Health Privacy in India by manan chhabra
HEALTH PRIVACY
IN INDIA
MANAN CHHABRA 3/10/16 11FLUHH010219
1 Contents
2 Introduction
3 Legislations
4 Case laws
5 Indian Position: Evolving Standards
6 Right to Privacy in India
7 Recent Developments
8 Key Recommendations
9 Conclusion
2 Introduction
Confidentiality and privacy are essential to all trusting relationships, such as that between
patients and doctors. Moreover, in a healthcare context, patient confidentiality and the protection
of privacy is the foundation of the doctor-patient relationship. Patients must feel comfortable
sharing private information about their bodily functions, physical and sexual activities, and
medical history. Healthcare personnel must acquire, process, store, retrieve and transfer clinical,
administrative and financial health information as healthcare is an extremely information
intensive and sensitive industry. The unfortunate aspect of the robust data flows is the inherent
problem of the misuse of information, disclosure of confidential information and risk of privacy
violations.
To this date, there exists no universally acceptable definition of the right to privacy. It is a
continuously evolving concept whose nature and extent is largely context driven. There are
numerous aspects to the right to privacy, each different from the other in terms of the
circumstance in which it is invoked. Bodily privacy, however, is to date the most guarded facet
of this vastly expansive right. The privacy over one’s own body, including the organs, genetic
material and biological functions that make up one’s health, is an inherent right that does not, as
in the case of other forms of privacy such as communication or transactional privacy, emanate
from the State. It is a right that has its foundations in the Natural Law conceptions of The Right
to Life, which although regulated by the State can at no point be taken away by it except under
extreme circumstances of a superseding Right to Life of a larger number of people.
The deliberation leading to the construction of a universally applicable Right to Privacy has up
until now however only been in terms of its interpretation as an extension of the Fundamental
Right to Life and Liberty as guaranteed under Article 21 as well as the freedom of expression
and movement under Articles 19(1) (a) and (b) of the Constitution of India. While this may be a
valid interpretation, it narrows the ambit of the right as one that can only be exercised against the
State. The Right to privacy however has much larger implications in spheres that are often
removed from the State. There is thus an impending need to create an efficient and durable
structure of Law and policy that regulates the protection of privacy in Institutions that may not
always be agents of the State.
From tracking unauthorized drug prescriptions to assessing the effect of different treatments on
patients, the ability to automatically process data provided by thousands of patients has proven
invaluable to healthcare service providers globally. It has also become important for healthcare
providers to consider patient privacy and data security in the utilization of patient data, especially
where such information has stigmatizing consequences.
3 Legislations
Epidemic Diseases Act, 1897
The Epidemic Diseases Act, 1897 was brought into force for the purpose of preventing the spread of
epidemic diseases. Implicit in the Epidemic Diseases Act, 1897 is the assumption that in the case
of infectious diseases, the rights, including the right to privacy, of infected individuals must give
way to the overriding interest of protecting public health. Because of the nature of the Act, the
principles of access and correction, choice and consent, and notice do not apply to this Act.
Under the Epidemic Diseases Act, 1897, if any part of the state is “visited by, or threatened with
an outbreak of any dangerous epidemic disease”, the state government can enforce certain
measures and prescribe regulations to prevent the outbreak or spread of a disease. Such measures
may include “inspection of persons travelling by railway or otherwise, and the segregation, in
hospital, temporary accommodation or otherwise, of persons suspected by the inspecting officer
of being infected with any such disease.” Additionally, the Central Government may take
measures including the inspection of any ship or vessel and detention of any person leaving or
arriving at any port.
