Indian Journal of Medical Ethics

LETTER


Ethical implications of online healthcare data sharing in the Indian context

Published online first on March 26, 2022. DOI:10.20529/IJME.2022.025

Technology is not only changing the way doctors and patients communicate, but also how physicians interact with other healthcare providers. This interaction has increasingly begun to be over online media such as telemedicine networks/instant messaging apps/social media/emails. The Covid-19 pandemic has further spurred the rapid adoption of these digital healthcare technologies, amplifying the potential risks for data breach of sensitive personal information.

Patient privacy and confidentiality are considered the cornerstones of medical ethics. These encourage the patient to provide the doctor with relevant information which forms the basis for making correct diagnoses and offering treatment. Physicians, in turn, have a moral, ethical and legal obligation to keep all patient information confidential. To this end, the Supreme Court of India, in 2017, ruled that privacy is an intrinsic element of the fundamental right to life and liberty [1].

The general attitude towards patient privacy and confidentiality remains a major problem in India. Neurologists, for instance, have frequently started using online platforms that are not designed to protect privacy, placing the security of patient information under constant threat of data breaches. It has become commonplace to see patients’ MRI images, clinical videos and other investigation results being shared among physician groups on these media with the intention of seeking an expert/second opinion. De-identification is often not observed in such circumstances because of a lack of awareness about what constitutes a breach of confidentiality. Alarmingly, in a recent survey, 13% of participating doctors expressed no reservations about sharing identifiable patient data [2]. Lack of awareness amongst patients about the possible risks involved in providing their own personal data over the internet complicates matters further. Patients often have limited understanding of how their data entrusted to third party healthcare apps is being shared and used. A recent study in this regard from the University of Massachusetts and Stony Brook University revealed that over 70% of smartphone apps send users’ personal data to third-party tracking companies [3]. These apps can be used to track users across multiple platforms and can harvest unique identifiers that can be misused for identity theft, posing significant financial and health risks.

Moreover, the laws governing health data privacy are still in their infancy in India. Currently, collection, storage and transfer of sensitive personal data in electronic form is subject to the Information Technology Rules, 2011 [4]. This law is, however, only limited to obtaining consent prior to collection or transfer of the data. More recently, telemedicine guidelines were issued by the Ministry of Health and Family Welfare (MoHFW) in March 2020. Under these guidelines, a registered medical practitioner (RMP) would be required to fully abide by Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, for protecting patient privacy and confidentiality. Additionally, a new bill proposed by the Ministry of Health and Family Welfare, still under review, known as the Digital Information Security in Healthcare Act (‘DISHA’), focuses primarily on healthcare data privacy, confidentiality, security and standardisation. A negligent breach of healthcare data that is not de-identified or anonymised is, in fact, considered a serious violation under this Act, with the person responsible being punishable with imprisonment up to 5 years [5].

Although stringent rules, laws and regulation are urgently called for, there are definitely other ways of minimising risk, even though it cannot be completely eliminated. It is important for doctors to educate themselves to be vigilant and aware while sharing patient related information over any online medium even if it is de-identified. Doctors also need to make sure that the data being communicated is shared only within the circle of care and that too with the patient’s explicit consent. Additionally, this discussion with the patient needs to be documented in patient records. Physicians need to be mindful that they are governed by the same legal and professional standards when consulting online/sharing information as would apply in an in-person setting. Appropriate use of encryption software would prove valuable in protecting electronic messages. From the patients’ perspective, campaigns educating patients on the impact of sharing sensitive health information can be carried out through social media or during first contact with the health care agency [6]. Frequent discussions about protecting privacy and confidentiality need to take place between physicians, involved third-parties, patient advocates and various other stakeholders.

In conclusion, despite the convenience of online platforms, these methods of communication are often the least secure and the least private. Both physicians and patients should be mindful of what is being shared online and with whom. Doctors need to become ardent advocates for patients in this regard. These data sharing challenges necessitate implementation of additional laws to help patients and doctors in navigating this complex data sharing landscape with greater confidence.

Devavrat Nene (corresponding author – doctordforu@gmail.com), Department of Medicine, Division of Neurology, The University of British Columbia, Vancouver, CANADA; Gayatri Saraf (drgayatrisaraf@gmail.com), Department of Psychiatry, The University of British Columbia, Vancouver, Canada.

Conflict of interest and funding support: None declared.

Statement of similar work: None submitted earlier, either to this journal or elsewhere.

References

  1. Supreme Court of India. Justice KS Puttuswamy and Anr vs Union of India and Ors. Writ Petition (Civil) No 494 of 2012. para 183. 2017 Aug 18[cited 2021 Oct 22]. Available from: https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf
  2. Bal AM. WhatsApp, Doc? Indian J Med Ethics. 2017 Jan;2(1):65. Doi: https://ijme.in/articles/whatsapp-doc/?galley=html
  3. Vallina-Rodriguez N, Sundaresan S. 7 in 10 smartphone apps share your data with third-party services. 2017 May 30[cited 2021 Oct 22]. Available from: http://theconversation.com/7-in-10-smartphone-apps-share-your-data-with-third-party-services-72404
  4. The Information Technology (Intermediaries Guidelines) Rules, 2011. Notification. The Gazette of India: Extraordinary [PART II-SEC. 3(i)]. 2011 Apr 11[cited 2021Oct 22]. Available from: https://www.dispur.nic.in/itact/it-intermediaries-guidelines-rules-2011.pdf
  5. Antani M. Punnen D, Shukla A. DISHA: The First Step Towards Securing Patient Health Data In India. Mondaq.com. 2018 [cited 2021 Oct 22]. Available from: https://www.mondaq.com/india/healthcare/723960/disha-the-first-step-towards-securing-patient-health-data-in-india
  6. Asiri E, Khalifa M, Shabir S-A, Hossain MN, Iqbal U, Househ M. Sharing sensitive health information through social media in the Arab world. Int J Qual Health Care. 2017 Feb;29(1): 68-74. Available from: http://dx.doi.org/10.1093/intqhc/mzw137