By Bhavana Muralidhar
Health data pertains to information relating to an individual’s mental and physical health. Rapid digitalisation across all sectors has resulted in huge amounts of health data being generated in the healthcare ecosystem.
Thus far, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 have recognised health data as sensitive personal information and mandated that entities adopt reasonable security practices to protect such data. The Electronic Health Record Standards, 2016, published by the Ministry of Health and Family Welfare, introduced a system for the maintenance of Electronic Medical Records/Electronic Health Records (EMR/EHR) by hospitals and healthcare providers in the country.
Now, the Data Security Council of India (DSCI), an industry body that works to establish best practices in cyber security and privacy, has released the DSCI Sectoral Privacy Guide for healthcare. The Guidelines are intended as a simplified blueprint of best practices against which private and public healthcare service providers can revisit their practices for handling health data.
Highlights of the DSCI Privacy Guidelines
The DSCI’s guidelines recognise the various stakeholders a patient has to interact with in the process of availing healthcare services. These stakeholders, such as healthcare providers, pharmacies, and insurance companies, in turn interact with each other, and this results in large amounts of data being continuously exchanged. The need to protect patient privacy becomes increasingly important as data is shared between these stakeholders.
In this light, the Guidelines are manifestly patient-centric: they discuss essential privacy controls such as notice and consent, and state what amounts to disclosure and processing of the collected data. The objective of the Guidelines is to provide actionable guidance that helps healthcare service providers mitigate any type of privacy harm to the patients they interact with.
According to the Guidelines, the seven actionable points or standards that entities can use as a checklist are as follows:
- Accurate and proportional data collection for patient identification: Healthcare service providers must strive to improve the process of collecting patients’ personal data to ensure that only accurate and necessary information is collected from the patient.
- Effective patient communication: Healthcare service providers must provide the patient clear notification with respect to the nature and extent of utilisation, and the relevance of their personal data to the service(s) being provided.
- Informed patient consent: Healthcare service providers must obtain express patient consent through a clear and affirmative action.
- Use or disclosure of patient personal data: Healthcare service providers must use a patient’s personal data only to the extent laid down in the purpose or to the extent of the consent provided by the patient.
- Securing patient personal data: Healthcare service providers must ensure the security of the patient’s personal data through administrative and technological controls.
- Enabling access to and correction of personal data: Healthcare service providers must allow patients access to their personal data. This must be done without excessive expense or delay. Patients should also be empowered to request amendments to their personal data to ensure that it is accurate, relevant, up to date, complete, and not misleading.
- Maintaining patient anonymity: Where lawful and practicable, patients should be given the option of not identifying themselves when dealing with health organisations.
To facilitate the application of these principles to real use cases, the Guidelines provide a comprehensive self-assessment tool that stakeholders can use to evaluate their compliance.
Bhavana Muralidhar is with the data privacy team at Quasar Legal. Views expressed are personal.