By Vikram Thaploo
The Covid-19 outbreak has been a massive catalyst of sorts for telehealth in the country. Yet, the imminent take off of telehealth in the country has not been without its challenges, something which is somewhat inherent in any project of this magnitude. And data security and privacy ranks among those challenges which happen to be at top of the heap. Notably, in a recent instance, the Kerala High Court had to issue directives for protecting the privacy of data of Covid patients making it incumbent on the state government to anonymise the data before sharing it with a third party.
Private health information outvalues financial data
The ongoing digitisation of the health ecosystem is riddled with a welter of technical, regulatory, logistical and moral concerns. Some of those concerns could be: interoperability of data, integrity of digital platforms and apps, uniformity of EHRs, ambiguities and vulnerabilities around software compliance with data security norms, less-than-friendly user interfaces, presence of untrained and undertrained healthcare personnel and patients, and inadequate foundational IT infrastructure. And of these, security of data and patient privacy has been one of the leading concerns.
How the government has sought to provide for health data security
Although the IT Act 2000 and Information Technology Rules 2011 have laid down that medical records and history as well as physical, psychological and mental health conditions constitute a component of ‘sensitive personal data or information’ (SPDI), these were obviously not enough. In 2018, the ministry of health and family welfare had come up with a comprehensive Digital information Security in Healthcare Act (DISHA) with a view to establish National Digital Health Authority and Health Information Exchanges. Furthermore, the 2020 telemedicine guidelines have made the registered medical practitioner (RMP) / Healthcare Service Provider largely responsible for the protection and privacy of data. Most recently, as part of the colossal Digital Health Mission, the government has sought to assure people of protecting patient data and privacy through a draft health data management policy. In this, the government has clearly defined several terms related with data protection such as personal data, personal data identifier (PHI), data principal, sensitive personal data, data fiduciary, consent manager, health information provider, health information user, etc., while laying out a method of obtaining consent and securing the rights of data principals.
What more can government do
Yet, there are issues in most of these laws that need to be addressed. For instance, on the draft health data management policy, experts have pointed out drawbacks ranging from allowing Aadhaar to be used for creation of health ID to excessive collection of personal data and leaving scope for data re-identification through allowing the sharing of anonymised and de-identified data. Similarly, different positions are enunciated by DISHA and the PDP Bill. While DISHA takes a more rigorous view of individual’s control and therefore privacy of data in general and specifically in terms of non-consent based processing of data, PDP has a more lenient approach. Then DISHA requires consent at every stage of data use unlike the PDP. This impacts the health supervision of patients needing to use wearable technologies.
In sum, data security and privacy remains an overriding concern in the realm of telehealth. Just as the government has been focused on the issue, the private telehealth players must become a partner of the government in maintaining highest standards of patient data security and privacy.
The writer is CEO, Apollo TeleHealth
