Indian Version of HIPAA in the making

The proposed HDPSA (Healthcare Data Privacy and Security Act), which is being worked on by the Department of Health and Family Welfare of the Union Government, is likely to draw a lot from the HIPAA (Health Insurance Portability and Accountability Act) of the USA. HIPAA was enacted in 1996 and was later modified and upgraded through the HITECH Act (Health Information Technology for Economic and Clinical Health Act). For somebody who has followed HIPAA and its implementation for more than a decade, it appears that India is tracing exactly the same path of development that we saw with HIPAA.

Firstly, HIPAA came into being as a law when the health insurance industry was pushing for more digitization of medical record keeping so that the processing of health insurance claims could be made more efficient and less prone to fraud. The insurance industry therefore wanted a push for greater use of Electronic Health Records (EHR) by medical professionals. At the same time, privacy advocates were apprehensive that increased use of EHR would result in a higher risk to the privacy of patients. Hence privacy protection and a standard for information security were built into HIPAA. The HITECH Act expanded the security measures and at the same time strengthened the privacy obligations of the covered entities. It also introduced incentives and disincentives to accelerate the use of EHR, which was felt necessary even more than a decade after HIPAA. (The HITECH Act was enacted in February 2009.)

We in India are retracing similar steps through the actions surrounding HDPSA.

One of the provisions of the proposed HDPSA is to bring in interoperability of electronic data captured and processed across different systems. This requires commonly defined standards for the identification of health entities and for the different parameters of health data, as well as a standardized coding structure for data transmission.

In 2013, the Department of Health and Family Welfare (D-HFW) published the “Electronic Health Record Standards for India” and placed a copy on its website for stakeholders to comment. The copy is available here.

The stated goals of the standards were as follows:

  • Promote interoperability and, where necessary, be specific about certain content exchange and vocabulary standards to establish a path forward toward semantic interoperability

  • Support the evolution and timely maintenance of adopted standards

  • Promote technical innovation using adopted standards

  • Encourage participation and adoption by all vendors and stakeholders

  • Keep implementation costs as low as reasonably possible

  • Consider best practices, experiences, policies and frameworks

  • To the extent possible, adopt standards that are modular and not interdependent.

Within the standards, guidelines were also incorporated for hardware, networking and connectivity, as well as software standards to be complied with by the industry.

The standards also touched on the Ethical, Legal and Social Issues (ELSI) guidelines for Electronic Health Records (EHR) to define the privacy and security requirements of EHR, with recommendations following the HIPAA requirements on privacy and security.

If HDPSA becomes law, it is a reasonable presumption that some of the provisions already available in the Standards document will need to be adopted. Similarly, it needs to adopt some of the provisions of the Tele Medicine Act, which was drafted several years back and simply forgotten.

The HDPSA will also have to contend with co-existence with ITA 2008, which overlaps with it on privacy and information security issues but not on data standards.

Overall, there are interesting days ahead to watch how the legislation unfolds. So far, the draft law discussed in the news report has not been made public, and hence it is difficult to comment on the exact provisions included in it. We wait for the Government to release the draft for public comment.

We may also remember that in 2006 a “Personal Data Privacy Bill” was drafted and even placed before Parliament along with the amendments envisaged for ITA 2000. Subsequently, in 2008, the ITA amendments were passed but the Privacy Bill lapsed. Since then, other versions of the Privacy Bill have been presented in Parliament but have failed to achieve consensus, since they directly touched upon the national security issues involved in “interception of communication” and also on the issues related to the Aadhaar implementation.

The sector-specific approach now proposed in HDPSA, addressing only healthcare data privacy and security, is unlikely to receive much opposition except from the healthcare industry itself, which would be seriously affected in the process of implementing the Act.

While the larger hospital chains are likely to implement the provisions of HDPSA, there will be numerous smaller nursing homes, neighborhood doctors, pharmacies and mobile app companies dealing in health information who will simply be unable to comply with the provisions of the Act and will remain non-compliant.

Even in the advanced US market, the HITECH Act had to set aside US$ 17.2 billion for various kinds of incentives to make the industry comply with HIPAA. This would be the equivalent of over Rs 1 lakh crore. Will the Government make such investments? Obviously not.

This means that we are in for a long haul as regards the real implementation of the provisions as and when they are enacted.

HIPAA actually gave compliance deadlines that extended from 1996 to beyond 2003, and yet the data breach notification provisions were finalised only with the Omnibus Rule of 2013.

If therefore the lawmakers are serious about the adoption of HDPSA, there has to be a strategy for how compliance will be pushed. We know that even after 16 years, ITA 2000 compliance is still at a nascent stage. If so, it is anybody’s guess what the timeline for HDPSA implementation should be.

If there is no proper compliance strategy, we will have an industry domain living under the umbrella of non-compliance, with the constant fear that the regulator could crush it at any time.

This “living under fear” will be the biggest threat to the healthcare industry, and one it needs to avoid.

I therefore suggest that the industry organize itself properly so that when the next phase of roll-out of this draft legislation happens, the interest of survival of the industry is not forgotten.

