An Analysis of Indian medical laws from the perspective of patient data privacy

K&S Partners
MEMBER FIRM OF IR Global

India December 12 2025

Introduction

This paper provides a comprehensive analysis of the fragmented Indian medical-legal landscape from the perspective of patient data privacy. It examines the critical intersection of numerous pre-existing, domain-specific health laws with the transformative, horizontal framework of the Digital Personal Data Protection Act, 2023 (DPDPA).

 

This paper conducts a doctrinal and comparative analysis of key medical laws. These include constitutional provisions (Art. 21), national statutes (e.g., Clinical Establishments Act, 2010; Mental Healthcare Act, 2017), state-level acts (e.g., Delhi Nursing Home Registration Act, 1953), practitioner-specific ethical mandates (Indian Medical Council (Professional Ethics) Regulations, 2002), and healthcare activity-specific laws (e.g., PC-PNDT Act, 1994; Transplantation of Organs Act, 1994). Each medical law is dissected to identify specific mandates related to data collection, processing, confidentiality, retention, and patient access.

 

Healthcare stakeholders and their role under Indian privacy law

Patient data privacy has long been recognized in Indian medico-legal jurisprudence. For instance, as far back as 1998, in the case of Mr. X v. Hospital Z[1], the Supreme Court held that a hospital must not disclose a patient’s HIV status. Yet, until the Digital Personal Data Protection Act, 2023 was passed, India lacked a dedicated framework mandating digital privacy safeguards for patients.

 

What is health information/data of patients?

Health data includes any information about a patient’s physical or mental health, created during diagnosis[2], treatment, or care, and may relate to past, present, or future health conditions. When this information is stored or exchanged electronically across hospitals, labs, insurers, or digital platforms, it becomes electronic patient health information[3] (ePHI).

 

 

THE CONSTITUTION OF INDIA

 

  • The Constitution enshrines a fundamental right to health. The 7th Schedule lists the categories of subjects on which the respective legislature (State or Parliament) can make laws.
  • Certain matters, like regulation of professions, are in Parliament’s domain, while others, like public health, are in the state governments’ domain. This explains why many laws require the assent of the state legislature before they can be enforced in that particular state.

Article 21

Protection of life and personal liberty.—No person shall be deprived of his life or personal liberty except according to procedure established by law.

 

Right to Health and Right to Privacy both flow from this fundamental right.

Article 39(e)

(e) that the health and strength of workers, men and women, and the tender age of children are not abused and that citizens are not forced by economic necessity to enter avocations unsuited to their age or strength

 

This is a ‘directive principle of state policy’ and is non-justiciable (unlike Fundamental Rights).

Article 47

Duty of the State to raise the level of nutrition and the standard of living and to improve public health.

 

- The State shall regard the raising of the level of nutrition and the standard of living of its people and the improvement of public health as among its primary duties and, in particular, the State shall endeavour to bring about prohibition of the consumption except for medicinal purposes of intoxicating drinks and of drugs which are injurious to health.

7th Schedule

‘List I - Union List’

(Only the Central government can make laws for this category.)

 

No. 66. Co-ordination and determination of standards in institutions for higher education or research and scientific and technical institutions.

 

No. 64. Institutions for scientific or technical education financed by the Government of India wholly or in part and declared by Parliament by law to be institutions of national importance.

7th Schedule

‘List II - State List’

(Only State governments can make laws for this category.)

No. 6. Public health and sanitation; hospitals and dispensaries.

7th Schedule

‘List III - Concurrent List’

(Both Central/State governments can make laws for this category.)

No. 19. Drugs and poisons, subject to the provisions of entry 59 of List I with respect to opium.

 

No. 26. Legal, medical and other professions.


CLINICAL ESTABLISHMENTS (REGISTRATION AND REGULATION) ACT, 2010

  • This law provides for registration of clinical establishments in India, and it prescribes minimum standards for facilities and registration. It is a law of Parliament, but it is not automatically applicable to all states; it has to be ratified by state governments.
  • Delhi, Maharashtra and Andhra Pradesh have not adopted this legislation, and they may have their own laws in place.
  • This law introduces a comprehensive term called ‘clinical establishments’ which includes different categories of healthcare institutions.

Sec. 2(c) ‘Definitions’

‘Clinical Establishments’ is defined as a hospital, maternity home, nursing home, dispensary, clinic, sanatorium or an institution that offers services or facilities for diagnosis, treatment or care for illness or deformity in any recognized system of medicine such as Allopathy, Homeopathy, Naturopathy, Ayurveda, Siddha, Unani etc.