Mental Health Act, 1987
The Provisions under the Act pertaining to the protection of privacy of the patient have been
examined. The principles embodied within the Act include aspects of the Law that determine the
nature and extent of oversight exercised by the relevant authorities over the collection of
information, the limitation on the collection of data and the restrictions on the disclosure of the
data collected. The principle of oversight is embodied under the legislation within the provisions
that allow for the inspection of records in psychiatric hospitals and nursing homes only by
officers authorized by the State Government. The limitation on the collection of information is
imposed through the inspection of living conditions by a psychiatrist and two social workers on a
monthly basis. This would include analyzing the living condition of every patient and the
administrative processes of the psychiatric hospital and/or psychiatric nursing
home. Additionally, Visitors must maintain a book regarding their observations and
remarks. Medical certificates may be issued by a doctor, containing information regarding the
nature and degree of the mental disorder as reasons for the detention of a person in a psychiatric
hospital or psychiatric nursing home. Lastly, the disclosure of personal records of any facility
under this Act by inspecting officers is prohibited.
Pre-Conception and Pre-Natal Diagnostic Techniques (Prohibition of Sex Selection) Act,
1994
The Act was instituted in light of a prevalent public interest consideration of preventing female
foeticide. However, it is imperative that the provision of the Act remain just shy of unnecessarily
intrusive techniques and do not violate the basic human requirement of privacy in an inherently
personal sphere. The procedure that a mother has to follow in order to avail of pre-natal
diagnostic testing is mandatory consent of age, abortion history and family history. These
conditions require a woman to reveal sensitive information concerning family history of mental
retardation or physical deformities. Special concern for privacy and confidentiality should be
exercised with regard to disclosure of genetic information.1
Medical Termination of Pregnancy Act, 1971
Although the right to an abortion is afforded to a woman within the construct of her inherent
right to bodily privacy, decisional privacy (e.g., autonomy and choice in medical decision-
making) is not afforded to patients and their families with regard to determining the sex of the
baby. The sections of the Act that have been examined lay down the provisions available within
the Act to facilitate the protection of a woman’s right to privacy during the possible termination
of a pregnancy. These include the principles pertaining to the choice and consent of the patient to
undergo the procedure, a limit on the amount of information that can be collected from the
patient, the prevention of disclosure of sensitive information and the security measures in place
to prevent the unauthorized access to this information. The Medical Termination of Pregnancy
Regulations, 2003 supplement the Act and provide relevant restrictions within everyday
practices of data collection, use and storage in order to protect the privacy of patients. The Act
mandates written consent of the patient in order to facilitate an abortion. Consent implies that
the patient is aware of all her options, has been counselled about the procedure, the risks and
post-abortion care. The Act prohibits the disclosure of matters relating to treatment for
termination of pregnancy to anyone other than the Chief Medical Officer of the State. The
Register of women who have terminated their pregnancy, as maintained by the hospital, must be
destroyed on the expiry of a period of five years from the date of the last entry. The Act also
emphasizes the security of information collected. The medical practitioner assigns a serial
number for the woman terminating her pregnancy. Additionally, the admission register is stored
in safe custody of the head of the hospital.2
Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002
(Code of Ethics Regulations, 2002)
1 Pre-Conception and Pre-Natal Diagnostic Techniques (Prohibition of Sex Selection) Act, 1994, s. 4(2). Pre-natal diagnostic techniques shall be conducted for the purposes of detection of: chromosomal abnormalities, genetic metabolic diseases, haemoglobinopathies, sex-linked genetic diseases, congenital anomalies, and any other abnormalities or diseases as may be specified by the Central Supervisory Board.
2 Medical Termination of Pregnancy Regulations, 2003, Regulations 4(2) and 4(4).
The Medical Council of India (MCI) Code of Ethics Regulations sets the professional standards
for medical practice. These provisions regulate the nature and extent of doctor patient
confidentiality. It also establishes universally recognized norms pertaining to consent to a
particular medical procedure and sets the institutionally acceptable limit for intrusive procedure
or gathering excessively personal information when it is not mandatorily required for the said
procedure. The provisions addressed under these regulations pertain to the security of the
information collected by medical practitioners and the nature of doctor-patient confidentiality.
