Healthcare Sector: Preparation for Data Privacy Regulations
The healthcare industry is one of the most sensitive sectors when it comes to data privacy as it collects a diverse range of personal information that includes patient demographics, medical histories, test results, insurance details, genetic data, and family medical histories for purposes of diagnosis and prognosis. Sensitive personal data such as biometrics, mental health records, and information on substance abuse treatments are also commonly collected. These details are vital for diagnosis, treatment, billing, insurance claims, and medical research. With the advent of advanced technologies like Artificial Intelligence (“AI”), Machine Learning (“ML”), and cloud computing, healthcare providers are increasingly reliant on digital systems to collect, store, process, analyse and share patient information.
Key players of the healthcare industry are hospitals, private clinics, diagnostic laboratories, insurance companies, pharmaceutical firms, telemedicine providers, digital health platforms and healthcare technology companies that develop AI-based diagnostic tools and health apps. Each of these entities interacts with patient data for various purposes, making them integral stakeholders.
Currently, the protection of sensitive personal data is regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the Information Technology Act, 2000 alongside sector-specific guidelines. The Electronic Health Record Standards, 2016 (“EHR Standards”)[1], emphasize safeguarding Protected Health Information with consent as a key principle for disclosures. Sectoral guidelines outline data protection measures, confidentiality requirements, and research-related responsibilities. Additionally, the Telemedicine Practice Guidelines, 2020[2] mandate secure management of medical records, privacy safeguards, and adherence to ethical practices in healthcare data management.
DPDP Act
The Digital Personal Data Protection Act, 2023 (“DPDP Act”), which has been passed by Parliament but is not yet operational, governs ‘digital personal data’ of individuals. The legislation mandates data fiduciaries (those who collect and decide on the processing of individuals’ personal data, e.g. hospitals or medical practitioners) to abide by strict obligations when collecting and handling such data. The DPDP Act also provides certain rights to data principals (those whose data is collected, e.g. patients or family members) to ensure their control over their own personal data.
As soon as the DPDP Act becomes operational, data fiduciaries will have to follow many obligations, including a major overhaul of their systems to uphold the rights of data principals. In this article, we have attempted to highlight a few issues that will arise once the DPDP Act becomes operational.
Patient not the only Data Principal
The data principal in the healthcare sector is often understood to be a patient, as they are the primary subjects of the data collected, processed, and stored. However, this interpretation cannot be limited to patients alone especially when the understanding of ‘personal information’ is wide under the legislation. In many cases, data is collected and processed for other related individuals, such as caregivers, legal guardians, or parents in the case of minors, or even family members when genetic or hereditary information is involved. For instance, the medical history of a family member might be relevant for diagnostic purposes or treatment plans, making them indirect data principals.
Additionally, in scenarios involving third-party insurance claims, the policyholder—who may not necessarily be the patient—also becomes a data principal. This broader interpretation ensures that all individuals whose data is collected and processed in the healthcare ecosystem are afforded the protections and rights under the DPDP Act. Healthcare providers must therefore identify all relevant data principals and ensure compliance with consent and data handling obligations for each of them.
Obtaining Consent at Multiple Stages and in Emergencies
Consent is the cornerstone of lawful data processing under the DPDP Act. Patients are often unaware of how their data is being processed and shared. Under the obligations imposed by the DPDP Act, consent must be freely given, specific, informed, and unambiguous.
In the healthcare sector, consent will be required at multiple stages. Initially, it will have to be sought at the time of data collection for diagnosis, prescriptions, treatment, or other medical purposes. Before data is shared with any third party, such as an insurance company or diagnostic centre, that receives and handles the data in order to provide its services, data principals must be informed. Furthermore, secondary uses, such as medical research or AI-based analytics, will necessitate separate and explicit consent. Importantly, patients must retain the ability to withdraw consent at any time, with clear communication on the implications of doing so. All such consent will need to be obtained digitally, requiring hospitals to implement consent management systems. Individual practitioners will also need to establish similar mechanisms to ensure compliance with these requirements.
Practical difficulties may arise when consent has to be obtained during emergencies.
Only Relevant Data to be Collected
The healthcare industry collects a wide range of data, including patient demographics, medical histories, test results, insurance details, and even family medical histories. However, some data often collected by the industry may not be strictly relevant to the purpose at hand. For example, recording a patient’s marital status for a blood test might not be directly relevant to the medical procedure but is still commonly included in patient records. This highlights the need for a comprehensive review of data collection practices to align with the principles of relevance, necessity and fundamental philosophy of ‘Privacy by Design’.
Record Maintenance & Deletion Obligations
The DPDP Act does not specify exact timelines for record retention. However, it emphasizes that personal data should not be retained longer than necessary to fulfil the purpose for which it was collected. Furthermore, upon a request from the data principal, organizations must delete the data unless otherwise required by law. The legislation also provides that where specific regulations mandate retention timelines for sectors, those sectoral regulations take precedence over the general requirement under the DPDP Act.
In the healthcare sector, specific regulatory frameworks must be considered. For instance, the National Medical Commission, under its National Medical Commission Registered Medical Practitioner (Professional Conduct) Regulations 2023[3], requires registered medical practitioners to maintain patient records for at least three years from the commencement of treatment. Additionally, the Ministry of Health & Family Welfare’s Electronic Health Records Standards, 2016[4] mandate that patient data should be preserved for the patient’s lifetime and for a minimum of three years following the demise.
Consequently, healthcare providers must balance compliance with both the DPDP Act and specific regulations. A mere request from the data principal or their legal heirs to delete records may need to be assessed considering these sectoral regulations.
