Introduction
In the 21st Century, digital technology has reshaped the healthcare system.[i] The need for remote medical consultation, e-prescription and remote monitoring has created a 45 billion USD market as of 2019.[ii] This phenomenon creates the need to address challenges around data governance and technological maturity among other legal concerns.
Digital Health includes a wide-range of aspects such as m-health, telemedicine and remote consultation. This article seeks to tackle the issue of telemedicine and the cross-border jurisdictional issues that arise in its legal framework pertaining to data privacy. The manner in which data is shared across borders is in flux not just because of barriers of inoperability but also due to concerns about protecting the privacy and security of the patients’ health data.[iii]
Telemedicine, according to the World Health Organisation, involves a healthcare delivery system, where distance is a critical factor, using IT and communication technology in the interest of the advancement of the individuals’ and communities’ health.[iv] Therefore, this setup would include an exchange between patient and his physician, often with the involvement of an intermediary – creating several legal considerations under various statutes across jurisdictions.
In India, there is no telemedicine-specific legislation as of 2020. The COVID-19 pandemic compelled the Ministry of Health and Family Welfare to roll out guidelines pertaining to telemedicine.[v] However, these are not legally enforceable and lack clarity while addressing data usage and patients’ privacy concerns. It should be noted that while there is an attempt to restrict a Registered Medical Practioner’s [“RMP”] liability in the event of a technological breach, it may not restrict a prosecution against the impugned RMP under specific statutes including the Consumer Protection Act, 1986 and the Indian Contract Act, 1872.
Cross-border Jurisdictional Issues in Telemedicine
The ability to transcend national and international borders is the factor that revolutionised digital healthcare and telemedicine in India. However, it also presented challenges in the legal arena.
By the wide access of digital healthcare, a number of jurisdictional issues arise, such as the cause of action of any dispute and its appropriate redressal mechanism become blurry. Before having a proper system of implementation, it is paramount to have a system in place that defines the jurisdiction of matters so far as disputes regarding telemedicine are concerned.
In determining the question of cross border jurisdiction, we must break down the issue into its fundamental components. These include the:
Applicable law, i.e. which system of law is applicable to the digital health contract under consideration?
International jurisdiction, i.e. whose courts and/or tribunals should decide the case between the parties?
The territorial scope of relevant applicable or mandatory law, i.e. how the courts and tribunals decide what statutory rights the parties have.
The necessary and proper parties in the suit.
Generally, parties have the freedom to choose both the jurisdiction as well as the applicable law. However, where parties have failed to exercise their freedom to choose or are prevented from doing so, it should be noted that there are no provisions under the Information Technology (Reasonable security practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 [“2011 Rules”] determining jurisdiction and applicable law to ensure such consistency. This becomes a pertinent issue in digital health because often the service provider, the intermediary and the end user are located in different jurisdictions altogether.
The problem in digital health becomes multi-faceted with the presence of multiple intermediaries and service providers. In case of wearables that track health related information such as calorie count or heart rate, the general practice is to enforce standardised contracts wherein the end user is given a blanket option of ‘Agreeing to Terms and Conditions’ or ‘Disagreeing’ to the same. However, this in itself becomes problematic on two accounts.
Firstly, it doesn’t allow the end user to have any freedom of reservation to any part of the contract be it the sharing of the users private information or secondly, deciding where the matter will be filed in case of a dispute.
The question of jurisdiction eclipses on the competency of a court to hear a matter as well. The majority of cases in telemedicine belong to consumer disputes. Thus, it follows that telemedicine contracts be consumer focused rather than create a protective barrier around organizations and service providers from any kind of legal spill over.
Emerging economies like ours rely on a combination of telecommunication laws, consumer protection statutes and the constitutionally protected right to privacy, in the absence of a specific privacy protection statute. As there is an escalation in the usage of online platforms in the delivery of government welfare schemes and benefits, there is a critical need for the legal infrastructure to be ramped up simultaneously.
Data Privacy and the Digital Health Ecosystem
Data privacy becomes relevant for two primary reasons. First, in the abeyance of a legislature protecting information of the users, the only thread holding back corporations from releasing personal data of users becomes the moral obligation placed on them to not do so. Second, the healthcare information comprises sensitive information of an individual that should not be given in the hands of any party not desired by the individual.
The WHO has carved a path for the future of global digital health[vi] but the legal ramifications of data privacy of patients in India is yet to be comprehensively addressed.
The Apex court of India in its landmark judgment recognised that informational privacy falls within the ambit of Right to Privacy.[vii] However, a comprehensive legislature covering the aspects of digital health and telemedicine still remains a rung of the ladder our nation is yet to climb on the path to safe and protected use of telemedicine.
