Privacy in Healthcare

A large number of tourists visit India to access its wide array of healthcare services, drawn by affordable prices, a large pool of highly skilled medical professionals, world-class infrastructure, quality and cost-effective treatment, ease of communication and travel, short waiting times and medical technology on par with global industry standards.

Services opted for by these tourists range from basic elective procedures to complex specialised surgeries. With the steps taken by the Ministry of Tourism to promote India as a medical and health tourism destination, and the introduction of the ‘e-Medical Visa’, which enables travellers from 166 countries to visit India for medical treatment, the number of tourists visiting India for healthcare services is expected to increase every year.

India’s draft Personal Data Protection Bill (PDPB) 2019 emphasises the core requirement of protecting the personal data of the data principal. Among other significant provisions, the PDPB 2019 proposes substantial penalties for contravention of its requirements: up to INR 5 crore (~USD 1M) or 2% of total worldwide turnover of the preceding financial year for one set of contraventions, and up to INR 15 crore (~USD 3M) or 4% for another, in each case whichever is higher. This is covered under Penalties and Compensation, Chapter X, Section 57, sub-sections (1), (2) and (3) of the draft PDPB 2019, which read as follows:

Section 57 (1) Where the data fiduciary contravenes any of the following provisions:

(a)  Obligation to take prompt and appropriate action in response to a data security breach under section 25;

(b)  Failure to register with the Authority under sub-section (2) of section 26;

(c)  Obligation to undertake a data protection impact assessment by a significant data fiduciary under section 27;

(d)  Obligation to conduct a data audit by a significant data fiduciary under section 29;

(e)  Appointment of a data protection officer by a significant data fiduciary under section 30.

it shall be liable to a penalty which may extend to five crore rupees (~USD 1 million) or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher;

(2) Where a data fiduciary contravenes any of the following provisions:

(a)  Processing of personal data in violation of the provisions of Chapter II or Chapter III;

(b)  Processing of personal data of children in violation of the provisions of Chapter IV;

(c)  Failure to adhere to security safeguards as per section 24; or

(d)  Transfer of personal data outside India in violation of the provisions of Chapter VII.

it shall be liable to a penalty which may extend to fifteen crore rupees (~USD 3 million) or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher.

(3) For the purpose of this section–

(a)  The expression “total worldwide turnover” means the gross amount of revenue recognised in the profit and loss account or any other equivalent statement, as applicable, from the sale, supply or distribution of goods or services or on account of services rendered, or both, and where such revenue is generated within India and outside India.

(b)  it is hereby clarified that total worldwide turnover in relation to a data fiduciary is the total worldwide turnover of the data fiduciary and the total worldwide turnover of any group entity of the data fiduciary where such turnover of a group entity arises as a result of the processing activities of the data fiduciary, having regard to factors, including

(i)  The alignment of the overall economic interests of the data fiduciary and the group entity

(ii)  The relationship between the data fiduciary and the group entity specifically in relation to the processing activity undertaken by the data fiduciary; and

(iii)  the degree of control exercised by the group entity over the data fiduciary or vice versa, as the case may be.

(c)  Where any of the provisions referred to in this section has been contravened by the State, the maximum penalty shall not exceed five crore rupees under sub-section (1) and fifteen crore rupees under sub-section (2), respectively.

Such provisions, along with the heightened focus on the collection and use of personal data, will require organisations (referred to in the Bill as data fiduciaries and data processors) to revisit their processes and operations and establish a robust privacy and data protection framework.

With the requirements of multiple privacy regulations and healthcare laws, the increasing use of technology in medical devices and service delivery, and the use of mobile apps and aggregator platforms to access healthcare services, awareness of privacy and data protection in the healthcare industry becomes increasingly pertinent. Although healthcare organisations are now starting to adopt best practices for privacy and data protection in their service delivery and device interfaces, major improvements are still needed at an operational level.

Key privacy and data protection issues faced by healthcare organisations, and the practices organisations have adopted in response, are as follows:

Challenge 1 – Segregation and treatment of data received from multiple sources including IoT enabled devices

  • Information footprinting: Organisations are now tracking data in order to identify and understand where personal data lies at all times. To support this, data discovery exercises (manual and tool-based) are being conducted. Mapping the data helps determine its lifecycle, the security controls that apply, the devices through which it is generated, the level of access to be granted to staff (doctors, nurses, contractual staff, etc.) and how information is shared outside the organisation, so that the right information is accessed by the right stakeholders. Additionally, identifiers are being added to data sets to record the source of the data, the consent associated with it, the validity of that consent and the region of origin of the user.
  • Asset management controls: Organisations have started taking key privacy and security factors into consideration so as to embed privacy by design in existing as well as planned systems, e.g. carrying out privacy and security checks before a new IoT device is purchased, and defining the security configuration of data stored or held by the device and the retention period of that data.
  • Privacy and data protection training and awareness sessions: Healthcare organisations have started conducting role-based privacy training to make staff (doctors, nurses, contractual staff, etc.) aware of the risks associated with mishandling and misuse of data.
  • Security controls: Healthcare organisations now restrict access to patient records and reports to the local network, or require multi-factor authentication for access from elsewhere. Mobile access to patient records and healthcare systems is restricted and is enabled only for devices with the appropriate security certificates installed.
  • Handling data of family members: Where a family member of a healthcare professional is being treated, organisations monitor access to ensure that the professional does not access the relative's records unless the patient has authorised them to do so.

Challenge 2 – Encrypting electronic medical records and associated performance issues in a network of connected medical devices and applications

  • Encryption of data at rest and in motion: Several standards and regulations recommend encryption, among other data security measures, to reduce the impact of a cyber-attack; however, every organisation follows its own approach to encryption based on its maturity, applicable regulatory requirements and risk appetite.
    • Some healthcare organisations do not encrypt data at rest, as it may degrade the performance of connected medical devices and other healthcare applications. The numerous devices and applications may also have different encryption capabilities that are not necessarily compatible with each other. Given the requirements for data access, such organisations have also adopted a model in which the primary devices and applications hold only the data currently being processed; once the patient is discharged, the relevant data is transferred to a more secure environment or server and the original copy is removed.
    • For other organisations, encrypting data at rest and in transit is common practice and is done quite efficiently once a proper PKI and key-management infrastructure is in place: bulk data is encrypted with symmetric ciphers, with the keys protected by the PKI, and hashing is used to verify the integrity of the encrypted data.
    • Organisations that encrypt data at rest apply encryption at multiple levels depending on the data being handled (e.g. table-level encryption, field-level encryption) in order to limit the impact on system performance.
  • Blockchain is also being considered as a potential solution to ensure patient data confidentiality but it has not been implemented by organisations yet.

Challenge 3 – Handling data and communication via Whatsapp

  • While regulatory requirements may not allow the use of WhatsApp, or may deem such communication to lack sufficient safeguards, it is still used by healthcare professionals and patients to interact with one another and to share documents and advice.
    • Organisations that have discouraged the use of WhatsApp have enabled communication via chat applications, hospital portals or web forms that adhere to the requirements of the applicable privacy laws.
    • Organisations that have accepted the use of WhatsApp have prepared organisational WhatsApp usage policies and guidelines to inform healthcare professionals of their responsibilities when using WhatsApp for communication and when handling the associated data. These policies and guidelines usually include practices such as:
      • On receipt of a request or information, informing the patient of the organisation's commitment to the privacy of patient data, the potential risks of using unsecured channels or modes of communication, and the appropriate channels available; then deleting or archiving the message once the patient has re-sent the request through the appropriate channel.
      • Interacting with the patient and responding to the query on WhatsApp, uploading the necessary details to the central patient record or printing a copy of the communication and adding it to the patient file, and then deleting or archiving the original message. In some cases, organisations allow such communication only from organisation-owned devices.

Challenge 4 – Managing Privacy and Data protection risks in the use of personal data for Business Intelligence (BI) and analysis

  • Organisations use BI tools for analysis and management reporting on patient data. Reports include trends in users/customers over the past few months, the services most and least sought by users, etc. Organisations deal with the privacy and data protection risks of BI tools and the associated analysis in the following ways:
    • Documenting the personal data used by the BI tool for the analysis, the purpose of the analysis and making the patients aware of the same.
    • Pseudonymising or anonymising patient data
    • Ensuring that secondary databases created for use or for references are aligned with the original purpose of the analysis
    • Identifying access levels and associated controls to restrict access and BI and analysis to a specific group
    • Identifying controls for retention of data
    • Limiting the involvement of third parties unless absolutely necessary
    • Frequent monitoring of data being processed and related accesses
    • Enabling built-in encryption on the tools and configuring access per user role, so that visualisations, worksheets, etc. can be encrypted and decrypted on the client side

Challenge 5 – Managing personal health data of VIPs/VVIPs/Celebrities 

  • Organisations that serve VIPs, VVIPs and celebrities have to consider an additional layer of security and privacy specifically for such personal data. The first step is to restrict access to such patient records by assigning permissions. An automated workflow is then set up that notifies the privacy team every time the file is requested, accessed or updated. This can also be configured via existing Security Information and Event Management (SIEM) or User and Entity Behaviour Analytics (UEBA) tools. A SIEM uses pre-defined rules to determine whether certain conditions are met and raises an alert as configured. UEBA, on the other hand, monitors peer groups and compares a specific user's behaviour with that of his or her peers, flagging deviations.
  • Where no automated workflow is in place, organisations audit access to the medical records of VIPs, VVIPs and celebrities to identify unauthorised access. In such instances, the Data Protection Officer is informed without delay and the unauthorised access is dealt with through the organisation's disciplinary process.
  • Some healthcare organisations use separate servers or modules and require multi-factor authentication for access to the records of VIPs, VVIPs and celebrities.
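The monitoring described for VIP records above and for relatives of staff under Challenge 1 are the same detection problem: an access log from the EHR, a list of flagged patients, and a decision about who is allowed to touch them. The following added example (not code from the original article or from any SIEM/UEBA product) implements both styles over constructed access-log lines: a SIEM-style rule that notifies the privacy team of every access to a flagged record and raises an alert when the user is not on the care team or is accessing a declared relative's record without the patient's authorisation, and a UEBA-style peer comparison that flags a user whose record-access volume is far above that of others in the same role. The log format, patient IDs, care teams, declared relatives and threshold are all assumptions made for the demo.

```python
"""SIEM-style rules and a UEBA-style peer baseline over EHR access logs.

Added example, not from the original article. Every identifier below (log
format, users, patients, care teams, relatives) is constructed for the demo.
"""
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed access-log lines: timestamp user role action patient_id
ACCESS_LOG = """\
2020-03-02T09:01:11Z dr.rao     physician VIEW   P0123
2020-03-02T09:05:40Z nurse.iyer nurse     VIEW   P0123
2020-03-02T09:30:02Z dr.singh   physician VIEW   P0777
2020-03-02T10:12:55Z dr.singh   physician UPDATE P0777
2020-03-02T11:47:19Z nurse.das  nurse     VIEW   P0777
2020-03-02T11:52:03Z dr.rao     physician VIEW   P0777
2020-03-02T12:00:00Z nurse.iyer nurse     VIEW   P0456
2020-03-02T12:00:05Z nurse.iyer nurse     VIEW   P0457
2020-03-02T12:00:09Z nurse.iyer nurse     VIEW   P0458
2020-03-02T12:00:14Z nurse.iyer nurse     VIEW   P0459
2020-03-02T12:00:20Z nurse.iyer nurse     VIEW   P0460
2020-03-02T12:00:26Z nurse.iyer nurse     VIEW   P0461
2020-03-02T12:00:31Z nurse.iyer nurse     VIEW   P0462
2020-03-02T13:15:00Z nurse.das  nurse     VIEW   P0124
2020-03-02T13:20:00Z nurse.k    nurse     VIEW   P0125
2020-03-02T13:25:00Z nurse.k    nurse     VIEW   P0126
2020-03-02T14:00:00Z dr.rao     physician VIEW   P0999
2020-03-02T14:30:00Z dr.mehta   physician VIEW   P0200
2020-03-02T15:00:00Z dr.mehta   physician VIEW   P0201
2020-03-02T15:30:00Z dr.singh   physician VIEW   P0202
"""

# Constructed reference data the rules consult.
VIP_PATIENTS: Set[str] = {"P0777"}
CARE_TEAM: Dict[str, Set[str]] = {"P0777": {"dr.singh", "nurse.das"}}
DECLARED_RELATIVES: Dict[str, Set[str]] = {"nurse.iyer": {"P0456"}, "dr.rao": {"P0999"}}
PATIENT_AUTHORISED: Set[Tuple[str, str]] = {("dr.rao", "P0999")}  # (user, patient) pairs the patient approved


class Event(NamedTuple):
    ts: str
    user: str
    role: str
    action: str
    patient: str


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            events.append(Event(*parts))
    return events


def rule_alerts(events: List[Event]) -> List[Tuple[str, str, Event]]:
    """SIEM-style: fixed rules, one finding per matching event.
    Every VIP access is reported to the privacy team ('info' for care team,
    'alert' otherwise); a relative's record is 'alert' unless the patient authorised it."""
    findings = []
    for ev in events:
        if ev.patient in VIP_PATIENTS:
            if ev.user in CARE_TEAM.get(ev.patient, set()):
                findings.append(("info", "VIP record accessed by care-team member", ev))
            else:
                findings.append(("alert", "VIP record accessed by user outside care team", ev))
        if ev.patient in DECLARED_RELATIVES.get(ev.user, set()) \
                and (ev.user, ev.patient) not in PATIENT_AUTHORISED:
            findings.append(("alert", "declared relative's record accessed without patient authorisation", ev))
    return findings


def peer_deviation_alerts(events: List[Event], threshold: float = 3.0) -> List[Tuple[str, str, int, float]]:
    """UEBA-style: compare each user's access count with the other users in the same role.
    Leave-one-out baseline so an outlier does not inflate its own peer statistics;
    the standard deviation is floored at 1 so tiny, uniform peer groups still yield a usable z-score."""
    counts = Counter(ev.user for ev in events)
    role_of = {ev.user: ev.role for ev in events}  # assumes one role per user
    by_role: Dict[str, List[str]] = defaultdict(list)
    for user, role in role_of.items():
        by_role[role].append(user)
    flagged = []
    for role, users in by_role.items():
        for user in users:
            peers = [counts[u] for u in users if u != user]
            if len(peers) < 2:
                continue  # no meaningful baseline
            z = (counts[user] - statistics.mean(peers)) / max(statistics.pstdev(peers), 1.0)
            if z > threshold:
                flagged.append((user, role, counts[user], round(z, 2)))
    return flagged


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    for sev, reason, ev in rule_alerts(evs):
        print(f"[{sev}] {ev.ts} {ev.user} {ev.action} {ev.patient}: {reason}")
    for user, role, n, z in peer_deviation_alerts(evs):
        print(f"[ueba] {user} ({role}) touched {n} records, z={z} vs peers")
```

On the constructed log, the rule engine raises an alert for dr.rao's view of the VIP record and for nurse.iyer's view of her declared relative's record, while the UEBA pass flags nurse.iyer for bulk access that no individual rule would catch. In production the reference sets would come from the EHR's care-team assignments and the staff declaration process, and the findings would feed the privacy team's case workflow rather than stdout.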

Since the healthcare industry processes high volumes of personal and sensitive personal data, healthcare organisations may be classified as significant data fiduciaries, which imposes additional obligations on them. As the healthcare ecosystem is very large and involves multiple stakeholders, it would be useful for organisations to perform readiness assessments and identify the best practices they can adopt in order to be ready in time for the requirements of the Bill.


We at Data Secure can help you understand privacy and trust when dealing with data, and provide privacy training and awareness sessions to build on what you already know.

For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA or Draft India PDPB 2019 and Secure Email transmission, kindly write to us at

For downloading various Global Privacy Laws kindly visit the Resources page in DATA SECURE – Privacy Automation Solution
