by Ritika Sharma, University Institute of Legal Studies, Panjab University
Medical privacy is one of the essential rights for every patient. The ethics of the medical professionals also upheld this right. There are several statutes which make provisions to ensure the privacy rights of the patients in US and UK and Indians have a great hope in the proposal named DISHA which take into consideration the privacy concerns of the patients. However, COVID-19 pandemic has surged the apprehensions around privacy. The purpose of this blog is to examine such issues in India, US and UK.
Technological advancements have paved the way for threats to the Right to Privacy of every person and it has become more visible in case of the privacy of patients. In the landmark case of Mr. X v. Hospital Z, a person was diagnosed with HIV AIDS at a hospital and the hospital informed his family about the disease. Consequently, his marriage was cancelled and he was ostracized. The Court, in this case, examined the Right to Privacy of Patients and although this particular case was treated as an exception to this medical privacy, the Court made an important observation which says, “Doctor-patient relationship, though basically commercial, is, professionally, a matter of confidence and, therefore, doctors are morally and ethically bound to maintain confidentiality. In such a situation, public disclosure of even true private facts may amount to an invasion of the Right of Privacy which may sometimes lead to the clash of one person’s “right to be let alone” with another person’s right to be informed. Disclosure of even true private facts has the tendency to disturb a person’s tranquility. It may generate many complexes in him and may even lead to psychological problems”. Right to Privacy of patients is integral to their lives and the leak of vital information may disrupt their state of mind. However, as it was held in Mr. X v. Hospital Z, this right cannot be absolute. The outbreak of pandemic has invigorated the discussion on medical privacy giving rise to several questions such as what are the laws which assure medical privacy. What are the exceptions which reflect that this right is not absolute? What are the specific duties of medical professionals and organisations towards protecting children’s privacy?
In the United States, the law that regulates the disclosure of patients’ records is the Health Insurance Portability and Accountability Act, 1996 [HIPPA]. Similarly, in UK, the Data Protection Act, 2018, aims at maintaining confidentiality. However, the codification of this right in India is still in its infancy.
Right to Privacy of Patients in India
The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 imposes a duty on physicians to keep the personal and domestic lives of the patients confidential. Furthermore, the Medical Treatment of Pregnancy Act, 1971, protects the privacy of a pregnant woman who wants to terminate her pregnancy. Her medical records are to be destroyed within 5 years of the termination of her pregnancy.
However, there is no effective legislation that guarantees patients’ privacy in general but there are some recent proposals that highlight the concerns and the need to build a robust privacy law that can ensure medical privacy. The Personal Data Protection Bill, 2019, [PDPB] provides a comprehensive framework that includes several domains, health being one of them. The specific legislation in the area of medical privacy is the Digital Information Security in Healthcare Act [DISHA]. It is the most significant legislative proposal which contains provisions that mandate taking the consent of the individuals before using or transferring their information.
In addition to the disclosure of medical records to third parties which infringe the privacy rights of the patients, “identity thefts” also occur in which the patients’ information is hacked from the computer systems of healthcare organisations. This information could be bank and card details which lead to cybercrimes. Thus, complete protection of the information stored in healthcare organizations is essential.
The ongoing pandemic has raised serious concerns with respect to patient’s privacy. Whenever a person is tested COVID positive, a Government application Arogya Setu informs the people who have come in close proximity of the infected person. While speaking on the effective way of contact tracing, K. Vijayraghavan, Principal Scientific Advisor to the Government said, “The app will have all this information (age, gender, history of diseases, recent international travel) on the phone and when its Bluetooth, GPS are on. If you come close to a variety of people that information is not used until someone turns positive amongst your proximal contacts, and then you are told that a few days ago you were close to a person who became positive and you need to do certain things – look after yourself, isolate, need to get tested or be careful depending on the nature of the contact. Your phone number and contact details are known to no one, nor are the details of those who turn positive known to you. There is high security, high privacy, yet there is a high level of ability to trace and deal with the disease”. The guidelines of Arogya Setu ensures that the gathered information is uploaded to the server in two cases, first, when the person is COVID positive and second, when they have “self-declared symptoms”. In January 2021, the Karnataka High Court highlighted the importance of medical privacy by passing an interim order restricting the National Informatics Centre and the Government of India from sharing medical information of the people without their “informed consent”.
Right to Privacy of patients in the US
HIPPA has been enacted in the US with the objective of promoting “the efficiency and effectiveness of the healthcare system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information”. Some of the key characteristics of HIPPA include – (i) it protects against “reasonable anticipated threats or hazards to the security of information”; (ii) it guarantees the confidentiality of all electronic information of the patients; (iii) it provides protection against “reasonably anticipated use of disclosure” of the information which is not allowed as per the law.
