Telemedicine’s Ubers, personal data protection and more – Telemedicine Practice Guidelines, 2020 [Part 2]

Telemedicine Guidelines were issued on March 25, 2020. Ever since, I have been asked a fair number of queries by both medical practitioners and app-based businesses. In the process of addressing such queries, I have had the benefit of analysing Telemedicine Guidelines with stellar remote assistance from my junior colleague Mr N. Sasank Iyer, my online intern Mr Shreesh Chadha and subsequently my online intern Mr Vignesh Ganesh.

However, no potential seeker of telemedicine asked me anything about these guidelines, hence, I decided to compose this piece, in 2 parts.

Part 1 deals with the definition of telemedicine and the foundational aspects of Telemedicine Guidelines, like their recognition, entitlement of RMPs to provide telemedicine consultation, the legal sanctity of these guidelines, the necessity of these guidelines, the scope of these guidelines and their stated purpose, the tools and the guidelines of telemedicine. As far as possible, Part 1 avoids jargon.

This part i.e., Part 2 deals with:

  1. Duties and responsibilities of RMPs in general
  2. Guidelines for technology platforms enabling telemedicine
  3. Some aspects of Personal Data Protection Bill, 2019 ("PDP Bill")

Guideline 3.7.1 at page 23 to Guideline 3.7.3 at page 24 of Telemedicine Guidelines list out duties and responsibilities of RMPs in general. Guideline 5 at page 33 of Telemedicine Guidelines lists out guidelines for technology platforms enabling telemedicine.

When PDP Bill is passed and it comes into force, it would have implications on telemedicine services. In the context of Telemedicine Guidelines, for the purpose of PDP Bill, patients would be data principals, RMPs would be data fiduciaries and technology platforms enabling telemedicine would be data processors.

Guideline 3.5 of Telemedicine Guidelines mandates that RMPs must make all efforts to gather sufficient medical information about the patient's condition before making any professional judgment. This transaction is squarely covered by Clause 2(A) of PDP Bill.

On account of a close interplay between PDP Bill and Telemedicine Guidelines, in this Part, some aspects of PDP Bill have been discussed.

Duties and responsibilities of RMPs in General

Medical ethics, data privacy and confidentiality

In the context of medical ethics, data privacy and confidentiality, the twin requirements stipulated by Telemedicine Guidelines are:

  1. It is the responsibility of an RMP to be cognisant of the current data protection and privacy laws.
  2. RMPs shall not breach the patient's confidentiality akin to an in-person consultation.

These twin requirements are explained by way of an illustration i.e. when an RMP is planning to create a virtual support group to disseminate health education for patients suffering from a particular disease condition, the RMP shall be wary of the patients' willingness and not violate the patients' privacy and confidentiality by adding the patients to the group without the patients' consent.

Bearing in mind these twin requirements, the following aspects need to be appreciated:

1. Principles of medical ethics, including professional norms for protecting patient privacy and confidentiality as per IMC Act, shall be binding and must be upheld and practised.

2. The following shall be binding and must be upheld and practised:

2.1. RMPs would be required to fully abide by Ethics Regulations.

2.2. RMPs would be required to fully abide by the relevant provisions of Information Technology Act, 2000, data protection and privacy laws or any applicable rules notified from time to time:

2.2.1. to protect patient privacy and confidentiality; and

2.2.2. regarding the handling and transfer of such personal information pertaining to the patient.

Once PDP Bill is passed and it comes into force, in the event that the patient is a child, Clause 16 of PDP Bill would govern the processing of personal data and sensitive personal data of children. Clause 16 of PDP Bill seeks to provide for obligations on data fiduciaries processing personal data of children.

3. At the time of hiring the services of persons who are not RMPs and at the time of hiring technology services, RMPs should ensure that a reasonable degree of care is undertaken by them.

4. In the event of a compromise of the patient's privacy and confidentiality, if there is reasonable evidence to believe that such compromise is by a technology breach or by a person other than an RMP, then, the RMP will not be held responsible for breach of confidentiality.

It would not be out of place to mention that such immunity does not extend to a compromise of the patient's privacy.

5. In the context of misconduct, Telemedicine Guidelines specifically prescribe that in addition to all general requirements under IMC Act for professional conduct, ethics et cetera, while using telemedicine, the following actions are explicitly impermissible:

5.1. Wilful compromise of patient care or privacy and confidentiality, or,

5.2. violation of any prevailing law.

RMPs are not permitted to solicit patients for telemedicine through any advertisements or inducements.

