Healthcare, being intrinsic to human existence, cannot be perceived in isolation with the technological advancements benefitting the globe. Artificial Intelligence (AI), the most perceptible technological advancement, is finding increasing inroads in medicine technology (MedTech). In its simplest terms, MedTech, also known as health technology, is the application of organized knowledge to develop procedures and systems aimed at addressing health concerns. If the report of India Brand Equity Foundation (IBEF), Ministry of Commerce, is relied on, Indian MedTech market is expected to reach US $50 billion by 2025. With such exponential rise in MedTech, comes the inevitable need to regulate its cardinal foundation – medical data. The Indian legal canvass concerning regulation of medical data lacks clarity and has sufficient traces of ambiguity that might surface post the enactment of Data Protection Bill, 2021.
Extent of breach of privacy of medical data in India
The Indian Supreme Court, in the most celebrated case of Justice K.S. Puttaswamy v. Union of India concerning the right to privacy, explicated the significance of medical data by recognizing “unauthorized parting of the medical records of an individual” within the ambit of privacy invasion. Post this judgment, there are numerous instances of breach of privacy concerning medical data in India. As per a German cybersecurity firm, Greenbone Sustainable Resilience, in one of the most serious medical data breaches in India, data of around 120 million patients was released online without obtaining their consent. Further, during the COVID 19, there were countless instances of selling of patient’s medical data to third parties. In certain cases, medical data was sold to electronic platforms, enabling such businesses to contact patients in-person. As is evident, patients’ medical data lacks safeguards and protections due to absence of specialized regulations aimed at preventing such data from falling prey to invasive practices.
Legal landscape and challenges
The legal canvass concerning regulation of AI based medical devices and health data in India lacks consistency and has many inherent lacunae that might manifest as probable obstructions in investments. The Drugs and Cosmetics Act, 1940 was the first Act aimed to regulate medical devices. The Act, extended by the Medical Device Rules, 2017 explains medical devices as a subset of “drugs”, thereby restricting the scope of the Act and Rules to regulate manufacture, licensing, and standard of products with no mention of data protection.
In 2020, the Telemedicine Practice Guidelines were issued under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulation, 2002. The guidelines define telemedicine to include “information and communication technologies for exchange of valid information for diagnosis, treatment and prevention of diseases” which would easily lead to a reasonable inference of inclusion of data systems. However, the guidelines explicitly exclude regulations on data management systems, standards and interoperability, and are not relevant for the purpose of data protection in MedTech.
Yet another prospective legislation having substantial bearing on medical data is the proposed Personal Data Protection Bill, 2019 (titled as “The Data Protection Bill, 2021” post the recommendations of the Joint Parliamentary Committee Report) (“Bill”). The Bill is the most comprehensive draft aimed at resolving data privacy concerns by identifying data fiduciaries (entities that decide the purpose and manner of processing of data) and imputing liabilities on such fiduciaries for misuse of data. The Bill identifies “health data” as “sensitive personal data” and mandates obtainment of consent of the data principals (persons to whom the concerned data relates) before processing such data.
While the regulation of sensitive data is much awaited, the Bill exempts the condition of obtaining consent of data principal in certain cases. Such cases include inter alia the processing of data to respond to any medical emergency and to provide health services to an individual during an epidemic or outbreak of any disease or any threat to public health. The exceptions are wide enough to give way to evident lacunae associated with the protection of health data. One of the most discernible loopholes is the protection of health data during epidemics.
Throughout any epidemic, when the possibility of misuse of health data can be reasonably understood to be in its peak, the exemption from the mandate to obtain consent of data principal appears inordinate. While it is reasonable to provide for such circumstances when it may be impracticable to obtain the consent of data principals, such a blanket exception defeats the purpose of identification of health data as “sensitive personal data”, thereby jeopardizing the privacy of health data.
The Australian Privacy Principles Guidelines 2019 issued under the Australian Privacy Act, 1988 necessitate the establishment of “impracticability” in obtaining consent of the data principal as an essential prerequisite of processing of data, even if the circumstances fall within general exceptions to obtain the consent of data principals. The absence of such an obligation on data fiduciaries in India is an evident threat to the health data of citizenry.
As another challenge, the Bill allows for “anonymization” of data, so that such data can be irreversibly dissociated from its owners and can be used inter alia for the purposes of research and as an input to improve AI based systems without infringing the privacy associated with medical data. Such process of anonymization encourages investments as it enables for an organized apparatus to allow for a continuous evaluation of AI-based systems to enhance their efficiency. However, owing to the advancement in AI-based algorithms, de-identification has its own risks of “re-identification” of the owners of data. Re-identification, most simplistically means the process of identifying the data owners of anonymized data, thereby reversing the process of anonymization. Re- identification of owners of sensitive data defeats the purpose of anonymization, and leads to large-scale breaches of data privacy.
For the purposes of protection of privacy of data principals, other jurisdictions have provisions to ensure apt de-identification of medical data to minimize the probability of unwarranted re-identification. As an ocular example, in the United States, the “De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act Privacy Rule” lays down the standards of de-identification to reduce the risk of infringement of privacy concerning health data. As another example, the “De-identification Decision Making Framework” issued by the Australian Office of High Commissioner provides detailed procedure as a guidance for apt de-identification of information to ensure compliance of the Australian Privacy Act.
The Bill contains a mere mention of standards of anonymization to be notified in future. With the statistics depicting violation of patients’ privacy in India and the risk of re-identification, there is a necessity to pay special focus and safeguard such data from falling prey to misuse.
The way forward
As is evident, there are challenges associated with the regulation of MedTech in India, including the lack of a streamlined approach towards resolution of data privacy issues concerning MedTech. The blanket exception to the mandate to obtain consent of the data principal during epidemics and for delivery of medical services should be diluted to include mandatory de-identification of the concerned information and to inform the data principals about processing of such data. Further, such information should not be allowed to be processed by data fiduciaries in the absence of a reasonable ground to prove the impracticability of obtaining consent.
To resolve the challenges associated with the risk of re-identification, the process of de-identification should be standardized as per internationally accepted best practices.
As a measure to ensure protection of health data, the National Health Authority under Ministry of Health and Family Welfare is in the process of incorporation of comments received from stakeholders concerning the Draft Health Data Management Policy, 2022, Version 02. The proposed policy would apply inter alia to any health facility storing, collecting or transmitting personal data and is also applicable to medical device manufacturers.
There is a need to streamline Indian data protection laws to redress the inherent lacunae concerning regulation of MedTech in India – this can be achieved through coherence and cooperation.
Authored by
Gaurav G Arora, Partner, JSA Advocates & Solicitors
Co-Author: Aditi Richa Tiwary, Student of Law