 

Independent entity providing pathological, biological, radiological, genetic etc. diagnosis or investigative services with aid of laboratory or medical equipment.

 

Institutions managed by government, trust, corporation, local authority or single doctor are included within the definition of ‘clinical establishments’.

Clinical establishments operated by Armed Forces are excluded from this definition.

Sec. 12 ‘Conditions of registration’

Every clinical establishment shall follow ‘maintenance of records’ directives of authorities as prescribed.  

 

Records here may include personal data within their definition.

 

 

DELHI NURSING HOMES REGISTRATION ACT, 1953

  • This law applies to all ‘nursing home’ establishments within the State of Delhi and prohibits any nursing home from carrying on work without registration.
  • It also gives power to the state government of Delhi to make laws mandating health data collection.

 

Sec. 2(iv) ‘Definitions’

'Nursing Home' means any premises used or intended to be used for the reception of persons suffering from any sickness injury or infirmity and the providing of treatment and nursing for them and includes a maternity home, and the expression 'carry on nursing home' means to receive persons in a nursing home for, any of the aforesaid purposes and to provide treatment or nursing for them.

'Maternity Home' means any premises used or intended to be used for the reception of pregnant women or of women in or immediately after child birth;

 

Both these definitions will include medical institutions of any character.  

Sec. 16 ‘Power to make rules’

Allows the government to make rules regarding what kind of personal data needs to be collected by nursing homes from patients. This may allow it to legislate rules on confidentiality and digital health data protection.

 

DELHI NURSING HOME REGISTRATION RULES, 1953

  • Rules made by the Chief Commissioner, Delhi, which set out where and how patients’ personal data needs to be collected by nursing homes.
  • These are applicable to the hospitals or other medical institutions operating in Delhi.

Rule 12 (c)

The rule requires the keeper of a nursing home to collect and maintain the following information pertaining to each patient:

i) Year

ii) Registration No.

iii) Name, S/o, D/o

iv) Occupation

v) Sex

vi) Caste

vii) Age

viii) Date of Admission

ix) Date of Discharge

x) Disease

xi) Result

xii) Date

xiii) History and Treatment, Diet

Rule 12 (d)

Keeper of nursing home must maintain record of all maternity cases admitted to nursing home.

Rule 12 (e)  

Keeper of nursing home must maintain record of all births, deaths occurring in nursing home.  

Rule 13

In case of the death of a patient, the keeper of the nursing home shall share the following personal data of the deceased patient:

  1. Date of the death.
  2. Name of deceased (in block letters).
  3. Name of father or of husband of the deceased (in block letters).
  4. Male or female.
  5. Age of the deceased.
  6. Occupation of the deceased.
  7. Cause of death.

 

 

NATIONAL MEDICAL COMMISSION ACT, 2019  

  • It replaces the erstwhile Indian Medical Council Act, 1956, but some rules made under the old law still survive.
  • Some rules formulated before will remain active such as MCI (Professional Conduct, Etiquette) Rules, 2002
  • The objective of this law is to regulate medical education and professional conduct in India.

Sec. 10

‘Powers and functions of commission’

The National Medical Commission has powers to lay down rules for medical research.

 

The said rules will help in understanding what is meant by medical research, since processing of personal data for purposes of medical research is completely exempt from the DPDP Act, 2023 vide Sec. 17.

Sec. 34

‘Bar to practice’

No person other than a person registered with the state/national register is allowed to practice modern system of medicine.

Only registered persons can hold office of physician/surgeon in an institution.

Only registered persons can issue Medical Certificates for official purposes like issuance of driving license etc.

 

INDIAN MEDICAL COUNCIL (PROFESSIONAL CONDUCT, ETIQUETTE AND ETHICS) REGULATIONS, 2002

  • This law was made under the now-repealed Indian Medical Council Act, 1956. According to Sec. 61 of the National Medical Commission Act, 2019.
  • This is a handbook of codes of ethics, responsibilities and other professional commitments which are to be followed by medical professionals.
  • This law is targeted more towards medical professionals in particular and not hospitals or healthcare institutions as a whole.  

Rule 1.1.2

‘Code of Medical Ethics’

Mandates that the primary objective of the medical profession is to render service to humanity; reward or financial gain is a secondary objective.

This rule establishes a baseline that the focus while engaging in healthcare-related activities is service to humanity.

Rule 1.1.3

‘Code of Medical Ethics’

No person other than a doctor having qualification recognised by Medical Council of India and registered with Medical Council of India/State Medical Council (s) is allowed to practice Modern system of Medicine or Surgery.

 

This rule establishes that treatment under the modern system of medicine can only be prescribed by a registered physician.

