber Appellate Tribunal since 2011, and the Ministry of Mr Arun Jaitley decided to merge the tribunal with another Tribunal as a solution, unmindful of the consequences on the society, we need to observe how the proposed Adjudicating authorities under this Act would be set up.

If there was a lack of work for the Cyber Appellate Tribunal under ITA 2000, will there be sufficient work for these tribunals? Or can these tribunals also handle the ITA 2000 complaints? These are questions to which answers may be expected from the Government.

Naavi


Data is a Property owned by the Data subject under DISHA 2018



DISHA 2018 brings in an important concept to the Data Protection legislation for the first time by declaring that “Data is the Property of the Data Subject”.

Under the proposed Clause 31 of the Act, it is stated:

(1) The digital health data generated, collected, stored or transmitted shall be owned by the individual whose health data has been digitised;
(2) A clinical establishment or Health Information Exchange shall hold such digital health care data referred to in sub-section (1) above in trust for the owner;
(3) Any other entity who is in custody of any digital health data shall remain the custodian of such data, and shall be duty bound to protect the privacy, confidentiality and security of such data;
(4) Notwithstanding anything stated in the above sub-sections (1) to (3), the medium of storage and transmission of digital health data shall be owned by the clinical establishment or health information exchange, as the case may be.

Under Section 3(e) Digital Health Data is defined as follows:

(e) ‘Digital Health Data’ means an electronic record of health related information about an individual and shall include the following:

(i) Information concerning the physical or mental health of the individual;
(ii) Information concerning any health service provided to the individual;
(iii) Information concerning the donation by the individual of any body part or any bodily substance;
(iv) Information derived from the testing or examination of a body part or bodily substance of the individual;
(v) Information that is collected in the course of providing health services to the individual; or
(vi) Information relating to details of the clinical establishment accessed by the individual.

It is interesting to note that the “Ownership” is limited to the Digital Health Data and may not extend to the “Personal Data”.

The implication of this provision is that a patient can demand that any health data collected about himself is his property and must be handed over to him. Being “Property”, the legal heirs will also have a right to it if the patient is not alive.

This definition should have effect on cases such as J Jayalalitha’s health records, which now become the property of the legal heirs of Jayalalitha. The Hospitals cannot hide the data under non-existent “privacy” considerations of a deceased individual.

The rights of the owner of digital health data are defined under Section 28 as under:

(1) An owner shall have the right to privacy, confidentiality, and security of their digital health data, which may be collected, stored and transmitted in such form and manner as may be prescribed under this Act.

(2) An owner shall have the right to give or refuse consent for the generation and collection of digital health data by clinical establishments and entities, subject to the exceptions provided in Section 29 of this Act.

(3) An owner shall have the right to give, refuse or withdraw consent for the storage and transmission of digital health data.

(4) An owner shall have the right to refuse consent to the access or disclosure of his or her digital health data, and if refused it shall not be disclosed, subject to the exceptions provided in Section 33 of the Act.

(5) An owner of the digital health data shall have the right that the digital health data collected must be specific, relevant and not excessive in relation to the purpose or purposes for which it is sought;

(6) An owner of the digital health data shall have the right to know the clinical establishments or entities which may have or has access to the digital health data, and the recipients to whom the data is transmitted or disclosed;

(7) The owner of the digital health data shall have a right to access their digital health data with details of consent given and data accessed by any Clinical Establishment/Entity;

(8) The owner of the digital health data shall have, subject to sub-section (1) to (3) above:

(a) The right to rectify without delay, from the respective clinical establishment or health information exchange or entity, any inaccurate or incomplete digital health data, in the prescribed form as may be notified by the National Electronic Health Authority;

(b) The right to require their explicit prior permission for each instance of transmission or use of their digital health data in an identifiable form, through such means as may be prescribed by the Central Government;

(c) The right to be notified every time their digital health data is accessed by any clinical establishment within the meaning of Section 34 of the Act;

(d) The right to ensure that in case of health emergency, the digital health data of the owner may be shared with their family members;

(e) The right to prevent any transmission or disclosure of any sensitive health related data that is likely to cause damage or distress to the owner;

(f) The right not to be refused health service, if they refuse to consent to generation, collection, storage, transmission and disclosure of their health data;

(g) The right to seek compensation for damages caused by a breach of digital health data.

There is a streak of GDPR in the above provisions. What attracts notice is Section 28(f) which states that a person has the right not to be refused health service if they refuse to consent to generation, collection, storage or transmission or disclosure of their health data.

How a health establishment can provide a health service without, say, conducting a blood examination when consent is refused is a question that will puzzle the hospitals.

In order to protect the rights of the Digital Health Data Subject, the principles of purposeful collection (Section 29), lawful collection (Section 30), secured storage (Section 32), secured transmission (Section 33), access provision (Section 34), rectification option (Section 36) etc. have been laid down.

