Data protection, privacy and digitisation in healthcare


What are the legal developments regarding digitisation in the healthcare sector and industrial networks or sales channels?

Medicine and healthcare are becoming more individualised and accurate due to the convergence of digital technologies in health, healthcare and delivery. Information and communication technologies (ICTs) can assist patients with health issues and problems. The use of new technologies, such as digital health applications, telemedicine and information sharing, will provide substantial benefits for both providers and patients. However, increased communication poses new risks to the privacy and security of patient information. Numerous telemedicine and digital health companies are concerned with confidentiality and safety.

In September 2016, the Ministry of Health and Family Welfare (MoHFW) announced electronic health record (EHR) standards for India (the EHR Standards). These standards were selected from the most widely adopted EHR standards in the world, with an eye toward their applicability in India. Academics, government officials and technologists sat on the committee that developed the recommendations, and the standards were submitted for review to professional entities, regulators and stakeholders as well as several technology and social commentators. Regarding the handling of personal information, data security is a top priority. As a result, healthcare organisations and providers across the country have been notified and have submitted implementation plans for the EHR Standards 2016. The Interim National Release Center takes its name from Systematized Nomenclature of Medicine Clinical Terminology (SNOMED CT), a clinical terminology standard that is becoming increasingly well known among healthcare IT practitioners worldwide.

In 2016, the EHR Standards were revised in response to input from a variety of stakeholders. According to the MoHFW proposal, the Digital Information Security in Healthcare Act (DISHA) would establish a national digital health authority to promote and implement e-health standards, protect patient privacy and security and regulate the storage and sharing of electronic medical records. The MoHFW’s National Digital Health Authority is a proposed organisation charged with creating an integrated Indian health information system. One of the organisation's primary objectives is to assist India in its digital health journey and subsequent realisation of ICT's health sector benefits.

Consequently, healthcare organisations and providers across the nation have been notified and requested to comply with the most recent EHR Guidelines. The sharing of personal data raises a number of concerns, including, but not limited to, those regarding confidentiality, data exchange control, security and privacy, as well as those regarding knowledge, trust and accountability. The MoHFW devised the DISHA to protect patient data and give patients full control over their health information.

Provision of digital health services

Which law regulates the provision of digital health services, and to what extent can such services be provided?

The DISHA of 2018, per the MoHFW, is a new law governing data security in healthcare services. This Act was passed to protect the privacy and confidentiality of digital health information by ensuring its protection and standardisation. According to the parliament, the purpose of this bill is to promote the nationwide adoption of e-health standards. The new regulation has not yet taken effect. Under its supervision, the National Institution for Transforming India (NITI Aayog) has also launched the National Health Stack, a scheme to create digital health records for all citizens by 2022.


Which authorities are responsible for compliance with data protection and privacy, and what is the applicable legislation? Have the authorities issued specific guidance or rules for data protection and privacy in the healthcare sector?

The MoHFW plans to establish a national legislative body through DISHA to promote and implement e-health standards, enforce privacy and security policies for electronic health information, and regulate the storage and sharing of electronic health records. This organisation will be called the National Digital Health Authority.


What basic requirements are placed on healthcare providers when it comes to data protection and privacy? Is there a regular need for qualified personnel?

Data security and privacy are the responsibility of those who are responsible for data storage. If a data breach occurs, the organisation could be punished. In the Indian healthcare industry, there is a growing understanding of the significance of implementing data security safeguards to preserve patients’ confidential information and only share it when needed by law. Protecting the privacy and security of an individual's digital health information is the primary responsibility of a healthcare provider or organisation. When digital health data are collected, stored and transmitted, they must be safeguarded against unauthorised access, use, disclosure and accidental or intentional destruction by the implementation of all appropriate physical, administrative and technical measures. For instance, the Indian Medical Council Regulations of 2002 provide that physicians must always keep a patient's identity private during medical care and operations. By offering frequent training and oversight, a healthcare institution or information exchange can ensure that its workers adhere to security protocols and regulations.

Common infringements

What are the most common data protection and privacy infringements committed by healthcare providers?

Late in 2019, the central government and MoHFW announced the National Digital Health Mission and published a blueprint recommending the establishment of a National Digital Health Ecosystem that enables interoperability between digital health systems at the patient, hospital and ancillary healthcare provider level. MoHFW established a Health Data Management Policy (HDM Policy) for the ecosystem on 14 December 2020, largely based on the Personal Data Protection (PDP) Bill. The HDM Policy recognises entities in the data processing space, such as data fiduciaries (similar to GDPR data controllers) and data processors (terms drawn from the PDP Bill), and it sets up a consent framework for processing personal data in health data management.

Healthcare providers who violate Chapter II of the Personal Data Protection Bill 2019 when creating, acquiring, storing, distributing or disclosing digital health information are considered to have violated patients' privacy rights. Anyone who fails to store digital health information, including information that has not been anonymised or de-identified, or other health data according to the standard rules will be held responsible.

The Indian government recently withdrew the PDP Bill 2019 from Parliament on 4 August 2022. A Joint Parliamentary Committee produced a comprehensive report on the legislation, which had languished in the House of Representatives since 2019. The withdrawal shows that the government must re-evaluate the extent and structure of data regulation. The government indicated that the new law will likely be one of four new laws addressing social media, digital technology, telecommunications and privacy. In lieu of a comprehensive law, the government wishes to enact specialised statutes for particular aspects of the digital technology industry. In addition, the PDP law would be replaced with a new act that is part of a comprehensive legal framework.

The Indian Penal Code of 1860 defines terms such as dishonesty and fraud. Three to five years in prison and a minimum fine of at least 500,000 Indian rupees (approximately $5,600) await anyone convicted of a significant healthcare information violation. Depending on what the court decides, the fine could be used to pay the person who was hurt.

Data protection in India is governed by sections 43A and 72A of the Information Technology Act of 2000, as well as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules of 2011. Section 72A addresses penalties for disclosing information in breach of a lawful contract, whereas section 43A addresses compensation for failure to protect data. Section 72A provides for up to three years in prison, a fine of up to five lakh rupees, or both. The Information Technology Rules of 2011 require a business to obtain consent before sharing sensitive personal data or information.