WHETHER OUR PRIVACY IS ALSO PROTECTED IN THE PRESENT-DAY HEALTH CARE SYSTEM ALONG WITH OUR HEALTH?
Author: Arya A V, currently pursuing LL.M in IPR from Inter University Centre for IPR Studies, Cochin University of Science and Technology, Kerala
HEALTH CARE SYSTEM
The health care system which is also known as the health system is the organization of people, institutions, and resources that deliver health care services to satisfy the health needs of target populations. The World Health Organization defines health care systems as “a system which consists of all organizations, people and actions whose primary intent is to market, restore or maintain health”.[i]
The Indian health system includes both government hospitals, private hospitals and also specialized Ayurvedic hospitals offering the normal sort of Indian alternative medicine. Today in India, healthcare has become one of the most important sectors, both in terms of revenue and employment. The Healthcare industry in India consists of hospitals, medical devices, clinical trials, outsourcing, telemedicine, medical tourism, medical insurance and medical equipment. The Indian healthcare sector is growing at an alarming rate due to its strengthening coverage, services and increasing expenditure by the public and also private players.
The Ministry of Health was established in our country with independence from Britain in 1947. The government has made health a priority in several five-year plans, each of which determines state spending priorities for the coming five years. The National Health Policy was initiated by the Parliament in 1983. The policy aimed toward universal health care coverage by 2000, and therefore the program was again updated in 2002. The health care system in India is primarily administered by the State governments. The National Rural Health Mission was launched by the Government of India in 2005, to deal with the lack of medical coverage in rural areas.
ELECTRONIC HEALTH RECORDS (EHRs)
Rapid contributions have been made from both the field of information technology as well as health care for successfully integrating both for better facilities and services offered by the health-givers.
The evolution of EHRs gives patients easier access to information about their present health conditions and also helps their doctors form an effective picture of the condition of each patient. But there are still many doubts regarding who can access these reports, whether the information provided in these records is correct, whether these records are safe from hacking, etc.
However, because of their increased usefulness and the growing enthusiasm for their adoption, not much care and attention is being paid to the ethical issues that might arise from their usage.
Some of the main security issues that may arise due to the usage of EHRs are:
User authentication of data of each patient
Confidentiality and integrity of health records
Misuse of health records by unauthorized access
Violation of data protection policies
Some technicians may also fill out data in the wrong field and cause mistakes in the records of the patient and it can create harmful impacts on the patient that way. EHR technology is not a 100 percent error-proof one and medical workers have made mistakes through these systems.
For example, in a survey conducted by the West Health Institute, it was found that about 50 percent of polled nurses identified a medical error because a device or EHR system was not integrated adequately either within the hospital or during the practice. Lack of EHR interoperability or integration may make it more difficult for doctors, nurses, and other health care professionals to provide effective care and avoid medical errors. It is very clear from the normal condition in a busy hospital that, at the end of a long shift, if a professional has to spend an additional two hours entering in data through an EHR or other system, he or she is more likely to make a mistake in that. The effective management of EHRs requires the active participation of a multidisciplinary team including telecommunication, instrumentation and computer science to enable the transfer of health records across different geographic regions.
The two important aspects of privacy regulation within the health care sector are consent and the choice of the patient. Specific protocols are available for hospitals, diagnostic laboratories to ensure that consent of the patient is taken and is given by him voluntarily before every stage of the treatment procedure.
The Supreme Court of India has in several landmark cases emphasized that the right to privacy available to citizens is not absolute. But the court has adopted a case-by-case approach in interpreting the amplitude of the right to privacy[ii].
There is a fiduciary relationship between the patient and the health care provider, he or she can be a doctor, nurse, lab technician or any member of the hospital authority. This fiduciary relationship evolves from a reasonable expectation of mutual trust between the doctor and his patients and it is well established through section 20(A) of the Indian Medical Council Act of 1952[iii], which lays down the code of ethics which a doctor must adhere to at all times. Furthermore, under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 (MCI code of ethics), physicians are obliged to protect the confidentiality of patients.
There are certain situations in which disclosure of personal health information is permitted and does not amount to a violation of privacy. For example: during referral; when demanded by the court or by the police on a written requisition; when demanded by insurance companies as provided by the Insurance Act, where the patient has relinquished his rights on taking the insurance; and when required for specific provisions of workmen's compensation cases, consumer protection cases, or for income tax authorities, disease registration, communicable disease investigations, vaccination studies, or drug adverse event reporting, etc. There have been instances where the court allowed the hospital to inform the patient’s future wife that the patient is HIV positive[iv]. In that case the petitioner’s claim that his right to privacy was violated was not sustained before the court.
