Data analytics in the healthcare space is a major commercial and social opportunity for stakeholders to transform healthcare delivery capabilities for the people of India. It is also an opportunity for creating a more intelligent way of understanding diseases affecting the Indian populace and ensuring better preparation in handling epidemics and other chronic diseases.

Considering the National Digital Health Blueprint (“NDHB”) that was published by the Government of India in July of 2019, there is no doubt going to be an immense level of traction in this space in the coming years.

It is curious to also see the evolution of this specific space in the healthcare industry, especially when considering the recently proposed Personal Data Protection Bill 2018, that is currently pending before Parliament. The introduction of GDPR in the European Union as well as the greater emphasis on privacy protection laws and consent related requirements raise a few issues that are worthy of consideration in this particular space.

This write up focuses on two issues that arise in this specific instance, those being record keeping obligations in the healthcare and medical law space as well as the consent that are expected to be obtained in this specific context.

Under the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002, a physician is legally obligated to maintain records relating to patients for a period of 3 years from the date of commencement of treatment. These records are further required to be kept in formats as are prescribed by the Medical Council of India. There is a further obligation to ‘computerize medical records for quick retrieval’.

In addition to the above, the Ministry of Health & Family Welfare (“MOHFW”) has, in 2016, prescribed certain standards for the creation & maintenance of electronic health records. This initiative has been further augmented by the NDHB (which is again the brainchild of the MOHFW), which records that the principles outlined in the 2016 standards should be incorporated into any framework designed towards health record maintenance.

Taking all of this into account, the basic legal issue that potentially needs to be conveyed in clear terms here is who remains the legal owner of the electronic health records and how such ownership or rights may mutate or change, depending on the anonymization of the underlying data.

As per the 2016 EHR standards, the ownership of the records lies with the patient involved and the hospital or physician in charge is deemed to hold the records on trust for such patient. The assumption when referring to such data is that it remains capable of personally identifying the patient or the patient’s identity is ascertainable from a review of such data.

The question that arises here is that does the patient have the legal right to bar the anonymization of such data? Or can the patient legally opt out for having his or her data anonymised? While the knee jerk answer in times like this is to simply obtain an advance consent towards anonymization of such data, one pertinent question to ask is does the public necessarily understand what is meant by anonymization? What is the nature of disclosure and consent that needs to be conveyed and obtained in order for such anonymization to commence?

Also, since the whole purpose of data collection would be for future reference and consideration, anonymised data would presumably be kept for much longer periods than the average medical record (based on the 2002 Regulations). Would the Government of India become the exclusive owner of such data or would it be permissible for private parties to hold such data, subject to specific access rights for appropriate government agencies in times of crisis, investigation or other specific circumstances?

The next question that comes up in this case is the nature of consent that needs to be obtained from patients. This notion of consent here is often either conflated with the consent requirement that exists under the current rules of the Information Technology Act 2000 or otherwise the notion of medical consent that is provided for the performance of medical procedures.

It is this latter aspect that needs to be studied further in this case; patient consent as a concept has been closely examined in the US and the UK. The US and UK courts have closely scrutinized this concept, and have created two separate legal tests on the constitution of adequate consent, namely “informed consent” under US laws and “real / true consent” under UK law.

Universally, “patient consent” in legal terms is underpinned by: (i) the voluntariness of the patient’s consent; (ii) the patient’s capacity to render consent; and (iii) the patient having an identified threshold of information about the nature of the procedure to which the consent is being provided. The differences between the US and UK approaches towards consent hinge entirely on this third limb, on what constitutes an acceptable threshold of information being provided by the doctor to the patient. While US laws emphasize a patient centric approach where the patient is provided with all of the information necessary in order to arrive at an “informed opinion” on the matter, the UK approach is a physician centric one, where the Doctor advising the patient is expected to evaluate and provide the relevant or pertinent information for this aspect.

In India, Regulation 7.16 of the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, set outs the requirements for obtaining consent where there is a need to carry out an operation or surgery on a patient. These regulations however do not cover the consent requirements for other kinds of medical treatments or procedures. Up to this point in Indian legal history, Indian courts appear to show a leaning towards the UK principle of “real / true consent”, as opposed to the US notion of “informed consent”.

The reason for delving into the multitude of these questions is to understand what is the kind of legal framework that is needed in order to ensure that consents obtained from patients for record keeping and data anonymization arise from duly considered principles of fairness and equity; this would ensure absolute certainty for businesses engaged in data analytics and at the same time offer appropriate assurances for patients and members of the public.

This inherent clarity that is needed will also ensure that the roles and responsibilities of patients, physicians, healthcare centres and technology partners are clearly chalked out.