Section 35 imposes all the liabilities under Information Security Management, because it states:

35. Duty to maintain privacy and confidentiality of digital health data

(1) A clinical establishment, health information exchange, State Electronic Health Authority and the National Electronic Health Authority, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner;

(2) Any other entity, which has generated and collected digital health data, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner.

(3) The privacy, confidentiality and security of digital health data shall be ensured by taking all necessary physical, administrative and technical measures, that may be prescribed or specified, to ensure that the digital health data, collected, stored and transmitted by them, is secured and protected against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.
(4) Without prejudice to the above provisions, a clinical establishment or health information exchange shall ensure through regular training and oversight that their personnel comply with the security protocols and procedures as may be prescribed or specified under this act.
(5) A clinical establishment, or a health information exchange, shall provide notice immediately, and in all circumstances not later than three working days to the owner, in such manner as may be prescribed under this Act, in case of any breach or serious breach of such digital health data.

It is clear from the above that the Clinical establishments will have a tough time complying with DISHA 2018, almost on the lines of GDPR.

Since DISHA is applicable to “Clinical Establishments”, whose definition [Section 3(i)] includes

- a hospital, maternity home, nursing home,

- a dispensary, clinic, sanatorium or an institution by whatever name called that offers services or facilities requiring diagnosis, treatment or care for illness, injury, deformity, abnormality or pregnancy in any recognised system of medicine, or

- a place established in connection with diagnosis where pathological, bacteriological, genetic, radiological, chemical, biological investigations or other diagnostic or investigative services with the aid of laboratory or other medical equipment are usually carried on,

the impact of what it proposes as security is far reaching.

(Discussions will continue)

Naavi


Consequences of Health Data Breach under DISHA 2018



The importance of any legislation is often measured in terms of the penal consequences that would follow if the law is not complied with. The same logic applies to DISHA 2018 also, and hence we need to take a quick look at Chapter V of the proposed legislation, which deals with Offences and Penalties.

For the purpose of defining the consequences of non-compliance with DISHA 2018, the proposed law defines “Breach of Digital Health Data” along with a term “Serious Breach of Digital Health Data”.

As per section 37, Digital Health Data is said to be breached when

a) Any person generates, collects, stores, transmits or discloses digital health information in contravention of the provisions of the Act or

b) Any person who does anything in contravention of the exclusive right conferred upon the owner of the digital health data or

c) Digital health data collected, stored or transmitted by any person is not secured as per the standards prescribed by the Act or any rules thereunder or

d) Any person damages, destroys, deletes, affects injuriously by any means or tampers with any digital health data.

A person who is responsible for such breach shall be liable to pay damages by way of compensation. This is treated as a civil wrong.

A “Serious Breach of Digital Health Data”, on the other hand, is defined as follows:

(1) A serious digital health data breach shall be said to have taken place, if:

(a) A person commits a breach of digital health data intentionally, dishonestly, fraudulently or negligently; or
(b) Any breach of digital health data occurs, which relates to information which is not anonymised or de-identified; or
(c) A breach of digital heath data occurs where a person failed to secure the data as per the standards prescribed by the Act or any rules thereunder; or
(d) Any person uses the digital health data for commercial purposes or commercial gain; or
(e) An entity, clinical establishment or health information exchange commits breach of digital health data repeatedly;

Explanation: The terms “dishonestly” and “fraudulently” shall have the same meaning as assigned to them under the Indian Penal Code, 1860

(2) Any person who commits a serious breach of health care data shall be punished with imprisonment, which shall extend from three years and up to five years; or fine, which shall not be less than five lakh of rupees.

Provided that, any fine imposed as part of sub-section (2) may be provided to the individual whose data is breached, by the Court, as it deems fit as compensation.

This section is meant to be a section to define offences which may be punished with Imprisonment and Fine and hence should be recognized as a “Criminal Offence”.

The imprisonment under this section is declared to be for a minimum of 3 years extending up to 5 years, and the fine is stated as “Shall not be less than Five lakh of rupees”.

The above section perhaps requires to be better constructed to avoid ambiguities.

Firstly, it tries to combine the Criminal penalty with Civil compensation by providing that the Court may provide compensation by collecting it as a fine. This makes Section 37 redundant, since the definition of “Serious Breach of Digital Data” under Section 38 differs from Section 37 only with the addition of “Intention” and “Dishonesty” etc.

Also, since the separator “Or” has been used to separate sub-sections 1(a) to 1(e), it appears that “Any Breach of identifiable digital health data” would come under Section 38 with or without dishonesty or malicious intention.

Further, 37 (1) (a) has included the term “Negligently” along with “Intentionally”, “Dishonestly” and “Fraudulently”. This has mixed up criminal intention with “negligence”, and “Negligence without Criminal Intention” can be a grey area under this section.