Hence, in healthcare setups, activities at touch points where personal data is generated, such as medical tests, diagnosis and surgical operations which lead to generation of medical data, have to be done only as per the directions/advice of an attending physician.

Only doctors can determine the ‘means and purpose’ of personal data processing at those touchpoints where ‘medical data’ is generated.

Rule 1.3.1

‘Maintenance of medical records’

Every physician shall maintain the medical records pertaining to his / her indoor patients for a period of 3 years from the date of commencement of the treatment in a standard proforma laid down by the Medical Council of India.

 

The proforma laid down by the Medical Council of India mandates collection of the following personal data:

  1. Name, age, sex, address, occupation
  2. Date of 1st visit
  3. Clinical notes (summary) of case
  4. Proven diagnosis
  5. Investigation advised with reports
  6. Diagnosis advised after investigation
  7. Advice

This personal information is usually recorded in a ‘prescription’ by the medical practitioner. It also includes ‘medical data’ generated, such as the diagnosis, which is also extra sensitive in nature.

 

Rule 1.3.2

‘Maintenance of medical records’

If any request is made for medical records either by the patients / authorised attendant or legal authorities involved, the same may be duly acknowledged and documents shall be issued within the period of 72 hours. 

This rule allows for authorized attendants and legal authorities to access such  personal information. 

 

Rule 1.3.3

‘Maintenance of medical records’

A Registered medical practitioner shall maintain a Register of Medical Certificates giving full details of certificates issued. When issuing a medical certificate he / she shall always enter the identification marks of the patient and keep a copy of the certificate. He / She shall not omit to record the signature and/or thumb mark, address and at least one identification mark of the patient on the medical certificates or report. 

 

This rule additionally requires the medical practitioner to record identification marks and the thumb mark or signature on medical certificates issued by him/her. Hence, the medical practitioner is legally allowed to maintain such medical certificates.

 

Rule 1.3.4

‘Maintenance of medical records’

Efforts shall be made to computerize medical records for quick retrieval. 

 

This rule encourages digitization of personal data collected in paper/tangible form; once digitized, such data comes within the application of the DPDP Act, 2023 under Sec. 1.

Rule 1.4.1 

‘Display of registration numbers’ 

 

A medical practitioner shall display his ‘registration number’ (personal data) in his/her clinic, prescriptions, certificates, money receipts.

 

The registration number allotted by the Medical Council of India/State Medical Council also comes under the definition of personal data. This rule mandates making such information public, and as such it may be outside the purview of the DPDP Act, 2023 as per Sec. 3(c)(ii).

Rule 2.1

‘Patience, Delicacy and Secrecy’

Confidences concerning individual or domestic life entrusted by patients to a physician and defects in the disposition or character of patients observed during medical attendance should never be revealed unless their revelation is required by the laws of the State. 

This rule disallows a medical practitioner from sharing a patient’s dispositions etc., which may also contain personal data in digital format, except with prior authorization of law.

 

Rule 3.4

‘Statement to patient after consultation’

The disclosure of medical opinion to the patient or his relatives should rest with the medical attendant. 

This rule permits ‘medical data’ such as case updates to be shared with the medical attendant of the patient. The doctor is allowed to share such medical data with the attendant.

Rule 3.6

‘Patients referred to Specialists’ 

When a patient is referred to a specialist, the attending physician is duty bound to share medical history (‘medical, health data’) with such specialist.

 

Rule 3.7

‘Fees and other charges’

A physician shall write his/her name and designation on all prescription letters issued by him. This rule mandates that name and designation of patient shall be in public for the interest of patients and others.

Rule 7.14 

‘Misconduct’

A physician shall not disclose secrets of a patient (which may include personal data) to anyone except to courts, public health authorities. 

 

Rule 7.17

‘Misconduct’

A registered medical practitioner shall not publish photographs or case reports of his / her patients without their permission, in any medical or other journal in a manner by which their identity could be made out. If the identity is not to be disclosed, the consent is not needed.

A doctor processing personal data of patients is not allowed to publish such data (photographs, case reports) without taking prior consent from such data principals. 

 

Rule 7.22

‘Misconduct’

Research: Clinical drug trials or other research involving patients or volunteers as per the guidelines of ICMR can be undertaken, provided ethical considerations are borne in mind. Violation of existing ICMR guidelines in this regard shall constitute misconduct. Consent taken from the patient for trial of drug or therapy which is not as per the guidelines shall also be construed as misconduct.

 

This rule establishes that research involving patients/volunteers shall be only as per the guidelines of the ICMR (Indian Council of Medical Research). Hence, ‘personal data’ or ‘medical data’ may be used in research only as per the guidelines of ICMR.