Physicians are obliged to protect the confidentiality of patients during all stages of the procedure
and with regard to all aspects of the information provided by the patient to the doctor, including
information relating to their personal and domestic lives. The only exception to this mandate of
confidentiality is if the law requires the revelation of certain information, or if there is a serious
and identifiable risk to a specific person and / or community of a notifiable disease.
Ethical Guidelines for Biomedical Research on Human Subjects 3
The provisions for the regulation of privacy pertaining to biomedical research include aspects of
consent as well as a limitation on the information that may be collected and its subsequent use.
The provisions of this act aim to regulate the protection of privacy during clinical trials and
during other methods of research. The principle of informed consent is an integral part of this set
of guidelines. The Privacy related information included in the participant/ patient information
sheet includes: the choice to prevent the use of their biological sample, the extent to which
confidentiality of records could be maintained and the consequences of breach of confidentiality,
possible current and future uses of the biological material and of the data to be generated from
the research and if the material is likely to be used for secondary purposes or would be shared
with others, the risk of discovery of biologically sensitive information and publications,
including photographs and pedigree charts.4 The Guidelines require special concern for privacy
and confidentiality when conducting genetic family studies.5 The protection of privacy and
maintenance of confidentiality, specifically surrounding the identity and records, is maintained
3 Ethical Guidelines for Biomedical Research on Human Subjects (2006). Indian Council of Medical Research, New Delhi.
4 Informed Consent Process, Ethical Guidelines for Biomedical Research on Human Subjects (2006). Indian Council of Medical Research, New Delhi. 21.
5 Statement of Specific Principles for Human Genetics Research, Ethical Guidelines for Biomedical Research on Human Subjects (2000). Indian Council of Medical Research, New Delhi. 62.
when using the information or genetic material provided by participants for research
purposes. The Guidelines require investigators to maintain confidentiality of epidemiological
data due to the particular concern that some population based data may also have implications on
issues like national security or public safety.6 All documentation and communication of the
Institutional Ethics Committee (IEC) must be dated, filed and preserved according to the written
procedures. Data of individual participants can be disclosed in a court of law under the orders of
the presiding judge, if there is a threat to a person’s life, communication to the drug registration
authority regarding cases of severe adverse reaction and communication to the health authority if
there is risk to public health.
Insurance Regulatory and Development Authority (Third Party Administrators) Health
Services Regulations, 2001
The provisions of the Act that have been addressed within the scope of the study regulate the
practices of third party administrators within the healthcare sector so as to ensure their
compliance with the basic principles of privacy. An exception to the maintenance and
confidentiality of information clause in the code of conduct requires TPAs to
provide relevant information to any Court of Law/Tribunal, the Government, or the Authority in
the case of any investigation carried out or proposed to be carried out by the Authority against
the insurance company, TPA or any other person or for any other reason. In July 2010, the IRDA
notified the Insurance Regulatory and Development Authority (Sharing of Database for
Distribution of Insurance Products) Regulations. These regulations restrict referral
companies from providing details of their customers without their prior consent. TPAs must
maintain the confidentiality of the data collected by them in the course of their agreement and maintain
proper records of all transactions carried out by them on behalf of an insurance company, and are
also required to refrain from trading information and the records of their business. TPAs must keep
records for a period of not less than three years.
4 Case laws
6 Statement of Specific Principles for Epidemiological Studies, Ethical Guidelines for Biomedical Research on Human Subjects (2000). Indian Council of Medical Research, New Delhi. P. 56.
The following cases have been used to deliberate upon important points of contention within the
ambit of the implementation and impact of Privacy Regulations in the healthcare sector. This
includes the nature and extent of privacy enjoyed by the patient and instances where in the
privacy of the patient can be compromised in light of public interest considerations.
