The COVID-19 pandemic has completely changed the working models of various industries, especially the healthcare sector. In this decade, the internet has certainly played a vital role in bringing about both a technological and an industrial revolution, not just in our country but worldwide. During the pandemic, we not only witnessed the rise of health-tech companies, but also saw advancements in healthcare services such as telemedicine.
But have you ever wondered how all of this was even possible? The health tech industries are data-driven and rely solely on the data of the masses. It becomes an obligation of these health techs to safeguard such personal data of their users. Unfortunately, India is not only considered to be negligent with the concept of data protection & privacy, but was also ranked no. 2 among the countries most affected by cyber attacks in the year 2019, and this was the global ranking of India prior to COVID-19.
The right to privacy was declared a fundamental right in the year 2017 in a landmark judgement passed by the apex court of this country, in the matter of Justice K.S. Puttaswamy v. Union of India. Even after the establishment of the Justice BN Srikrishna committee in the year 2018 for drafting a legislation on data protection, and later the JPC (Joint Parliamentary Committee) taking charge of the same, India still struggles to formalise a legislation on data protection.
In this blog, we will not just discuss the privacy challenges prevailing in our nation due to the lack of a data protection law; we will largely discuss the current privacy standards and regulations governing the health tech industries.
Current Privacy Regulations
It is essential to note here that doctors are required to adhere to their professional code of conduct, as the information given to them by their patients is required to be kept confidential. The doctor-patient relationship enjoys a special kind of status, and the information of their patients is protected and enjoys a certain privilege. If a doctor is found guilty of breaching this confidentiality obligation, the Medical Council of India can revoke the doctor’s licence.
The patient’s personal information, or in this case his/her health data, enjoys this special status because of the following provisions of law:
- The patient enjoys the right to privacy that is guaranteed to them by the Indian Constitution, 1950 under Article 21.
- The Indian Medical Council (Professional Conduct, Etiquettes, and Ethics) Regulations, 2002, also specifically mention that no medical professional is allowed to reveal or disclose their patient’s personal information, or in this case the health data, which they have learnt while treating/consulting them.
If we dig deeper for specific Indian laws on data privacy in this domain, we find that, since India is still in the phase of drafting its law on data protection and privacy, the major laws that protect privacy in the health tech domain are:
- IT Act, 2000;
- The Electronic Health Record Standards, 2016;
- IT Rules, 2021 (Intermediary guidelines, and Digital Media Ethics Code);
- IT Rules, 2011 (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information);
- Telecom Commercial Communications Customer Preference Regulations, 2018;
- Telemedicine practice guidelines, 2020;
- Digital Information Security in Healthcare Act;
- Personal Data Protection Bill, 2019 or The Data Protection Bill, 2021.
Of the above, the IT Act and its Rules are the most common and prevailing laws on digital privacy, whereas the Personal Data Protection Bill, 2019 and the Digital Information Security in Healthcare Act are yet to be passed by the Parliament.
Let’s discuss each of these regulations briefly:
1. IT Act, 2000, IT Rules, 2011 & IT Rules, 2021
- The primary law that every tech company, including health techs, needs to comply with is the Information Technology Act, 2000 and its related Rules. The IT Act & IT Rules are the only pieces of legislation to date in India that talk about privacy and protection of personal data, but they are still not an alternative to a privacy law, as they fail to cover many other essential aspects that are usually found in privacy laws. Although the data protection & privacy aspect is wholly missing from this law, it still has provisions under which individuals whose data gets breached/compromised can seek relief.
- From the perspective of companies, in this case health techs, the IT Act describes these service providers as “intermediaries.” Section 2(w) of the IT Act, 2000 defines an intermediary as: “with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-marketplaces and cyber cafes.”
- It is essential to note here that these intermediaries enjoy a certain level of protection under the IT Act, known as the ‘safe-harbour’ protection, set out in section 79. Under it, intermediaries are protected from legal liabilities arising out of their users’ content. Technically, intermediaries are just a platform on which users are free to post their content, and hence the liability shifts from the intermediary to the user whose content is in question. This exemption or protection is only granted to these intermediaries if they successfully complete the due diligence requirements.
- The latest IT Rules, 2021, also known as the Intermediary Rules, provide a list of due diligence requirements that ought to be met by these intermediaries, in the present scenario health techs. These requirements are as follows:
  - Establishing a grievance redressal mechanism and appointing a grievance officer, the details of which must be available on the intermediary’s website.
  - Ensuring that false or misleading information is not available or uploaded on their website.
  - Taking all reasonable security measures to ensure the protection of the users’ data.
2. Telemedicine Practice Guidelines, 2020
The said guidelines govern medical practitioners who provide teleconsultations. The guidelines clearly state that only registered medical practitioners are eligible to consult patients, and no technology-driven company based on machine learning or AI can consult, counsel and/or prescribe medications to patients. They further state that it is the responsibility of the State Medical Council to conduct due diligence and check whether the medical practitioner is registered or not before listing them on their online portal. Lastly, the setting up of a grievance redressal mechanism is also mandated by the said guidelines.
3. Digital Information Security in Healthcare Act
Unfortunately, this bill has not been passed yet, but if passed it will govern/regulate health data or, as the bill defines it, the electronic record of health-related information. The bill prohibits the commercialisation of health data, and further states that such data should only be used for patient-centred medical care, guiding medical decisions, improving public health responses, and research. Further, the bill provides that the autonomy of the individual should be maintained and that, on the consent of such an individual, their data can be withdrawn. If this bill is passed, it will be applicable to all health techs.
4. Telecom Commercial Communications Customer Preference Regulations, 2018
This regulation prohibits telemedicine platforms from sending unsolicited commercial messages or calls to the general public.
5. The Electronic Health Record Standards, 2016
These standards are applicable to all electronic health records, and state that clinical establishments such as health techs, hospitals and nursing homes ought to adopt a security standard in order to ensure the privacy and protection of health data from potential threats such as cyber-attacks. These standards were issued under section 52 of the Clinical Establishment Act, 2010 read with Rule 9 (iv) of the Clinical Establishment Rules, 2012.
6. Personal Data Protection Bill, 2019
The PDP Bill, 2019, or the Data Protection Bill, 2021 as it is named in the Joint Parliamentary Committee’s December 2021 recommendation, has been in talks for more than 3 years now. If the said Bill gets passed, it will not only govern/regulate personal data but will also cover non-personal data, as mentioned in the December 2021 JPC recommendation. Every health tech will have to mandatorily comply with the provisions of this legislation, right from safeguarding health data to making data principals aware of their rights and ensuring those rights. Moreover, these health techs will become more accountable to the general public with respect to their personal data & non-personal data. Health techs will be obliged to report data breaches, conduct data protection impact assessments and establish a mechanism for grievance redressal.
From the above discussion, we can understand that the future of health techs in India won’t go unregulated, and the government is currently drafting and preparing the necessary laws for safeguarding this area, with the aim of protecting individuals and their digital privacy from any kind of interference or infringement. Unfortunately, there are laws that are still in the initial stage, which makes the current scenario in India with respect to digital privacy unrealistic and under high threat. Only the IT Act and its Rules are the major laws governing this domain, and these laws still lack some major provisions, need further improvement, and grossly fail to act as an alternative to privacy laws.