Telemedicine guidelines need to be revised to be on a par with global health data protection rules
The Medical Council of India, in partnership with the NITI Aayog, has released the Telemedicine Practice Guidelines, 2020.
By V Sridhar, Deep Inder Mohan & Arjun Pilikudale
Developments in telecommunication and broadband connectivity have enabled telemedicine consultations. Telemedicine allows remote consultation, diagnosis, treatment, follow-up, monitoring and supervised treatment of patients or training of physicians, and is primarily used to deliver healthcare services to remote regions. India recently launched the DigiGaon—to make telemedicine accessible in villages.
Covid-19 has accelerated deployment and use of telemedicine. In a recent issue of the ‘New England Journal of Medicine’, it was argued whether in-person visits should become the second, third or even the last option for meeting patient needs. The pandemic has forced the use of tech such as telemedicine to enable ‘forward triaging’ that allows patients to be efficiently screened without face-to-face contact, as the first step. It also enables self-quarantine of patients who do not need hospitalisation—through the provision of continuous monitoring and support. It not only protects patients, but also clinicians, hospital staff and the community at large from the virus. It can allow physicians and patients to communicate 24×7, using smartphones or webcam-enabled computers, to monitor symptoms on a regular basis.
The Medical Council of India, in partnership with the NITI Aayog, has released the Telemedicine Practice Guidelines, 2020. But there is a missing piece in these guidelines—protecting privacy and confidentiality of patients. It is very easy for consulting sessions between patients and physicians to be digitally recorded and processed. It is this ease that will probably cause nervousness to patients. Digitally-captured sessions are prone to breach of patient confidentiality and can have a negative impact on the already somewhat socially-relegated Covid-19 patients.
Most data protection regulations take care of privacy issues by enacting appropriate rules. For example, in the US, the Health Insurance Portability and Accountability Act (HIPAA) has specific provisions related to telemedicine. It states only authorised entities should have access to e-Personal Health Information (e-PHI) captured through telemedicine sessions. It mandates secure communication during the session. A major clause included in HIPAA guidelines is with respect to third-party service providers (intermediaries) who facilitate telemedicine sessions, such as WhatsApp, Facebook, FaceTime, Skype and Microsoft Teams. If the history of the session is stored by a third party, the healthcare provider is required to have a business associate agreement (BAA) with the third party storing the data. This BAA must include methods used by the third party to ensure protection of data, and provisions for regular auditing of the data’s security. For example, if a telemedicine session uses Skype or Zoom, then according to the HIPAA the healthcare provider/hospital providing telemedicine consultations should have a binding BAA with these intermediaries to protect the personally identifiable information of patients. If an intermediary does not enter into BAAs with a healthcare provider for these services, the healthcare provider is liable for fines or civil action should an unauthorised disclosure of e-PHI occur due to the third party’s lack of HIPAA-compliant security measures.
But such BAA clauses are absent in India’s telemedicine guidelines. Though the guidelines point to the IT Act, 2000, it requires only registered medical practitioners to comply with the Act in protecting the security and confidentiality of patients. The guidelines are silent about the responsibility and liability of intermediaries (in India, in addition to platforms such as WhatsApp or Skype, there are intermediaries including Practo, Protea, 1mg and Lybrate). While the IT Act provides immunity to intermediaries, the Draft IT Act Intermediary Guidelines (Amendment) Rules, 2018, make intermediaries accountable and necessitate them to deploy measures to provide security and privacy of the information they carry, but it is yet to be notified by the government. A controversial clause in this draft that requires intermediaries to deploy automated technologies to do proactive monitoring is one of the reasons it has been stalled for two years. The Personal Data Protection Bill provides adequate privacy rights to citizens, but with it yet to be enacted, patients who consult via telemedicine do not have any protection if their e-PHI is shared or disclosed. It’s time telemedicine guidelines are revised to be on a par with global health data protection rules.
Sridhar is professor, and Mohan and Pilikudale are students, IIIT Bangalore