The proposed HDPSA (Health Data Privacy and Security Act) which is being worked on by the Health and Family Welfare department of the Union Government is likely to draw a lot from the HIPAA (Health Insurance Portability and Accountability Act) of USA. HIPAA was drafted around 1996 and then modified/upgraded with the HITECH Act (Health Information Technology for Clinical and Economic Health Act). For some body following HIPAA and its implementation for more than a decade, it appears that India is exactly tracing the same path of development which we saw in HIPAA.
Firstly, HIPAA came into being a law when the Health Insurance Industry was trying to force more digitization into medical record keeping so that the processing of health insurance could be more efficient and less fraud prone. The Insurance industry therefore wanted a push for greater use of Electronic Health Records( EHR) by medical professionals. At the same time, Privacy advocates were skeptical that increased use of EHR would result in higher risk for Privacy of the patients. Hence Privacy Protection and a standard for Information Security was built into the HIPAA. HITECH Act expanded the security measures and at the same time strengthened the Privacy obligations of the covered entities. It also introduced incentives and disincentives to promote accelerated use of EHR which wa felt necessary even 12 years after HIPAA. (HITECH Act came into operation in January 2009).
We in India are retracing similar steps through the actions sorrounding HDPSA.
One of the provisions of the proposed HDPSA is to bring in interoperability of electronic data captured and processed across different systems. This requires defined common standards for identification of health entities as well as different parameters of health data and also structuring of data transmission codes.
In 2013, the Department of Health and Family Welfare (D-HFW) published the “Electronic Health Record Standards for India” and a copy was placed on the website for stakeholders to comment. The copy is available here.
The goals of suggesting the standards were indicated as follows:
Promote interoperability and where necessary be specific about certain content exchange and vocabulary standards to establish a path forward toward semantic interoperability
Support the evolution and timely maintenance of adopted standards
Promote technical innovation using adopted standards
Encourage participation and adoption by all vendors and stakeholders
Keep implementation costs as low as reasonably possible
Consider best practices, experiences, policies and frameworks
To the extent possible, adopt standards that are modular and not interdependent.
Within the standards, guidelines were also incorporated for hardware, networking and connectivity, as well as software standards to be complied with the industry.
The standards also touched on the Ethical, Legal, Social Issues (ELSI) guidelines for Electronic Health Record (EHR) to define the Privacy and Security Requirements of EHR with the recommendations following HIPAA requirements of Privacy and Security.
If HDPSA becomes a law, it is a reasonable presumption that there will be a need to adopt some of the provisions which was available as the Standards document. Similarly it needs to also adopt some of the provisions of the Tele Medicine Act which was drafted several years back and simply forgotten.
The HDPSA will also have to contend with the co-existence with ITA 2008 which would interfere in the Privacy and Information Security issues but not on the data standards issues.
Overall there are interesting days ahead to watch how the legislation is likely to unfold. So far, the draft law which was discussed in the news report has not been made public and hence it is difficult to comment on the exact provisions that have been included there in. We wait for the Government to release the draft for public comment.
We may also remember that in 2006, a “Personal Data Privacy Bill” was drafted and even placed before the Parliament along with the amendments envisaged for ITA 2000. Subsequently, in 2008, the ITA amendments passed through but the Privacy Bill lapsed. Since then there are other versions of the Privacy Bill which were presented in the Parliament but have failed to get the consensus since they directly interfered with the national security issues involved in “Intereception of communication” and also the issues related to Aadhaar implementation.
The Sector specific approach now proposed in HDSPA addressing only the Heath Care Data Privacy and Security is unlikely to receive much of opposition except from the Health Care industry itself which would be seriously affected in the process of implementation of the Act.
While the larger hospital chains are likely to implement the provisions of HDPSA, there will be numerous number of smaller nursing homes, neighborhood doctors, pharmacies, mobile App companies dealing in Health information who will simply be unable to comply with the provisions of the Act and will remain non compliant.
Even in the advanced US market, HITECH Act had to set aside US$ 17.2 billion for providing various kinds of incentives to make the industry comply with HIPAA. This would be an equivalent of over Rs 1 lakh crores. Will the Government make such investments? obviously not.
This means that we are in for a long haul as regards the real implementation of the provisions as and when implemented.
HIPAA actually gave compliance deadlines which extended from 1996 to beyond 2003 and yet they had to postpone some provisions of data breach notification provisions into the Omnibus Rule in 2014.
If therefore the law makers are serious about adoption of HDSPA, then there has to be a strategization of how the compliance will be pushed. We know that even after 16 years, ITA 2000 compliance is still at the nascent stage. If so, it is anybody’s guess about what should be the time line for HDSPA implementation.
If there is no proper strategization of the compliance, we will have an industry domain which will be living under the umbrella of non compliance with the constant fear that the regulator could crush then down any time.
This “Living under Fear” will be the biggest threat to the Health Care industry which they need to avoid.
I therefore suggest the industry to organize themselves properly so that when the next phase of roll out of this draft legislation happens, the interest of survival of the industry is not forgotten.
If the industry is complacent, there would be a “Globalization” of the hospital and health care industry to such an extend that just like the K-Marts eating away our neighborhood kirana store, the international hospital brands may eat away all our domestic medical practitioners. In the process, health care in India will become more expensive and dependent on heath insurance industry.
Keeping all these things in mind, it is necessary to ensure that the proposed legislation builds adequate safeguards to protect the interests of the consumers.
Has the health ministry factored all these aspects?… God knows..