This is a collection of codified Indian legislation that governs health-related data.
The Information Technology Act, 2000 and Information Technology (Reasonable Security Practices) Rules, 2011
The Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002
The Mental Healthcare (Rights of Persons with Mental Illness) Rules, 2018
The Pre-Conception & Pre-Natal Diagnostic Techniques Act, 1994
The Insurance Regulatory and Development Authority of India (Third Party Administrators - Health Services) Regulations, 2016
The Transplantation of Human Organs Act and the Transplantation of Human Organs and Tissues Rules, 2014.
The Digital Information Security in Healthcare Act (DISHA) is a draft law released in 2018, intending to serve as the basis of digital health records in India. The objectives of this law are to provide for establishment of National and State e-Health Authorities and Health Information Exchanges, and to standardize and regulate data processes associated with digital health data. The act also aims to “ensure reliability, data privacy, confidentiality and security of digital health data.” DISHA contains provisions that enable the sharing of personal health records with hospitals and other medical establishments, as well as between medical establishments, and also define conditions for the collection and use of personal health data.
The IT Rules, 2011 define sensitive personal data or information (SPDI) to include, inter alia, information regarding medical records. Section 43A and Section 72 of the Information Technology Act provide protection against breach of security concerning SPDI, or non-consensual disclosure of SPDI by service providers (including body corporates) with the intention of causing wrongful loss or wrongful gain.
The authorities under this Act have to maintain a National Register of clinical establishments5 and a State Register of clinical establishments.6 A certificate is issued to the clinical establishments, who are bound by the procedure prescribed under this Act. The Act mandates the disclosure of certain information to the authorities. Any disobedience of direction, obstruction and refusal of information can result in punishment.7
These Regulations provide guidelines for the maintenance of medical records pertaining to the indoor patients for a period of 3 years from the date of commencement. Information can be disclosed to the patient / authorised attendant or legal authorities involved within the period of 72 hours.
The Registered medical practitioner shall maintain a Register of Medical Certificates giving full details of certificates issued. Further, the Regulations state that registered medical practitioners must take efforts to keep computerized medical records for quick retrieval.
The Regulations protect the confidential information of the patient, and provide for exceptional circumstances where such information can be disclosed without consent. In case of communicable / notifiable diseases, concerned public health authorities should be informed immediately.
It prescribes measures to be taken to protect the consent forms of the pregnant woman, along with the certified opinion recorded under Section 3 or Section 5. The consent forms are to be marked as “SECRET”.
A serial number is assigned to the pregnant woman in the Admission Register. This Amendment also laid down the procedure to be followed by the hospitals for maintenance of the Admission Register, which is treated as a secret document and cannot be disclosed. It is not open to inspection, and shall be kept in safe custody. None of the entries in the registers shall refer to the pregnant woman’s name, and shall refer only to the serial number assigned.
The Regulations prohibit the disclosure of matters relating to treatment for termination of pregnancy to anyone other than the Chief Medical Officer of the State.11 The Register of women who have terminated their pregnancy, as maintained by the hospital, must be destroyed on the expiry of a period of five years from the date of the last entry.12 The Regulations prescribe that the information collected must be securely stored and used. The medical practitioner assigns a serial number for the woman terminating her pregnancy.13 Additionally, the admission register is stored in safe custody of the head of the hospital.14
The Act mandates disclosure of the name of the manufacturer, etc. to the Inspector, as required by law.16 If the same is not disclosed, the person is liable to be punished.17 Every person holding a licence under clause (c) of Section 18 shall keep and maintain such records, registers and other and shall furnish to any officer or authority under this Act such information as is required.18 Section 28A also prescribes a penalty for not keeping documents, etc., and for non-disclosure of information.
Under Rule 65, the licensees are mandated to maintain a register for records of drugs purchased and supplied, as stipulated. Rule 53 prohibits disclosure of information except for the purposes of official business or when required by a Court of Law. The Government can gain access to these registers upon inspection.
Under Section 22 a person with mental illness and his nominated representative shall have the rights to the information specified in Section 22 of the Act. As per Section 23(1), every person with mental illness shall have the right to confidentiality in respect of his mental health, mental healthcare, treatment and physical healthcare. Section 23(2) stipulates what information must be collected and stored by the health professionals providing care or treatment.
Under Section 24, no photograph or any other information relating to a person with mental illness undergoing treatment at a mental health establishment shall be released to the media without the consent of the person. Section 25 grants all persons with mental illness the right to access their basic medical records as may be prescribed. The mental health professional in charge of such records has the right to withhold disclosure of the medical records if it would harm the patient.
The Board constituted under Section 82 can receive and decide applications in respect of non-disclosure of information specified under sub-section (3) of Section 25.
As per Rule 6, a person suffering from a mental illness has the right to access basic medical records. If a mental health professional or mental health establishment, as the case may be, is unable to decide whether to disclose information or provide basic inpatient medical records or any other records to the applicant because of ethical, legal or other sensitive issues, he or it may make an application to the Mental Health Review Board.
Form-B framed as per Rule 6 (3) stipulates that the mental health establishment shall maintain specific minimum records in a graded manner for the various types of patients it is dealing with. Further, Rule 4 lays down the Basic Minimum Standard Guidelines for Recording of Therapy Report.
In order to avail the facilities of pre-natal techniques, the pregnant woman would have to disclose her age, previous abortions or foetal loss, family history of mental retardation or physical deformities or such other genetic diseases, and other conditions stipulated by the Central Government.22
Section 29 lays down the manner in which the records should be maintained. All records, charts, forms, reports, consent letters and all other documents required to be maintained under this Act and the rules shall be preserved for a period of two years or for such period as may be prescribed. All such records shall be made available for inspection to the Appropriate Authority or to any other person authorised by the Appropriate Authority in this behalf. Further, the appropriate authorities have the power to search and seize records, etc.
These Regulations lay down obligations on the Third Party Administrators (TPA) to maintain books of account, records, and confidentiality of information, for submission of annual report to Authority.24 Such records, documents, evidence, books etc., and any information contained therein shall be made available to the insurer, the Authority or to such person appointed by the Authority for investigation into or inspection of the functions of the TPA. The TPA is strictly bound by professional confidentiality between the parties. Disclosure can only be made in exceptional cases for legal compliances and investigative activities. The Regulations also stipulate the establishment of electronic systems for seamless flow of data, furnishing of annual report to the insurer and the Authority, as prescribed.
Regulation 23, Schedule - II lays down a Code of Conduct for TPAs to put in place systems and internal processes for detection of fraud and its mitigation.
The Act envisages setting up a national registry for organ transplants. The Act lays down the information to be included in the National Registry regarding donors and recipients of human organ and tissue. It also stipulates the frequency of data collection, hospital information to be collected, yearly reports to be prepared, details of persons who have pledged organs for donation, data protection and confidentiality of information, etc.
Forms 12, 13, 14 list the hospital information to be collected for application for registration of hospital to carry out organ or tissue transplantation other than cornea.
As per Section 13C, a National Human Organs and Tissues Removal and Storage Network has been set up.