Mr. Surupsingh Hrya Naik vs. State of Maharashtra,7 (2007)
The decision in this case held that The RTI Act 2005 would supersede The Medical Council
Code of Ethics. The health records of an individual in judicial custody should be made available
under the Act and can only be denied in exceptional cases, for valid reasons.
Since the Code of Ethics Regulations are only delegated legislation, it was held in the case
of Mr. Surupsingh Hrya Naik v. State of Maharashtra that these would not prevail over the Right
to Information Act, 2005 (RTI Act) unless the information sought falls under the exceptions
contained in Section 8 of the RTI Act. This case dealt with the important point of contention of
whether making the health records public under the RTI Act would constitute a violation of the
right to privacy. These health records were required to determine why the convict in question
was allowed to stay in a hospital as opposed to prison. In this context the Bombay High Court
held that the Right to Information Act supersedes the regulations that mandate the confidentiality
of a person’s, or in this case a convict’s, medical records. It was held that the medical records of a
person sentenced or convicted or remanded to police or judicial custody, if during that period
such person is admitted to a hospital or nursing home, should be made available to the person
asking for the information, provided such hospital or nursing home is maintained by the State or Public
Authority or any other Public Body. It is only in rare and exceptional cases, and for good and
valid reasons recorded in writing, that the information may be denied.
Radiological & Imaging Association v. Union of India,8 (2011)
On 14 January 2011 a circular was issued by the Collector and District Magistrate, Kolhapur
requiring the Radiologists and Sonologists to submit an on-line form “F” under the PNDT Rules.
This was challenged by the Radiological and Imaging Association, inter alia, on the ground that
it violates the privacy of their patients. Deciding the above issue the Bombay High Court held
7 http://www.indiankanoon.org/doc/570038/
8 http://www.indiankanoon.org/doc/680703/
that the images stored in the silent observer are not transmitted on-line to any server and thus
remain embedded in the ultra-sound machine. Further, the silent observer is to be opened only on
request of the Collector/ the civil surgeon in the presence of the concerned
radiologist/sonologist/doctor in charge of the Ultra-sound Clinic. In light of these considerations
and the fact that the `F' form submitted on-line is submitted only to the Collector and District
Magistrate, there is no violation of the doctor's duty of confidentiality or the patient's right to privacy. It
was further observed that the contours of the right to privacy must be circumscribed by the
compelling public interest flowing through each and every provision of the PC&PNDT Act,
when read in the background of the following figures of declining sex ratio in the last five
decades.
The use of a Silent Observer system on a sonograph has requisite safeguards and doesn’t violate
privacy rights. The declining sex ratio of the country was considered a compelling public
interest that could supersede the right to privacy.
5 Indian Position: Evolving Standards
No specific legislation regarding the disclosure of medical records exists in India. Under the Indian Medical Council Regulations, however, every medical professional is obligated to maintain physician-patient confidentiality. While a physician disclosing personal information about his or her patients could be held guilty of professional misconduct, this obligation does not extend to other persons responsible for processing patient data,9 either under the mandate of a state body or a body corporate. Physicians are only allowed to disclose patient information to public health authorities in limited circumstances, such as in case of a “serious and identified risk to a specific person and/ or community”.
6 Right to Privacy in India
Contrary to the trend in the UK and US, the Indian judiciary has carved out the right to privacy
as an exception to the rule that permits interference by public authorities in an individual’s
9 Medical Council Regulations, Rule 1.1 (‘Character of Physician’ covers only “Doctors with qualification of MBBS or MBBS with post-graduate degree/diploma or with equivalent qualification in any medical discipline” are covered under the Regulations).
private life. The Supreme Court has on several occasions emphasized that the right to privacy is
not an absolute right.10 Instead, the Court has chosen to adopt a case-by-case approach in the
interpretation of the right to privacy. There have been instances where the Court has allowed a
hospital to inform the patient’s future spouse about his HIV positive status. The rationale for
disclosure in such cases has been the public welfare argument that the negligent spreading of an
infectious disease is an offence against public safety.
