Digital health technologies hold immense potential in transforming healthcare, not only in India but worldwide.
They offer a ray of hope in regions where traditional healthcare access remains challenging due to limited public resources. Particularly during the COVID-19 pandemic, their value has been recognized in India, as they enhance healthcare delivery and outcomes.
To ensure the well-being of individuals, it is crucial to establish robust privacy laws that safeguard their health data from unauthorized access, misuse, and any potential harm. The recent concerns about data leakage from the CoWin application underscore the urgent need for such legislation.
The Indian government has taken proactive measures to promote the adoption of digital health technologies.
Through the Ayushman Bharat Digital Health Mission (ABDM), they are building the National Health Stack—a secure and interoperable platform for exchanging healthcare data.
This infrastructure aims to create comprehensive electronic health records for every citizen, ensuring longitudinal and cross-sectional integration. Currently, over 38 crore Ayushman Bharat Health Accounts have been established, with more than 26 crore health records linked to the ABDM.
As India assumes the G20 presidency, its focus on digital health can serve as a blueprint for other nations. India intends to leverage this position to foster global health resilience.
It is unfortunate that India lacks a Personal Data Protection law. In the absence of such legislation, we can draw guidance from the Supreme Court’s landmark judgment in Justice KS Puttaswamy (Retd) Vs Union of India [AIR 2017 SC 4161].
This judgment establishes the privacy of personal data, including medical and health data, as a fundamental right under Article 21 of the Constitution.
Consequently, any policy significantly affecting this right must adhere to a four-pronged test outlined in the judgment: it must be a procedure established by law, aimed at a legitimate goal, just, fair, and reasonable, proportionate to the objective, and accompanied by procedural guarantees against abuse by state or non-state actors.
According to the “Cost of a Data Breach Report 2023” by IBM and Ponemon Institute, the healthcare sector has incurred the highest costs due to data breaches, averaging $10.10 million.
Health data breaches can inflict significant harm upon individuals, impacting their physical, mental, and financial well-being.
Such breaches expose sensitive and personal information, including medical history, social security numbers, and financial details. Consequently, they can lead to identity theft, fraud, and harassment.
Health data breaches may result in discrimination, particularly in employment and insurance contexts. For instance, leaked genetic information can be exploited to deny individuals employment opportunities or health insurance coverage.
The mental health repercussions of health data breaches are profound, causing anxiety, stress, and depression, especially when the breach involves sensitive information.
Various global institutional frameworks advocate for stronger privacy laws as a prerequisite for digitalization efforts. The Universal Declaration on Human Rights (Article 12) and the International Covenant on Civil and Political Rights (Article 17) guarantee the right to privacy, safeguarding individuals from arbitrary interference and attacks on their honor, reputation, family, home, or correspondence.
The World Health Organization’s Global Strategy on digital health 2020-2025 emphasizes that the accessibility of digital health hinges on a system that respects the privacy and security of patient health information.
The World Health Assembly recognizes the potential of digital technologies in supporting health systems but urges member states to develop legislation aligned with human rights obligations, addressing data access, sharing, consent, security, privacy, and inclusivity.
In the absence of data protection legislation, temporary guidelines can be issued under Section 2(1) of the Epidemic Diseases Act 1897, as was done during concerns about the safety and security of personal data in the contact-tracing application, ArogyaSetu.
These guidelines should establish standards and safeguards for storing and processing health data, including retention timelines and related policies. These regulations should remain in effect until data protection legislation is enacted and specific guidelines are issued for its ethical and secure implementation.
In addition to obtaining informed consent from patients before collecting their personal data, these guidelines should mandate entities to adopt appropriate security measures, such as encryption for sensitive data, access controls, and regular security audits to identify vulnerabilities.
Anonymization of personal health data, transparent privacy policies, and ethical data collection practices can also deter the misuse or exploitation of personal health data for commercial purposes, fostering public trust in the healthcare system. By establishing clear standards and regulations for data governance and interoperability, privacy laws can enhance public trust and awareness of digital health interventions.