Under (1) (c), breach of data for failure to secure it has also been defined as a serious breach inviting imprisonment and fine. Considering that the punishment can be a minimum imprisonment of 3 years and a fine of Rs 5 lakhs, and “Security” being as ambiguous as it can be, it is difficult to accept the section as it is now drafted as fair drafting.

The other two actions that can invoke punishment under this section are “Use of digital health data for commercial purposes” and “Repeated breach by a clinical establishment”.

These offences also need to be qualified properly.

Overall, Section 38 is not properly drafted and has to segregate the “Motive”, “Action”, “Consequence” of an action that is defined as an offence before indicating the punitive measures.

Section 39 is again an extension of Section 38 offences to the domain of civil compensation and overlaps both with Sections 37 and 38.

Section 40 of the proposed Act prescribes fines for administrative delay in furnishing information or documents, books, returns or reports that may be specified. The fine may extend to Rs 1 crore.

Section 41 states that:

“Whoever, fraudulently or dishonestly, obtains the digital health information of another person, which he is not entitled to obtain under the Act from a person or entity storing such information shall be punished with imprisonment for a term which shall extend up to one year or fine, which shall be not less than one lakh rupees; or both.”

This addresses the cases of “Digital Impersonation” for which ITA 2000/8 already prescribes 3 years imprisonment.

Additionally, under Section 42, “Data Theft” has been defined as an offence that can result in imprisonment for 3 to 5 years. The section states as under.

“Whoever intentionally and without authorization acquires or accesses any digital health data shall be punished with imprisonment for a term, which shall extend from three years up to five years or fine, which shall be not less than five lakh rupees; or both.”

Section 43 speaks of “Cognizability” and again is ambiguously drafted.

It says that “No Court shall take cognizance of any offence punishable under this Act or any rules or regulations made thereunder, save on complaint made by the Central Government, State Government, the National Electronic Health Authority of India, State Electronic Health Authority,” but adds “or a person affected”.

This means that on the basis of a complaint made by the person affected, cognizance can be taken irrespective of the term of imprisonment etc.

This may not be acceptable to the Criminal judicial system.

Section 44 extends the offences which can be attributed to the Company to its executives as under Section 85 of ITA 2000/8.

Overall, it appears that the sections on offences are loosely drafted and need to be tightened substantially before becoming law.

Perhaps when the draft goes to the Law Ministry, it will have to be revised thoroughly.

(To Be continued)

Naavi


DISHA 2018- Proposed Health Information Security Act in India



DISHA 2018 has been structured into the following 7 Chapters:

I: Preliminary

II: National Electronic Health Authority

III: Powers and Functions of the National and State Authorities

IV: Data Ownership, Security and Standardization

V: Digital Health Data Breach and Consequences

VI: Adjudicating Authority

VII: Miscellaneous Provisions

Schedule I: Personally Identifiable Information

Geographical Applicability

Let’s start with the Preliminary Chapter that states that this law extends to the whole of India except the State of Jammu and Kashmir.

Since ITA 2000/8 is a law that also applies to J&K and it has provisions that state that Health Information is sensitive personal information and it has to be protected in a certain manner, that provision will continue to apply to J&K. In other areas there could be some overlap of regulations between ITA 2000/8 and this law when it becomes effective.

Personal Information

The definition section is Section 3 and it requires a detailed discussion. Before we get into the definitions under Section 3, we can first have a look at Schedule I, which lists certain parameters as “Personally Identifiable Information” (PII).

The listed parameters that would be considered as PII are

  1. Name
  2. Address
  3. Date of Birth
  4. Telephone Number
  5. Email Address
  6. Password
  7. Financial Information such as Bank account or credit card or debit card or other payment instrument details
  8. Physical, Physiological and Mental Health Condition
  9. Sexual Orientation
  10. Medical Records and History
  11. Biometric Information
  12. Vehicle Number
  13. Any Government number including Aadhaar, Voter’s Identity, Permanent Account Number (PAN), passport, Ration Card, Below Poverty Line (BPL) card

Compared to the HIPAA identifiers, there appears to be an omission of E Mail Address, IP Address, IMEI Number and SIM number (unless telephone number can also be interpreted as mobile number). Also, Age is not included, Address as a whole is included, and there is no exemption for address at a higher level as in HIPAA.

There is an additional definition under Section 3(o) which defines “Sensitive Health Related Information” namely,

(o) ‘Sensitive health-related information’ means information,

that if lost, compromised, or disclosed, could result in substantial harm, embarrassment, inconvenience, violence, discrimination or unfairness to an individual,

including but not limited to, one’s physical or mental health condition, sexual orientation, use of narcotic or psychotropic substances, consumption of alcohol, sexual practices, Human Immunodeficiency Virus status, Sexually Transmitted Infections treatment, and abortion.