In resolving the clash between the “right to be let alone” and the “greater good” of the public, the
judiciary has leaned towards favoring public interest over individual privacy. In Sharda v.
Dharmpal, a husband filed for divorce on the basis that his wife was mentally ill. In order to
prove this fact, the wife was compelled to undergo a medical examination. She claimed that
being forced to do so without her consent would be violative of her personal liberty. After stating
that the “right to privacy” is not an absolute right, the Court held that the absence of such data
would make it impossible to reach a decision on the facts of the case.
7 Recent Developments
The Information Technology Act, 2000, has had several amendments in the last couple of years
that have expanded and changed the law according to the latest technological innovations. The
IT Rules introduced in 2011, define ‘sensitive personal data’ for the first time in India.11 The
Rules stipulate that a body corporate collecting such sensitive personal data shall obtain written
consent from the provider of said data. This data can only be collected for a lawful purpose,
which is connected to the working of the body corporate. The body should also make sure that
the data provider is made aware of the fact that such information is being collected. The provider
should be made aware of the reasons for which such information is being collected and of the
identity of the persons who intend to receive such information.
10 See Sharda v. Dharmpal, AIR 2003 SC 3450 (“Assuming that the fundamental rights explicitly guaranteed to a citizen have penumbral zones and that the right to privacy is itself a fundamental right, such fundamental right must be subject to restriction on the basis of compelling public interest.” The petitioner had had an abortion and refused to be subject to a DNA test ordered by the Court, at the instance of her husband. The Court did not recognize the petitioner’s right to privacy in this matter, citing public interest); see also Selvi v. State of Karnataka, (2010) 7 SCC 263; Ms. X v. Mr. Z, 96 (2002) DLT 354.
11 Information Technology Rules, 2011, Rule 3 (Sensitive Personal Data includes information relating to the physical, physiological and mental health condition, sexual orientation, medical records and history and biometric information of an individual).
There are very few instances in which sensitive personal data can be disclosed to a third party,
such as when under a previous contract, the provider has consented to such disclosure by the
body corporate. Government agencies can collect such information without prior consent, subject
to the condition that the information is collected for certain specified purposes alone and that
those purposes are made known to the individual. The only basis on which a body corporate in
India can send data to other such bodies (whether within or outside India) is if they maintain the
same level of data protection.
One of the main lobbyists for this position is the International Pharmaceutical Privacy
Consortium (IPCC), which deals with the promotion of sound policies for patient privacy in
pharmaceutical companies that have operations in India. Their position is that pharmaceutical
companies are responsible for the safety of their products, which require them to provide patients
with identifiable information in dealing with reports regarding adverse reactions to drugs. It is
imperative, therefore, for these companies to continue collecting personal health data to ensure
proper application of safety measures. If the recommended good practices for pharmaceutical
companies were to be properly implemented, such companies would have to keep track of
information about patients using the drug and physicians prescribing them. Additionally, as per
the regulatory requirements governing US companies operating in India, following up with
patients on the effects of the drug is mandatory, which requires them to retain a patient’s SPD in
order to perform these follow-ups.
According to the IPCC, the IT Rules could bring to a halt important biomedical research that
involves personal health data. Even though it is largely undisputed that consent is important to
prevent physical harms, they argue that it is now being used to prevent non-physical harms like
privacy and confidentiality. Biomedical research largely consists of “key-coded” data. This data
is mainly stored in order to facilitate additional research purposes in the future. Since secondary
research branching out from the primary research cannot be determined during the first stage,
researchers will have to obtain private medical information relating to the patients. Such
information should, however, be de-identified as researchers do not specifically need to know the
identity of the patient group. It is anticipated that the Rules may substantially hamper this
process because it would require companies to get in touch with the patients to obtain their
consent. This may even lead to a reduction in the number of consenting patients, even if they
know that the information being provided will be partially de-identified. Notwithstanding the
obvious relevance of ethics in these situations, the principles of data protection and patient
privacy should factor in biomedical research as an important permitted use.
