Healthcare Data Laws – DPDPA & HIPAA

– by Rinkle Dudhani

In 2019, a breach of a healthcare website in India exposed the health records of more than 6.8 million patients and doctors to unauthorized access.

Privacy, an indispensable component in any industry, becomes even more important within the confines of the healthcare industry. The sacred trust between doctors and patients hinges on the assurance that medical information remains shielded from prying eyes. 

Since the Covid-19 pandemic, digital health has pulled healthcare and technology even closer together. This integration improves efficiency and gives patients a more personalized experience. The downside, of course, is breaches: the more health data lives in connected systems, the more there is to lose when one of them is compromised.

So, are there any laws protecting your healthcare data? Read on to find out.

What is Digital Health data?

India has no enacted statute that defines the term. The draft Digital Information Security in Healthcare Act (DISHA), circulated by the Ministry of Health and Family Welfare in 2018 but never passed, defined ‘digital health data’ as an electronic record of an individual’s physical and mental health, medical history, and the healthcare services they have used. Although DISHA did not become law, that definition remains the usual working one, and the draft shows the shape a dedicated health-data framework was expected to take.

Though various digital health tools and business models operate independently, there are overarching regulations that universally apply to digital health technology. 

Major Laws Regulating the Healthcare Data (Before August 2023)

Before the DPDPA, India had no dedicated health-data statute. Digital health data was instead governed by the general information-technology framework below, which applies to digital health tools and business models in the same way it applies to everything else online:

  1. Information Technology Act, 2000 (IT Act)

The IT Act is the foundational statute. It gives legal recognition to electronic records and digital signatures, which is what lets an electronic health record or e-prescription stand as a valid record, and it penalizes unauthorized access, data theft and damage to computer systems (Sections 43 and 66). Section 43A, added in 2008, makes a body corporate liable to compensate anyone harmed by its negligent failure to protect sensitive personal data; the SPDI Rules below are issued under it.

  2. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data and Information) Rules, 2011 (SPDI Rules)

The SPDI Rules define ‘sensitive personal data or information’ to include physical, physiological and mental health conditions as well as medical records and history, so they cover most health data directly. A body corporate holding such data must obtain consent for its collection, publish a privacy policy, limit disclosure to third parties, and implement ‘reasonable security practices and procedures’; a documented security programme such as ISO/IEC 27001 is treated as meeting that standard (Rule 8). 

  3. Information Technology (Intermediaries Guidelines) Rules, 2011

The Intermediaries Guidelines set out the due-diligence obligations of intermediaries, which in digital health include platforms that host user-generated content or connect patients with providers, and the conditions under which they keep the safe-harbour protection from liability for that content under Section 79 of the IT Act. The 2011 rules were superseded by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. 

What Happened in August 2023?

In 2023 India enacted the Digital Personal Data Protection Act, 2023 (DPDPA), the country’s first comprehensive data protection law. It received presidential assent and was published in the Official Gazette on August 11, 2023, and it reaches every sector that processes personal data, healthcare included.

Although enacted, the DPDPA comes into force only on the dates the central government notifies, and different provisions can be brought into force on different dates; the rules that flesh out most of its obligations are also still awaited. Once in effect, it will reshape healthcare data privacy in the country.

The DPDPA applies to the processing of digital personal data within India, and to processing outside India that is connected with offering goods or services to individuals in India, so healthcare providers, insurers, health apps and their vendors that serve Indian patients fall within its scope. Notably, it does not create a separate ‘sensitive’ or ‘health data’ category: health records are protected as personal data, with the same obligations of lawful purpose, notice, consent, security safeguards and breach notification as any other personal data.

Healthcare Data Laws:  India vs US

India is making real strides in shaping new healthcare data laws. How does its new framework compare with the United States, which has regulated health data for longer than almost anyone? Let’s compare the data protection regimes in both countries.

Before the comparison, here is a brief overview of the United States’ healthcare privacy laws:

The US has been a pioneer in healthcare data regulation through the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Its Privacy and Security Rules apply to covered entities (healthcare providers, health plans and clearinghouses) and, since the HITECH Act of 2009, directly to their business associates, the vendors that handle protected health information (PHI) on their behalf. 

The US supplements HIPAA with sector-specific laws such as the Genetic Information Nondiscrimination Act (GINA) and with Federal Trade Commission (FTC) enforcement, including the FTC’s Health Breach Notification Rule, which covers health apps and personal health record vendors that fall outside HIPAA.

Key Comparisons between DPDPA & HIPAA

Comprehensiveness
India (DPDPA): A single horizontal law. It applies to every entity processing digital personal data in India, whether or not it is a healthcare organization, and protects health data as one kind of personal data.
US (HIPAA): A patchwork of laws with HIPAA at its core. HIPAA reaches only covered entities and their business associates, so health data held by other parties (a consumer wellness app, for example) falls outside it; state laws add protection, but unevenly.

Patient Rights
India (DPDPA): Data principals have rights to access a summary of their data and of how it is processed, to correction and erasure, to withdraw consent, to grievance redressal, and to nominate another person to exercise these rights on their behalf.
US (HIPAA): Individuals may access their PHI, request amendments, request restrictions on certain uses, and obtain an accounting of certain disclosures; there is no general right to erasure.

Consent
India (DPDPA): Processing requires consent that is free, specific, informed, unconditional and unambiguous, or must fall under one of the Act’s enumerated ‘legitimate uses’, which include responding to a medical emergency.
US (HIPAA): No authorization is needed for use or disclosure of PHI for treatment, payment or healthcare operations; written authorization is required for most other uses, such as marketing.

Data Localization
India (DPDPA): No general localization mandate. The Act dropped the ‘sensitive personal data’ category of earlier drafts and permits transfer abroad except to countries the central government restricts by notification (Section 16); any other law that provides a higher degree of protection continues to apply.
US (HIPAA): No data localization requirement for healthcare data.

Challenges
India (DPDPA): The Act is new and untested, and most of its obligations depend on rules the government has not yet notified.
US (HIPAA): Overlapping federal and state rules make the system complex and compliance demanding.

Wrapping Up

The introduction of the DPDPA in India signifies a significant step towards comprehensive healthcare data protection. The comparison with the U.S. highlights that even developed countries can learn from the legal developments in developing nations. The coming years will be crucial in understanding the impact of the DPDPA on healthcare data, and there is hope that it will bring about positive changes in safeguarding sensitive information.
