By: Pravah Ranka
The deadly coronavirus has given rise to unprecedented restrictions on the movement of people, posing extensive challenges to the health-care systems across the globe. Individuals are hesitant about visiting hospitals to seek medical interventions due to the growing risk of infections. States like Rajasthan have allowed three-month-old prescriptions to be followed to avoid the risk of the COVID-19. In hard times like these, telemedicine comes into sight to act as a saviour.
The World Health Organization and the Centre for Disease Control Prevention have approved the use of Telemedicine. The Medical Council of India permitted the practice of telemedicine by the Registered Medical Practitioner under the Indian Medical Council Act, 1956 in accordance with the Telemedicine Practice Guidelines.
Oxford defines telemedicine as “the remote diagnosis and treatment of patients by means of telecommunications technology”. Its ability to cater to the needs of the patients, wherever, whenever has made it instrumental in achieving the highest standards of health-care. With the help of telemedicine, health-care professionals are able to remotely monitor the patients and detect their potential complications in order to provide personalised interventions. Although this innovation is influential in providing good health-care, it has manifested serious ethical issues.
This article aims at analysing the poor implementation of the law concerning data protection in the country that has led to a rise in privacy issues concerning telemedicine.
PRIVACY CONCERNS ARISING OUT OF TELEMEDICINE
The development of telemedicine has been accompanied by several privacy concerns, which have to be addressed. In the 21st century, people have become more comfortable with the technology and have experienced its interference in almost all the aspects of life, paving the way for the rise of Virtual Health Care. Fears about the privacy and protection of telemedicine systems may negatively affect people’s confidence in telemedicine and undermine the potential of telemedicine systems to enhance the availability, efficiency and efficacy of healthcare.
Telemedicine involves health professionals as well as the IT staff, who also have access to, information and are not bound by a strong ethical code of conduct. Telemedicine devices and sensors have the potential of imparting information that the patient would want to keep private. Lack of effective enforcement of laws has made every transmission a potential security breach. The American Securities and Exchange Commission revealed that American Medical Collection Agency was hacked for eight months. Sensors, which are located in the patient’s home to take care of their safety and medical emergencies, can transmit private information, for example, they are home alone or nobody’s home. This could result in serious threats.
Mobile health-care apps also cause privacy concerns. These apps could be financed by transmitting information to a third party that could be interested in creating ads based on the patient’s needs.
LAWS GOVERNING DATA PROTECTION IN INDIA
On March 25, 2020 the Ministry of Health, in partnership with NITI Aayog proposed Telemedicine Practice Guidelines to deal with the ongoing pandemic, making it mandatory for the Registered Medical Practitioners to abide by the Indian Medical Council Regulations, 2002. Although the registered medical practitioners have been prescribed rules for professional conduct and ethics and are forbidden to perform any data breach, health-care breaches have been a recurring phenomenon in the Indian health-care system. Web threats like data-stealing malware have monetised stolen data, increasing privacy concerns amongst telemedicine users.
The Indian legislature amended the Information Technology Act, 2000 to include sections 43A and 72A, which guaranteed the right to compensation for unauthorised disclosure of personal data. Section 72A of the Information Technology Act, 2000 provides a penalty for breach of confidentiality and privacy. The Aadhaar Act, 2016 stated rules and regulations, which obligated the regulated sectors to ensure confidentiality. Yet disclosure of data persists in the country. A German firm reported that over a million medical records and 121 million medical images of patients had gotten leaked and were easily accessible online.
Ministry of Health and Family Welfare drafted the Digital Information Security in Health Care Act to secure confidentiality and privacy in health-care systems. It states the technical measures a clinical establishment should take. Still, many clinical establishments don’t have their data encrypted which has amounted to an accidental breach of data. The risk of potential disclosure of data has made people sceptic about availing virtual health care facilities.
Although there is no express law that governs data protection, the judiciary has attempted to safeguard an individual’s right to privacy. In Justice K.S. Puttaswammy v Union of India, it was held that right to privacy was a facet of Article 21 of the Indian Constitution. It further held that “the right of an individual to exercise control over his personal data and to be able to control his/her own life would also encompass his right to control his existence on the internet.” This is a landmark case as this was the first case where the apex court expressly acknowledged an individual’s right over their personal data. This recognition might not do much good to the patients since India lacks a robust data security regime that will protect patients from privacy breaches in this digital age.
The Government of India had constituted a committee that proposed the Personal Data Protection Bill 2019 which would be the country’s first law concerning solely with data protection. The bill is extremely imperative to safeguard the rights of the citizens including patients.
LESSONS TO LEARN FROM THE WEST
America on Health-Data Privacy
The Health Insurance Portability and Accountability Act provides health insurance for workers and their families. The privacy rules in this act aim to establish national standards for the protection of health-related information. These privacy rules make individuals in control of their health information and allow them to obtain a copy of their health records.
European Regime on Health-Data Privacy
The European law recognises a patient’s health information as its personal information. Legislations like Data Protection Directive, General Data Protection Regulation and the E-privacy directive expressly deal with issues concerning health-data privacy. Article 8 of Data Protection Directive and Article 9 of GDPR prohibits the processing of data concerning health.
The United States and the European Union have signed the Safe Harbor Principles Commission that laid down some guidelines to facilitate cross border transition health-care data to continue the practice of telemedicine.
This agreement provides an excellent example of how telemedicine can be continued, without ignoring the privacy concerns of the patients. India can also look forward to such agreements to boost the practice of telemedicine and ensure the highest health-care standards in the country.
Telemedicine is a bliss in times like these as it attempts to attain the highest health-care standards. Yet, it poses some serious privacy concerns. We would not be able to utilise the advantages of telemedicine if we don’t effectively implement data protection laws in the country. We need to acknowledge this brainwave and formulate appropriate data protection laws to enhance the telemedicine sector in India. Although the Indian Judiciary has recognised citizen’s rights over their data protection, there is no express law to ensure data protection which is a huge blunder. In times like this, telemedicine could ensure the attainment of the highest health care standards. India needs to have appropriate data protection laws so that its citizens would not have to make a choice between health care and privacy.
(Pravah is currently an undergraduate at Gujarat National Law University, Gandhinagar. She may be contacted at firstname.lastname@example.org.)
Cite as: Pravah Ranka, ‘Ensuring Effective Implementation of Data Protection Laws to Secure Telemedicine: The Need of the Hour’ (The RMLNLU Law Review Blog, 24 May 2020) <https://rmlnlulawreview.wordpress.com/2020/05/24/ensuring-effective-implementation-of-data-protection-laws-to-secure-telemedicine-the-need-of-the-hour> date of access.