Health provider obligations in securing patient information

By Mathew Chacko, Aadya Misra and Shambhavi Mishra, Spice Route Legal

This, the second in a two-part series on health data protection law, examines the impact of the Digital Personal Data Protection Act, 2023 (DPDPA), on healthcare organisations.

The DPDPA was enacted in 2023 but is not yet in effect. It regulates personal data processing by data fiduciaries, the entities that determine the purposes and means of processing personal data. Hospitals, clinical establishments, laboratories and clinical research organisations will likely be data fiduciaries. The DPDPA does not regulate data processors, which are entities that process personal data on behalf of data fiduciaries. Judging by global standards, health-tech providers and businesses offering IT systems, cloud computing, health record management and health app services are likely to be classified as data processors.


However, if such organisations determine the means and purposes of processing, they will be data fiduciaries. A health technology B2B data analysis entity using personal data provided by its customers to improve its business or train its AI or ML models would be a data fiduciary. Many players in India offer services to companies outside the country without handling Indian residents’ personal data. Such arrangements enjoy exemptions under the DPDPA.

Personal data may only be processed with the consent of individuals or for certain legitimate uses, which include an individual voluntarily providing data, responses to medical emergencies, medical treatment in epidemics or public health events and services in disasters or public order breakdowns. Contrary to existing legislation, the DPDPA allows healthcare organisations to process health data on grounds other than consent. Informed consent requirements under sectoral laws, such as those regulating clinical trials, will continue to apply. While healthcare providers are used to seeking manual patient consent, the DPDPA will require them to institute digital consent management.


Data fiduciaries must implement reasonable security safeguards to prevent personal data breaches, but the DPDPA does not specify them. Healthcare providers should undertake due diligence and implement appropriate security safeguards. Industry guidance is a useful starting point. For instance, the Electronic Health Records Standards, 2016, applicable to healthcare providers, require regulated entities to implement measures and have security certifications to protect electronic health records. Breach notification protocols must also be in place because data fiduciaries will have to report personal data breaches to the Data Protection Board of India and affected individuals. This differs from existing standards, which do not require reports to affected individuals. Healthcare providers should review their cyber crisis management protocols, train staff in breach management and take out appropriate cyber liability cover.

The DPDPA does not prescribe general localisation. However, cross-border transfers to countries subject to specific government prohibitions will not be allowed. Additionally, sectoral localisation requirements will continue to apply. For example, cross-border transfers of biological materials and data, especially relating to clinical trials and medical research, usually require the regulators’ and internal ethics committee approvals. Such requirements are unlikely to be relaxed.


Data fiduciaries must enable individual rights, including those of access, correction and erasure of personal data where consent is the basis of processing. Data principals must have access to grievance redress and the right to nominate individuals to exercise their DPDPA rights should they die or be incapacitated. Healthcare entities must consider the ramifications of such rights and invest in patient management IT systems and personnel training. For example, patients may request the results of recruitment-linked health checks be amended; healthcare providers must be able to verify the authenticity of such requests. Healthcare organisations will have to ensure that in case of death or incapacity, nominees are validly authorised.

The government will likely implement the DPDPA soon and phase in compliance during 2024. This will be useful in mitigating the risks of cyberattacks on the health industry and ensuring patient confidentiality.

Mathew Chacko is a partner, Aadya Misra is a counsel and Shambhavi Mishra is an associate at Spice Route Legal.