This appears to be a departure from the other legislations where “Personal Information” is defined in general terms and some types of Personal Information are defined as Sensitive Personal Information (SPI). This approach has been used in ITA 2000/8 as well as in GDPR.

It is interesting to note that DISHA 2018 has defined the “Sensitive” nature of PI in terms of the context in which a breach could cause “Substantial” harm.

The interpretation of the word “Substantial” would be subject to debate as it happened when the Supreme Court discussed Section 66A of ITA 2008 and interpreted that the term “Grossly Offensive” was vague. But this judgement was prompted by other considerations and should be considered as an aberration.

On the other hand, “Personally Identifiable Information” as per Section 3(k) means any information that can be used to uniquely identify, contact or locate an individual, or can be used with other sources to uniquely identify a person, and includes the information stated in Schedule I.

Hence the suggestion that “Data” is Data under all circumstances and it becomes “Sensitive” in certain circumstances is welcome.

Entity

The Act defines a “Clinical Establishment” as well as the term “Entity”. Both definitions include all types of organizations, including individuals, Trusts, private and public establishments, Hospitals, diagnostic centers, pathological laboratories, radiology laboratories etc. Only establishments owned by the armed forces are exempted from this definition.

As a result of this approach, the scope of this proposed Act will have a very wide impact in the Health Care industry.

……To Be Continued

Naavi


Draft Law now available for Public Comment

The Government of India’s Ministry of Health & Family Welfare has released the first complete draft of the proposed “Digital Information Security in Healthcare Act” (DISHA).

A copy of the draft is available here:

Public comments have been invited up to 21st April 2018 and may be sent to egov-mohfw@nic.in

We will discuss the details of this proposed Act in these columns as well as at www.naavi.org.

Naavi


New EHR Guidelines notified

The Ministry of Health and Family Affairs had released a comprehensive version of technical standards for Electronic Health Records first in 2013. Subsequently in March 2016 a revised version had been released for public comments.

Now a final version has been notified in December 2016, a copy of which is available here.

It needs to be adopted in IT systems by health care institutions/providers across the country.

When the Health Data Privacy and Security Act which is under drafting is enacted, these standards will acquire legal mandate. However, in view of the enormous work required in implementing these standards, it is preferable for all IT companies to start on a transformation plan now to adopt them.

Naavi


Ownership of data clarified..in EHR Guidelines 2016

In discussions on “Privacy” we often debate how the service provider can use my data for purposes which are commercially beneficial to him while I am neither aware of nor benefiting from such usage.

The general principle of all Privacy legislations is that the “Data shall not be used nor disclosed by the processor except as authorized by the data owner or otherwise provided under law”. The data owner often signs a contract with the data collector in which the data collector discloses his privacy policy detailing why he is collecting the information, what he will do with it etc. Once this contract is accepted by the data owner by, say, “Clicking on the I accept button”, it is deemed to be a consent and it will determine all further rights and liabilities.

In India “Click Wrap” contract through an “I Accept button” is not recognized in law and hence all such consents only become “Deemed consent” which is “Voidable” at the option of the customer at least as to some fine print clauses of the standard contract.

Under these circumstances, if the data user had overstepped the consent terms and used the data for commercial exploitation, the data owner normally could only grumble without a proper legal remedy.

It appears that now there is a new door being opened in the Privacy legislation in India applicable to “Health information” which is also a “Sensitive Personal Information” under ITA 2008.

The recently amended EHR guidelines released by the Ministry of Health and Family Welfare, which are a precursor to the Health Care Data Privacy and Security Act, make a categorical statement that

  1. The contained data which are the sensitive personal data of the patient is owned by the patient.
  2. The medium of storage or transmission of such electronic medical record will be owned by the healthcare provider.
  3. The physical or electronic records, which are generated by the healthcare provider, are held in trust by them on behalf of the patient

This provision actually lends substantial strength to the “Consent”, not only by making it part of a Contract under the Indian Contracts Act but also by introducing the possibility of “Breach of Trust” if the data user uses the data other than as provided for in the consent.

Though the EHR does recognize the national interests in denying some privacy rights (which we shall discuss in a subsequent article), the use of the term “Data is owned by the patient” makes a strong case for legal interpretation of “Data” as “Property” and all the rights associated with it including the right of the data owner to place a price on it. If the data user makes any substantial profit out of aggregation of individual data, it would therefore be reasonable to expect that part of the commercial benefit arising thereof should go to the data owner.

This concept, though laid out specifically in the case of health data, should be extendable to all types of data including financial data.

It would require some time for understanding the full implications of this concept in the era of data analytics and data aggregation over IoT devices and a multitude of platforms.

Naavi