So, to claim exemption under Sec. 17(2)(b) for research, it is important to note that the hospital is using personal data as per the guidelines of ICMR.

Rule 8.2 and 8.3

‘Punishment and Disciplinary Action’

A case for professional misconduct may be brought forward by someone before National Medical Commissions (then MCI) or State Medical Commissions and they may award punishment of removal of name from register temporarily or permanently.

 

Removal of name from register means that a physician is not allowed to practice medical profession in India under Sec. 34 of National Medical Commission Act, 2019.

 

 

MENTAL HEALTHCARE ACT, 2017

  • This law, made by Parliament, regulates healthcare for mentally ill patients and gives them sufficient rights to enable them to avail mental healthcare services.
  • This law has comprehensive rights for patients of mental diseases such as right to access medical records.

Sec. 2(i)  

‘Definition’

 

“Informed consent” means consent given for a specific intervention, without any force, undue influence, fraud, threat, mistake or misrepresentation, and obtained after disclosing to a person adequate information including risks and benefits of, and alternatives to, the specific intervention in a language and manner understood by the person

 

This clause defines ‘informed consent’ within meaning of mental healthcare law.

Sec. 2(s)

‘Definitions’

“Mental illness” means a substantial disorder of thinking, mood, perception, orientation or memory that grossly impairs judgment, behaviour, capacity to recognise reality or ability to meet the ordinary demands of life, mental conditions associated with the abuse of alcohol and drugs, but does not include mental retardation which is a condition of arrested or incomplete development of mind of a person, specially characterised by sub normality of intelligence.

 

Sec. 2(t)

‘Definitions’

“minor” means a person who has not completed the age of eighteen years

 

Sec. 7

‘Maintenance of online register’

Requires Mental Health Review Board to maintain an online register for advance directives issued by people.

 

Sec. 22

‘Rights to information’

A person with mental illness or his nominated representative has the right to information:

  1. To know about the nature of the person’s mental illness and the proposed treatment plan, and also about the side-effects of the proposed treatment plan.
  2. The person has the right to receive this information in a language which he understands.

The nature of illness and treatment plan may come under the definition of personal data, and under this section a doctor has a duty to share such personal information with the authorized representative of the person with mental illness.

Sec. 23

‘Right to confidentiality’

A doctor treating a person with mental illness shall maintain confidentiality in respect of his mental health, mental healthcare, treatment and physical healthcare.

 

A treating doctor may share such personal information related to treatment only in the following cases:

  • Release of information to nominated representatives.
  • Release of information to other mental health professionals to enable them to provide care and treatment to the person with mental illness.
  • Release of information to protect a person from harm or violence.
  • Release of information upon order of Mental Health Boards or courts of law.

 

Sec. 24

‘Restriction on release of information in respect of mental illness’

 

(1) No photograph or any other information relating to a person with mental illness undergoing treatment at a mental health establishment shall be released to the media without the consent of the person with mental illness.

(2) The right to confidentiality of person with mental illness shall also apply to all information stored in electronic or digital format in real or virtual space.

 

Photographs and other personal information are subject to the right to privacy of the person with mental illness and as such are protected under this clause.

 

Sec. 25

‘Right to access mental healthcare records’

All persons with mental illness shall have the right to access mental health records, and a mental healthcare professional is bound to share such records (‘personal information’) with the patient. This is akin to Sec. 11 of the DPDP Act, 2023.

 

Situations where professional may withhold release of such information-

(a) serious mental harm to the person with mental illness; or

(b) likelihood of harm to other persons.

 

Sec. 27

‘Right to legal aid’

A person with mental illness has the right to legal aid, and a mental health professional in charge of a mental health establishment has the duty to inform the patient about this right under the Legal Services Authority Act, 1987. The person with mental illness has to be informed about contact details of the same.

 

A person with mental illness may require legal assistance for exercising his/her rights under DPDP Act, 2023 and the same has to be provided by the hospital.

 

THE MENTAL HEALTHCARE (RIGHTS OF PERSONS WITH MENTAL ILLNESS) RULES, 2018

This is a set of rules under Mental Healthcare Act, 2017.

  • It seeks to encourage state governments and central government institutions such as AIIMS, NIMHANS to establish halfway homes, which are essentially transitional centers between medical establishments and homes.
  • It prescribes minimum standards of mental healthcare in prisons and for prisoners.
  • It gives the patient (data principal) the right to obtain the basic medical record from the Medical Officer in-charge of medical establishments.

