The Personal Data Protection Bill, 2019, in its current form, suffers from an acute paucity of concrete definitions and thus, does not address concerns specific to the healthcare sector. “This Bill in a generic format is good. When you go down into the sensitive areas there is lack of clarity.” Dr Sunil Shroff, President (TN), Telemedicine Society of India, said. At MediaNama’s discussion on the impact of the PDP Bill on the healthcare sector held on June 19, speakers agreed that concepts such as health services, medical emergency, etc. needed more granular contouring. This discussion was supported by Microsoft, Google, TMT Law Practice and the Telemedicine Society of India. Comments have been edited for brevity and clarity.

Everything in the healthcare sector is personal data

In the healthcare sector, even a prescription, whether analog or electronic, contains a lot of sensitive personal data, Shroff said. “The e-prescription talks about the history of the patient and the investigations done before; it talks about the actual prescription that is supposed to be transmitted to a pharmacy. In that case, a lot of sensitive data is shared with other parties. This could include an HIV positive status that the patient may not even want to reveal to their spouse,” he said.

And even if the prescription does not carry the diagnosis, if it prescribes drugs that are unique to HIV treatment, it is still easy to infer what the diagnosis is, Shroff said. Under the Personal Data Protection Bill, 2019, any data related to a person who is “directly or indirectly identifiable” is personal data.

Personal data: “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling” — Personal Data Protection Bill, 2019

Health data, health services need more detailing

“Health data is defined very poorly. I think it can be defined in a much more concrete manner; at this point, it is very, very vague,” Shroff said.

Health data: “data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services” — Personal Data Protection Bill, 2019

Is health insurance included in “provision of specific health services”?

“[D]ata that is collected in the provision of health services, in the reading of this particular definition, will qualify under the head of health data,” Abhishek Malhotra, Managing Partner, TMT Law Practice, said. Services provided by a hospital or a doctor would definitely constitute health services, but the question that then arises is whether health insurance would be classified as a “health service”, he said. “Health insurance is only an enabler for you to be able to pay for the health services that you’re getting, but is that data collected in the provision of health services?” he asked. Since health insurance acts as an enabler for getting health services, Malhotra said that it should be included as a health service. Moreover, “from a data principal’s point of view, this is an enabling legislation. Thus, if there is an interpretation that would help expand the scope of the data principal’s rights, it will be there”, he said. But he advised that it would be best to have specific guidelines related to health-related insurance.

Whenever a data principal avails any health service, it is not just health data that is collected. “If you are going to the hospital, you have to show your official ID or give your financial data to pay the bills,” Shweta Mohandas, Policy Officer at the Centre for Internet and Society, pointed out. In that case, more categories of sensitive personal data, apart from health data, are added to the gamut of personal data collected in the provision of health services. Health insurance data, thus, could straddle both health data and financial data, both of which are categories of sensitive personal data.

The question that then remains, as Malhotra said, is whether, just by virtue of being solicited for the provision of healthcare services, health insurance data automatically qualifies as health data.

Furthermore, Section 12(a)(i) of the Bill allows the state to process personal data without consent for “the provision of any service or benefit to the data principal from the State”. In such a case, could services provided through a government health insurance scheme, such as Ayushman Bharat, be allowed to process personal (though not sensitive personal) data without consent? To this end, Malhotra proposed that sector-specific guidelines about harmonising insurance with health data, perhaps from the IRDA itself, would be required, along with a clarification about whether or not health insurance is a healthcare service.

Cohesive insurance system may lead to standard health records

Shroff said that compliance burdens for different players in the ecosystem would need to differ. For instance, a large hospital, a standalone diabetes clinic, and an aggregation platform like 1mg cannot be treated alike by the Bill. “The basic compliance requirements need to be the same in terms of encryption of data and its storage, especially for big hospitals, but for a small clinic, medical records will make no sense. If data portability is also included, you need to have some kind of medical recording system for everybody, and that will add cost to health care,” he said. But he is hopeful that with the coming of health insurance “in a big way”, “a lot of these standards [will come] into place automatically because when it comes to reimbursement, you will need to follow those protocols”. The health insurance sector in India is very fragmented right now, with forms differing across insurance providers. The introduction of big insurance is what standardised health records in the US, according to Shroff.

