How is EHR related standards & regulations safeguarding a person’s personal health information?
On 17th July 2019, Union Ministry of Health initiated its great efforts to build a comprehensive, nationwide integrated e-Health system under National Digital Health Blueprint. This initiative was a step towards creating a national healthcare ecosystem. The government has also welcomed feedback and inputs by contributors to make this system both robust and thoroughly efficient. However, how does it benefit the patients? Do the patients get authority over their healthcare information? Are the information secure against data breaches?
There are a lot of questions that are still unanswered on the part of the government and there still is no specific privacy regulation for healthcare medical industry. The existing adoption of EHR are based on the present legal framework of India, under The Information Technology Act, 2000 (IT Act), The Information Technology Rules, 2011 (IT Rules) and The Indian Medical Council Regulation, 2002 (MCI Code of Ethics).
The Digital Health Record structure to support privacy and e-health standard
Back in 2016, the government had proposed the National e-Health Authority (NeHA) to promote Integrated Health Information Platform (IHIP) to standardize and enforce laws and policy to maintain privacy of healthcare information of patients. What will be the patient’s rights over their healthcare information guaranteed by the above initiatives?
- The term privacy refers to the authority that the owner of the data has over it.
- The data would be subjected to end to end encryption between all public and private entites. As per the rules, the encryption techniques used in transferring information must be best of breed and follow industry standards.
- The engagement of any third party would be based on trust and consent of the owner.
Data Ownership
- The data contained data in EHR which are the protected health information of the patient is owned by the patient himself / herself.
- The physical or electronic records, which are generated by the healthcare provider, are held in trust by them on behalf of the patient
- The medium of storage or transmission of such electronic medical record will be owned by the healthcare provider.
- The “sensitive personal information (SPI) and personal information (PI)” of the patient is owned by the patient herself. Refer to IT Act 2000 for the definition of SPI and PI.
The regulations of preserving electronic healthcare information of patients
- According to the proposed regulations, all healthcare records of a patient, whether recorded verbally or through any other form of medium, must be preserved by the medical institution during the life-time of the person.
- Further to this, this information can be removed from active records or put to inactive status upon the patients’ demise only after confirmation of certain criterion; A. No pending court cases on the owners name B. Three years subsequent to the owners death.
- The records should never be destroyed or removed permanently from the system.
- Even after the demise of the owner, the data is accessible by the person(s) designated by the individual.
- Only after seeking specific permission from the designated person, the institution can to use the patients’ information for any purpose.
It is important to note that the above rules and regulations to apply the entire healthcare industry – both modern and traditional. Ayurveda, Yoga and Naturopathy practices would also be required to adopt system that support the above requirements. Unfortunately the limited software options that currently cater to the AYUSH are ill equipped to address this evolving requirement and will put a strain on small and medium practices.
AyushEHR is designed to abide by these rules and regulations. It has been designed with the principle of ‘Privacy by design’ in context and provides utmost protection and security to its patients and medical practitioners information. We always remains compliant to the privacy and security guidelines and regulations and serve as digital healthcare system of the future.
References:
- Https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/consumers/privacy-security-electronic-records.pdf
- Https://thewire.in/law/without-data-security-and-privacy-laws-medical-records-in-india-are-highly-vulnerable
- Https://www.business-standard.com/article/economy-policy/india-to-be-first-to-protect-health-data-of-citizens-with-iron-clad-law-118053100126_1.html
- Https://blogs.docengage.in/patient-data-make-it-more-secure-than-your-bank-data-6fa53b474f99
- Https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5116537/
- Https://www.legallyindia.com/views/entry/digitisation-of-health-medical-records-is-the-law-keeping-up
- https://www.mohfw.gov.in/sites/default/files/EMR-EHR_Standards_for_India_as_notified_by_MOHFW_2016.pdf