The Digital Personal Data Protection Act 2023 (DPDPA) lays down stringent safeguards for the processing of digital personal data: it mandates a consent process for collecting data, reasonable security safeguards to prevent personal data breaches, and the principles of purpose limitation and data minimisation. The Act applies to personal data in digital form and to non-digital data that is subsequently digitised, whether processed in India or processed outside India in connection with offering goods or services to individuals in India.
The Act adds to the growing global regulatory focus towards personal data protection, similar to GDPR. Digital health solutions and the associated need for patient privacy have also been a key focus for the Health Working Group under India’s G20 Presidency. With the healthcare sector stepping up tech transformation efforts, organisations in the space have an opportunity to enhance trust and reputation by leading compliance with DPDPA. Non-compliance could lead to penalties up to INR 250 Cr.
Key considerations for healthcare
During the entire patient lifecycle, personal data is collected and generated at various stages. This includes patient health records, personally identifiable information (name, age, contact, etc.), medical history, diagnosis and treatment information, prescription details, lab results, billing and payment details, among others. Moreover, healthcare entities engaged in medical research are also in possession of genetic data. The sensitive nature of data necessitates rigorous safeguards to uphold patient confidentiality, data integrity and ethical data handling practices.
A survey of healthcare professionals co-conducted by Grant Thornton Bharat in early 2023 reveals that 84 per cent of respondents plan to significantly enhance their budget for digital solutions and technology initiatives. However, 66 per cent of professionals were not confident that their technology infrastructure is sufficient to prevent cyber threats and only 40 per cent felt that their technology infrastructure can ensure patient data privacy.
Some of the key considerations for the healthcare ecosystem include:
First, a patient-centric consent process: establish a robust framework for obtaining verifiable consent of the parent or lawful guardian in the case of children and of persons with disabilities who have a lawful guardian. Also evaluate the need to take informed consent afresh (a) once a patient whose personal data was collected during a medical emergency, epidemic or outbreak, where the Act permits processing without prior consent, is able to provide consent, and (b) where consent was obtained at the first point of care and the patient has since been transferred from a different hospital.
Second, trust & transparency in data governance: Lack of standardised tools and software applications across the industry can hinder proper processing, storage, and erasure. Our survey revealed that while 62 per cent of respondents have implemented Electronic Medical Records (EMR), the absence of a robust mechanism to monitor digital data coupled with data residing in silos would pose a challenge for data governance. Further, healthcare providers will have to train and drive the culture of protecting patient privacy across the healthcare workforce.
Next, collaborative engagement with third-party stakeholders: Healthcare delivery usually involves multiple stakeholders coming together, and it often includes the exchange of patient data. These stakeholders include healthcare providers, health insurance companies, third-party administrators (TPAs), diagnostics, pharmacies, and technology companies. Under the Act, a data fiduciary remains responsible for processing carried out on its behalf by a data processor and may engage one only under a valid contract. It is therefore critical for healthcare organisations to implement robust data governance mechanisms and to contractually define and enforce the roles and responsibilities of each stakeholder.
Telemedicine: As per our survey, the share of revenue from telemedicine is still less than 10 per cent for 98 per cent of the hospitals. However, with increasing adoption, telemedicine would require appropriate data security measures: encryption of patient data both in transmission and in storage, appropriate access controls, and incident response procedures. The last of these matters because the Act requires a data fiduciary to notify the Data Protection Board and each affected individual in the event of a personal data breach.
Medical tourism: DPDPA would apply to international patients seeking treatment in India. However, a nuanced approach would be required where its requirements conflict with the data privacy rules of the patient's home country.
Lastly, advancing Universal Health Coverage (UHC): The government has taken several initiatives towards Universal Health Coverage, such as PM Jan Arogya Yojana, eSanjeevani and a range of initiatives under the Ayushman Bharat Digital Mission umbrella, including Ayushman Bharat Health Account, Unified Health Interface and National Health Claims Exchange. Collaboration and focus on data protection across various touchpoints within the network would be critical.
For healthcare businesses, a proactive assessment of privacy policies in line with DPDPA will bring in a competitive edge. Organisations can adopt a phased approach over 8-10 months through self-assessment, gap analysis, planned implementation along with cultural change, independent audits and sustained compliance.
The new law is expected to build trust in the healthcare ecosystem by addressing technical intricacies with adequate resource allocation. The growth of the healthcare sector, fueled by technology and innovation, will be further accelerated by the enactment of the privacy law ushering in a culture of protecting patient privacy.
This article first appeared in ET Healthworld.com on 10 September 2023.