Cybersecurity Compliance For Healthcare Providers: HIPAA And Beyond

Posted On - 3 July, 2024 • By - King Stubb & Kasiva

In today’s digital age, healthcare data privacy and security have become paramount concerns in India. The widespread adoption of Electronic Health Records (“EHRs”) offers numerous benefits such as streamlining patient care and record-keeping. However, this increased reliance on digital information creates new vulnerabilities. Cybercriminals are increasingly targeting healthcare providers, recognizing the vast value of sensitive patient data including medical history, diagnoses, and financial information.

The major question that arises is – what is Health Data?

Health data, as outlined by the Ayushman Bharat Digital Mission, is categorized into personal and non-personal health data. ^[1]
Personal health data refers to information related to an individual’s health conditions and treatments, containing personally identifiable details of various stakeholders, including healthcare professionals.
Non-personal health data encompasses aggregated health statistics, such as the number of dengue cases, and anonymised health data from which all personally identifiable information has been removed. It also includes information about health facilities, drugs, and other non-personally identifiable information.
Furthermore, per Section 3(e) of the Digital Information Security in Healthcare Act (“DISHA”), digital health data is defined as an electronic record of health-related information about an individual.

While regulations like the US-based Health Insurance Portability and Accountability Act (“HIPAA”) establish guidelines for data protection, their reach is limited. India requires a more comprehensive approach to cybersecurity compliance, safeguarding patient information and ensuring the integrity of healthcare systems.^[2] This article will explore the current regulatory landscape in India, and address unique challenges specific to the Indian context.

Current Regulatory Landscape in India

India’s healthcare sector operates within a multifaceted legal framework governing data privacy and security. The key regulations shaping this landscape are as follows:

The Information Technology Act, 2000 (“IT Act”) and its rules^{^[3]}

This legislation establishes the legal framework for electronic transactions in India. It includes specific provisions under its rules with reference to data security, particularly focusing on the protection of “Sensitive Personal Data” (“SPD”).^[4]
SPD encompasses a wide range of patient information, including medical history, diagnoses, treatment plans, and even genetic data.
The IT Act mandates reasonable security practices for handling SPD, such as encryption and access controls.
Additionally, it outlines specific procedures for data breach reporting and prescribes penalties for non-compliance, which can be significant fines or even imprisonment.

The Digital Personal Data Protection Act (“DPDPA”)

This recently enacted legislation marks a significant step forward in data privacy protection.
While its full implementation is still ongoing, the DPDPA is expected to have a substantial impact on healthcare data privacy. ^[5]
It establishes stricter controls on how healthcare providers collect, store, and disclose patient information.
For instance, the DPDPA may require explicit patient consent for specific data uses beyond core treatment purposes.
Additionally, it empowers patients with greater rights over their data, including the right to access, rectify, or erase their personal information held by healthcare providers.

Comparison with HIPAA

The US-based HIPPA offers a similar focus on protecting patient health information. However, there are key distinctions.
HIPAA primarily applies to covered entities like health plans, healthcare providers, and healthcare clearinghouses.
The Indian regulations have a broader scope: the IT Act applies to any organization handling electronic data, potentially encompassing a wider range of healthcare entities involved in patient care or data management.
Furthermore, the DPDPA, when fully implemented, is expected to offer patients more comprehensive control over their data compared to HIPAA. For instance, the right to erasure under the DPDPA may require healthcare providers to permanently delete patient data upon request, whereas HIPAA allows for retention for certain legal or healthcare operations purposes.

The Indian Challenges

The Indian healthcare sector faces unique challenges in implementing robust cybersecurity measures, such as limited resources and outdated IT systems.
Collaborating with managed security service providers (“MSSPs”) or outsourcing specific security tasks can help leverage external expertise, and prioritizing IT infrastructure modernization, including phased upgrades or cloud-based solutions, can offer enhanced security features.
The increasing adoption of telemedicine and mobile health solutions presents new avenues for potential breaches, making it essential to ensure secure communication channels for telemedicine consultations, implement strong authentication protocols for mobile health apps, and educate patients on secure practices for remote healthcare data access.

The Need of the Hour

The Indian healthcare sector is facing a critical challenge: ensuring the privacy and security of patient data. Cloud storage, while offering potential benefits, often lacks proper implementation and oversight, leaving sensitive information vulnerable.

DISHA: A Promising Start, Awaiting Completion

While India has attempted to address these concerns with the draft legislation, the DISHA, its progress has stalled.
Similar to HIPAA in the US, DISHA aimed to establish a framework for data security and breach reporting. However, its delay in implementation necessitates a complete overhaul to effectively address evolving cyber threats.
DISHA defines anonymization as an irreversible process that transforms personal data into a form where the data principal cannot be identified through any means reasonably likely to be used for identification.
Sensitive personal data includes physical, physiological, and mental health data, encompassing information on various health conditions and treatments such as EHR, electronic medical records, and personal health records.
The Privacy Guide for the Healthcare Sector issued by the Data Security Council of India (“DSCI”) further stipulates that all personal data collected during the provision of health services must be anonymised, ensuring that direct and indirect identifiers are removed or manipulated with mathematical and technical guarantees to prevent reidentification.^[6]

Way Forward

A cohesive approach to data privacy and security in Indian healthcare requires a strong regulatory framework with clear guidelines and enforceable compliance mechanisms. Organizations cannot be solely responsible for robust security practices without proper regulations and updated policies. The current state fosters an environment ripe for scams, data breaches, and a general sense of insecurity. The discussion on cybersecurity in Indian healthcare must move beyond awareness. A robust framework and a commitment to compliance are essential to safeguard sensitive patient data, rebuild trust, and ensure the sector’s continued growth and success.

^[1] https://abdm.gov.in:8081/uploads/privacypolicy_178041845b.pdf.

^[2] https://www.ncbi.nlm.nih.gov/books/NBK500019/.

^[3] https://www.meity.gov.in/content/information-technology-act-2000-0.

^[4] https://www.indiacode.nic.in/handle/123456789/1362/simple-search?query=The%20Information%20Technology%20(Reasonable%20Security%20Practices%20and%20Procedures%20and%20Sensitive%20Personal%20Data%20or%20Information)%20Rules,%202011.&searchradio=rules.

^[5] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf.

^[6] https://www.dsci.in/sectoral-privacy-project/wp-content/uploads/2021/08/DSCI_Sectoral-Privacy-Healthcare-Guide1136279132045723835.pdf.

King Stubb & Kasiva,
Advocates & Attorneys

Click Here to Get in Touch