As per the news report, the Union Health Ministry is contemplating new legislation tentatively titled “Healthcare Data Privacy and Security Act” (HDPSA) to devise a “comprehensive legal framework” for the “Protection of individual health data” and “Standardization”.
The statement released to the Press also says that the law will “Identify Ownership” of the data through the establishment of a “National e-Health Authority” and “Health Information Exchanges”.
The law will also have “Detailed remedies for breach of data”, both civil and criminal penalties, entitling the patient to compensation if data is leaked, as well as severe punitive action against the “Agencies responsible”.
It also speaks about the “Consent” to be obtained from the patient.
The law appears to have been influenced by the need for “Interoperability of Electronic Health Records (EHR)” and sounds much like the HIPAA of 1996 in the USA.
It is clear that the law will follow the standard principles of privacy, revolving around authorization of the collection of information based on prescription and obtaining the consent of the patient. Collected data should follow the principle of minimal collection. Data breach notification to the owner would be part of the legislation.
The mention of what are called “Information Exchanges” indicates regulation of IT facilities, including Mobile App companies, with a registration requirement with a National Authority to be set up and a consequential “Compliance Regime”.
Like HIPAA, there will be unique registration numbers assigned to every health facility, starting with the public sector.
A new “E-Cloud Repository” for real time health data is also envisaged.
A New Adjudicatory and Appellate Authority is also likely to be set up.
The legislation should be considered a huge step in Health Care Regulation in India, just as HIPAA made a seminal difference to the industry. There is a clear overlap of the proposed law with the Information Technology Act, which already defines “Health Information of an Individual” as “Sensitive Personal Information” and prescribes “Reasonable Security Practice”.
However, given the slackness of the Ministry of IT in implementing the provisions of ITA 2000/8, the emergence of the new “Healthcare Data Privacy and Security Act” or HDPSA could provide good competition to ITA 2008 in redefining the standards of “Data Security” in India.
We therefore welcome the proposed new legislation.
HIPAA legislation in the USA, implemented through the HHS, is a model law which is worth emulating not only from the point of view of the basic provisions but also in how it needs to be implemented in the industry.
We hope that HDPSA will also be taken through similar steps of “Receiving Comments from Public” on the draft provisions at every stage of its implementation and “Providing a Compliance Time line” for the industry, unlike the ITA 2000/8 implementation which occurred through MCIT.
Watch out for more comments…