Rule 6

‘Right to access basic medical records’

  • A person with mental illness, shall be entitled to receive documented medical information pertaining to his diagnosis, investigation, assessment and treatment as per the medical records.
  • A person with mental illness may apply for a copy of his basic inpatient medical record by making a request in writing in Form-A, addressed to the medical officer or mental health professional in charge of the concerned mental health establishment.
  • Within fifteen days from the date of receipt of the request under sub-rule (2), basic inpatient medical records shall be provided to the applicant in Form-B.
  • If a mental health professional or mental health establishment, as the case may be, is unable to decide whether to disclose information or provide basic inpatient medical records or any other records to the applicant for ethical, legal or other sensitive issues, he or it may make an application to the Mental Health Review Board stating the issues involved and his or its views in the matter with a request for directions in the form of a written order.
  • The Board shall, after hearing the concerned person with mental illness, by an order, give such directions, as it deems fit, to the mental health professional or mental health establishment, as the case may be.

 

The above rule is similar to Sec. 11 of DPDP Act, 2023 as ‘Right to access personal information’. In this the mental health patient has right to information about his ‘basic medical record’ which includes his medical data/ personal data.

 

ANDHRA PRADESH ALLOPATHIC, PRIVATE MEDICAL CARE ESTABLISHMENTS (REGISTRATION AND REGULATION) RULES, 2002

  • This law is applicable to all private allopathic hospitals in Andhra Pradesh.
  • It also requires hospitals to preserve some data and to keep some data public in the public interest, which may contain personally identifiable information.

Rule 10

‘Display of registration numbers etc.’

The hospital needs to mandatorily display-

  1. Names of all doctors associated/working with them and their registration numbers.
  2. Doctors need to compulsorily display their registration numbers on prescriptions, certificates (issued by them)

Hence, this personal information may be deemed to be publicly available personal data within the meaning of Sec. 3 of the DPDP Act, 2023.

Rule 14

‘Medical Records’

The establishments shall maintain medical records of the patients treated by it and health information in respect of national programmes and furnish to authorities as and when they are required. The minimum medical records to be maintained by the Establishments are prescribed in Appendix-IV, V and VI.

 

 

 

Appendix I

Part II

‘Functional Program’

The hospitals and nursing homes need to compulsorily have certain functional areas like a ‘Medical Records Department’.

This applies to general hospitals and nursing homes, which are healthcare establishments that cater to a wide range of health facilities.

Appendix IV under Rule 14

Various kinds of medical records to be maintained by hospitals:

(Contains personal data within the meaning of DPDP Act, 2023)

(1) Out Patient Data

(2) Inpatient register

(3) Operation theatre register

(4) Labour room register

(5) MTP register

(6) Case sheet

(7) Case sheet for procedure

(8) Case sheet for F.P

(9) Medico-legal certificate in duplicate

(10) Medico-legal register

(11) Laboratory register

(12) Radiology and Imaging register

(13) Discharge summary

(14) Medical certificate in duplicate

(15) Birth Register

(16) Death Register

(17) Notified diseases Information –

(a) Cerebro-spinal fever,

(b) Chicken-pox,

(c) Cholera,

(d) Diphtheria,

(e) Leprosy,

(f) Measles,

(g) Plague,

(h) Rabies,

(i) Scarlet fever,

(j) Small-pox,

(k) Typhus, or

(l) T.B

(m) HIV - AIDS

Appendix IV under Rule 14

‘Formats of medical records to be maintained’

It is obligatory for all hospitals to maintain the records of every patient utilising the services of the hospital.

 

The rule prescribes the different ways in which medical records need to be maintained:

  • Maintain an In-Patient Register with the following columns: -

(I.P. No.) (Pt. Name) (Age) (Address) (Date of Admission) (Date of Discharge) (Final Diagnosis Bill No)

 

  • The case sheet is the most important document. It should include admission notes, consent, investigation reports, progress notes of any procedures conducted, condition at time of discharge and the discharge advice. It is important to record all the happenings during the patient’s stay in the hospital and the consultants, duty doctors and nurses should write notes in the case sheet every time they visit the patients. The case sheets after the patient’s discharge should be preserved carefully.
  • The outpatients Register is another important document which is very often neglected. An out-patient Register with following columns should be maintained.

(Sl.No.) (Name) (Age) (Address) (Date) (Diagnosis) (Advice)

  • Today the medical profession is under the constant threat of litigation and it is essential that all medical records are maintained properly as they form the only evidence which come to the rescue of a doctor in the court of Law.
  • Consent Form. - As mentioned earlier obtaining written and informed consent is an important obligation of every medical practitioner. A model of the consent form is given here:

(Patient Name) (Age) (Sex) (Date) (L.P. No)

 

THE BIRTHS, DEATHS AND MARRIAGES REGISTRATION ACT, 1886

  • This is a law to provide for voluntary registration of births and deaths at registry offices in every district. It also mandates the Registry office (under the respective state government, called ‘Registrar of Births, Deaths and Marriages’) to maintain a register of births, deaths and marriages.

