Telehealth services and data privacy

The healthcare sector in India has historically been subject to less stringent data protection standards than in other countries. Given the sensitivity of health data, many leading organizations in the sector have adopted their own practices that may be stricter than legally required. In 2020, physical doctor appointments went down by 32%, and online consultations increased because of the Covid-19 pandemic and the lockdowns announced to curb its spread. In the 50-plus age group, online consultations went up by as much as 502%.
Given the greater reliance on online interactions for seeking medical support, poor cybersecurity practices in the healthcare sector, especially in telemedicine, can cause unprecedented harm. All stakeholders in the telehealth ecosystem – from the regulators to the service providers – should be cognizant of this potential for harm and take steps to minimise it.
Privacy and cybersecurity for all organizations in India are governed by the Information Technology Act, 2000 (IT Act) and rules issued thereunder, which inter alia mandate: (a) written consent from the data provider for accessing any health-related data; (b) adoption of security practices and procedures for maintaining such data; and (c) reporting cybersecurity incidents to a nodal agency of the government.
In addition, the Indian Medical Council Act, 1956, the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, the Drugs and Cosmetics Act, 1940 and the Clinical Establishment (Registration and Regulation) Act, 2010 govern the healthcare sector, but they do not contain any specific direction on cybersecurity in the healthcare/telemedicine space.
In 2020, the Telemedicine Practice Guidelines were released with one of the stated aims being to prescribe standards for “privacy and security of the patient records and exchange of information” in the telemedicine sector. However, the reference to such standards in this document is not elaborate.
The Electronic Health Records Standards, 2016 (EHR Standards) coupled with the National Health Data Management Policy, 2020 (NHDM) comprise the most detailed standards for handling healthcare data in India. The EHR Standards provide a set of recommendations relevant to the adoption of standards for storage of electronic medical records and other clinical information systems. They identify datasets and the corresponding standards applicable to them.
The NHDM provides detailed guidance on informed consent, creation of health IDs, and applicable safeguards. However, the NHDM is not a legally binding document, and the EHR Standards, while helpful to assess standards applicable to various types of health records, should be supplemented by clear privacy and cybersecurity policies to minimise the risks associated with telehealth. These should be both comprehensive and dynamic, and formulated with adequate industry consultation to reflect the new realities of providing telehealth services in India.
It is critical that hospitals, doctors and healthcare organisations offering telehealth invest in strong privacy and cybersecurity protocols, and not see these as secondary to the main goal of product and services innovation. A brief overview of the important steps that all organisations should consider taking is:
Organisations should have in place essential documentation such as consent templates, privacy policies, and cybersecurity policies that comply with applicable laws and regulations. Teams handling drafting and enforcement of these policies should be highly dynamic and adaptive to changes in laws or product innovation.
Regulated entities such as hospitals are subject to certain standards – for instance, the National Accreditation Board for Hospitals and Healthcare Providers (NABH) specifies standards relating to information management, which require an organisation to maintain confidentiality, integrity and security of medical records and ensure the retention of current and relevant records in a confidential and secure manner. These practices should be widely adopted by organisations.
It is critical to employ due diligence practices for all vendors and partners, whether an IT vendor providing data storage software, a payment gateway helping accept charges, or an e-commerce platform enabling sale of services and products. All partners in the supply chain should be subject to checks to ensure that they adhere to necessary security practices.
The devices used to facilitate telehealth consultations, and devices generally used by healthcare professionals, should be secure and in compliance with relevant national and international standards. This should be accompanied by regular risk impact assessments, and training of staff on usage of secure communication channels, handling of data, risks from improper use of medical data generated by devices, etc.
At present, in the absence of a dedicated regulator, regular engagement with healthcare sector regulators is not critical. However, such communication would grow in importance as and when the sector develops.
In light of the manifold increase in cybersecurity incidents in India, along with the increased use of technology in the healthcare sector, it is critical to centre privacy and cybersecurity practices in all new processes and systems.
This article was originally published in Policy Circle on 7 June 2021. Co-written by: Kirti Mahapatra, Partner; Raktima Roy, Senior Associate.