If the industry is complacent, there would be a “globalization” of the hospital and healthcare industry to such an extent that, just as the K-Marts eat away our neighborhood kirana stores, the international hospital brands may eat away all our domestic medical practitioners. In the process, healthcare in India will become more expensive and more dependent on the health insurance industry.

Keeping all these things in mind, it is necessary to ensure that the proposed legislation builds in adequate safeguards to protect the interests of consumers.

Has the health ministry factored in all these aspects? God knows…

Comments please…


Posted in Uncategorized

First Sector Specific Privacy Law likely on Health Information in India

As per the news report, the Union Health Ministry is contemplating a new legislation tentatively titled “Healthcare Data Privacy and Security Act” (HDPSA) to devise a “comprehensive legal framework” for the “protection of individual health data” and “standardization”.

Refer to the article here.

The statement released to the Press also says that the law will “identify ownership” of the data through the establishment of a “National e-Health Authority” and “Health Information Exchanges”.

The law will also have “detailed remedies for breach of data”, both civil and criminal penalties, entitling the patient to compensation if data is leaked, as well as severe punitive action against the “agencies responsible”.

It also speaks about the “consent” to be obtained from the patient.

The law appears to have been influenced by the need for “interoperability of Electronic Health Records (EHR)” and sounds much like the HIPAA of 1996 in the USA.

It is clear that the law will follow the standard principles of privacy, revolving around authorization for the collection of information based on what is prescribed and on obtaining the consent of the patient. Collected data should follow the principle of minimal collection. Data breach notification to the owner would be part of the legislation.

The mention of what are called “Information Exchanges” indicates regulation of IT facilities, including mobile app companies, with a registration requirement with a National Authority to be set up and a consequential “compliance regime”.

Like HIPAA, there will be unique registration numbers assigned to every health facility, starting with the public sector.

A new “e-Cloud Repository” for real-time health data is also envisaged.

A new Adjudicatory and Appellate Authority is also likely to be set up.

The legislation should be considered a huge step in healthcare regulation in India, just as HIPAA made a seminal difference to the industry in the USA. There is a clear overlap of the proposed law with the Information Technology Act, which already defines “health information of an individual” as “sensitive personal information” and prescribes “reasonable security practices”.

However, given the slackness of the Ministry of IT in implementing the provisions of ITA 2000/8, the emergence of the new “Healthcare Data Privacy and Security Act” or HDPSA could provide good competition to ITA 2008 in redefining the standards of “data security” in India.

We therefore welcome the proposed new legislation.

The HIPAA legislation in the USA, implemented through the HHS, is a model law worth emulating not only for its basic provisions but also for how it was implemented in the industry.

We hope that HDPSA will also be taken through similar steps of “receiving comments from the public” on the draft provisions at every stage of its implementation and “providing a compliance timeline” for the industry, unlike the ITA 2000/8 implementation, which occurred through MCIT.

Watch out for more comments…



A New World of Privacy Protection in India to be unleashed

There is a great wave of change coming across India, more particularly to the healthcare industry in India, which includes hospitals, pharmacies, diagnostic centers, medical professionals, IT companies engaged in healthcare-related operations, health insurance, professionals engaged in information security, privacy lawyers and perhaps many others… including all of us who are, or will be at one time or other, “patients” in the healthcare system.

What is happening is likely to give a huge stimulus to the Indian economy by triggering a big change in the healthcare industry.

This revolutionary change is as big as, if not bigger than, the Y2K event. It happened in the US in 1996 when the “Health Insurance Portability and Accountability Act”, or what we fondly call HIPAA, was legislated. In 2009, Mr Obama, on taking over as President, set aside a sum of US$17.2 billion for incentivising the use of Electronic Health Records by the industry in the USA, because he believed this could be the key to bringing about an economic stimulus to the then ailing US economy.

Now Mr Modi appears to be replaying the Obama trick in India with the proposed new law tentatively titled the “Healthcare Data Privacy and Security Act” (HDPSA).

For Naavi, it appears to be a replay of the situation in 1998, when the “Draft E Commerce Act-1998” was adopted by the Government as the roadmap for legislation on electronic documents, which metamorphosed into the Information Technology Bill in 1999, further into the Information Technology Act 2000 in October 2000, and into the amended Information Technology Act in 2008 (ITA 2000/8).

The draft/proposed Healthcare Data Privacy and Security Act is expected to make a substantial difference to the way the healthcare and IT industries handle information of citizens that has a “healthcare component” in it.

Keeping with the tradition of Naavi, this cyber space will be devoted to the dissemination of information related to HDPSA as it unfolds.

In the course of this dissemination, we are certain we will have some good things to say about the legislation and perhaps also many not-so-palatable things if the implementation does not go in accordance with what we consider to be in the interest of Digital India.

However, I urge visitors to take things in the right spirit and contribute towards the betterment of Digital India by sharing their views and becoming part of this community.

We are aware that there could be many a slip between the cup and the lip, and the legislation may or may not come forth immediately or for some time. But we shall continue to explore the wonderful space of the “Law As it Emerges”.

I welcome you all aboard this journey on Privacy in Healthcare in India.

