We have already discussed one aspect that HDPSA should consider: providing a compliance timeline so that all stakeholders can understand and implement the provisions and comply in good faith and to the best of their ability.
The next point that HDPSA needs to address squarely is the scope of the Act, in terms of which stakeholders it covers. The HIPAA-HITECH Act defines 4 types of stakeholders, namely the Health Care Providers, the Health Plans, the Health Care Clearing Houses and the Business Associates. It further extends the provisions to the Sub Contractors through a contractual binding.
The Indian Act may also follow the same line. HIPAA was, however, driven by the needs of the insurance industry, while the Indian Health Care data privacy and security act seems to have been driven by the patient’s need for privacy. As a result, it can approach the law in a slightly different manner and make the “Health Care Service Consumer” the “Central Focus of the Law”.
If so, the Act needs to first define what a “Health Care Service” is and then design the law around the consumer who consumes the product and the product providers. “Privacy” will be one of the attributes of the product, and different aspects of Privacy such as “Disclosure”, “Consent”, “Minimal Collection”, “Purposeful collection”, “Security”, “Destruction”, “Transfer”, “Updation” etc. need to be provided as different sub-attributes regulated under the law.
The appointment of an “e-Health Authority” will therefore be with the objective of providing the “Protection of the Health Care Service Provider’s Consumer Rights”. Similarly, the appointment of an Adjudicator or an Appellate Authority will be focussed on the consumer.
On the other hand, if the law is “Industry oriented”, the “E-Health Authority” will be like TRAI or RBI and mainly regulate the industry. The emphasis on “Data Standards”, “Medical Code”, “Single ID for stakeholders” etc. reflects “Industry Oriented” objectives.
The “Central Health Data Repository” will in an “Industry oriented approach” be like a UIDAI. The approach to the “Central Health Data Repository” in a “Consumer Oriented Legislation” would be different and may perhaps focus more on “Encryption and Confidentiality”, “Access Rights to the Data Owner” etc.
The technical standard of storage could also be different in the two approaches. The penalties and liabilities as well as the procedure for adjudication and grievance redressal also would be different in the two approaches.
If we look at HIPAA, it does not provide for a Private Complaint from a Data owner but focusses more on the “Audits by the HHS”. This is a classical industry approach and is not ideal for India, where there is no other Privacy Protection law to back this legislation, as was available in the US for HIPAA.
Those who frame the law need to have a perspective of the US laws and EU privacy laws besides avoiding conflicts with ITA 2008.
A few years back, the Government wanted to draft a “Tele Medicine Law”, which never saw the light of day. Now is the time to add some of the provisions intended for that law into the HDPSA. Similarly, some “Medical Negligence” related provisions may also be part of this law.
Though both approaches need to define the “Protected Health Information” and the “Different types of the stakeholders”, the ultimate law will look different depending on the approach.
Whether the law should be industry oriented like HIPAA or Consumer oriented needs to be determined before the drafting exercise begins.
We need to discuss and debate these issues in the coming days.