New EHR Guidelines notified

The Ministry of Health and Family Affairs had first released a comprehensive version of the technical standards for Electronic Health Records in 2013. Subsequently, in March 2016, a revised version was released for public comments.

Now a final version has been notified in December 2016, a copy of which is available here.

It needs to be adopted in the IT systems of health care institutions/providers across the country.

When the Health Data Privacy and Security Act, which is under drafting, is enacted, these standards will acquire a legal mandate. However, in view of the enormous work required to implement these standards, it is preferable for all IT companies to start a transformation plan to adopt them now.

Naavi


Ownership of data clarified..in EHR Guidelines 2016

In discussions on “Privacy”, we often debate how the service provider can use my data for purposes which are commercially beneficial to him while I am neither aware of nor benefiting from such usage.

The general principle of all Privacy legislations is that the “Data shall not be used nor disclosed by the processor except as authorized by the data owner or otherwise provided under law”. The data owner often signs a contract with the data collector in which the data collector discloses his privacy policy, detailing why he is collecting the information, what he will do with it, etc. Once this contract is accepted by the data owner, say by clicking the “I Accept” button, it is deemed to be consent and it determines all further rights and liabilities.

In India, a “Click Wrap” contract through an “I Accept” button is not recognized in law, and hence all such consents only become “Deemed consent”, which is “Voidable” at the option of the customer, at least as to some fine-print clauses of the standard contract.

Under these circumstances, if the data user had overstepped the consent terms and used the data for commercial exploitation, the data owner normally could only grumble without a proper legal remedy.

It appears that a new door is now being opened in the Privacy legislation in India applicable to “Health information”, which is also “Sensitive Personal Information” under ITA 2008.

The recently amended EHR guidelines released by the Ministry of Health and Family Welfare, which are a precursor to the Health Care Data Privacy and Security Act, make a categorical statement that:

  1. The contained data, which are the sensitive personal data of the patient, are owned by the patient.
  2. The medium of storage or transmission of such electronic medical record will be owned by the healthcare provider.
  3. The physical or electronic records, which are generated by the healthcare provider, are held in trust by them on behalf of the patient.

This provision lends substantial strength to the “Consent” by not only making it part of a Contract under the Indian Contract Act but also introducing the possibility of a “Breach of Trust” if the data user uses the data other than as provided for in the consent.

Though the EHR guidelines do recognize national interests in denying some privacy rights (which we shall discuss in a subsequent article), the use of the term “Data is owned by the patient” makes a strong case for the legal interpretation of “Data” as “Property”, with all the rights associated with it, including the right of the data owner to place a price on it. If the data user makes any substantial profit out of the aggregation of individual data, it would therefore be reasonable to expect that part of the commercial benefit arising thereof should go to the data owner.

This concept, though laid out specifically in the case of health data, should be extendable to all types of data, including financial data.

It would require some time for understanding the full implications of this concept in the era of data analytics and data aggregation over IoT devices and a multitude of platforms.

Naavi


E Pharmacies need to take note of these regulations

In the last few months, there have been many startups in Bangalore and elsewhere that have introduced mobile app based services in the Health Care industry. Some of them have ventured into areas which may come under the provisions of the Pharmacy Act 1948 (refer here under the link Rules & Regulations). Some of these companies function as e-Pharmacies, which also need to keep an eye on the effect of the “Pharmacy Practice Regulations 2015” on their business activities.

Additionally, the pharmacists will also be subject to the proposed Health Care Data Privacy and Protection Act.

According to the Pharmacy regulations, registered pharmacists need to maintain medical/prescription records for a period of 5 years and should be in a position to make them available on demand by the patient/authorized attendant. The pharmacist is bound to maintain the “Privacy” of patient information and the associated security when the information is maintained in electronic form.

The critical aspect of the regulations from the perspective of the App developers is that the definition of “prescription” takes cognizance of e-prescriptions.

The definition states: “Prescription” means a written or electronic direction from a Registered Medical Practitioner or other properly licensed practitioners such as Dentist, Veterinarian, etc. to a Pharmacist to compound and dispense a specific type and quantity of preparation or prefabricated drug to a patient.

The “Electronic direction” is considered an “e-prescription” and has to meet all the requirements of a written prescription.

The requirements of a written prescription include the following:

(i) Prescriber’s office information – [Name, qualification, address & Regn. No.]
(ii) Patient information – [Name & address, Age, Sex, Ref. No.]
(iii) Date
(iv) Rx Symbol or superscription
(v) Medication prescribed or inscription
(vi) Dispensing directions to Pharmacist (or) subscription
(vii) Directions for patient [to be placed on label]
(viii) Refill, special labeling and/or other instructions
(ix) Prescriber’s signature and licence (or) Drug Enforcement Agency (DEA) number as required.

Hopefully, the e-pharmacies and e-prescription app developers will take these into consideration before the department starts questioning the legality of their activities.

Naavi


Understanding the SNOMED CT Coding system used in Indian Healthcare system

The Ministry of Health & Family Welfare (MoH&FW) had notified the EHR standards for India back in 2013. As a part of these standards, SNOMED-CT (Systematized Nomenclature of Medicine-Clinical Terms), which was developed by the International Health Terminology Standards Development Organization (IHTSDO), was adopted. About 27 countries are members of IHTSDO, but the terminology is used in more than 50 countries. India became a member in April 2014.

India has obtained a “Country license” for SNOMED-CT, and it is available free of cost to vendors/developers/clinical entities in India (Ref: Circular dated 4th April 2014). The circular also urged all States/UTs to adopt the EHR standards in all e-health applications.

SNOMED CT (distributed by the International Health Terminology Standards Development Organization, IHTSDO) currently contains more than 300,000 medical concepts, divided into hierarchies such as body structure, clinical finding, geographic location, pharmaceutical/biological product, etc. Each concept is represented by an individual number, and several concepts can be used together to describe a complex condition.

As a numerical reference system for medical concepts, SNOMED CT provides a standard by which medical conditions and symptoms can be referred to, eliminates the confusion that may result from the use of regional or colloquial terms, and facilitates the exchange of clinical information among disparate health care providers and electronic medical record (EMR) systems.

SNOMED CT consists of four primary core components:

1. Concept Codes – numerical codes that identify clinical terms, primitive or defined, organized in hierarchies
2. Descriptions – textual descriptions of Concept Codes
3. Relationships – relationships between Concept Codes that have a related meaning
4. Reference Sets – used to group Concepts or Descriptions into sets, including reference sets and cross-maps to other classifications and standards

Concepts are further described by various clinical terms or phrases, called Descriptions, which are divided into Fully Specified Names (FSNs), Preferred Terms (PTs), and Synonyms.
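To make the four components above concrete, here is a small working model written for this article (it is not code from IHTSDO, CDAC or the National Release Center). It keeps concepts with their FSN, preferred term and synonyms, links them with “is a” relationships, groups them into a reference set, and validates identifiers the way SNOMED CT identifiers (SCTIDs) are structured: the last digit is a Verhoeff check digit and the two digits before it are a partition identifier saying whether the id names a concept, a description or a relationship. The ids 138875005 (the SNOMED CT root concept) and 404684003 (Clinical finding) are real; every other id, term and reference set name in the block is constructed for the demonstration and is not a real SNOMED CT code.

```python
"""Toy model of the SNOMED CT core components (concepts, descriptions,
relationships, reference sets) with SCTID check-digit validation.
Added example for this article; not IHTSDO, CDAC or NRC code."""
from dataclasses import dataclass, field

# Verhoeff tables: multiplication (D), permutation (P) and inverse (INV).
# SCTIDs carry a Verhoeff check digit as their last digit, so a single
# mistyped digit or a swap of two adjacent digits is always detected.
D = [[0,1,2,3,4,5,6,7,8,9],[1,2,3,4,0,6,7,8,9,5],[2,3,4,0,1,7,8,9,5,6],
     [3,4,0,1,2,8,9,5,6,7],[4,0,1,2,3,9,5,6,7,8],[5,9,8,7,6,0,4,3,2,1],
     [6,5,9,8,7,1,0,4,3,2],[7,6,5,9,8,2,1,0,4,3],[8,7,6,5,9,3,2,1,0,4],
     [9,8,7,6,5,4,3,2,1,0]]
P = [[0,1,2,3,4,5,6,7,8,9],[1,5,7,6,2,8,3,0,9,4],[5,8,0,3,7,9,6,1,4,2],
     [8,9,1,6,0,4,3,5,2,7],[9,4,5,3,1,2,6,8,7,0],[4,2,8,6,5,7,3,9,0,1],
     [2,7,9,3,8,0,6,4,1,5],[7,0,4,6,9,1,3,2,5,8]]
INV = [0,4,3,2,1,5,6,7,8,9]

# Partition identifier (two digits before the check digit) -> component named.
PARTITIONS = {"00": "concept", "10": "concept", "01": "description",
              "11": "description", "02": "relationship", "12": "relationship"}


def verhoeff_check_digit(body: str) -> str:
    """Check digit to append to the digit string `body`."""
    c = 0
    for i, ch in enumerate(reversed(body)):
        c = D[c][P[(i + 1) % 8][int(ch)]]
    return str(INV[c])


def verhoeff_valid(number: str) -> bool:
    """True when the last digit of `number` is a correct Verhoeff check digit."""
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = D[c][P[i % 8][int(ch)]]
    return c == 0


def sctid_kind(sctid: str):
    """'concept', 'description' or 'relationship'; None if the id is malformed."""
    if not sctid.isdigit() or sctid[0] == "0" or not 6 <= len(sctid) <= 18:
        return None
    if not verhoeff_valid(sctid):
        return None
    return PARTITIONS.get(sctid[-3:-1])


def make_sctid(item: str, partition: str = "00") -> str:
    """Build a demo id from an item number and partition (constructed ids only)."""
    body = item + partition
    return body + verhoeff_check_digit(body)


@dataclass
class Concept:
    sctid: str
    fsn: str                                    # Fully Specified Name
    preferred: str                              # Preferred Term
    synonyms: list = field(default_factory=list)
    parents: list = field(default_factory=list) # targets of "is a" relationships


class Terminology:
    def __init__(self):
        self.concepts = {}
        self.refsets = {}        # reference set name -> set of concept ids

    def add(self, concept: Concept):
        if sctid_kind(concept.sctid) != "concept":
            raise ValueError(f"not a valid concept id: {concept.sctid}")
        missing = [p for p in concept.parents if p not in self.concepts]
        if missing:
            raise ValueError(f"unknown parent concept(s): {missing}")
        self.concepts[concept.sctid] = concept

    def ancestors(self, sctid: str) -> set:
        """Every concept reachable through "is a" relationships."""
        seen, stack = set(), list(self.concepts[sctid].parents)
        while stack:
            p = stack.pop()
            if p not in seen:
                seen.add(p)
                stack.extend(self.concepts[p].parents)
        return seen

    def subsumes(self, ancestor: str, sctid: str) -> bool:
        return ancestor == sctid or ancestor in self.ancestors(sctid)

    def find(self, term: str) -> list:
        """Concept ids whose FSN, preferred term or a synonym equals `term`."""
        t = term.casefold()
        return sorted(c.sctid for c in self.concepts.values()
                      if t in {d.casefold() for d in (c.fsn, c.preferred, *c.synonyms)})

    def add_to_refset(self, name: str, sctid: str):
        if sctid not in self.concepts:
            raise ValueError(f"unknown concept: {sctid}")
        self.refsets.setdefault(name, set()).add(sctid)

    def refset_members_under(self, name: str, ancestor: str) -> set:
        """Members of a reference set that sit under `ancestor` in the hierarchy."""
        return {c for c in self.refsets.get(name, set()) if self.subsumes(ancestor, c)}


# Real ids: root concept and the Clinical finding hierarchy. The rest are
# constructed for this demo and are not real SNOMED CT codes.
ROOT, CLINICAL_FINDING = "138875005", "404684003"
FEVER, VIRAL_FEVER, LIVER = make_sctid("900001"), make_sctid("900002"), make_sctid("900003")


def build_demo() -> Terminology:
    t = Terminology()
    t.add(Concept(ROOT, "SNOMED CT Concept", "SNOMED CT Concept"))
    t.add(Concept(CLINICAL_FINDING, "Clinical finding (finding)", "Clinical finding", [], [ROOT]))
    t.add(Concept(FEVER, "Fever (finding)", "Fever", ["Pyrexia"], [CLINICAL_FINDING]))
    t.add(Concept(VIRAL_FEVER, "Viral fever (finding)", "Viral fever", [], [FEVER]))
    t.add(Concept(LIVER, "Liver structure (body structure)", "Liver", [], [ROOT]))
    t.add_to_refset("OPD triage findings", FEVER)       # constructed refset name
    t.add_to_refset("OPD triage findings", LIVER)
    return t


if __name__ == "__main__":
    demo = build_demo()
    print(demo.find("pyrexia"), demo.subsumes(CLINICAL_FINDING, VIRAL_FEVER))
    print(sctid_kind("404684030"))   # transposed digits: fails the check digit
```

The subsumption query is what makes a terminology more useful than a flat code list: a reference set or a report defined in terms of “Clinical finding” automatically covers every concept under it. The check-digit test is the cheap input-validation step an EMR should run before it accepts a code from an interface, since a transposed or mistyped digit produces an id that is structurally valid but clinically wrong.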

SNOMED CT is a clinical terminology designed to capture and represent patient data for clinical purposes. The industry also uses the International Statistical Classification of Diseases and Related Health Problems (ICD), an internationally used medical classification system, which is used to assign diagnostic and, in some national modifications, procedural codes in order to produce coded data for statistical analysis, epidemiology, reimbursement and resource allocation.

Both systems use standardized definitions and form a common medical language used within electronic health record (EHR) systems. SNOMED CT enables information input into an EHR system during the course of patient care, while ICD facilitates information retrieval, or output, for secondary data purposes.

SNOMED CT is used in a number of different ways, some of which are:

- It captures clinical information at the level of detail needed for the provision of healthcare
- Through sharing data it can reduce the need to repeat health history at each new encounter with a healthcare professional
- Information can be recorded by different people in different locations and combined into simple information views within the patient record
- Use of a common terminology decreases the potential for differing interpretation of information
- Electronic recording in a common way reduces errors and can help to ensure completeness in recording all relevant data
- Standardised information makes analysis easier, supporting quality, cost effective practice, research and future clinical guideline development
- A clinical terminology allows a health care provider to identify patients based on specified coded information, and more effectively manage screening, treatment and follow up

SNOMED-CT is used in the second stage of the meaningful use definition under the HITECH Act. Even in the US, health care providers are complaining of the practical difficulties in implementing the standards for recording patient care information. However, certain mapping techniques between SNOMED-CT and ICD 10 have been developed and are reportedly being used.

Along with SNOMED-CT and ICD codes, we also have HL7 standards and ANSI standards for medical encounter/transaction recording and data transmission, making the coding aspects of the health care industry reasonably complex.

These coding systems should be of interest to all IT companies engaged in the domain of health care, including the several startups that are now in India with services in the Health care industry through mobile apps. This will also apply to wearables and cloud storage organizations and, naturally, to medical coding agencies.

It is not clear if the Indian Health care industry, which is not exposed to HIPAA, is anywhere near adopting these medical coding standards in full. Once HDPSA becomes operative, the initial thrust in the industry would be on this aspect of implementation, since non-compliance with these standards would lead to a Y2K type of situation.

However, it appears that the sources for employee training in these areas in India are limited and need to be attended to by the MoH before HDPSA kicks in.

Presently, SNOMED CT related documents can be obtained in India from the National Release Center.

CDAC has also developed a Toolkit for SNOMED CT, which is available here.

It is time for the industry to review its software and embedded system software in the health care industry for compliance with these codes where necessary.

Naavi

For more information on SNOMED CT codes, refer here.

Also refer to the National Health Portal India for further information.


Online Registration System for Indian Hospitals.. No Privacy Policy?

As a part of the Digital India program, the Government of India is encouraging hospitals in India to make use of the “Online Registration System (ORS)” framework to link various hospitals across the country for providing services such as booking appointments, collecting lab reports, etc.

The framework will enable an Aadhaar based eKYC process if the patient’s mobile number is registered with UIDAI.

Presently about 53 hospitals have gone online under this framework. Some of the hospitals that have come onboard include AIIMS at different places, PGIMER and GMC at Chandigarh, NIMHANS and K.C. General Hospital, Bengaluru, JIPMER, Puducherry, etc. There is no doubt that this is just a small sample of Government hospitals.

At present around 1000-1500 appointments per day are being booked under the system and since its launch on 1st July 2015, about 448700 appointments have been booked under the system.

There is no doubt that there is a long way to go before the scheme could be called successful.

For Privacy practitioners, it is necessary to realize that even before the HDPSA draft is available with the public, a major initiative to collect and link the hospitals in India on a common portal is underway. The Government has developed an “Online Boarding Manual” as a guideline for hospitals (Details available here).

At present, the appointment registration collects the Sensitive Personal Information of Aadhaar along with the department contacted, the purpose of contact, etc., which are also considered health related information of an individual and hence can be classified as Sensitive Personal Information under Section 43A of ITA 2008, requiring “Reasonable Security Practices”.

It appears that the individual hospitals just link to the ORS portal and the information processing is done at the ORS portal. Hence the Privacy and Security obligations fall on the portal.

In order to understand how the system seems to be used, I checked the NIMHANS OPD website which is one of the users of this framework.

The Privacy policy disclosed and notified on the NIMHANS website just relates to the visitors of the website and not to people who seek an appointment. When the appointment link on the NIMHANS website is clicked, it takes the registrant to the ors.gov.in website, where there is no declared Privacy policy.

It is also not clear how the information collected for appointment at the ORS website is re-transmitted to NIMHANS or made accessible to them.

Obviously, the system must be considered as being under a pilot run, and a lot more thought needs to be given to it.

When HDPSA kicks in, these hospitals will suddenly realize that they have already collected a huge chunk of Sensitive Personal Information which ought to have been protected from a back date, and they will be in default from day one.

I hope some responsible persons in the management of these hospitals would take some corrective steps in this regard.

Naavi


Two Incidents Highlight the need for better Security in automation of healthcare

Two incidents reported yesterday in two different hospitals highlight the risk in the automation of health care processes and the criticality of information security.

In one of the incidents, a virus left three hospitals in disarray, with the cancellation of all routine operations and outpatient appointments. (Read the story here)

The virus infection affected two hospitals, namely the Northern Lincolnshire and Goole NHS Foundation Trust (NLAG). Due to the use of some shared services, a third hospital, United Lincolnshire Hospitals NHS Trust (ULHT), also had to cancel operations.

Hopefully this is more of a “Denial of Medical Services”, and unless some of the cancelled operations were time critical, the damage may be contained with some inconvenience.

But the incident highlights how a normal information security incident turns “life threatening” in a health care scenario, making information security that much more of a critical care issue.

There was another incident which is also of concern, indicating how human intervention should always be on standby when we use automation in health care.

This incident (see report here) occurred during a robotic surgery at Tokyo Medical University Hospital, when a laser beam being used in the surgery caught fire. The cause of the fire was, unfortunately, farting (passing of gas) by the woman during the surgery. The gas, being inflammable, was ignited by the laser beam and caused severe burns to the 30 year old woman undergoing ovarian surgery.

This fire incident may not directly be called an “Information Security Incident”, but it must be recognized that the robotic surgery was not equipped to stop the laser beam instantly when the surrounding environment changed due to an unforeseen incident.

The incident is similar to the automatic brake system of a Google car failing when a crash is imminent. It must be attributed to the failure of the safety system in the automation of the health care process.

This could eventually be considered “Negligence” of the “System”, and the company manufacturing the equipment and the user (hospital) may be held negligent as an “Intermediary” and have to bear the liabilities.

When HDPSA is drafted, it will incorporate certain aspects of the “Telemedicine Act”, which was once contemplated in India and abandoned, and which had elaborate provisions for medical equipment manufacturers to be registered and monitored.

Naavi


How should HDPSA and ITA 2008 relate to each other?

The Information Technology Act 2000, which was substantially amended in 2008 (ITA 2008) and is presently under another revision, was enacted as a “Special Act” applicable to “Electronic Documents”. In view of international obligations, only IPR regulations like the Copyright Act were kept as overriding provisions in case of any conflict. Otherwise, wherever an “electronic document” was a subject matter of law, ITA 2008 was considered the final law to resolve conflicts, if any.

ITA 2000/8 was generous in extending its provisions to every other law and did not negate any law, since Section 4 simply stated that “Wherever any law requires a document to be in writing, it can be rendered in electronic form”. Similarly, Section 5 extended the validity of a “Signature” by stating that “Wherever any law requires a document to be signed, the requirement can be fulfilled in the form of digital signature as defined under section 3 (later extended to electronic signature defined under section 3A)”.

ITA 2008 made many provisions under “Data Protection” which indirectly provided protection to “Privacy”, though there was no other legislation providing privacy protection in India. There were civil and criminal remedies and Adjudication proceedings to render justice. By defining “Health Information” as “Sensitive Personal Information”, it was also prescribed that there had to be “Reasonable Security Practices” to protect the Confidentiality, Integrity and Availability of such information when Body Corporates handled the same. Under the concept of “Due Diligence” under Section 79, all the known best principles of Privacy protection used in international practice were made part of ITA 2008.

Now, therefore, when HDPSA is enacted with specific provisions meant to protect the privacy and security of health information, there could be several overlapping provisions between HDPSA and ITA 2008.

Ensuring that conflicts are avoided, not only in the provisions but in enforcement, would be one of the prime considerations of the law makers who draft HDPSA.

For example, “Hospitals or Health Care Providers” under HDPSA may be considered “Body Corporates under Section 43A of ITA 2008” if they are companies. But if they are “Trusts”, or a medical practitioner who is not an “association of individuals”, there could be a debate on whether they fall under the explanation of Section 43A, which states:

“body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”

On the other hand, whether any of the covered entities under HDPSA are considered “Intermediaries” would also be debated.

Another point of debate would be: while ITA 2000/8 is restricted to electronic documents, will HDPSA be available for protecting privacy when data is breached in non-electronic form? Will the security cover physical security of privacy documents in paper or voice form?

There will also be a debate on remedies: when things go wrong, is the remedy under HDPSA with its own adjudicator, or under ITA 2000/8 with the adjudicators appointed under Section 46 of ITA 2000/8?

It is therefore necessary to understand the possible areas of conflict and steer clear of them at the drafting stage itself.

Hope the ministries will take the necessary steps.

Naavi


What should be the coverage of HDPSA?

We have already discussed one of the aspects that HDPSA should consider, namely providing a compliance timeline to enable all stakeholders to understand and implement the provisions and be compliant in good faith and to the best of their ability.

The next point that HDPSA needs to address squarely is the scope of the Act in terms of its coverage of different stakeholders. The HIPAA-HITECH Act defines 4 types of stakeholders, namely Health Care Providers, Health Plans, Health Care Clearing Houses and Business Associates. It further extends the provisions to Sub Contractors through contractual binding.

The Indian Act may also follow the same line. HIPAA was, however, driven by the needs of the insurance industry, while the Indian Health Care data privacy and security act seems to be driven by the patient’s need for privacy. As a result, it can approach the law in a slightly different manner and make the “Health Care Service Consumer” the “Central Focus of the Law”.

If so, the Act needs to first define what a “Health Care Service” is and then design the law around the consumer who consumes the product and the product providers. “Privacy” will be one of the attributes of the product, and different aspects of Privacy such as “Disclosure”, “Consent”, “Minimal Collection”, “Purposeful collection”, “Security”, “Destruction”, “Transfer”, “Updation”, etc. need to be provided as different sub-attributes regulated under the law.

The appointment of an “e-Health Authority” will therefore have the objective of providing “Protection of the Health Care Service Provider’s Consumer Rights”. Similarly, the appointment of an Adjudicator or an Appellate Authority will all be focussed on the consumer.

On the other hand, if the law is “Industry oriented”, the “E-Health Authority” will be like TRAI or RBI and mainly regulate the industry. The emphasis on “Data Standards”, “Medical Code”, “Single ID for stakeholders”, etc. is an “Industry Oriented” objective.

The “Central Health Data Repository” will, in an “Industry oriented approach”, be like a UIDAI. The approach to the “Central Health Data Repository” in a “Consumer Oriented Legislation” would be different and may perhaps focus more on “Encryption and Confidentiality”, “Access Rights to the Data Owner”, etc.

The technical standard of storage could also be different in the two approaches. The penalties and liabilities, as well as the procedure for adjudication and grievance redressal, would also be different in the two approaches.

If we look at HIPAA, it does not provide for a private complaint from a data owner but focusses more on “Audits by the HHS”. This is a classical industry approach and is not ideal for India, where there is no other Privacy Protection law to back this legislation, as was available in the US for HIPAA.

Those who frame the law need to have a perspective on the US laws and EU privacy laws, besides avoiding conflicts with ITA 2008.

A few years back, the Government wanted to draft a “Tele Medicine Law” which never saw the light of day. Now is the time to add some of the provisions intended in that law into the HDPSA. Similarly, some aspects of “Medical Negligence” related provisions may also be part of this law.

Though both approaches need to define the “Protected Health Information” and the “Different types of stakeholders”, the ultimate law will look different depending on the approach.

Whether the law should be industry oriented like HIPAA or consumer oriented needs to be determined before the drafting exercise begins.

We need to discuss and debate these issues in the coming days.

Naavi


Let’s Build a Law that is “Compliance Friendly”

Whenever a new law is framed, there are many stakeholders whose interests get affected. A law is normally meant for the citizens of a country but is framed by the Government in consultation with those who are close to the law making body at the time of its formation.

Since the days of ITA 2000, a practice has emerged in India where a proposed law is placed for public comments so that the views of the public can be incorporated in the legislation. However, it is a fact that once a basic draft is framed by the group of experts in a Ministry, changing any part of it is next to impossible; except for some cosmetic changes, real changes are impossible. We have seen this happen in the framing of ITA 2000 and its amendments in 2008. (See here for details.)

Once the law was framed, there were complaints that the law was insufficient, draconian, drafted without understanding industry realities, etc. The same politicians who defended the law in 2000 opposed it in 2008, and industry ignored it until 2011, when it started pinching them under Sections 79 and 43A. Even now, when we talk of ITA 2008 compliance, industry finds it difficult to accept the law as it is and complains of misuse by the Police and misinterpretation by the Judiciary.

Now that a new law is being proposed for “Health Care Data Privacy”, we should endeavour to avoid the same mistakes that were committed when ITA 2000 was drafted and implemented.

One of the problems which Indian law faces, particularly in the type of laws such as ITA 2000/8 or Data Protection, is that the impact of the law is on the industry, and sensible industry captains want to be compliant with the law and not be at the wrong end of the stick.

When new laws are made, they are notified on a specific day, which will be the day when they are passed in Parliament or otherwise notified for effect. For example, until 17th October 2000, there was no legal recognition of electronic documents in India, and overnight they became recognized, along with digital signatures, digital contracts and cyber crimes. Though Naavi.org had been preparing the ground in the industry since around 1998, until the rules were notified nobody knew there would be such a law in effect.

Similarly, on 27th October 2009, suddenly a host of regulations related to compliance under ITA 2008 became effective overnight. Along with it, all IT companies in India without exception became “Legally Non Compliant to ITA 2008” and became “Rogue Companies not following the law of the land”. Of course, even the Police did not understand this, so no case was booked immediately anywhere, but the fact was that there were some legal provisions with which all of us were not compliant.

Such a forced state of “Non Compliance” should not happen once again when this new Privacy law for healthcare is introduced in India.

We can recall here how HIPAA was implemented in the USA in 1996. HIPAA is a law which will be reflected in the proposed Health Care Data Privacy and Security Act (HDPSA) that is our subject of discussion here, and hence we need to draw lessons from its implementation.

When HIPAA was introduced, as well as when it was amended through the HITECH Act in 2009, there was a clear timeline given to the industry for compliance: Data standards by such and such date, Privacy rule by such and such date, Security rule by such and such date, with extensions for small businesses, time for running out existing contracts, etc.

All this meant that though the law became effective from a certain date, the industry was given time for compliance over an extended period, so that all those in the industry who always wanted to be compliant had their opportunity.

This fixing of a timeline for compliance is the first important thing which we need to incorporate in the law. We need to bring in this practice for the first time when this new law, HDPSA, is notified.

Additionally, when such acts are drafted by non-industry persons, there will be many provisions which are difficult or too complex to implement, and industry may try to find loopholes to avoid them or try to save costs by implementing them wrongly.

To avoid this, industry should be proactively involved in the framing of the law. Here again, when we suggest this to the Government, it will simply say that NASSCOM or FICCI is represented in the working group and therefore industry is represented. But we all know that the NASSCOM Chairperson or FICCI Secretary is not the person who can go into the micro-level discussions that are required to make the law “Compliance Friendly”. He has to depend on his secretariat to bring things to his attention to be raised before the Government.

In such cases the large companies may be able to have their say, but the SMEs and the public will never get to be heard.

This proposed law will affect many small companies, some of them startups which have developed medical industry related Apps. It will include small nursing homes and pharmacies as well as diagnostic centers. They need to have their say in the law.

I would like community participation to be at a high level in the framing of this law, so that we will not have to accuse the Government of framing laws that cannot be implemented.

We are still at the beginning of the thinking process as regards this law, but we know the direction in which the Government is moving. We do not want to embarrass the Government later by calling it a bad law; hence we should contribute our ideas at the beginning itself. I therefore invite the stakeholders to join this online forum and contribute both in the form of detailed articles and in the form of discussions in the WhatsApp group.

Naavi

Related Article: Times of India


UID will now be the UHID

The UID, or Aadhaar, started as an ID that could separate Indian citizens in border areas from illegal migrants and serve the national security purpose.

Subsequently, it has become a project to provide a control mechanism to reduce pilferage in Government subsidies reaching the target citizens.

When the system began, the only concern about Privacy in Aadhaar was about the collection of “biometrics” and its possible misuse. Arguments were both on the technical issues of false rejections and false positives and on the use of unreliable vendors who could steal the biometric data, either at the time of creation or when it was in storage.

The Government brushed aside the objections and went ahead with linking Aadhaar with the banking information of an individual, extending the privacy concerns to financial information.

Presently we see that the KYC system in Banking is completely dependent on the Aadhaar number being provided as a “Photocopy of the Aadhaar document”, which exposes all the parameters attached to the ID (except biometrics) in the form of a paper document. Similar paper documents are available with gas dealers, mobile companies, schools and many others who may have little understanding of the meaning of “Privacy”, let alone the legal concept of “Privacy Protection”.

To this risk of biometric and financial information being combined and spread all over in an insecure manner, we are now adding healthcare information, since the UID is set to be the “Universal ID” to be associated with patient information in the proposed HDPSA (HealthCare Privacy and Data Security Act).

Though the details of the proposed act are not yet available, the document which the Government of India (Department of Health and Family Welfare) released for public comments in 2013 on the “Electronic Health Standards of India” contained detailed guidelines on what the Government intends to do.

This circular, which was released earlier, gets a new life with the recent public announcement that a “Draft Health Care Privacy and Data Security Act” is now under the consideration of the Government. We should logically presume that many of the suggestions made in the earlier circular will be adopted in the new Act as and when it becomes a reality. After all, the circular was founded on a time tested framework adopted in the US under HIPAA in 1996, which carries to date.

According to the circular, the standardization of healthcare information collection, storage, transmission and processing will adopt a system of unique IDs for every patient, every medical practitioner, every hospital and every pharmacy, along with the adoption of medical codes for diseases, procedures, health encounters, etc.

In this process, the circular speaks of the “UHID”, the Unique Health Identifier, which acts as the Patient identifier and for which the UID will be used in all EMR systems.

This would now mean that Aadhaar details will be available in all hospital records of patients and get integrated with the Bank details and the associated biometric data.

In principle there is nothing wrong in adopting this nationally unique ID which links a person with health and financial data. However, this raises the issue of how information security is handled by all the entities who may have access to any one of these fundamental parameters.

The information security community, which deals with sensitive personal information in electronic form, as well as the physical security community in health care organizations, where sensitive personal information is available in the form of paper, will now need to devise strategies to upgrade their security arrangements.

“Hospitals”, which includes the neighborhood clinics, and other health care entities such as pharmacies need to start learning the principles of Privacy.

Naavi