Liabilities for sharing Data with Multiple Stakeholders
When patient data is shared with multiple contacts or subject matter experts, each party handling the data is considered a data fiduciary under the DPDP Act. This raises questions about responsibility. The healthcare provider that initiates the data collection, for instance a hospital, bears primary responsibility for ensuring that patient consent is valid and specific. Each data fiduciary receiving the data must also comply with the DPDP Act’s requirements, ensuring data protection and use only for the agreed purposes. If one data fiduciary is compliant and another is not, the original healthcare provider could face liability unless robust contractual safeguards are in place.
Hospitals frequently share data with third parties such as insurance companies, diagnostic centres, and research bodies. To mitigate risks, contracts must include data protection clauses to ensure that all data fiduciaries comply with applicable data protection laws, audit rights granting the hospital the right to periodically audit the third party’s data protection practices, and indemnity clauses holding the third party liable for breaches. While hospitals cannot control external servers, they may require third parties to implement encryption, access controls, and secure storage practices.
Cross-border data transfers are permitted under the DPDP Act with patient consent and if the receiving country’s data protection standards are adequate. However, practical issues arise in ensuring compliance across jurisdictions, verifying the adequacy of foreign laws, and addressing potential loopholes in enforcement. Remedies include drafting detailed contractual clauses with foreign entities and leveraging international agreements or frameworks like GDPR adequacy decisions.
Right to Nominate and Data Breach Post-Mortem
The DPDP Act introduces a concept of ‘right to nominate’, enabling individuals to designate a nominee who can exercise their data protection rights after their death. This is particularly significant in the healthcare context, where sensitive data continues to hold importance even after a patient’s demise. In cases of a data breach discovered posthumously, the nominee or the deceased’s legal heirs can seek remedies on behalf of the deceased. This includes filing complaints with the Data Protection Board and pursuing claims for damages against non-compliant data fiduciaries. Hospitals and healthcare providers must maintain robust systems to ensure that data breaches are promptly addressed and that the rights of the nominee are respected, further underscoring the need for stringent data governance practices.
Grievance Redressal Mechanism
Patients have the right to seek correction, deletion, and erasure of their personal data, as well as request full disclosure of other data processors and fiduciaries handling such data. While this mechanism appears robust, the law remains unclear on many aspects, which could pose significant operational challenges for the healthcare industry. One key challenge is the lack of precise turnaround timelines for grievance redressal. The absence of defined timelines could lead to delays and inconsistencies, compounded by the unnecessary duplication of authorities empowered to resolve grievances. This lack of clarity creates confusion for patients seeking remedies and complicates compliance efforts for healthcare providers.
Another issue arises from the involvement of multiple data fiduciaries and processors in handling patient data. Greater clarity is required on the source of responsibility and the expected speed of remedial action, particularly when various parties are involved in processing or storing the data.
Additionally, given the sheer volume of data that hospitals and healthcare providers handle daily, there is a risk of minor non-compliances occurring inadvertently. Imposing heavy penalties in such cases seems unreasonable, as it poses serious reputational risks for healthcare providers. A graded approach to enforcement, based on the severity and potential impact of the non-compliance, would likely be more practical and effective.
Implementation of Robust Security Measures
To effectively comply with the requirement of robust data protection practices, the healthcare industry will need to upgrade its security and digital systems drastically, which comes at a high cost. Large organisations will, therefore, need the specialised support of an expert such as a Chief Information Security Officer (“CISO”) to design and implement data privacy policies. A CISO is a technically trained professional with sufficient background in operating IT systems who can assist in identifying vulnerabilities in internal and external IT systems, thereby minimising the risk of data breaches. A CISO’s presence is critical during employee awareness training on how to operate and handle the organisation’s internal IT systems safely.
In times to come, in order to achieve a higher rate of practical compliance and efficiency, data fiduciaries will need to collaborate with a CISO when preparing data privacy policies, compliance roadmaps, risk identification measures, incident response plans and third-party risk management.
Conclusion
The healthcare industry faces unique challenges in balancing patient care, research needs, and data protection compliance. Implementing robust consent mechanisms, contractual safeguards, and technical controls is essential for navigating the complexities of data privacy laws like the DPDP Act. Compliance not only builds trust with patients but also mitigates the risks of legal and reputational damage, ensuring a sustainable framework for data governance in healthcare. However, achieving compliance requires more than legal mandates; it calls for proper handholding and guidance tailored to the healthcare sector’s operational realities. The industry needs practical frameworks, capacity-building initiatives, and detailed guidelines that account for the diversity in scale, revenue, and data-handling practices among healthcare entities. Smaller clinics and individual practitioners, for example, may need access to affordable compliance tools and resources, while larger organizations might require specialized expertise in privacy technologies and cross-border data management.
The rules under the DPDP Act, as and when announced, must provide clarity about the obligations of each player in the healthcare ecosystem. These rules should ensure that compliance is fair and scalable, considering factors such as the scale of operations, revenue, and the nature of data collected. Collaborative efforts between regulators, industry stakeholders, and technology providers can help create a supportive environment that enables healthcare organizations to meet compliance requirements without compromising on patient care or innovation.
Authors:
Rashmi Deshpande, Founder – Fountainhead Legal
Boski Sharma – Independent Data Privacy Lawyer
[1] https://esanjeevani.mohfw.gov.in/assets/guidelines/ehr_guidlines.pdf
[2] https://esanjeevani.mohfw.gov.in/assets/guidelines/Telemedicine_Practice_Guidelines.pdf
[3] https://www.nmc.org.in/rules-regulations/national-medical-commission-registered-medical-practitioner-professional-conduct-regulations-2023-reg/
[4] https://esanjeevani.mohfw.gov.in/assets/guidelines/ehr_guidlines.pdf