Sec. 21(d) ‘Persons authorised to give notice of birth’

Any medical practitioner in attendance after the birth and having personal knowledge that the birth occurred shall give notice to the registrar.

 

A medical practitioner is under obligation to give notice of birth.

 

PRE-CONCEPTION AND PRE-NATAL DIAGNOSTIC TECHNIQUES ACT, 1994 (PC-PNDT ACT)

 

  • This law prohibits sex selection before or after conception and it regulates pre-natal diagnostic techniques (like ultrasound) for any purpose other than for sex determination.
  • Sex determination may lead to female-feticide, hence the need for this law.

 

Sec. 2(i)

‘Definitions’

“pre-natal diagnostic procedures” means all gynaecological or obstetrical or medical procedures such as ultrasonography, foetoscopy, taking or removing samples of amniotic fluid, chorionic villi, blood or any other tissue or fluid of a man, or of a woman for being sent to a Genetic Laboratory or Genetic Clinic for conducting any type of analysis or pre-natal diagnostic tests for selection of sex before or after conception

Sec. 4

‘Regulation of pre-natal diagnostic techniques’

Pre-natal diagnostic procedure on a pregnant woman may be conducted for diagnosis of following abnormalities-

  1. chromosomal abnormalities;
  2. genetic metabolic diseases;
  3. haemoglobinopathies;
  4. sex-linked genetic diseases;
  5. congenital anomalies;

The person conducting ultrasonography (medical doctor) has to collect the following ‘personal data’:

  1. age of the pregnant woman is above thirty-five years;
  2. the pregnant woman has undergone two or more spontaneous abortions or foetal loss;
  3. the pregnant woman had been exposed to potentially teratogenic agents such as drugs, radiation, infection or chemicals;
  4. the pregnant woman or her spouse has a family history of mental retardation or physical deformities such as, spasticity or any other genetic disease;

The person conducting ultrasonography has to keep a complete record of this ‘personal data’ with himself.

Sec. 29

‘Maintenance of records’

1. All records, charts, forms, reports, consent letters and all other documents required to be maintained under this Act and the rules shall be preserved for a period of two years or for such period as may be prescribed: (Provided that, if any criminal or other proceedings are instituted against any Genetic Counselling Centre, Genetic Laboratory or Genetic Clinic, the records and all other documents of such Centre, Laboratory or Clinic shall be preserved till the final disposal of such proceedings.)

 

2. All such records shall, at all reasonable times, be made available for inspection to the Appropriate Authority or to any other person authorised by the Appropriate Authority in this behalf.

 

This law makes it mandatory to retain certain ‘personal data’ for a period of 2 years. In case of civil or criminal proceedings, the records have to be kept for as long as the case is active.

 

TRANSPLANTATION OF ORGANS ACT, 1994

  • This law regulates the removal and transplantation of human organs only for therapeutic purposes.
  • Only hospitals/tissue banks registered with the government can conduct organ removal and transplantation for therapeutic purposes.
  • This law also prohibits and enumerates offences related to commercial dealing in human organs.
  • Under this law, no person under the age of 18 years can donate organs.

Sec. 2(d)

‘Definitions’

“Brain-stem death” means the stage at which all functions of the brain-stem have permanently and irreversibly ceased and is so certified under sub-section (6) of section 3.

 

This is an essential criterion for determining the death of an individual. Additionally, ‘death’ is also defined in this law.

Sec. 2(e)

‘Definitions’

“deceased person” means a person in whom permanent disappearance of all evidence of life occurs, by reason of brain-stem death or in a cardio-pulmonary sense, at any time after live birth has taken place

 

“donor” means any person, not less than eighteen years of age, who voluntarily authorises the removal of any of his human organs for therapeutic purposes under sub-section (1) or sub-section (2) of section 3

Sec. 2(g)

‘Definitions’

“hospital” includes a nursing home, clinic, medical centre, medical or teaching institution for therapeutic purposes and other like institution

Sec. 2(h)

‘Definitions’

“human organ” means any part of a human body consisting of a structured arrangement of tissues which, if wholly removed, cannot be replicated by the body

Sec. 2(n)

‘Definitions’

“registered medical practitioner” means a medical practitioner who possesses any recognised medical qualification as defined in clause (h) of section 2 of the Indian Medical Council Act, 1956 (102 of 1956), and who is enrolled on a State Medical Register as defined in clause (k) of that section.

