NAVIGATING PATIENT DATA PRIVACY UNDER THE DPDPA: BEST PRACTICES FOR HEALTHCARE PROVIDERS 

INTRODUCTION

Last year, India achieved a significant mark when the long-awaited data protection legislation known as the Digital Personal Data Protection Act, 2023 (DPDPA, 2023), got presidential assent. This is the first time India has adopted such a comprehensive privacy-centric legislation to protect the personal data of data principals. The primary objective of this legislation is to oversee the handling of digital personal data, recognizing individuals’ rights to protect their personal information and the essential nature of processing such data for lawful purposes, among other associated concerns. The DPDPA includes provisions regarding consent, legitimate uses, breaches, data fiduciary and processor responsibilities, and individuals’ rights over their data. It encompasses diverse facets, such as its scope, reasons justifying the processing of personal data, consent framework, overall responsibilities of data fiduciaries, entitlement to access information regarding personal data, and penalties for non-compliance. As a result, the protection of data and the right to privacy have become increasingly important in healthcare sector.  

The DPDPA is not in effect as of now, but it is likely to be enforced soon. The DPDPA will significantly impact various industries, including healthcare sectors. Currently, there are laws such as the code of ethics issued under the National Medical Commission Act of 2019, which requires physicians to give patients access to their medical records on request. Furthermore, it provides that doctors must keep patient data confidential unless disclosure is required by law or necessary to prevent the spread of a communicable disease. Patients may file complaints with state medical councils, which actively investigate allegations of doctor misconduct. Similarly, the Pharmacy Act, 1948 imposes obligations on pharmacists to maintain the confidentiality of information provided by patients. 

However, the enactment of the DPDPA will impose additional obligations on healthcare providers and provide more safeguards to patients by equipping them with various rights. Entities such as hospitals, clinical establishments, laboratories, and clinical research organizations will likely be designated as data fiduciaries. Therefore, they will have to adhere to specific obligations while processing the data of patients to avoid penalties, which will depend on the nature and severity of any breaches. In this blog, we will discuss the impact of the DPDPA 2023 on healthcare providers and outline best practices for compliance. 

SIGNIFICANCE OF DATA PRIVACY IN HEALTHCARE: 

The technological advancement has made storing and retrieving data as easy as tapping a finger, but this convenience comes with its own risks. As we are over relying on technology, data breaches and cyber-attacks have become more common, making patient information more vulnerable. This is why the highest level of data privacy is essential in healthcare services, as people trust healthcare companies with their sensitive information. 

Data breaches in healthcare sectors could have certain grave repercussions. It has tendency to enable hackers to utilise healthcare data to blackmail and extort people while also causing them significant physical and mental trauma. They can also utilise medical information to perpetrate fraud, such as insurance fraud. Another risk is that unencrypted medical data exposes the victim’s identity, bank accounts, and so on. According to a 2019 report by a US-based cybersecurity firm, hackers stole data from 6.8 million patients from a leading India-based healthcare website. This incident highlight how important it is for the healthcare providers to manage data of patients with the utmost care and further ensure that data of patients are effectively managed.  

BEST PRACTICES FOR HEALTHCARE PROVIDERS: 

The DPDPA aims to provide individuals greater control over their personal data while also ensuring that it is processed fairly and transparently. The DPDPA mandates that healthcare providers must handle personal data to create a standard operating procedure and train their employees to meet certain requirements. To effectively comply with the requirements of DPDPA, healthcare provides must take following practices into their consideration so that they can fulfill their obligations under the Act.  These practices are: 

• Collecting Only Necessary Data: Healthcare providers should adhere to the principle of data minimization by collecting only the personal data necessary for the specified purpose. This aligns with Section 6(1) of the DPDPA, which mandates that data collected must be relevant and limited to what is necessary for the purpose of processing. 
• Limiting Data Retention Periods: Healthcare providers must refrain from retaining personal data for a period longer than required for the specified period. Furthermore, DPDPA provides that data fiduciary must erase the data of a patient upon their request unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. 
• Obtaining Explicit Patient Consent: Before processing the data of patients, healthcare providers must obtain their explicit consent. This consent given by the patient must be free, informed, specific, unconditional, and unambiguous. For children or individuals with disabilities, consent must be obtained from a parent or lawful guardian, in accordance with Section 9. 
• Transparent Communication About Data Usage: Healthcare providers should clearly inform patients about how their data will be used, shared, and processed. This transparency is critical to maintaining compliance with the Act, which mandates informed consent. Furthermore, when these healthcare providers involve other entities (data processors) to process data on their behalf for offering any kinds of goods or services to patients, this must be done under a valid contract. 
• Implementing Robust Encryption Methods: Section 8(4) of the DPDPA provides that data fiduciaries must implement appropriate technical and organizational measures to ensure effective observance of this Act. Therefore, healthcare providers can make sure that all personal data they collect is encrypted, both in transit and at rest, to protect against unauthorized access. Furthermore, healthcare providers can use anonymization and pseudonymization techniques to protect patient identities. This helps in reducing the risks associated with data breaches and aligns with DPDPA, which encourages the use of such techniques for enhancing data protection. 
• Regular Security Audits and Vulnerability Assessments: The healthcare providers should Conduct regular security audits and vulnerability assessments to identify and mitigate potential risks. This proactive approach is essential for compliance with the DPDPA’s security obligations. 
• Role-Based Access to Patient Data: Considering the sensitivity of health data, the healthcare providers should implement strict role-based access controls measures to ensure that only authorized personnel can access those sensitive patient data. Furthermore, healthcare providers should maintain logs of all access attempts to patient data and regularly review these logs to detect and address unauthorized access attempts, supporting the DPDPA’s security and accountability requirements. 
• Regular Training Programs on Data Privacy: For effective safeguard of the patient data, the healthcare providers must conduct regular training sessions for employees on data privacy and protection to ensure they are aware of their responsibilities.   
• Incident Response Planning: Healthcare providers must develop and maintain a comprehensive incident response plan to quickly address data breaches. This preparation is crucial for minimizing damage and ensuring compliance with Section 8(5) of the DPDPA, which requires Data Fiduciaries to have measures in place for managing data breaches. Furthermore, they must outline specific steps to mitigate damage post-breach, including notifying affected individuals and the relevant authorities, assessing the breach’s impact, and implementing measures to prevent future incidents.  

CONCLUSION: 

As the DPDPA, 2023, prepares to be enforced, healthcare providers must adapt to the new regulatory landscape to protect patient data effectively. This legislation marks a significant shift towards safeguarding patient data with stringent guidelines on consent, encryption, and access controls. Adhering to practices like data minimization, explicit consent management, and regular security audits is crucial for compliance. These measures not only ensure legal adherence but also bolster patient trust in healthcare services. By implementing robust encryption methods and maintaining vigilant role-based access controls, providers can mitigate risks of unauthorized data access. Furthermore, a well-prepared incident response plan is vital for handling potential breaches effectively. These proactive steps not only align with regulatory requirements but also uphold the integrity and security of patient information. Thus, embracing these best practices will empower healthcare providers to navigate the complexities of data privacy under the DPDPA, ultimately fostering enhanced patient care and confidentiality.