Impact of PDP bill on Primary Healthcare in India

The Personal Data Protection (PDP) bill was introduced in the Lok Sabha in 2019 and is expected to be enacted soon. The bill is intended to protect the personal data and the rights of Indian citizens. Under the bill, the individuals whose data is processed are called data principals and retain the rights over that data: the right to confirmation and access, the right to correction and erasure, and the right to data portability. Any entity that determines how and why personal data is processed, including the Government of India, companies in India and foreign companies handling the data of Indian citizens, falls under the jurisdiction of this law and is called a data fiduciary. Data fiduciaries must process data transparently and must apply security safeguards such as encryption and de-identification to prevent its misuse. An organization that fails to comply with the bill faces substantial financial penalties.


Primary Healthcare industry and anticipated challenges

Healthcare is one of the major industries that falls under the scrutiny of the Indian PDP bill, because most of the data held about patients is sensitive and private in nature, e.g. test results, medical history, sexual orientation, biometric information and prescriptions. Healthcare organizations handle a vast amount of personal data about individuals. They also hold financial data, and because of this they have been hit by numerous cyber attacks over the years and have been an easy target for attackers owing to weak security systems. Along with hospitals and clinics, other organizations such as nursing homes, diagnostic centers and health insurance providers also handle patients' data, and so they too must comply with the PDP bill as data fiduciaries.

If the PDP bill is passed, all patient health records held by these organizations, both historical and current, will have to be protected with safeguards such as encryption and de-identification. The patient's consent would be required to process any kind of data, and transparency would have to be maintained. The organizations would have to update their security systems and adopt suitable data privacy tooling. They would also need to make the necessary changes to their business processes, and their employees would have to be educated about the bill so that the organization can meet its requirements.


Suggestions for the primary healthcare organizations

There are several things a primary healthcare organization can do to comply with the PDP bill:

  1. Classifying the data – The data that a primary healthcare organization handles should be classified into sensitive and non-sensitive categories, so that the sensitive and critical personal data is given the most attention and is handled in compliance with the bill. Organizations should also keep track of where data is stored and of its lineage (the flow of data through their systems). The bill requires significant data fiduciaries to appoint a Data Protection Officer (DPO), who takes care of data governance and data privacy issues.
  2. Assessing the gaps – A proper risk assessment and data protection impact assessment should be carried out for all the business processes in the organization to find out whether there are any gaps with respect to the privacy of the data principals. If third parties are involved in the organization's operations, a risk assessment should be carried out for their business processes as well.
  3. Changing the policies – Based on the impact and risk assessments, the organization's policies should be aligned with the requirements of the bill for better transparency, accessibility, reporting and protection of data. Privacy by design, which the bill also outlines, should be built into the organization's various business processes.
  4. Educating the employees – Employees who handle sensitive and critical data should be made aware of the various requirements of the PDP bill. Third-party vendors should be educated on these privacy aspects as well.
  5. Using the right tools – Various tools are available on the market that address an organization's data privacy and data governance needs. They can manage the consent and the rights of the data principals that are required for any further processing of the data and help an organization comply with the bill.

Role of icareheal

With icareheal, doctors can carry out all kinds of online consultations from the safety of their homes. icareheal can digitally maintain all patient health records and prescriptions in the form of an EHR. icareheal will uphold all the requirements of the PDP bill, and clinics onboarded with icareheal would not have to worry about the storage of their patients' sensitive and critical data, as it will be held in de-identified and encrypted form. The requisite consent will be obtained from patients before their data is shared with any other stakeholder, so that patients retain the rights over their data. Clinics remain the data fiduciaries for their patients' data, so they should cover the icareheal relationship in their processing agreements, but they would not have to worry about compliance with the PDP bill for any of their transactions on icareheal.