 

As of today, the Indian Medical Council Act, 1956 stands repealed by the National Medical Commission Act, 2019. Hence, rights of practice will now be read to be under the 2019 law.

Sec. 2(p)

‘Definitions’

“transplantation” means the grafting of any human organ from any living person or deceased person to some other living person for therapeutic purposes

Sec. 14

‘Registration of hospitals engaged in removal, storage or transplantation of human organs or tissues or both’

Hospitals/organ retrieval centres are not allowed to carry on functions under this law unless they are registered with the government.

Sec. 15

‘Certificate of registration’

The Appropriate Authority has powers under this section to grant registration to hospitals/tissue banks, and only then can they perform organ storage within their premises.

 

 

TRANSPLANTATION OF HUMAN ORGANS AND TISSUES RULES, 2014

  • These rules mandate processing of certain kinds of documentary evidence before a transplant takes place.
  • They also list one criterion for ensuring confidentiality and privacy of the patient.

Rule 18

‘Procedure in case of near relatives’

When the proposed transplant is to take place between near relatives related genetically, namely, grandmother, grandfather, mother, father, brother, sister, son, daughter, grandson and granddaughter, above the age of eighteen years, the head of institution or hospital carrying out the transplantation, has to evaluate:

 

  • Documentary evidence of relationship, e.g., birth certificates, marriage certificates, other relationship certificates from the Tehsildar/Sub-divisional Magistrate or Metropolitan Magistrate or Sarpanch of the Panchayat, or similar identity certificates like the Electors Photo Identity Card or AADHAR card.
  • The head of institution may also evaluate the ration card, voter ID card, passport or driving license or other similar identity certificates.
  • The head of institution may also conduct a DNA profiling medical test. This can be done only by NABL (National Accreditation Board for Testing and Calibration Laboratories) certified labs.
  • If the proposed transplantation is between a married couple, then the head of hospital must ensure that documents such as the marriage certificate, marriage photograph etc. are kept for records, along with information on the number and age of children, a family photograph depicting the entire family, and the birth certificates of children containing the particulars of parents.

 

This rule mandates collection and storage of varied types of personal data in case of transplantation between near relatives, such as AADHAR, DNA samples (for DNA profiling), marriage certificates etc. Since this is a mandate under the medical law, it meets the criteria for taking personal data without consent.

 

Rule 28

‘Conditions and standards for grant of certificate of registration for tissue banks’

Clause ‘F’ on ‘Data Protection and Confidentiality’ states that

‘A unique donor identification number shall be used for each donor, and access to donor records shall be restricted.’

 

As such, the tissue registry shall maintain appropriate data protection and privacy protocols to comply with this rule.

Rule 32

‘Information to be included in National Registry regarding donors and recipients of human organ and tissue’

Organ Transplant Registry:

 

(1) The Organ Transplant Registry shall include demographic data about the patient, donor, hospitals, recipient and donor follow up details, transplant waiting list, etc., and the data shall be collected from all retrieval and transplant centres.

(2) Data collection frequency, etc., will be as per the norms decided by the Advisory Committee which may preferably be through a web-based interface or paper submission and the information shall be maintained both specific organ wise and also in a consolidated format.

(3) The hospital or Institution shall update its website regularly in respect of the total number of the transplantations done in that hospital or institution along with reasonable detail of each transplantation and the same data should be accessible for compilation, analysis and further use by authorised persons of respective State Governments and Central Government.

(4) Yearly reports shall be published and also shared with the contributing units and other stakeholders and key events (new patients, deaths and transplants) shall be notified as soon as they occur in the hospital and this information shall be sent to the respective networking organisation, at least monthly.

 

Organ Donation Registry:

 

(5) The Organ Donation Registry shall include demographic information on donor (both living and deceased), hospital, height and weight, occupation, primary cause of death in case of deceased donor, associated medical illnesses, relevant laboratory tests, donor maintenance details, driving license or any other document of pledging donation, donation requested by whom, transplant coordinator, organs or tissue retrieved, outcome of donated organ or tissue, details of recipient, etc.

 

Tissue Registry:

 

(6) The Tissue Registry shall include demographic information on the tissue donor, site of tissue retrieval or donation, primary cause of death in case of deceased donor, donor maintenance details in case of brain stem dead donor, associated medical illnesses, relevant laboratory tests, driving license or any other document pledging donation, donation requested by whom, identity of counsellors, tissue(s) or organ(s) retrieved, demographic data about the tissue recipient, hospital conducting transplantation, transplant waiting list and priority list for critical patients, if these exist, indication(s) for transplant, outcome of transplanted tissue, etc.

