INNOCENTS ABROAD?

HEALTH DATA SAFEGUARDS FOR MEDICAL TOURISTS IN INDIA

By Kenneth N. Rashbaum and Sajai Singh

India has long been a highly popular destination for visitors from around the globe, and growth in the travel & tourism sector has been steadily increasing. But with all due respect to the heritage attractions of the country, the increase is attributable, in large part, to the increasing attraction of medical tourism. India has built hospitals with cutting edge medical technology, and boasts of physicians educated in the finest medical schools in the world. Medical procedures and hospital admissions cost a fraction of that in the U.S. Information about a patient can be sent in milliseconds from the patients home caregiver to the facilities in India, and back again when the procedure has been completed. Doctors on opposite sides of the globe can consult over the Internet or email in real time, sometimes even during surgery. But what happens to that information in transit and in the offices of the physicians and hospitals? Medical records are increasingly created, transmitted and stored in electronic formats. Recent media reports of personal data breaches, many from distinguished medical centers such as Stanford and University of California Los Angeles (UCLA), can serve to reduce trust in electronic medical record systems and, by extension, the caregivers themselves. This was not such a looming concern in the word of paper records but in the digital age, where information can be stolen, accessed or lost in milliseconds, and where identity theft is a constant shadow, the development of medical tourism may well be linked to the means by which patients health information the most sensitive of personal data is appropriately safeguarded through laws, and information management practices of India and the U.S.

Given these concerns about the security of their health information, a threshold question may arise as to why people would rush to India, a country in which information protection is still in an evolutionary state, for treatment. One simple reason is that medical treatment package prices in India are 35% to 40% less than the total treatment cost in U.S. or U.K. According to the Indian industry association, Associated Chambers of Commerce and Industry (ASSOCHAM), medical tourism industry is a growing sector in India. The medical tourism industry in India, which is currently poised at around Rs. 4,500 crore is likely to be worth Rs. 10,800 crore by 2015. The cost of certain surgical procedures is one-tenth of what it is in the U.S. and Western Europe and sometimes even lesser. According to a survey report conducted by Wockhardt Hospitals, the number of outsourced patients has nearly doubled in the last few years. No wonder: one of the patients of Wockhardt has said that his surgery cost him $11,000, a bargain-basement price that was a quarter of what hospitals in North Carolina were quoting. With the debate raging over health care reform, growing numbers of Americans aren't waiting for Washington: they are, in effect, outsourcing their own medical care to India. Yet, there are very few studies on the management of patient medical information, between India and the U.S. The absence of an internationally agreed definition of medical tourism, and of a common methodology for data collection, is one of the main reasons for the paucity of such data. It is possible, though, to compare the schemes for protection of the confidentiality and security of medical information in the U.S. and India, and in so

Page 1

doing ascertain potential effects of the distinctions in medical confidentiality on the future growth of Indian medical tourism.

proceedings, to levy fines of up to $1,000,000 USD per violation. It recently has imposed a number of monetary sanctions, and has begun a program of spot (surprise) audits of medical facilities. HIPAA was supplemented and strengthened in 2009 by the HITECH Act (Health Information Technology for Economic and Clinical Health), which became effective in February, 2010. HITECH sets forth requirements for responses to data breaches, including notification to affected patients. If the breach comprises more than five hundred patients, the entity is required to also notify the media and the Secretary of DHHS. HITECH also gave states attorneys general jurisdictions to bring proceedings for HIPAA violations if DHHS declines to do so. The HITECH Act extends the reach of HIPAA to Business Associates, such as law firms, consulting firms and outsourced medical records and billing entities in the U.S. and, significantly, it also provides a basis for liability to healthcare providers if they fail to exercise due diligence in selecting Business Associates who then breach patient confidentiality through data breaches. HIPAA is a minimum standard for the security and privacy of medical information. U.S. states may impose stricter requirements that HIPAA and many have done so (these include California, Massachusetts, North Carolina and New York, among others). Medical Information Privacy in India Protections for medical information in India may be found in the Constitution and two legislative Acts. The key to whether this network of provisions can provide sufficient protection to assure U.S. patients of confidentiality, however, depends upon the rigor of enforcement. India has a strong network of provisions that cover medical information privacy. Article 21 of

Privacy of Medical Information in the United States A physician or medical center that sends patient information to caregivers in India must do so in a manner that complies with applicable law, and must safeguard any such information received from India with regard to their patients. Privacy law in the U.S. healthcare system is defined by the basic law for healthcare confidentiality, the Health Information Portability and Accountability Act of 1996 (HIPAA). HIPAA is most widely known for its regulations governing medical confidentiality, the HIPAA Privacy Rule and the HIPAA Security Rule. The former comprises of more than 800 pages of standards and requirements that, distilled to their essence, require the caregiver to implement practices to assure that patient-identifiable health information is not disclosed to anyone without authorization of the patient, except for uses of that information that concern treatment, payment or operations of the particular caregiver, and other derogations. In this way, HIPAA greatly resembles the privacy scheme of the European Union in Privacy Directives EC 94/46. The HIPAA Security Rule, which is far shorter, was promulgated to enable privacy in the age of digital medical records. Its standards require physical, technical and administrative (policy and procedure) safeguards for uses, disclosures and storage of electronic medical information. Examples of such safeguards include encryption of patient-identifiable information in storage and transit; access controls, including passwords or biometrics; and due diligence in the selection of business associates who may access that information or to whom it is disclosed. The Privacy and Security Rules are enforced by the Office For Civil Rights of the U.S. Department of Health and Human Services (DHHS), which has the authority, after appropriate administrative