Medical emergency must be defined to establish consent

Under Section 12, the Bill allows for processing of personal data without consent to respond to “any medical emergency involving a threat to the life or a severe threat to the health” of any individual and to provide “medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health”. Similarly, under Section 34(2), critical personal data may be transferred outside India only if it is transferred to “a person or entity engaged in the provision of health services or emergency services” and such transfer is necessary under Section 12. The problem is that the Bill does not define a medical or a health emergency.

In this scenario, Malhotra pointed out, well-being becomes an exceptional circumstance under which transfer of data overseas is allowed. Thus, “it’s very important to delineate the contours of medical emergency,” he said.

Even in emergencies, privacy cannot be discarded: Sprinklr case in Kerala High Court

Malhotra pointed out that “courts or authorities are not circumscribed or limited by the absence of such a situation to come to the aid of addressing an issue if it does arise”. He referred to the Sprinklr case in the Kerala High Court, where the Court dealt with the transfer of health data of COVID-19 patients in Kerala to Sprinklr, a US-based company. In this case, Malhotra said, “courts are very well aware of principles, and they don’t shy away from implementing them as and when the scenarios require it, even though there may not be a legislation”. The April 24 order read, “Imperative criteria as to whom the data can be disclosed; whether there are sufficient safeguards to ensure the data remains confidential; how it is to be dealt with after processing/analysis and its conditions, thus become vitally important. The corner-stone of managing data confidentiality is, to a large extent, determined by the control over access to it and the modus and the manner in which it is dealt with.” This, Malhotra explained, “ensured that the possibility of the flight of data (and it referred to it as a data epidemic) should not come in the way of either the privacy of the individuals concerned or the concomitant benefit that could be derived by virtue of the processing of that data, which was required to be done locally in that regard”.

Since a medical emergency may involve a patient who is incapacitated or unconscious, it becomes all the more important to define medical emergency, Shroff said. The Mental Health Act can help in such a situation, since in a medical emergency the nature of consent, and how it is to be taken from someone other than the data principal, will also need to be reconsidered.

Distinguish between scientific and healthcare research

Under Section 39 of the Bill, the Data Protection Authority may exempt a data fiduciary for the purposes of carrying out research, archiving or statistical analysis. This, as per Malhotra, requires more detail. To that effect, there may be a need to distinguish between scientific and healthcare research, wherein “the scientific research aspect need not necessarily apply only to healthcare” and “could have wider contours”, he said. “Perhaps research is something which can come about by way of a sector-specific definition in the relevant rules or regulations, or those to be notified by the to-be-constituted DPA,” he clarified.

Define where liability lies, remove criminal offence

“The medical institution is considered the custodian of the data. If there is a breach or misuse of anonymised data, etc., all liability falls upon the person holding the data. And today, in the absence of a national or state electronic health system to keep that data, the responsibility falls on the hospital,” Dr. Shubnum Singh, Advisor, CII National Healthcare Council, and Consultant Emeritus, Max Healthcare Institute Ltd, said. “In the 2019 version of the Bill, criminal offences have been reduced to one, that is, re-identification of de-identified data. But still, I think for all those things, you don’t need a criminal offence. I still feel that there has to be a penalty and it’s a civil issue that needs to be handled. And it needs to be more detailed because, as one of the persons into innovation, that gives me a lot of fear that anything can be put into this and then they say that this is re-identification, and that’s an issue, that’s number one,” Dr Varun Gupta, Vice President of Medical Affairs and Public Policy at 1mg, said.

“The Telemedicine Guidelines and the Information Technology Act only marginally regulate medical aggregator platforms [such as 1mg]. The Consumer Protection Act 2019 omits medical services,” Soumya Tiwari, a student at Rajiv Gandhi National University of Law, said. Their regulator is thus unclear. Gupta said that the responsibilities of companies in the healthcare sector that are not hospitals or doctors often change depending on the role they play. “The digital ecosystem depends on the service, the role and the journey,” he said.

Clarify participation criteria for innovation sandbox to resist government monopoly

“In the absence of any legislation, in my view, you are already in a sandbox. If true innovation has to come in, it should come now. This is being discussed in Singapore and other developed countries as well. We are discussing the data framework for health, what kind of innovations can be implemented in India. The only worry is that, under the sandbox provisions of the PDP Bill, the government should not end up monopolising it, because the criteria for participation in the sandbox are unclear. The PDP Bill just has to have a good balancing act between private and public interest, and that will shape up only once the regulations come out,” Vatsal Gaur, Associate Partner at HSA Advocates, said.