E-Pharmacies need to take note of these regulations

In the last few months, many start-ups in Bangalore and elsewhere have introduced mobile app based services in the Health Care industry. Some of them have ventured into areas which may come under the provisions of the Pharmacy Act 1948 (refer here under the link Rules & Regulations). Some of these companies are functioning as e-Pharmacies and also need to keep an eye on the effect of the “Pharmacy Practice Regulations 2015” on their business activities.

Additionally, pharmacists will also be subject to the proposed Health Care Data Privacy and Protection Act.

According to the Pharmacy regulations, registered pharmacists need to maintain medical/prescription records for a period of 5 years and should be in a position to make them available on demand by the patient or authorized attendant. The pharmacist is bound to maintain the “Privacy” of patient information and the associated security when the information is maintained in electronic form.

The critical aspect of the regulations from the perspective of the App developers is that the definition of “prescription” takes cognizance of e-prescriptions.

The definition states: “Prescription” means a written or electronic direction from a Registered Medical Practitioner or other properly licensed practitioners such as Dentist, Veterinarian, etc. to a Pharmacist to compound and dispense a specific type and quantity of preparation or prefabricated drug to a patient.

The “Electronic direction” is considered an “e-prescription” and must meet all the requirements of a written prescription.

The requirements of a written prescription include the following:

(i) Prescriber’s office information – [Name, qualification, address & Regn. No.]
(ii) Patient information – [Name & address, Age, Sex, Ref. No.]
(iii) Date
(iv) Rx Symbol or superscription
(v) Medication prescribed or inscription
(vi) Dispensing directions to Pharmacist (or) subscription
(vii) Directions for patient [to be placed on label]
(viii) Refill, special labeling and/or other instructions
(ix) Prescriber’s signature and licence (or) Drug Enforcement Agency (DEA) number as required.

Hopefully, the e-pharmacies and e-prescription app developers take these into consideration before the department starts questioning them on the legality of their activities.


Posted in Uncategorized

Understanding the SNOMED CT Coding system used in Indian Healthcare system

The Ministry of Health & Family Welfare (MoH&FW) notified the EHR standards for India way back in 2013. SNOMED CT (Systematized Nomenclature of Medicine - Clinical Terms), which forms part of these standards, was developed by the International Health Terminology Standards Development Organisation (IHTSDO). About 27 countries are members of IHTSDO but the terminology is used in more than 50 countries. India became a member in April 2014.

India has obtained a “Country license” for SNOMED CT and it is available free of cost to vendors/developers/clinical entities in India (Ref: Circular dated 4th April 2014). The circular also urged all States/UTs to adopt EHR standards in all e-health applications.

SNOMED CT (distributed by IHTSDO) currently contains more than 300,000 medical concepts, divided into hierarchies such as body structure, clinical finding, geographic location, pharmaceutical/biological product, etc. Each concept is represented by an individual number, and several concepts can be used simultaneously to describe a complex condition.

As a numerical reference system for medical concepts, SNOMED CT provides a standard by which medical conditions and symptoms can be referred to, eliminates the confusion that may result from the use of regional or colloquial terms, and facilitates the exchange of clinical information among disparate health care providers and electronic medical record (EMR) systems.

SNOMED CT consists of four primary core components:

1. Concept Codes – numerical codes that identify clinical terms, primitive or defined, organized in hierarchies
2. Descriptions – textual descriptions of Concept Codes
3. Relationships – relationships between Concept Codes that have a related meaning
4. Reference Sets – used to group Concepts or Descriptions into sets, including reference sets and cross-maps to other classifications and standards

Concepts are further described by various clinical terms or phrases, called Descriptions, which are divided into Fully Specified Names (FSNs), Preferred Terms (PTs), and Synonyms.

SNOMED CT is a clinical terminology designed to capture and represent patient data for clinical purposes. The industry also uses the International Statistical Classification of Diseases and Related Health Problems (ICD), an internationally used medical classification system, to assign diagnostic and, in some national modifications, procedural codes in order to produce coded data for statistical analysis, epidemiology, reimbursement and resource allocation.

Both systems use standardized definitions and form a common medical language used within electronic health record (EHR) systems. SNOMED CT enables information input into an EHR system during the course of patient care, while ICD facilitates information retrieval, or output, for secondary data purposes.

SNOMED CT is used in a number of different ways, some of which are:

- It captures clinical information at the level of detail needed for the provision of healthcare
- Through sharing data it can reduce the need to repeat health history at each new encounter with a healthcare professional
- Information can be recorded by different people in different locations and combined into simple information views within the patient record
- Use of a common terminology decreases the potential for differing interpretation of information
- Electronic recording in a common way reduces errors and can help to ensure completeness in recording all relevant data
- Standardised information makes analysis easier, supporting quality, cost effective practice, research and future clinical guideline development
- A clinical terminology allows a health care provider to identify patients based on specified coded information, and more effectively manage screening, treatment and follow up

SNOMED CT is used in the second stage of the meaningful use definition under the HITECH Act. Even in the US, health care providers are complaining of the practical difficulties in implementing the standards for recording patient care information. However, certain mapping techniques between SNOMED CT and ICD 10 have been developed and are reportedly being used.
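To make the four core components and the SNOMED-to-ICD mapping idea concrete, here is a toy in-memory model written for this page (it is not code from the original post, from IHTSDO or from CDAC): concepts carrying an FSN, preferred term and synonyms; IS-A relationships forming a hierarchy that supports subsumption queries; and a cross-map reference set that a more specific concept inherits from its nearest mapped ancestor. All concept ids, descriptions and mapped codes are constructed placeholders, not real SNOMED CT or ICD values.

```python
"""Toy model of the four SNOMED CT core components: concepts, descriptions,
relationships and reference sets. Every id, term and mapped code below is
constructed for illustration; none is a real SNOMED CT or ICD value."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

IS_A = "is_a"  # constructed label for the subtype relationship that builds the hierarchy


@dataclass
class Concept:
    """One numeric concept code with its descriptions (FSN, preferred term, synonyms)."""
    concept_id: int
    fsn: str
    preferred_term: str
    synonyms: List[str] = field(default_factory=list)

    def descriptions(self) -> List[str]:
        return [self.fsn, self.preferred_term, *self.synonyms]


class MiniTerminology:
    def __init__(self) -> None:
        self.concepts: Dict[int, Concept] = {}
        self.parents: Dict[int, Set[int]] = {}        # relationships: child id -> IS_A parent ids
        self.refsets: Dict[str, Dict[int, str]] = {}  # reference sets: name -> concept id -> code
        self._index: Dict[str, int] = {}              # case-folded description -> concept id

    def add_concept(self, concept: Concept) -> None:
        if concept.concept_id in self.concepts:
            raise ValueError(f"duplicate concept id {concept.concept_id}")
        self.concepts[concept.concept_id] = concept
        self.parents.setdefault(concept.concept_id, set())
        for text in concept.descriptions():
            key = text.casefold()
            # A description shared by two concepts would make text lookup ambiguous
            if self._index.get(key, concept.concept_id) != concept.concept_id:
                raise ValueError(f"description {text!r} already belongs to another concept")
            self._index[key] = concept.concept_id

    def add_relationship(self, source: int, rel_type: str, destination: int) -> None:
        if source not in self.concepts or destination not in self.concepts:
            raise KeyError("both ends of a relationship must be known concepts")
        if rel_type == IS_A:
            # Refuse an edge that would make the hierarchy cyclic
            if self.subsumes(source, destination):
                raise ValueError("IS_A relationship would create a cycle")
            self.parents[source].add(destination)

    def add_map(self, refset: str, concept_id: int, target_code: str) -> None:
        """Add a cross-map entry (one reference set member) for a concept."""
        if concept_id not in self.concepts:
            raise KeyError(f"unknown concept {concept_id}")
        self.refsets.setdefault(refset, {})[concept_id] = target_code

    def lookup(self, term: str) -> Optional[int]:
        """Resolve any description (FSN, preferred term or synonym) to its concept id."""
        return self._index.get(term.strip().casefold())

    def ancestors(self, concept_id: int) -> Set[int]:
        """Transitive closure over IS_A parents (a concept may have several parents)."""
        seen: Set[int] = set()
        stack = list(self.parents.get(concept_id, ()))
        while stack:
            current = stack.pop()
            if current not in seen:
                seen.add(current)
                stack.extend(self.parents.get(current, ()))
        return seen

    def subsumes(self, ancestor: int, descendant: int) -> bool:
        """True if `descendant` is `ancestor` itself or lies below it in the hierarchy."""
        return ancestor == descendant or ancestor in self.ancestors(descendant)

    def map_to(self, refset: str, concept_id: int) -> Optional[str]:
        """Map a concept through a reference set; when the concept itself has no entry,
        fall back to the nearest mapped ancestor (breadth-first, so the closest level wins)."""
        mapping = self.refsets.get(refset, {})
        frontier, seen = [concept_id], set()
        while frontier:
            for cid in frontier:
                if cid in mapping:
                    return mapping[cid]
            seen.update(frontier)
            frontier = [p for cid in frontier for p in self.parents.get(cid, ()) if p not in seen]
        return None


def build_sample() -> MiniTerminology:
    """Constructed five-concept hierarchy; ids and codes are placeholders only."""
    t = MiniTerminology()
    t.add_concept(Concept(10000001, "Clinical finding (finding)", "Clinical finding"))
    t.add_concept(Concept(10000002, "Disease (disorder)", "Disease", ["Disorder"]))
    t.add_concept(Concept(10000003, "Infectious disease (disorder)", "Infectious disease", ["Infection"]))
    t.add_concept(Concept(10000004, "Bacterial infectious disease (disorder)", "Bacterial infection",
                          ["Bacterial infectious disease"]))
    t.add_concept(Concept(10000005, "Body structure (body structure)", "Body structure"))
    t.add_relationship(10000002, IS_A, 10000001)
    t.add_relationship(10000003, IS_A, 10000002)
    t.add_relationship(10000004, IS_A, 10000003)
    # Cross-map reference set to a statistical classification; only the mid-level concept
    # is mapped, so the more specific concept must inherit the code via its ancestor.
    t.add_map("icd_map", 10000003, "ICD-PLACEHOLDER-1")
    return t
```

Resolving the synonym "bacterial infectious disease" yields concept 10000004, `subsumes(10000002, 10000004)` is true because "Disease" sits above it, and `map_to("icd_map", 10000004)` returns the placeholder code inherited from "Infectious disease".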

Along with SNOMED CT and ICD codes, we also have HL7 standards and ANSI standards for medical encounter/transaction recording and data transmission, making the coding aspects of the health care industry reasonably complex.

These coding systems should be of interest to all IT companies engaged in the domain of health care, including the several start-ups now in India that offer services in the Health Care industry through mobile apps. This will also apply to wearables and cloud storage organizations and naturally to medical coding agencies.

It is not clear if the Indian Health Care industry, which is not exposed to HIPAA, is anywhere near adopting these medical coding standards in full. Once the HDPSA becomes operative, the initial thrust in the industry would be on this aspect of implementation, since non-compliance with these standards would lead to a Y2K type of situation.

However, it appears that the sources for employee training in these areas in India are limited and need to be attended to by the MoH before HDPSA kicks in.

Presently, SNOMED CT related documents can be obtained in India from the National Release Center.

CDAC has also developed a Toolkit for SNOMED CT which is available here.

It is time for the industry to review its software and embedded system software in health care industry to be compliant with these codes where necessary.


For More Information on SNOMED CT Codes refer here:

Also refer National Health Portal India for further information


Online Registration System for Indian Hospitals... No Privacy Policy?

As a part of the Digital India program, the Government of India is encouraging hospitals in India to make use of the “Online Registration System (ORS)” framework to link various hospitals across the country for providing services such as booking appointments, collecting lab reports etc.

The framework will enable Aadhaar based eKYC if the patient’s mobile number is registered with UIDAI.

Presently about 53 hospitals have gone online under this framework. Some of the hospitals that have come onboard include AIIMS at different places, PGIMER and GMC at Chandigarh, NIMHANS and K.C. General Hospital, Bengaluru, JIPMER, Puducherry, etc. There is no doubt that this is just a small sample of Government hospitals.

At present around 1000-1500 appointments per day are being booked under the system and since its launch on 1st July 2015, about 448700 appointments have been booked under the system.

There is no doubt that there is a long way to go before the scheme could be called successful.

For Privacy practitioners, it is necessary to realize that even before the HDPSA draft is available with the public, a major initiative to collect and link the hospitals in India on a common portal is underway. The Government has developed an “Online Boarding Manual” as a guideline for hospitals (Details available here).

At present the appointment registration collects Sensitive Personal Information in the form of Aadhaar details along with the department contacted, the purpose of contact etc., which are also considered health related information of an individual and hence can be classified as Sensitive Personal Information under Section 43A of ITA 2008 requiring “Reasonable Security Practices”.

It appears that the individual hospitals just link to the ORS portal and the information processing is done at the ORS portal. Hence the Privacy and Security obligations fall on the portal.

In order to understand how the system seems to be used, I checked the NIMHANS OPD website which is one of the users of this framework.

The Privacy policy disclosed and notified on the NIMHANS website relates only to visitors of the website and not to people who seek an appointment. When the appointment link on the NIMHANS website is clicked, it takes the registrant to the ors.gov.in website, where there is no declared Privacy policy.

It is also not clear how the information collected for appointment at the ORS website is re-transmitted to NIMHANS or made accessible to them.

Obviously, the system must be considered as being under a pilot run, and a lot more thought needs to be given to it.

When HDPSA kicks in, these hospitals will suddenly realize that they have already collected a huge chunk of Sensitive Personal Information which ought to have been protected from a back date, and they will be in default from day one.

I hope some responsible persons in the management of these hospitals would take some corrective steps in this regard.



Two Incidents Highlight the need for better Security in automation of healthcare

Two incidents reported yesterday in two different hospitals highlight the risk in automation of health care processes and the criticality of information security.

In one of the incidents, a virus left three hospitals in disarray and cancellation of all routine operations and outpatient appointments. (Read the Story Here)

The virus infection affected two hospitals of the Northern Lincolnshire and Goole NHS Foundation Trust (NLAG). Due to the use of some shared services, a third hospital, United Lincolnshire Hospitals NHS Trust (ULHT), also had to cancel operations.

Hopefully this is more like a “Denial of Medical Services” and unless some of the cancelled operations were time critical, the damage may be contained with some inconvenience.

But the incident highlights how a normal information security incident gets into “life Threatening” mode in a health care scenario making Information security that much more of a critical care issue.

There was another incident, also of concern, which indicates how sometimes human intervention should always be on standby when we use automation in health care.

This incident (see Report here) occurred during a robotic surgery at Tokyo Medical University Hospital when a laser beam being used in the surgery caused a fire. The cause of the fire was unfortunately the passing of gas by the woman during the surgery. The gas, being inflammable, was ignited by the laser beam and caused severe burns to the 30 year old woman undergoing ovarian surgery.

This fire incident may not directly be called an “Information Security Incident” but it must be recognized that the robotic surgery was not equipped to stop the laser beam instantly when the surrounding environment changed due to an unforeseen incident.

The incident is similar to the automatic brake system of a Google car failing when a crash is imminent. It must be attributed to the failure of the safety system in the automation of the health care process.

This could eventually be considered as “Negligence” of the “System” and the company manufacturing the equipment and the user (hospital) may be held negligent as an “Intermediary” and have to bear the liabilities.

When HDPSA is drafted, it will incorporate certain aspects of the “Telemedicine Act” which was once contemplated in India and abandoned which had elaborate provisions for the medical equipment manufacturers to be registered and monitored.



How should HDPSA and ITA 2008 relate to each other?

The Information Technology Act 2000 which was substantially amended in 2008 (ITA2008) and presently under another revision, was enacted as a “Special Act” that was applicable to “Electronic Documents”. In view of the international obligations, only the IPR regulations like the Copyright Act was kept as an overriding provision in case of any conflict. Otherwise wherever an “electronic Document” was a subject matter of law, ITA 2008 was considered as the final law to resolve conflicts if any.

ITA 2000/8 was generous to extend its provisions to every other law and did not negate any law since Section 4 simply stated that “Wherever any law requires a document to be in writing, it can be rendered in electronic form”. Similarly, Section 5 extended the validity of a “Signature” by stating that “Wherever any law requires a document to be signed, the requirement can be fulfilled in the form of digital signature as defined under section 3 (later extended to electronic signature defined under section 3A)”

The ITA 2008 made many provisions under “Data Protection” which indirectly provided protection to “Privacy” though there was no other legislation providing privacy protection in India. There were civil and criminal remedies and the Adjudication proceedings to render justice. By defining “Health Information” as “Sensitive personal Information”, it was also prescribed that there had to be “Reasonable Security Practices” to protect the Confidentiality, Integrity and Availability of such information when Body Corporates handled the same. Under the concept of “Due Diligence” under Section 79, all the known best principles of Privacy protection used in International practice were made part of ITA 2008.

Therefore, when HDPSA is enacted with specific provisions meant to protect the privacy and security of health information, there could be several overlapping provisions between HDPSA and ITA 2008.

Ensuring that the conflicts are avoided not only in the provisions but in enforcement would be one of the prime considerations of the new law makers who draft HDPSA.

For example, “Hospitals or Health Care Providers” under HDPSA may be considered as “Body Corporates under Section 43A of ITA 2008” if they are companies. But if they are “Trusts” or a medical practitioner who is not an “association of individuals”, there could be a debate on whether it falls under the explanation of Section 43A which states

“body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

On the other hand, whether any of the covered entities under HDPSA are considered “Intermediaries” would also be debated.

Another point of debate would be: while ITA 2000/8 is restricted to electronic documents, will HDPSA be available for protecting privacy when data is breached in non-electronic form? Will the security cover physical security of privacy documents in paper or voice form?

There will also be a debate when things go wrong: is there a remedy under HDPSA with its own adjudicator, or is the remedy under ITA 2000/8 with the adjudicators appointed under Section 46 of ITA 2000/8?

It is therefore necessary to understand the possible areas of conflict and steer clear of them at the drafting stage itself.

Hope the ministries will take the necessary steps.



What should be the coverage of HDPSA?

We have already discussed one of the aspects that HDPSA should consider and that is on providing a compliance time line to enable all stakeholders to understand and implement the provisions and be compliant in good faith and to the best of their ability.

The next point that HDPSA needs to address squarely is the scope of the Act in terms of its coverage of different stakeholders. The HIPAA-HITECH Act defines 4 types of stakeholders, namely the Health Care Providers, the Health Plans, the Health Care Clearing Houses and the Business Associates. It further extends the provisions to Sub Contractors through contractual binding.

The Indian Act may also follow the same line. HIPAA was, however, driven by the needs of the Insurance industry, while the Indian Health Care data privacy and security act seems to have been driven by the patient’s need for privacy. As a result it can approach the law in a slightly different manner and make the “Health Care Service Consumer” the “Central Focus of the Law”.

If so, the Act needs to first define what a “Health Care Service” is and then design the law around the consumer who consumes the product and the product providers. “Privacy” will be one of the attributes of the product, and different aspects of Privacy such as “Disclosure”, “Consent”, “Minimal Collection”, “Purposeful collection”, “Security”, “Destruction”, “Transfer”, “Updation” etc. need to be provided as different sub-attributes regulated under the law.

The appointment of an “e-Health Authority” will therefore have the objective of providing the “Protection of the Health Care Service Provider’s Consumer Rights”. Similarly the appointment of an Adjudicator or an Appellate Authority will be focussed on the consumer.

On the other hand, if the law is “Industry oriented”, the “E-Health Authority” will be like TRAI or RBI and mainly regulate the industry. The emphasis on “Data Standards”, “Medical Code”, “Single ID for stakeholders” etc. reflects “Industry Oriented” objectives.

The “Central Health Data Repository” will in an “Industry oriented approach” be like a UIDAI. The approach to the “Central Health Data Repository” in a “Consumer Oriented Legislation” would be different and may perhaps focus more on “Encryption and Confidentiality”, “Access Rights to the Data Owner” etc.

The technical standard of storage could also be different in the two approaches. The penalties and liabilities as well as the procedure for adjudication and grievance redressal also would be different in the two approaches.

If we look at HIPAA, it does not provide for a private complaint from a data owner but focusses more on “Audits by the HHS”. This is a classical industry approach and is not ideal for India, where there is no other Privacy Protection law to back this legislation as was available in the US for HIPAA.

Those who frame the law need to have a perspective of the US laws and EU privacy laws besides avoiding conflicts with ITA 2008.

A few years back, Government wanted to draft a “Tele Medicine Law” which never saw the light of the day. Now is the time to add some provisions intended in this law into the HDPSA. Similarly, some aspects of “Medical Negligence” related provisions may also be part of this law.

Though both approaches need to define the “Protected Health Information” and the “Different types of the stake holders” the ultimate law will look different depending on the approach.

Whether the law should be industry oriented like HIPAA or consumer oriented needs to be determined before the drafting exercise begins.

We need to discuss and debate these issues in the coming days.



Let’s Build a Law that is “Compliance Friendly”

Whenever a new law is framed, there are many stakeholders whose interests get affected. A law is normally meant for the Citizen of a country but is framed by the Government in consultation with those who are close to the law making body at the time of its formation.

Since the days of ITA 2000, a practice has emerged even in India where a proposed law is placed for public comments so that views of the public can be incorporated in the legislation. However, it is a fact that once a basic draft is framed by the group of experts in a Ministry, changing any part of it is next to impossible. Except some cosmetic changes, real changes are impossible. We have seen this happen in the framing of ITA 2000 and its amendments in 2008. (See Here for details).

Once the law was framed, there were complaints that the law was insufficient, draconian, drafted without understanding the industry realities, etc. The same politicians who defended the law in 2000 opposed it in 2008 and industry ignored it until in 2011, it started pinching them under Section 79 and 43A. Even now, when we talk of ITA 2008 compliance, industry finds it difficult to accept the law as it is and complains of misuse by Police and misinterpretation by the Judiciary.

Now that a new law is being proposed for “Health Care Data Privacy”, we should endeavour to avoid the same mistakes that were committed when ITA 2000 was drafted and implemented.

One of the problems which Indian law faces, particularly in laws such as ITA 2000/8 or Data Protection, is that the impact of the law is on the industry, and sensible industry captains want to be compliant with the law and not be at the wrong end of the stick.

When new laws are made, they are notified on a specific day, which will be the day when the law is passed in Parliament or otherwise notified for effect. For example, until 17th October 2000, there was no legal recognition of electronic documents in India, and overnight they became recognized along with digital signatures, digital contracts and cyber crimes. Though Naavi.org had been preparing the ground in the industry since around 1998, until the rules were notified nobody knew there would be such a law in effect.

Similarly, on 27th October 2009, suddenly, a host of regulations related to compliance under ITA 2008 became effective overnight. Along with it, all IT companies in India without exception became “Legally Non Compliant to ITA 2008” and became “Rogue Companies not following the law of the land”. Of course even the Police did not understand, so no case was booked immediately anywhere, but the fact was that there were some legal provisions with which all of us were not compliant.

Such a forced state of “Non Compliance” should not happen once again when this new Privacy law for healthcare is introduced in India.

We can recall here how HIPAA was implemented in the USA in 1996. HIPAA is a law which will be reflected in the proposed Health Care Data Privacy and Security Act (HDPSA) that is our subject of discussion here, and hence we need to draw lessons from the implementation of this law.

When HIPAA was introduced, as well as when it was amended through the HITECH Act in 2009, there was a clear timeline given to the industry for compliance: Data standards by such and such date, Privacy rule by such and such date, Security rule by such and such date, with extensions for small business, time for running out of existing contracts etc.

All this meant that though the law became effective from a certain date, the industry was given time for compliance over an extended time so that all those in the industry who always wanted to be compliant had their opportunity.

This fixing of a time line for compliance is the first important thing which we need to incorporate in the law. We need to bring in this practice for the first time when this new law HDPSA is notified.

Additionally, when such acts are drafted by non-industry persons, there will be many provisions which are difficult or too complex to implement, and industry may try to find loopholes to avoid them or try to save costs by implementing them wrongly.

To avoid this, industry should be proactively involved in the framing of the law. Here again, when we suggest this to the Government, it will simply say that NASSCOM or FICCI is represented in the working group and therefore industry is represented. But we all know that the NASSCOM Chairperson or FICCI Secretary is not the person who can go into the micro level discussions that are required to make the law “Compliance Friendly”. He has to depend on his secretariat to bring things to his attention to be raised before the Government.

In such cases the large companies may be able to have their say but the SMEs and public will never get to be heard.

This proposed law will affect many small companies, some of them startups which have developed medical industry related Apps. It will include small nursing homes and pharmacies as well as diagnostic centers. They need to have their say in the law.

I would like the community participation to be at a high level in the framing of this law, so that we will not have to accuse the Government of framing the laws that cannot be implemented.

We are still at the beginning of the thinking process as regards this law, but we know the direction in which the Government is moving. We do not want to have to embarrass the Government later by calling it a bad law, so we should contribute our ideas at the beginning itself. Hence I invite the stakeholders to join this online forum and contribute both in the form of detailed articles and in the form of discussions in the WhatsApp group.


Related Article: Times of India


UID will now be the UHID

The UID or Aadhaar started as an ID that could separate Indian Citizens in border areas from illegal migrants and serve the national security purpose.

Subsequently, it has become a project to provide a control mechanism to reduce pilferage in Government subsidies reaching the target citizens.

When the system began the only concern about Privacy in Aadhaar was about the collection of “biometrics” and its possible misuse. Arguments were both on the technical issues of false rejections and positives as also the use of unreliable vendors who could steal the biometric data either at the time of creation or when it was in storage.

Government brushed aside the objections and went ahead with linking the Aadhaar with the Banking information of an individual extending the privacy concerns to the financial information.

Presently we see that the KYC system in Banking is completely dependent on the Aadhaar number being provided as a “Photocopy of the Aadhaar document”, which exposes all the parameters attached to the ID (except biometrics) in the form of a paper document. Similar paper documents are available with gas dealers, mobile companies, schools and many others who may have little understanding of the meaning of “Privacy”, let alone the legal concept of “Privacy Protection”.

To this risk of biometric and financial information being combined and spread all over in an insecure manner, we are now adding healthcare information, since the UID is set to be the “Universal ID” to be associated with patient information in the proposed HDPSA (HealthCare Privacy and Data Security Act).

Though the details of the proposed act are not yet available, the document which the Government of India (Department of Health and Family Welfare) released for public comments in 2013 on the “Electronic Health Standards of India” contained detailed guidelines on what the Government intends to do.

This Circular, which was released earlier, gets a new life with the recent public announcement that a “Draft Health Care Privacy and Data Security Act” is now under the consideration of the Government. We should logically presume that many of the suggestions made in the earlier circular will be adopted in the new Act as and when it becomes a reality. After all, the circular was founded on a time tested framework adopted in the US under HIPAA in 1996 which carries on to date.

According to the circular, the standardization of healthcare information collection, storage, transmission and processing will adopt a system of unique IDs for every patient, every medical practitioner, every hospital and every pharmacy, along with the adoption of medical codes for diseases, procedures, health encounters etc.

In this process the circular speaks of the “UHID”, the Unique Health Identifier which acts as the patient identifier, for which the UID will be used in all EMR systems.

This would mean that Aadhaar details will now be available in all hospital records of patients and get integrated with the bank details and the associated biometric data.

In principle there is nothing wrong in adopting this nationally unique ID which integrates a person with health and financial data. However this raises the issue of how the information security is handled by all the entities who may have access to any one of these fundamental parameters.

The Information Security community which deals with the sensitive personal information in electronic form as well as the physical security community in health care organizations where the sensitive personal information is available in the form of paper, will now need to devise their strategies to upgrade their security arrangements.

“Hospitals”, which include neighborhood clinics, and other health care entities such as pharmacies need to start learning the principles of Privacy.



Indian Version of HIPAA in the making

The proposed HDPSA (Health Data Privacy and Security Act), which is being worked on by the Health and Family Welfare department of the Union Government, is likely to draw a lot from the HIPAA (Health Insurance Portability and Accountability Act) of the USA. HIPAA was drafted around 1996 and then modified/upgraded with the HITECH Act (Health Information Technology for Economic and Clinical Health Act). For somebody following HIPAA and its implementation for more than a decade, it appears that India is exactly tracing the same path of development which we saw in HIPAA.

Firstly, HIPAA came into being as a law when the Health Insurance industry was trying to force more digitization into medical record keeping so that the processing of health insurance could be more efficient and less fraud prone. The Insurance industry therefore wanted a push for greater use of Electronic Health Records (EHR) by medical professionals. At the same time, Privacy advocates were skeptical, fearing that increased use of EHR would result in higher risk to the Privacy of patients. Hence Privacy Protection and a standard for Information Security were built into HIPAA. The HITECH Act expanded the security measures and at the same time strengthened the Privacy obligations of the covered entities. It also introduced incentives and disincentives to promote accelerated use of EHR, which was felt necessary even 12 years after HIPAA. (The HITECH Act came into operation in January 2009.)

We in India are retracing similar steps through the actions surrounding HDPSA.

One of the provisions of the proposed HDPSA is to bring in interoperability of electronic data captured and processed across different systems. This requires defined common standards for identification of health entities as well as different parameters of health data and also structuring of data transmission codes.

In 2013, the Department of Health and Family Welfare (D-HFW) published the “Electronic Health Record Standards for India” and a copy was placed on the website for stakeholders to comment. The copy is available here.

The goals of suggesting the standards were indicated as follows:

• Promote interoperability and where necessary be specific about certain content exchange and vocabulary standards to establish a path forward toward semantic interoperability
• Support the evolution and timely maintenance of adopted standards
• Promote technical innovation using adopted standards
• Encourage participation and adoption by all vendors and stakeholders
• Keep implementation costs as low as reasonably possible
• Consider best practices, experiences, policies and frameworks
• To the extent possible, adopt standards that are modular and not interdependent.

Within the standards, guidelines were also incorporated for hardware, networking and connectivity, as well as software standards to be complied with by the industry.

The standards also touched on the Ethical, Legal, Social Issues (ELSI) guidelines for Electronic Health Records (EHR) to define the Privacy and Security Requirements of EHR, with the recommendations following the HIPAA requirements of Privacy and Security.

If HDPSA becomes a law, it is a reasonable presumption that there will be a need to adopt some of the provisions which were available in the Standards document. Similarly it needs to also adopt some of the provisions of the Tele Medicine Act which was drafted several years back and simply forgotten.

The HDPSA will also have to contend with co-existence with ITA 2008, which would overlap with it on the Privacy and Information Security issues but not on the data standards issues.

Overall there are interesting days ahead to watch how the legislation is likely to unfold. So far, the draft law which was discussed in the news report has not been made public and hence it is difficult to comment on the exact provisions that have been included therein. We wait for the Government to release the draft for public comment.

We may also remember that in 2006, a “Personal Data Privacy Bill” was drafted and even placed before the Parliament along with the amendments envisaged for ITA 2000. Subsequently, in 2008, the ITA amendments passed through but the Privacy Bill lapsed. Since then there have been other versions of the Privacy Bill which were presented in the Parliament but have failed to get consensus since they directly interfered with the national security issues involved in “Interception of communication” and also the issues related to Aadhaar implementation.

The sector specific approach now proposed in HDPSA, addressing only Health Care Data Privacy and Security, is unlikely to receive much opposition except from the Health Care industry itself, which would be seriously affected in the process of implementation of the Act.

While the larger hospital chains are likely to implement the provisions of HDPSA, there will be numerous smaller nursing homes, neighborhood doctors, pharmacies and mobile App companies dealing in Health information who will simply be unable to comply with the provisions of the Act and will remain non compliant.

Even in the advanced US market, the HITECH Act had to set aside US$ 17.2 billion for providing various kinds of incentives to make the industry comply with HIPAA. This would be an equivalent of over Rs 1 lakh crores. Will the Government make such investments? Obviously not.

This means that we are in for a long haul as regards the real implementation of the provisions as and when they are enacted.

HIPAA actually gave compliance deadlines which extended from 1996 to beyond 2003, and yet some of the data breach notification provisions had to be postponed into the Omnibus Rule in 2014.

If therefore the law makers are serious about adoption of HDPSA, then there has to be a strategy for how the compliance will be pushed. We know that even after 16 years, ITA 2000 compliance is still at a nascent stage. If so, it is anybody’s guess what the time line for HDPSA implementation should be.

If there is no proper strategy for compliance, we will have an industry domain which will be living under the umbrella of non compliance with the constant fear that the regulator could crush them down at any time.

This “Living under Fear” will be the biggest threat to the Health Care industry, and one which it needs to avoid.

I therefore suggest that the industry organize itself properly so that when the next phase of roll out of this draft legislation happens, the interest of survival of the industry is not forgotten.

If the industry is complacent, there would be a “Globalization” of the hospital and health care industry to such an extent that, just like the K-Marts eating away our neighborhood kirana stores, the international hospital brands may eat away all our domestic medical practitioners. In the process, health care in India will become more expensive and dependent on the health insurance industry.

Keeping all these things in mind, it is necessary to ensure that the proposed legislation builds adequate safeguards to protect the interests of the consumers.

Has the health ministry factored in all these aspects? God knows...

Comments please…



First Sector Specific Privacy Law likely on Health Information in India

As per the news report, the Union Health Ministry is contemplating a new legislation tentatively titled “Healthcare Data Privacy and Security Act” (HDPSA) to devise a “comprehensive legal framework” for “Protection of individual health data” and “Standardization”.

Refer Article here

The statement released in the Press also says that the law will “Identify Ownership” of the data through establishment of a “National e-Health Authority” and “Health Information Exchanges”.

The law will also have “Detailed remedies for breach of data”, both Civil and Criminal penalties, entitling the patient to compensation if data is leaked as well as severe punitive action against the “Agencies responsible”.

It also speaks about the “Consent” to be obtained from the patient.

The law appears to have been influenced by the need for “Interoperability of Electronic Health Records (EHR)” and sounds much like the HIPAA of 1996 in USA.

It is clear that the law will follow the standard principles of privacy, revolving around authorization of collection of information based on prescription and obtaining the consent of the patient. Collected data should follow the principle of minimal collection. Data Breach notification to the owner would be part of the legislation.

The mention of what are called “Information Exchanges” indicates regulation of IT facilities, including Mobile App companies, with a registration requirement with a National Authority to be set up and a consequential “Compliance Regime”.

Like HIPAA, there will be Unique registration numbers assigned to every health facility, starting with the public sector.

A new “E-Cloud Repository” for real time health data is also envisaged.

A New Adjudicatory and Appellate Authority is also likely to be set up.

The legislation should be considered a huge step in Health Care Regulation in India, just as HIPAA made a seminal difference to the industry in the USA. There is a clear overlap of the proposed law with the Information Technology Act, which already defines “Health Information of an Individual” as “Sensitive Personal Information” and prescribes “Reasonable Security Practice”.

However, given the slackness of the Ministry of IT in implementing the provisions of ITA 2000/8, the emergence of the new “Healthcare Data Privacy and Security Act” or HDPSA could provide good competition to ITA 2008 in redefining the standards of “Data Security” in India.

We therefore welcome the proposed new legislation.

HIPAA legislation in USA, implemented through the HHS, is a model law which is worth emulating not only from the point of view of its basic provisions but also in how it was implemented in the industry.

We hope that HDPSA will also be taken through similar steps of “Receiving Comments from Public” on the draft provisions at every stage of its implementation and “Providing a Compliance Time line” for the industry, unlike the ITA 2000/8 implementation which occurred through MCIT.

Watch out for more comments…

