Protecting patient data: Indian data protection framework

By Mathew Chacko, Aadya Misra, and Shambhavi Mishra, Spice Route Legal

The Indian healthcare sector is expected to grow into a USD50 billion industry by 2025 due to digital innovation, such as in remote healthcare, medtech, and artificial intelligence. However, cyberattacks on AIIMS Delhi, a premier Indian healthcare institution, demonstrate the importance of robust data privacy laws that protect health data and encourage innovation. This is the first of a two-part series on Indian health data protection laws and looks at present laws.


No single Indian law specifically regulates health data processing. Relevant laws include the Information Technology Act, 2000, and rules and directions under it, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (rules), and cybersecurity directions issued by the Indian Computer Emergency Response Team, India’s cybersecurity regulator. The rules do not differentiate between controllers and processors and apply to all body corporates, which include companies, firms, sole proprietorships, or other associations of individuals engaged in commercial or professional activities. Most healthcare providers, including hospitals, clinics, and independent practitioners are body corporates and must comply with the rules. The rules impose additional obligations on the processing of “sensitive personal data or information” (SPDI), which includes data on the health conditions of individuals and their medical records.

The sole ground for collecting SPDI under the rules is consent. The rules also impose obligations such as transparency, purpose limitation and data minimisation, and they give individuals rights of access, correction, consent withdrawal and grievance redressal.


Laws governing clinical establishments such as hospitals, clinics, nursing homes, dispensaries, and other healthcare facilities impose only limited data protection obligations on them. The Charter of Patient Rights and Responsibilities issued under the Clinical Establishments (Registration and Regulation) Act, 2010 (a central model law issued for states and union territories), gives individuals rights to confidentiality and privacy. Patients may access their medical records and consent to their digitisation.

Laws regulating medical professionals such as doctors and pharmacists also impose confidentiality obligations. The code of ethics issued under the National Medical Commission Act, 2019, requires physicians to give patients access to their medical records on request. Doctors must keep patient data confidential unless disclosure is required by law or necessary to prevent the spread of a communicable disease. Patients may complain to state medical councils, which are active in investigating allegations of doctor misconduct. Pharmacists have similar obligations under the Pharmacy Act, 1948.


Laws protecting certain individuals or regulating the care of specific health concerns also impose privacy obligations on healthcare organisations. These include laws on the termination of pregnancies and the provision of care to those with mental illnesses.

The government has launched the Ayushman Bharat Digital Mission (ABDM) to build India’s digital health infrastructure. It brings together policymakers, healthcare providers, and private entities such as insurers and health-tech companies. Its aims include creating registries of healthcare providers and strengthening health information systems. ABDM participants must comply with the Health Data Management Policy. The policy is similar to the GDPR and differentiates between data fiduciaries and processors. The sole ground for processing sensitive health data under the policy is the consent of the individual.

Existing Indian laws are inadequate to deal with the increasing risk of cyberattacks. Healthcare organisations face the compromise of patient data, regulatory sanctions and fines, litigation, and the loss of consumer trust. To limit the fallout from cybersecurity lapses, healthcare providers must comply with the data protection laws that do apply to them. Perhaps it is time for detailed rules on health data.

Mathew Chacko is a partner, Aadya Misra is a senior associate and Shambhavi Mishra is an associate at Spice Route Legal.