The penalties for misconduct are as per IMC Act, Ethics Regulations and other prevailing laws. In the context of misconduct, Telemedicine Guidelines give the following illustrations:

i. RMPs insisting on telemedicine, when the patient is willing to travel to a facility and/or requests an in-person consultation.

ii. RMPs misusing patient images and data, especially private and sensitive in nature, which includes an RMP uploading an explicit picture of a patient on social media.

iii. RMPs who use telemedicine to prescribe medicines from the specific restricted list.

Maintaining digital trail/documentation of consultation

In the context of maintaining digital trail/documentation, Telemedicine Guidelines mandate that:

1. It is incumbent on RMPs to maintain the following records/documents for the period as prescribed from time to time:

2. Log or record of a telemedicine interaction, for example, phone logs, email records, chat/text records, video interaction logs et cetera.

3. RMPs have to retain patient records, reports, documents, images, diagnostics, data et cetera (digital or non-digital) utilised in the telemedicine consultation.

4. Specifically, in case a prescription is shared with the patient, the RMP is required to maintain the prescription records as required for in-person consultations.

Fee for telemedicine consultation

From a fee perspective, telemedicine consultations should be treated at par with in-person consultations. RMPs may charge an appropriate fee for the telemedicine consultation provided. RMPs should also give a receipt/invoice for the fee charged for providing telemedicine-based consultation.

Some observations

A breach of confidentiality and an invasion of privacy are intertwined, as the former is broader than the latter. However, they are distinguishable. In the event that the information is public, the likelihood of maintaining a claim for confidentiality generally does not arise.

The focus of privacy law is on the invasion and the breach of privacy rights. Privacy protection is not merely a subject matter of protection under a claim for the breach of confidentiality. In other words, privacy protection is independent.

The focus of the right to privacy is on the protection of human autonomy and dignity, which includes the right to control the dissemination of information about one's private life. However, the law of confidentiality is rooted in the duty of good faith.

Telemedicine Guidelines do maintain a distinction between privacy and confidentiality. Privacy and confidentiality include a bundle of rights. These rights include the right to protect the identity and even anonymity.

If a person seeks freedom from identification even when in a public space and despite being in a public space, then, the person claims anonymity. The Right to Privacy Judgment, (2017) 10 SCC 1 refers to Spencer v. R, 2014 SCC Online Can SC 34, which had set out 3 chief constituents of informational privacy, namely:

  • Privacy as secrecy
  • Privacy as a control
  • Privacy as anonymity

Privacy and confidentiality, therefore, include information about one's identity. Pertinently, Telemedicine Guidelines mandate that telemedicine consultation should not be anonymous i.e., the patient and the RMP need to know each other's identity.

In fact, one of the 7 elements which need to be considered before beginning any telemedicine consultation is the identification of RMP and patient. It would not be out of place to mention that Guideline 3.2.2 of Telemedicine Guidelines requires an RMP to verify and confirm the patient's identity by name, age, address, email ID, phone number, registered ID or any other identification as may be deemed to be appropriate.

The said provision also requires the RMP to ensure that there is a mechanism for a patient to verify the credentials and contact details of the RMP. These guidelines do not protect anonymity between an RMP and a patient. However, these guidelines do ensure that the patient is anonymous to the world.

Once PDP Bill is passed and it comes into force, among other chapters, Chapters II and VI of PDP Bill will be very relevant to telemedicine services.

Guidelines for technological platforms enabling Telemedicine

Telemedicine Guidelines contain specific guidelines for those technology platforms which work across a network of RMPs and enable patients to consult with RMPs through them.

To put it simply, Telemedicine Guidelines contain specific guidelines for Ubers and Olas of telemedicine. Such platforms could be mobile apps or websites, which provide telemedicine services to consumers.

Specific guidelines in respect of technology platforms:

1. They shall be obligated to ensure that the consumers are consulting with RMPs and are legally compliant.

2. Only after conducting due diligence, they can list any RMP on their online portals.

3. They must provide the name, qualification, registration number and contact details of every listed RMP.

4. If some non-compliance is noted, they shall be required to report the same to BoG, in supersession of MCI, which may take appropriate action.

5. If the platform is based on Artificial Intelligence / Machine Learning, then, it is not allowed to counsel the patients or prescribe any medicines to a patient. Only RMPs are entitled to counsel or prescribe and they have to directly communicate with the patient in this regard. New technologies like Artificial Intelligence, Internet of Things, advanced data science-based decision support systems et cetera could assist and support an RMP on patient evaluation, diagnosis or management. However, the final prescription or counselling has to be directly delivered by the RMP.