Government surveillance in the pandemic era has raised a debate between security versus privacy everywhere and the States is no exception. “Exposure Notification” is a technology that has been developed with the object of aiding in contact tracing. The interesting feature of this technology is that the medical information of a COVID positive person remains in the phone of the recipient only for 14 days and then it disappears. Secondly, it cannot be shared.  Regardless of these assurances, Americans are not willing to share their health information and want to maintain their privacy rights above all.
Right to Privacy of Patients in the UK
In the UK, the Data Protection Act, 2018 (also called EU GDPR) is the principal instrument that ensures the privacy rights of the people. Information is gathered and processed after taking consent and the consent should be free, specific, informed, unambiguous and withdrawable. However, some laws cast duties on the medical professionals to disclose patients’ information to the respective department or officer. First is the Abortion Regulations, 1991, in which the details of a patient who is terminating her pregnancy is to be reported to the Chief Medical Officer. Similarly, Health Protection (Notification) Regulations, 2010; Reporting of Injuries, Diseases and Dangerous Occurrences Regulations, 2013, and Female Genital Mutilation Act, 2013, require disclosure of information of the patients whose health conditions fall in the categories mentioned under these Acts.
A new guidance was issued in the year 2020 which empowered NHS to scrutinise confidential health information of the COVID positive patients subject to the condition that it will be used only for “COVID-19 purpose”. A “Covid-19 Purpose” includes but is not limited to understanding Covid-19; identifying and understanding information about patients or potential patients with, or at risk of, Covid-19; locating, contacting, screening and monitoring such patients; and delivering services to patients, clinicians, the health service and adult social care services workforce and the public in connection with Covid-19.
Children’s right to medical privacy
Minors when suffering from certain ailments, their information is shared by their parents with third parties or on social media without their consent. Although, sometimes sharing information is done in order to look for advice for the better treatment of children, this may hamper their future interests. In India, Chapter IV of PDPB protects the privacy of children by introducing the concept of “data fiduciary”. According to Section 3(13) of the Bill, “data fiduciary means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data”. This could imply that there is a “fiduciary obligation” on the parents to not disclose the details related to their child’s medical records to third parties. However, as the Act has not been enacted, its precise stance is still unknown.
Another question arises concerning the duty of health professionals towards their minor patients and whether they are obliged to disclose medical reports to their parents. According to HIPPA, the medical records can be accessed by the parents subject to three exceptions – (i) When the minor is the one who consents to care and the consent of the parent is not required under State or other applicable law; (ii) When the minor obtains care at the direction of a court or a person appointed by the court; and (iii) When, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship. The UK’s “General Medical Council” recognises the obligations of healthcare professionals’ towards their patients including children. But, in India, there is no such express duty or provision of preserving the Right to Privacy in case the patient is a child. Section 74 of the Juvenile Justice (Care and Protection) of Children Act, 2015, prohibits the disclosure of personal information (such as name, address or school) of the children who are in “conflict with the law” or who are child victims. But the primary objective of this provision is not to uphold the privacy rights of a child but to protect them from facing discrimination in society.
Unlike the US and UK, India has been enforcing privacy rights through judicial pronouncements only. The increase of electronic records of medical reports has acted as an impediment in protecting the privacy rights of patients.
As India hasn’t paid the required attention to the issues of medical privacy which is quite apparent from the lack of any effective law to protect the same, it is high time that essential steps are taken in this area which should include constructive implementation of the existing rules and regulations. Also, no legislation would become successful in the absence of consistent inspection by the healthcare organisations to prevent “insider data breaches” therefore; it demands collaborative efforts of the Government, healthcare professionals and healthcare departments.
Disclaimer – All views and opinions expressed in this article are personal and belong solely to the author(s) and do not necessarily represent those of the LAABh Foundation or the individuals and institutions associated with LAABh Foundation.
 (1998) 8 SCC 296.
 (1998) 8 SCC 296.
 COVIDGYAN https://covid-gyan.in/content/excerpts-speech-dr-k-vijayraghavan-principal-scientific-adviser-arogya-setu (Last visited August 4, 2021).
 THE NATIONAL LAW REVIEW https://www.natlawreview.com/article/privacy-vs-security-post-pandemic-world (Last visited August 17, 2021)
 NHS DIGITAL, https://digital.nhs.uk/services/national-data-opt-out/understanding-the-national-data-opt-out/protecting-patient-data (Last visited August 4, 2021).
 ELIZABETH PARKIN AND PHILIP LOFT, PATIENTS HEALTH RECORDS: ACCESS, SHARING AND CONFIDENTIALITY 10 (House of Commons Library 2020).
 HHS GOV, https://www.hhs.gov/hipaa/for-professionals/faq/227/can-i-access-medical-record-if-i-have-power-of-attorney/index.html (Last visited August 3, 2021)