Currently, the Indian lobby for pharmacovigilance (the study and prevention of adverse effects of
a drug) like the IPCC consists mainly of conglomerates in the pharmaceutical industry. They
advocate the use of partially de-identified information towards advancing medical research that
could lead to the discovery of novel treatments. Their support for the use of pseudonymised (or
partially de-identified) information could, however, lead to an erosion of the principles of data
privacy.
8 Key Recommendations
It is imperative that privacy concerns relating to the transnational flow of private data be
addressed in the most efficient way possible. This would involve international cooperation and
collaboration to address privacy concerns including clear provisions and the development of
coherent minimum standards pertaining to international data transfer agreements. This exchange
of ideas and multilateral deliberation would result in creating more efficient methods of applying
the provisions of privacy legislation even within domestic jurisdictions.
There is a universal need for the development of a foundational structure for the physical
collection, use and storage of human biological specimens (in contrast to the personal
information that may be derived from those specimens) as these are extremely important aspects
of biomedical research and clinical trials. The need for Privacy Impact Assessments would also
arise in the context of clinical trials, research studies and the gathering of biomedical data.
Further, there also arises the need for patients to be allowed to request the deletion of their
personal information once it has served the purpose for which it was obtained. The keeping of
records for extended periods of time by hospitals and laboratories is unnecessary and can often
result in the unauthorized access to and subsequent misuse of such data.
There is a definitive need to ensure the incorporation of safeguards to regulate the protection of
patients’ data once accessed by third parties, such as insurance companies. In the Indian context
as well, insurance agencies often have unrestricted access to a patient's medical records;
however, there is a definitive lack of sufficient safeguards to ensure that this information is not
released to or accessed by unauthorized persons either within these insurance agencies or
outsourced consultants.
The system of identifiers which allocate specific numbers to an individual’s data which can only
be accessed using that specific number or series of numbers can be incorporated into the Indian
system as well and can simplify the administrative process thus increasing its efficacy. This
would afford individuals the privilege of anonymity while entering into transactions with specific
healthcare institutions.
An important means of responding to public concerns over potential unauthorized use of
personal information gathered for research, could be through the issuing of Certificates of
confidentiality as issued in the United States to protect sensitive information on research
participants from forced disclosure. 12
Additionally, it is imperative that frequent discussions, deliberations, conferences and
roundtables take place involving multiple stakeholders from the healthcare sector, insurance
companies, patients’ rights advocacy groups and the government. This would aid in evolving a
comprehensive policy that would aid in the protection of privacy in the healthcare sector in an
efficient and collusive manner.
9 Conclusion
The Right to Privacy has been embodied in a multitude of domestic legislations pertaining to the
healthcare sector. The privacy principles envisioned in the A.P Shah Committee report have also
been incorporated into the everyday practices of healthcare institutions to the greatest possible
extent. There are however significant gaps in the policy formulation that essentially do not
account for the data once it has been collected or its subsequent transfer. There is thus an
imminent need for institutional collaboration in order to redress these gaps. Recommendations
for the same have been made in the report. However, for an effective framework to be laid down
12 Guidance on Certificates of Confidentiality, Office of Human Research Protections, U.S Department of Health and Human Services, available at http://www.hhs.gov/ohrp/policy/certconf.pdf [Accessed on 14th May, 2014].
there is still a need for the State to play an active role in enabling the engagement between
different institutions both in the private and public domain across a multitude of sectors
including insurance companies, online servers that are used to harbor a database of patient
records and civil action groups that demand patient privacy while at the same time seek to access
records under the Right to Information Act. The collaborative efforts of these multiple
stakeholders will ensure the creation of a strong foundational framework upon which the Right to
Privacy can be efficiently constructed.