By Kirti Mahapatra and Raktima Roy
Telehealth services and data privacy: The healthcare sector in India has historically been subject to less stringent data protection standards than in other countries. Given the sensitivity of health data, many leading organisations in the sector have adopted their own practices that may be stricter than legally required. In 2020, physical doctor appointments went down by 32%, and online consultations increased because of the Covid-19 pandemic and the lockdowns announced to curb its spread. In the 50-plus age group, online consultations went up by as much as 502%.
Given the greater reliance on online interactions for seeking medical support, poor cybersecurity practices in the healthcare sector, especially in telemedicine, can cause unprecedented harm. All stakeholders in the telehealth ecosystem – from the regulators to the service providers – should be cognizant of this potential for harm and take steps to minimise it.
Telehealth: Indian laws and gaps
Privacy and cybersecurity for all organizations in India are governed by the Information Technology Act, 2000 (IT Act) and rules issued thereunder, which inter alia mandate: (a) written consent from the data provider for accessing any health-related data; (b) adoption of security practices and procedures for maintaining such data; and (c) reporting cybersecurity incidents to a nodal agency of the government.
In addition, the Indian Medical Council Act, 1956, the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, the Drugs and Cosmetics Act, 1940 and the Clinical Establishment (Registration and Regulation) Act, 2010 govern the healthcare sector, but they do not contain any specific direction on cybersecurity in the healthcare/telemedicine space.
In 2020, the Telemedicine Practice Guidelines were released with one of the stated aims being to prescribe standards for “privacy and security of the patient records and exchange of information” in the telemedicine sector. However, the references to such standards in this document are not elaborate.
The Electronic Health Records Standards, 2016 (EHR Standards) coupled with the National Health Data Management Policy, 2020 (NHDM) comprise the most detailed standards for handling healthcare data in India. The EHR Standards provide a set of recommendations on the adoption of standards for storage of electronic medical records and other clinical information systems. They identify datasets and the corresponding standards applicable to them.
The NHDM provides detailed guidance on informed consent, creation of health IDs and applicable safeguards. However, the NHDM is not a legally binding document, and the EHR Standards, while helpful for assessing the standards applicable to various types of health records, should be supplemented by clear privacy and cybersecurity policies to minimise the risks associated with telehealth. These should be both comprehensive and dynamic, and formulated with adequate industry consultation to reflect the new realities of providing telehealth services in India.
Practices by healthcare organisations
It is critical that hospitals, doctors and healthcare organisations offering telehealth invest in strong privacy and cybersecurity protocols, and not see these as secondary to the main goal of product and service innovation. A brief overview of the important steps that all organisations should consider taking is:
1. Internal practices and policies
Organisations should have in place essential documentation such as consent templates, privacy policies, and cybersecurity policies that comply with applicable laws and regulations. Teams handling drafting and enforcement of these policies should be highly dynamic and adaptive to changes in laws or product innovation.
Regulated entities such as hospitals are subject to certain standards – for instance, the National Accreditation Board for Hospitals and Healthcare Providers (NABH) specifies standards relating to information management, which require an organisation to maintain confidentiality, integrity and security of medical records and ensure the retention of current and relevant records in a confidential and secure manner. These practices should be widely adopted by organisations.
2. Due diligence of vendors and partners
It is critical to employ due diligence practices for all vendors and partners, whether an IT vendor providing data storage software, a payment gateway helping accept charges, or an e-commerce platform enabling sale of services and products. All partners in the supply chain should be subject to checks to ensure that they adhere to necessary security practices.
3. Device policies and security of medical devices
The devices used to facilitate telehealth consultations, and devices generally used by healthcare professionals, should be secure and in compliance with relevant national and international standards. This should be accompanied by regular risk impact assessments, and training of staff on usage of secure communication channels, handling of data, risks from improper use of medical data generated by devices, etc.
4. Communication with regulators
At present, in the absence of a dedicated regulator, this is not critical. However, regular communication with healthcare sector regulators will grow in importance as and when the sector develops.
In light of the manifold increase in cybersecurity incidents in India, along with the increased use of technology in the healthcare sector, it is critical to centre privacy and cybersecurity practices in all new processes and systems.
(Kirti Mahapatra, Partner and Raktima Roy, Senior Associate at Shardul Amarchand Mangaldas & Co)