In what may be the first sector-specific law on privacy, the health ministry has roped in the National Law School of India University, Bengaluru, to draft a law guaranteeing the right to privacy and confidentiality of medical information.
The law — tentatively called the Healthcare Data Privacy and Security Act — will devise a comprehensive legal framework for protection of individual health data and its standardisation, and identify the “ownership” of that data through the establishment of a national e-health authority and health information exchanges.
The law will have detailed remedies for any breach of data — both civil and criminal proceedings — entitling the patient to compensation if the data is leaked and severe punitive action against persons or agencies responsible. Health data is to be collected only with the consent of the patient.
The law, according to sources in the health ministry, was necessitated by the fact that interoperable electronic health records (EHR) are a key component of Digital India, as envisaged by the Prime Minister. Though the groundwork for EHR is in advanced stages — expression of interest has already been issued for an integrated health information platform and exchange — the confidentiality of health data thus generated and stored became a crucial stumbling block.
Leaking of large-scale health data, apart from impinging on the privacy of patients, is a real threat because such data is in great demand, especially in the pharmaceutical industry.
“This is a sector-specific law which was needed, because though privacy and confidentiality are constitutional rights, there is no overarching law to protect them. The initial draft law envisages creation of a framework for a health information exchange that will reduce cost, inconvenience and duplication when a person goes to consult more than one doctor. Whatever e-health data is stored here, anyone can draw information from the exchange. There are provisions for creation of an ecosystem where when data is breached, a person is entitled to seek compensation from whoever is responsible. The finer points still need work,” explained a source in the health ministry.
According to the contours of the law being drawn up, health data is to be collected, stored and disseminated as per prescription. No excess health data is to be collected. Any breach will immediately have to be notified to the owner. Information exchanges for health data can be set up by private players, but will need to be recognised by the national authority, established by the Government of India. The authority will set standards for collection, storage and dissemination of health data. Each exchange will be headed by a chief health data information executive.
The law will clearly lay down what is to be termed a breach of health data, for which the adjudicatory authority and the appellate authority will be set up by the central government. Every health facility — in the public sector initially — will be assigned a unique number to ensure streamlining of data. A cloud-based e-hospital application will be the platform where all hospitals can enrol for uploading real-time data. The required computerisation will be funded under the National Health Mission.