(7) Yearly reports in respect of National Registry shall be published and also shared with the contributing units and other stakeholders

 

ELECTRONIC HEALTH RECORD STANDARDS, 2016

  • Notified by the ‘e-Health’ section of the Ministry of Health and Family Welfare with the objective of introducing a standards-based system for creation and maintenance of Electronic Health Records by healthcare providers. These guidelines have been passed through executive order no. Q-11011/3/2015-eGov of the Ministry.

 

  • This document also does not cater to aspects of creation and operation of local, regional, and national infrastructures, as they are dealt with by appropriate regulatory or administrative bodies.

 

  • This document released by the Ministry also prescribes popular ISO standards applicable to healthcare institutions, such as:
    • ISO/TS 22220:2011 Health Informatics - Identification of subjects of healthcare and ensuring basic identity details of patients.
    • ISO 22600:2014 Health Informatics - Privilege Management and Access Control for ensuring proper access controls.
    • ISO/TS 14441:2013 Health Informatics - Security and Privacy Requirements of EHR Systems for use in conformity assessment.
    • Pharmacy Practice Regulations, 2015, Notification No. 14-148/2012-PCI, as specified by the Pharmacy Council of India.
    • SNOMED[4] Clinical Terms (SNOMED CT) for primary terminology.

 

 

Page 19

 

‘Data Ownership of health records’

‘Ethical, Legal, Social Issues (ELSI) Guidelines’

 

Definitions of the terms privacy, trust and security in this document.

For the purposes of these recommendations, the term “privacy” shall mean that only those person or people(s) including organizations duly authorized by the patient may view the recorded data or part thereof.

 

The term ‘security’ shall mean that all recorded personally identifiable data will at all times be protected from any unauthorized access, particularly during transport (eg: from healthcare provider to provider, healthcare provider to patient, etc.).

 

The term ‘trust’ shall mean that person, persons or organizations (doctors, hospitals and patients) are those who they claim they are.

 

Page 19

 

‘Protected Health Information’

Protected health information (PHI) would refer to any individually identifiable information whether oral or recorded in any form or medium that (1) is created, or received by a stakeholder; and (2) relates to past, present, or future physical or mental health conditions of an individual; the provision of health care to the individual; or past, present, or future payment for healthcare to an individual.

 

Electronic PHI would refer to any protected health information (PHI) that is created, stored, transmitted or received electronically. Electronic protected health information includes any medium used to store, transmit or receive ePHI electronically.

Page 20

 

‘Data Access and Confidentiality’

Patients will have the sufficient privileges to inspect and view their medical records without any time limit. Patient’s privileges to amend data shall be limited to correction of errors in the recorded patient/medical details. This shall need to be performed through a recorded request made to the healthcare provider within a period of 30 days from the date of discharge in all inpatient care settings or 30 days from the date of clinical encounter in outpatient care settings. An audit of all such changes shall be strictly maintained. Both the request and audit trail records shall be maintained within the system.

Page 21

 

‘Privileges of patient or personal representative’

Patients can demand from a healthcare provider a copy of their medical records held by that healthcare provider, which should be provided within 30 days of receipt of communication of request.

Page 22

 

‘Electronic Medical Records Preservation’ or ‘Data Retention’

Upon the demise of the patient where there are no court cases pending, the records can be removed from active status and turned to inactive status. HSPs are free to decide when to make a record inactive, however, it is preferable to follow the “three (3) year rule” where all records of a deceased are made inactive three (3) years after death.

 

 

Conclusion

India’s healthcare sector already operates under several laws that mandate strict record-keeping, confidentiality, and medical reporting. The DPDPA adds a unified privacy framework that strengthens, rather than replaces, these obligations. For hospitals, compliance now means aligning privacy duties with long-standing medical requirements: mapping health records, clarifying roles, securing systems, and standardising consent practices.

When implemented together, these laws can modernise India’s fragmented medical-data landscape and build a privacy-first culture in healthcare. Ultimately, the DPDPA offers an opportunity to improve patient trust, strengthen clinical standards, and elevate healthcare institutions to higher levels of accountability and digital maturity.

K&S Partners - S. Chandrasekhar and Aman Varma

Founded in 1994 as a three-member firm led by Jyoti Sagar, today K&S Partners has emerged as one of India’s leading intellectual property law firms. The internationally acclaimed law firm supports clients from around the world in all forms of intellectual property matters such as patents, designs, trademarks, copyrights, geographical indications, plant varieties, trade secrets, and related matters. Know more about the services at https://www.kandspartners.com or get in touch at [email protected] for personalized assistance.