6. Technology platforms must ensure that there is a proper mechanism in place to address any queries or grievances that the end-customer may have.

7. In case any specific technology platform is found in violation, BoG may designate the technology platform as blacklisted, and no RMP may then use that platform to provide telemedicine.

Personal Data Protection Bill 2019 and Telemedicine Guidelines – Some observations

Definitions in PDP Bill

Clause 3 of PDP Bill defines various words and phrases. It goes without saying that the definitions are contextual. Clause 3(21) of PDP Bill defines "health data" in an exhaustive cum inclusive manner.

Health data means:

i. The data related to the state of physical or mental health of the data principal.

Health data includes:

i. Records regarding the past, present or future state of the health of such data principal.

ii. Data collected in the course of registration for, or provision of health services.

iii. Data associating the data principal to the provision of specific health services.

Clause 3(36) of PDP Bill provides that "sensitive personal data" means such personal data which may reveal, be related to, or constitute, among other things, health data.

Financial data, official identifier, caste or tribe, religious or political belief or affiliation or any other data categorised as sensitive personal data under Clause 15 of PDP Bill are also sensitive personal data.

Sex life, sexual orientation, biometric data, genetic data, transgender status and intersex status, which are sensitive personal data, are directly relevant to health data.

It would not be out of place to mention that the definition of "biometric data" under Clause 3(7) of PDP Bill and the definition of "biometric information" under Section 2(g) of Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 ("Aadhaar Act") are not consistent.

In my view, ensuring consistency between these definitions, to the extent possible, could infuse certainty and precision in the operation of Aadhaar Act and PDP Bill, especially, adjudications under Aadhaar Act and PDP Bill.

It is commendable that the definition of "anonymisation" in Clause 3(2) of PDP Bill is subjected to meeting the standards of irreversibility specified by Data Protection Authority of India ("Authority"). However, the definitions of "de-identification" and "re-identification" in Clauses 3(16) and 3(34) respectively of PDP Bill are not subjected to meeting the standards of de-identification and re-identification specified by Authority.

In my view, ensuring regulatory supervision of de-identification and re-identification would make these processes more effective.

The additional safeguards or restrictions for the purposes of repeated, continuous or systematic collection of sensitive personal data for profiling of such personal data

Clause 15 of PDP Bill seeks to provide for categorisation of personal data as sensitive personal data and lists out criteria for such categorisation. Clause 15(2) of PDP Bill is worded as under:

"(2) The Authority may specify, by regulations, the additional safeguards or restrictions for the purposes of repeated, continuous or systematic collection of sensitive personal data for profiling of such personal data."

In my view, the word 'shall' ought to be used in Clause 15(2) of PDP Bill instead of the word 'may'. Usage of the word 'shall' could make Clause 15(2) of PDP Bill more robust, by subjecting to mandatory regulatory supervision the additional safeguards or restrictions for the purposes of repeated or systematic collection of sensitive personal data for profiling of such personal data.

Medical emergencies

Clause 11 of PDP Bill seeks to expound the various aspects of consent which are necessary for processing of personal data. In essence, it provides that consent is necessary for processing of personal data. Clause 12 of PDP Bill seeks to list out certain cases which provide for the processing of personal data without consent.

One such case is to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal or any other individual. Another such case is to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health.

Commendably Clause 33(2) of PDP Bill is to the effect that the critical personal data shall only be processed in India. However, Clause 34(2)(a) of PDP Bill is to the effect that any critical personal data may be transferred outside India to a person or entity engaged in the provision of health services or emergency services where such transfer is necessary for prompt action under Clause 12 of PDP Bill. Pertinently, Clause 34(3) of PDP Bill stipulates that any such transfer shall be notified to Authority within the prescribed period.

Conclusion

Undoubtedly Telemedicine Guidelines are a welcome step; not just because they have been issued at a time when we all are grappling with a pandemic, but also because on the other side of the pandemic, technology's role in our lives will be far greater than what it has been till now. At the same time, it is ironical that in the times to come, the word 'virus' would first remind us of a vaccine and then remind us of a software.

Arjun Natarajan is a Delhi-based advocate. The views expressed in this piece are personal.

[Full Disclosure: Arjun Natarajan has been advising and representing Telecom Regulatory Authority of India, since January 2018.

In his personal capacity, he submitted a memorandum containing his views/suggestions on PDP Bill to Joint Committee on PDP Bill, 2019]

The Leaflet
theleaflet.in