Privacy

(P.S.: Since the copy of the proposed HDPSA is not yet available, we present here the contents of the Electronic Health Record Standards for India (EHRSI), which was released by the Department of Health and Family Welfare (DHFW) in 2013 and placed for public comments. Our own views may be found in any of the articles).

A revised version of the EHR Standards was published in February 2016 and is being incorporated into this document…Naavi


For the purposes of the recommendations under the “Electronic Health Record Standards for India” (EHRSI),

“Privacy” shall mean that only those persons, including organisations, duly authorized by the patient may view the recorded data or any part thereof.

Privacy would refer to authorization by the owner of the data (the patient).

Protected health information (PHI) would refer to any individually identifiable information whether oral or recorded in any form or medium that (1) is created, or received by a stakeholder; and (2) relates to past, present, or future physical or mental health conditions of an individual; the provision of health care to the individual; or past, present, or future payment for health care to an individual.

Electronic protected health information (ePHI) would refer to any protected health information (PHI) that is created, stored, transmitted, or received electronically. Electronic protected health information includes any medium used to store, transmit, or receive PHI electronically.

The following and any future technologies used for accessing, transmitting, or receiving PHI electronically are covered:

- Media containing data at rest (data storage)
- Personal computers with internal hard drives used at work, home, or while traveling
- External portable hard drives, including iPods and similar devices
- Magnetic tape
- Removable storage devices, such as USB memory sticks, CDs, DVDs, and floppy disks
- PDAs and smartphones
- Data in transit, via wireless, Ethernet, modem, DSL, or cable network connections
- Email
- File transfer

Data access and confidentiality

This would refer to:

a. Regulations are to be enforced to ensure confidentiality of the recorded patient/health data, and the patient should have control over this.
b. Patients will have sufficient privileges to inspect and view their health records without any time limit. Patients’ privileges to amend data shall be limited to correction of errors in the recorded patient/health details.

This shall need to be performed through a recorded request made to the healthcare provider within a period of 30 days from the date of discharge in all inpatient care settings or 30 days from the date of clinical encounter in outpatient care settings.

An audit of all such changes shall be strictly maintained.

Both the request and audit trail records shall be maintained within the system. Patients will have the privileges to restrict access to and disclosure of individually identifiable health information.
c. All recorded data will be available to care providers on an ‘as required, on demand’ basis.
d. Minimum data standards

Data Ownership

For data ownership, a distinction is to be made between

a. The physical or electronic records, which are owned by the healthcare provider. (These are held in trust on behalf of the patient) and

b. The contained data, which is the sensitive personal data of the patient, is owned by the patient himself/herself.
c. The healthcare provider will have the privilege to change/append/modify any record in relation to the health care of the patient as necessary, with a complete documented trail of such change. No alteration of the previously saved data will be permitted. No update or update-like command shall be utilised by the system to store a record or part thereof. Instead, a new record will be created with the unaltered parts of the existing record, and the changed/appended/modified data will replace the relevant parts of that new record. This record shall then be stored and marked as active, while the previous version or versions of the same record are marked inactive. The data will thus be immutable. A strict audit trail shall be maintained of all activities at all times, which may be suitably reviewed by an appropriate authority such as an auditor, legal representatives of the patient, the patient, the healthcare provider, a privacy officer, a court appointed/authorised person, etc.
d. The medium of storage or transmission of such electronic health record will be owned by the healthcare provider.
e. The “sensitive personal information (SPI) and personal information (PI)” of the patient is owned by the patient themselves. Refer to IT Act 2000 for the definition of SPI and PI.
f. Sensitive Data: The Data Privacy Rules under the Information Technology Act 2000 refer to ‘sensitive personal data or information’ (Sensitive Data) as the subject of protection, but also refer, with respect to certain obligations, to ‘personal information’. Sensitive Data is defined as a subset of ‘personal information’, namely personal information that relates to:

i. Passwords;
ii. Financial information such as bank account or credit card or debit card or other payment instrument details;
iii. Physical, psychological and mental health condition;
iv. Sexual orientation;
v. Medical/clinical records and history;
vi. Biometric information;
vii. Any detail relating to (1) – (6) above received by the body corporate for provision of services; or
viii. Any information relating to (1) – (7) that is received, stored or processed by the body corporate under a lawful contract or otherwise.
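Item c above describes an append-only record design: an amendment never overwrites saved data but creates a new version, marks the previous one inactive, and logs every activity. The following is an added illustration of that design, not code from the EHRSI document or any EHR product; the class, field and actor names are assumed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

@dataclass(frozen=True)          # frozen: a stored version can never be mutated
class RecordVersion:
    record_id: str
    version: int
    data: Tuple[Tuple[str, str], ...]   # field/value pairs, immutable tuple
    active: bool

class ImmutableEHRStore:
    """Append-only store: no update command exists; amend() builds a new version
    from the unaltered parts of the current one and retires the old version."""

    def __init__(self) -> None:
        self._versions: Dict[str, List[RecordVersion]] = {}
        self.audit: List[dict] = []      # audit trail of all activities, incl. reads

    def _log(self, actor: str, action: str, record_id: str, version: int) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                           "action": action, "record_id": record_id, "version": version})

    def create(self, actor: str, record_id: str, data: Dict[str, str]) -> RecordVersion:
        if record_id in self._versions:
            raise ValueError("record already exists; use amend()")
        first = RecordVersion(record_id, 1, tuple(sorted(data.items())), True)
        self._versions[record_id] = [first]
        self._log(actor, "create", record_id, 1)
        return first

    def amend(self, actor: str, record_id: str, changes: Dict[str, str]) -> RecordVersion:
        history = self._versions[record_id]
        current = history[-1]
        merged = dict(current.data)      # copy unaltered parts of the existing record
        merged.update(changes)           # changed/appended data replaces relevant parts
        new = RecordVersion(record_id, current.version + 1, tuple(sorted(merged.items())), True)
        # Retire the previous version: same data, only the active flag differs.
        history[-1] = RecordVersion(current.record_id, current.version, current.data, False)
        history.append(new)
        self._log(actor, "amend", record_id, new.version)
        return new

    def view(self, actor: str, record_id: str) -> RecordVersion:
        current = self._versions[record_id][-1]
        self._log(actor, "view", record_id, current.version)   # reads are audited too
        return current

    def history(self, record_id: str) -> List[RecordVersion]:
        return list(self._versions[record_id])
```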

Data Disclosure Norms

Disclosure of information would be applicable as follows:

a. For use for treatment, payments and other healthcare operations: In all such cases, a general consent must be taken from the patient or next of kin, etc. as defined by applicable laws.

b. Fair use for non-routine and most non-health care purposes: a specific consent must be taken from the patient; format as defined.

c. Certain national priority activities, including notifiable/communicable diseases, will be specified for which health information may be disclosed to the appropriate authority as mandated by law without the patient’s prior authorization.

Responsibilities of any healthcare provider would include:

a. Protect and secure the stored health information, as per the guidelines specified in the document

b. While providing patient information, remove patient identifying information if it is not necessary to be provided

c. Will ensure that there are appropriate means of informing the patient of policies relating to his/her rights to health record privacy

d. Document all its privacy policies and ensure that they are implemented and followed.

This will include:

i. Develop internal privacy policies

ii. Designate a privacy officer (preferably external, may be internal) who will be responsible for implementing privacy policies, audit and quality assurance

iii. Provide privacy training to all its staff

Patients will have the privilege to appoint a personal representative to carry out the activities detailed below.

a. Patients will have the privilege to ask for a copy of their health records held by a healthcare organization.

b. Patients will have the privilege to request a healthcare organization that holds their health records, to withhold specific information that he/she does not want disclosed to other organizations or individuals.

c. Patients can demand information from a healthcare provider on the details of disclosures performed on the patient’s health records.

Instances where denial of information will apply are as follows:

A healthcare provider will be able to deny information to a patient, representative or third party, in contravention of the normal regulations, if in the opinion of a licensed healthcare professional the release of information would endanger the life or safety of the patient or others.

This will include, but not be limited to, the following:

d. Information obtained from an anonymous source under a promise of confidentiality.
e. Psychotherapy notes.
f. Information compiled for civil, criminal or administrative action.

Instances where use and disclosure without individual authorization will be possible are as follows:

Disclosures can be performed without individual authorization in the following situations.

- With identifiers, on production of a court order.
- However, as far as possible, and where appropriate, the data so provided should be anonymised to remove information that would allow identification of the patient.

Removing identifiers as indicated in the Patient Identifying Information Table below.

Patient Identifying Information

Data are “individually identifiable” if they include any of the identifiers listed below for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual.

These identifiers are as follows:

1. Name
2. Address (all geographic subdivisions smaller than street address, and PIN code)
3. All elements (except years) of dates related to an individual (including birth date, date of death,
4. Telephone and/or Fax numbers
5. Email address
6. Medical record number
7. Health plan beneficiary number
8. Bank Account and/or Credit Card Number
9. Certificate/license number
10. Any vehicle or any other device identifier or serial number
11. PAN number
12. Passport number
13. Aadhaar number
14. Voter ID card
15. Fingerprints/Biometrics
16. Voice recordings that are non-clinical in nature
17. Photographic images that could individually identify the person
18. Any other unique identifying number, characteristic, or code
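The de-identification step the disclosure norms call for (removing the identifiers in the table above before data leaves the provider) can be expressed as a filter over a record. The code below is an added example, not part of the EHRSI document; the field names, the ISO date format, the PAN/Aadhaar/mobile-number patterns used to scrub free-text notes, and the choice to keep the state of the address are all assumptions of this example.

```python
import re
from typing import Any, Dict

# Direct identifiers from the Patient Identifying Information table, mapped to the
# (assumed) field names of this constructed record; these fields are dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "address", "pin_code", "phone", "fax", "email", "medical_record_number",
    "health_plan_number", "bank_account", "credit_card", "licence_number",
    "vehicle_number", "device_serial", "pan", "passport", "aadhaar", "voter_id",
    "biometrics", "voice_recording", "photo",
}
# Item 3: all elements of dates except the year are removed (ISO YYYY-MM-DD assumed).
DATE_FIELDS = {"birth_date", "date_of_death", "admission_date", "discharge_date"}

# Identifiers that leak into free text. Assumed formats: e-mail; PAN as 5 letters,
# 4 digits, 1 letter; Aadhaar as 12 digits in groups of 4; Indian mobile as 10 digits.
FREE_TEXT_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"), "[PAN]"),
    (re.compile(r"\b\d{4}\s?\d{4}\s?\d{4}\b"), "[AADHAAR]"),
    (re.compile(r"\b\d{10}\b"), "[PHONE]"),
]

def scrub_text(text: str) -> str:
    """Replace identifier-like substrings in free text with a category label."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text

def deidentify(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the record with direct identifiers removed, dates reduced
    to the year, and free-text values scrubbed. Clinical fields are kept."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS and isinstance(value, str):
            out[key] = value[:4]
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out

# Constructed sample record (all values fictitious).
SAMPLE_RECORD = {
    "name": "Test Patient", "aadhaar": "1234 5678 9012", "pan": "ABCDE1234F",
    "state": "Karnataka", "pin_code": "560001", "birth_date": "1980-05-17",
    "admission_date": "2016-02-03", "diagnosis": "Type 2 diabetes",
    "notes": "Patient reachable at 9876543210 or test.patient@example.com; Aadhaar 1234 5678 9012.",
}
```

Field-name filtering alone is not enough in practice, which is why the free-text pass exists: identifiers routinely appear inside clinical notes.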

Applicable legislation details:

The existing Indian laws, including but not limited to the IT Act 2000 as amended from time to time, will prevail at all times.