The rapid growth and ongoing expansion of the healthcare sector have significantly increased the volume of health data collected, stored, and processed by hospitals, diagnostic research centers, medical device manufacturers, retailers, research institutes, and other stakeholders. However, without robust infrastructure and privacy-enabling technologies, entities within the healthcare sector are vulnerable to reputational damage and financial losses stemming from data breachesand potentially ill-informed decisions taken for patients hesitant to share complete health information. Information that is medical in nature is extremely private to the individual concerned (Data Principal), and as such, it is imperative that healthcare institutions strictly follow and comply with the provisions of the Digital Personal Data Protection Act, 2023 ("the Act"). The regulation imposed upon the collection, processing and protection of the personal data weighs a far reaching effect on the healthcare sector among others. While we await the robust and comprehensive rules, let’s navigate through key aspects related to healthcare servicessector and the critically acclaimed game-changer Act of 2023:
Reconceived Consent Architecture: To ensure protection of data throughout its lifecycle, healthcare service entities should use tailored consent artifacts or forms specific to each data collection purpose and datatype. Such artifacts or forms should incorporate a layered consent approach to enable opt-in for data sharing for optional research purposes. After collection, multi-factor authentication and data encryption can safeguard data at rest and in transit. Data provenance tracking mechanisms and a blockchain-based log of consent interactions for audit can enhance accountability for data within the healthcare ecosystem. A centralized consentmanagement platform which can be integrated with the National Health Stack, Electronic Health Records, and patient portals, can streamline the consent process, manage various consent versions, track patient preferences across different data collection points, allow patients to review, modify, or withdraw their consent at any time, and facilitate secure data exchange and consent management among different healthcare stakeholders.
Compliant Cross Border Data Transfer: For cross-border data transfers, healthcare service entities should establish contact points and use secure communication protocols such as HTTPS and VPNs. Data Processing Agreements should be executed with entities that possess public authority-approved security certifications and are situated in jurisdictions with data protection regimes equivalent to the Act. Prior to transfer, healthcare stakeholders should assess whether the data's sensitivity and volume necessitate stringent transfer requirements and rigorous security evaluations. Conducting a transfer impact assessment to evaluate potential risks associated with the destination country's data protection regime and notifying patients prior to planned data transfer is recommended. Healthcare service entities engaging in global collaborations or partnerships should ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), the Directive 2011/24/EU on Cross-border healthcare and other applicable general and health data specific collection, storage and processing laws in different jurisdictions.
The Compliance with data minimization mandate: The requirement of collection of necessary data under the 2023 act mandates the healthcare organizations to ensure reevaluation of the data collected and enhance its security mechanism to ensure the continuance of long built patient trust and legal compliances.
Data Fiduciaries and Significant Data Fiduciaries (“SDF”): Data Fiduciaries and SDFs will be required to notify and seek complete consent from patients for the data such institutions intend to process, such as medical history, which could be physical, mental as well as sexual health history of a patient. Considering the nature of such data, Data Fiduciaries and SDFs will have to be strictly regulated in terms of seeking consent of patients for processing such data and even when processing such data, must ensure that the data not be leaked. It is further important that Data Fiduciaries and SDFs keep the data secure and safe from cyberattacks, and for such purpose, Data Fiduciaries and SDFs have to appoint Data Protection Officers as per the provisions of the Act.
Right to be forgotten and access to data: The Act ensures that the patients have complete control over their personal data shared with the healthcare organization and can event request for its deletion. However, such ambiguous and wide spectrum rights possess a serious logistical challenges for the healthcare sector, unless they can portray some compelling reasons to retain such data post withdrawal of consent.
Data Breach and obligation to report: The healthcare sector is required to adopt and have in place a robust mechanism of efficient procedures and systems that ensures timely detection, reporting and response to the personal data breaches and mitigate their adverse effects on patients and simultaneously preserve its reputational interest and liabilities that invites hefty penalties.
Grievance Redressal: Healthcare providers will have to be vigilant in implementing grievance redressal mechanisms for resolution of disputes concerning the personal data of individuals utilizing such services. As health related data is extremely private, and leakage of such data can lead to the individual’s reputation being tarnished, it becomes imperative for healthcare service providers to keep safety mechanisms in place to avoid such circumstances, and further, create a comprehensive mechanism for addressing and redressing disputes of such kind.
Conclusion
Healthcare sector, as it is, plays an important role from both, an economic as well as personal standpoint, considering that the healthcare industry presently deals with the health and wellbeing of individuals. Hence, the robust and efficient integration of the DPDP mandates and obligations into the healthcare sector is the need of the hour, wherein the impact of the said act is profound and multifaceted possessing significant challenges to the healthcare organizations and requires a persistent commitment to weigh both the aspects of privacy and innovation equally. The role that the healthcare industry plays a crucial role in the daily lives of the people, and when such institutions are permitted to utilize personal data of individuals, an equal duty falls upon these institution to adhere to strict standards of data protection, whether particularly mandated by the Act or self-imposed becomes inconsequential in this scenario.
The above article is authored by Ms. Pranshu Singh (Senior Associate Designate), Mr. Upamanyu Ganguly (Associate) and Mr. Raghav Sachdev (Assessment Intern)
Comments