Invasion of patient privacy is a growing concern nowadays. An incident reported in Forbes magazine raises an alarm over patient privacy. In the report, it was mentioned that the Target Corporation sent baby care coupons to a teenage girl without her parents' knowledge[v]. She was presumed to be pregnant based on details collected by them. Later her father filed a complaint against the corporation for motivating his high-school-going daughter to get pregnant.
The increased use of mobile devices, embedded devices, virtualization software, social media and the commercialization of IT are some of the major security threats for today’s health care organizations.
Mobile device users are increasing at an alarming rate in today's society, and the number and types of devices used by physicians, nurses, clinicians, specialists, administrators and staff – as well as patients and visitors – is growing at health care organizations across the country. But these devices are launched daily with upgraded versions of operating systems in them that contribute to infection. Also as users increasingly adopt their own devices for professional use, health care organizations will see more network security threats. In this way, the consumerization of IT adversely affects the healthcare industry.
HIPAA ACT, 1996
The American system has made stringent laws for controlling and safeguarding the usage of medical data and private information of patients coming to the health industry seeking medical aid. HIPAA (Health Insurance Portability and Accountability Act of 1996) is legislation that provides data privacy and security provisions for safeguarding medical information.
The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule, and its major goal is to assure that individuals’ health information is properly protected while allowing the accurate flow of health information required for promoting high-quality health care to the people of the country.
INDIAN SCENARIO AND EHR
The necessity of EHR in a country like India is inevitable. The involvement of citizens across the country in health records leads to an inclusive health care system for that country. Different languages are being used in different states of India. So conversion of EHR from one language to another language is very much possible by a single click on the electronic device. The language translator APIs also become cheaper to be employed in the EHR system based on the cloud because of the mass subscription base. Literacy is an issue in the encouragement of using the EHR system. Hopefully, the literacy rate of India is growing at an alarming rate each year and it is visible from the census records of the country from the time of independence.
From the year 1951 to 2011, the literacy rate went from 20% to 80%. This trend clearly shows that within this decade (till 2021) the Indian literacy rate will touch 100%, enabling a positive environment for the use of EHRs by all the citizens of India. High literacy will drive most people to get acquainted with electronic devices like mobiles, laptops and computers. Also, most of the population of our country is English speaking when compared to other developing countries. This gives an added advantage to the suitability of EHRs in the Indian health care system. The government is in the process of setting up an IHIP (Integrated Health Information Platform), which will ensure the interoperability of health records in any corner of the country, and the National e-Health Authority (NeHA) has been proposed to develop this IHIP. It also aims to encourage the adoption and promotion of e-health standards and the enforcement of the laws and regulations relating to the privacy and security of patient health information and records.
The Government of India has begun the process of updating the infrastructural facilities in district and sub-district hospitals under the National Health Mission and about 36 large government hospitals are currently registering patients online.
To operationalise these measures, the Government of India issued the Electronic Health Record Standards (EHRS) in 2013, which introduced a uniform system for the maintenance of Electronic Medical Records or Electronic Health Records by the health care providers in the country. In April 2013 Government of India came out with definitive guidelines for EHR standards in India and they were based on the recommendations made by the EMR standards committee, which was constituted by an order of the Ministry of Health and Family Welfare. The guidelines suggested a set of standards to be followed by different health care service providers in India to make medical data become portable and easily transferable[vi].
As health is very important for anyone in the universe, innovations in the field of health care should not be restrained. The technology and tools being used in the medical sector are evolving day by day and thus we can't control the development of EHR technology but we can try to protect it and reduce the privacy issues concerned.
Different strategies are available to reduce risks and overcome barriers in the implementation of digital health records. Some of the measures include:
Security measures such as firewalls, antivirus software, and intrusion detection software must be included to protect data integrity in the medical field.
Portable EHRs can be made more secure by using methods like password protection, cloud storage and encryption. Using a two-factor authentication system with password and security tokens helps in securing EHRs.
Specific policies and procedures should be implemented to maintain patient privacy and confidentiality.
Random audits should be conducted regularly and strictly to ensure compliance with the hospital policy. All system activity can be tracked by audit trails.
In my opinion, there is a need for effective enforcement of medical data protection policies and the continuous assessment of these policies to ensure confidentiality, security and privacy of a patient’s information in the medical field. Not only health should be protected, but also the privacy of every patient who considers hospitals their last hope for life. The only thing to be kept in mind is that e-health shouldn't be implemented without safeguarding the privacy of the individuals in society.
[ii] Sharda v Dharampal AIR 2003 SC 3450
[iii] Indian Medical Council Act, 1952
[iv] Mr X v. Hospital Z AIR 1998 SCC 296
[vi] E.H.R. Standards for India: GOI Report. 2013