Page 2

Constitution of India, 1950 states that No person shall be deprived of his life or personal liberty except according to procedure established by law. The Right to Privacy has been read into this Section, as an integral part of the fundamental right to live life with dignity. Courts in India have held that the Right of Privacy may, apart from contract, also arise out of a particular specific relationship that may be commercial, matrimonial, or even political. A doctor-patient relationship is considered fiduciary in nature, but is also professionally a matter of confidence. Therefore, doctors are morally and ethically bound to maintain confidentiality. In such a situation, public disclosure of even true private facts may amount to an invasion of the Right of Privacy, which may sometimes lead to the clash of one person's right to be let alone" with another person's right to be informed. The Right to Privacy is an essential component of right to life envisaged by Article 21. The right however, is not absolute. It may be lawfully restricted for the prevention of crime, disorder or protection of health or morals or protection of rights and freedom of others, as in the case of Mr. X v. Hospital Z [(1998) 8 SCC 296], wherein the apex court of India held that the hospital owes a duty of care to disclose the HIV positive condition of the patient to the person he was likely to be married to. Such disclosure was held to be a reasonable restriction on the right to privacy of the patient. Apart from the essential fundamental right to privacy granted to citizens under the Constitution of India, specific protections have been granted to information relating to medical history, records, biometric information, physical and mental condition etc. under two important enactments, namely, the Indian Medical Council Act, 1956 and the Information Technology Act, 2000 and the rules formulated thereunder, as detailed hereafter. The Indian Medical Council Act, 1956

Regulations 2.2 and 7.14 framed under the Indian Medical Council Act hold that information about a patients ailment cannot be disclosed without patient consent. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules) These Rules have been formulated under the Information Technology Act, 2000, and are the first of its kind in relation to data protection and privacy in India. Rule 3 provides an inclusive definition of Sensitive Personal Data or Information. It states that sensitive personal data or information includes, amongst other things, (c) Physical, physiological and mental health condition, (d) Sexual orientation, (e) Medical records and History, (f) Biometric information, (g) any details relating to above clauses as provided to body corporate for providing service and (h) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise. Rule 6 sets forth that disclosure of sensitive personal data or information by a body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation. Rule 8 requires Reasonable Security Practices and Procedures to be maintained by bodies corporate. A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such

Page 3

security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies. The Rule provides that the International Standard IS/ISO/IEC 27001 on Information Security is one such standard that may be followed by bodies corporate. If a body corporate chooses its own standards of selfregulation, it is required to get its codes of best practices duly approved and notified by the Central Government for effective implementation. Information Technology Act, 2000 (IT Act) Section 43 A of the IT Act permits Compensation for failure to protect data. Where a body corporate is negligent in implementing and maintaining reasonable security practices and procedures regarding sensitive personal data and thereby causes wrongful loss or wrongful gain to any person, it shall be liable to pay damages by way of compensation to the person so effected. However, this must be read with the Privacy Rules, which provide that a body corporate or person on its behalf, who has implemented reasonable security standards and procedures as prescribed under Rule 8 above, shall be deemed to have complied with the expected duty of care under the IT Act. Section 66 E of the IT Act prescribes punishment for violation of privacy. It states that whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any

person without his or her consent, under circumstances violating the privacy of that person shall be punished with imprisonment, which may extend to three years or with fine not exceeding Rs. 2,00,000, or with both. Section 72 of the Information Technology Act, 2000 lays down the penalty for breach of confidentiality and privacy, as imprisonment for a term which may extend to two years, or fine which may extend to Rs. 1,00,000, or with both. Section 72 A of the Information Technology Act, 2000 lays down the punishment for disclosure of information in breach of lawful contract, and provides for penalties for intentional unauthorized access to personal information of another. Although there may have been numerous civil and criminal proceedings initiated against the violators of the IT Act, enforcement of these provisions may still be characterized as work in progress. The legislature has created various statutory bodies/courts to try matters related to the IT Act, but it is underutilized. Breaches under the Privacy Rules have not been reported, consequently giving rise to a lack of jurisprudential data on the efficacy of enforcement. Accordingly, patients may take little comfort from the presence of a robust legislative mechanism to enforce the IT Act and Privacy Rules until there is evidence of specific proceedings to enforce the Privacy Rules. India has various statutes, rules and regulations that govern and regulate the protection of personal data, information, and privacy of individuals, and. the Constitution of India has been read to include a right to privacy as a part of the fundamental right to life of individuals,, But it is the enforcement of these laws that will eventually determine whether medical tourism consumers will retain sufficient confidence in the privacy of their medical information

Page 4

transmitted between India and the U.S. to fuel the growth of the medical tourism industry.

Kenneth N. Rashbaum, Esq., is Principal of Rashbaum Associates, LLC, in New York (www.rashbaumassociates.com). He focuses his practice on information governance and data protection compliance for multinational corporations and healthcare providers. A counselor, litigator and trial lawyer with over twenty-five years experience in representation of life sciences entities, Ken is an active member of the American Bar Association Section of International Law, and writes and speaks extensively on international data protection and data privacy issues. He can be contacted at krashbaum@rashbaumassociates.com. Sajai Singh is a Partner with J. Sagar Associates (JSA), a full service corporate law firm in India. As a head of the Technology Practice of JSA, he focuses on emerging technologies, business process outsourcing and biotechnology. He also undertakes transactional work with a focus on representing emerging technology companies in areas of inbound investments in India, venture capital investments, joint ventures, strategic alliances, mergers and acquisitions. He can be contacted at sajai@jsalaw.com.

Page 5