Since telemedicine allows the free flow of information across national and international borders, the regulation and protection of this information becomes a challenge to say the least. The data privacy laws and regulations across jurisdictions create further turbulence in the protection of sensitive data.
Often, a particular piece of information regarded as sensitive information in one country may not be given the same status in another jurisdiction which may lead to misuse of data. An example of this is the disparity that lies in the treatment of browser cookies as personal data. In Argentina, the Argentina Personal Data Protection Act recognizes browser cookies as personal data[viii] whereas the 2011 Rules of India do not consider it to be a part of sensitive personal data.
This illustrates that India needs a legislation to protect personal data within domestic borders as well as rules governing data policy while dealing with international players.
Key International Players vis-à-vis India
It must be noted that regulators in most jurisdictions are still working on addressing eHealth services from a legal standpoint.[ix]
Taking into consideration the example of United States of America, states such as District of Columbia have introduced telemedicine specific-legislations.[x] Insofar as data privacy and patient confidentiality is concerned, the Health Insurance Portability and Accountability Act [“HIPAA”] provides guidelines for digital data usage. Further amendments to that Act[xi] have helped ensure that subcontractors with access to the health data are in compliance with the applicable statute, hence providing substantial protection to the data regardless of where it may be transferred. The providers must also use ‘fully encrypted transmission and secure connections.’ However, the pandemic has resulted in the shrugging off of these requisites, as the Trump administration waived the restrictions and declared, “Medicare patients can now visit any doctor by phone or videoconference at no additional cost, including with commonly used services like FaceTime and Skype”.[xii]
The EU’s General Data Protection Regulation [“GDPR”] adopts a framework wherein the individual is placed at the centre of the law and is considered to be one of the most stringent data protection laws.[xiii] The EU is not new to the discourse on telemedicine having published reports in the past with recommendations, which include holding doctors legally accountable for updating health records, ensuring the interoperability of impugned records, etc.[xiv]
Therefore, in this framework, wherein the active enforcement of HIPAA and GDPR is upon us, it is incumbent on policymakers to provide for intricate policies and systems that ensure the protection of the patients’ confidential health information. It is also essential to ensure that these policies address appropriately the concerns that may crop up with the provision of healthcare services to international patients.
Rule 3 of the 2011 Rules defines sensitive personal data or information of a person to mean such personal information which consists of information relating to “(i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information.” [xv]
These data segments, individually or combined, hold a great value in modern society. The unwarranted accumulation of this data in the hands of private players is not only the violation of an individual’s privacy but also leads to criminal acts such as discrimination against the individual, identity theft and financial frauds to name a few.
For instance, in the Personal Data Protection Bill, 2019 [“PDP Bill”] , SPD has been broadly defined by the use of terms such as ‘physical, physiological and mental health condition’ which may include a wide array of information.[xvi] The scope of SPD under the PDP Bill is broader compared to the “special categories of data” in GDPR. In short, the lack of a strict definition implies that entities operating in India will face higher standards of data protection to extended data sets in comparison to the GDPR thereby creating a compliance friction.
It now becomes critical to fully comprehend and examine the foreign privacy legislations that may apply to international patients (For instance, residents of country X seeking medical advice from medical practitioners of Country Y) so as to set up appropriate protocols, especially when other jurisdictions have a more stringent threshold when it comes to protecting health-related information. Further, it is pertinent to ensure that the said policy addresses any potential issue while dealing with an international player.
Despite legal and regulatory concerns, the field of telemedicine promises a future based on the patient, and presents us with the possibility of an “evolutionary leap in healthcare.”[xvii] In order to do so, the policy formulation has to focus on aspects of interoperability that necessitates the protection of privacy as it connects patient, doctor and operator as well as an international framework of collaboration to harness the potential of upcoming health technologies while achieving an equilibrium with privacy and safety concerns.
The Way Forward
In order to foster cooperation and collaboration in the arena of privacy protection, it is suggested that – first, the digital health ecosystem be capable of sharing health data with the infrastructure of other nations wherein functional and regulatory specifications and standards are established on the back of a legal framework that guarantees data protection.[xviii] Second, the health data itself be classified as sensitive information mandating the highest security standard.[xix] Such standard must be based on a common set of procedural requirements approved by the international community, for instance formulating UN working committees on the issue.
The vision of the international community shall be to pander to a global strategy that makes universal health care a reality using digital health technologies while respecting the individuals’ rights.[xx] This is essential in order to combat pandemic outbreaks such as the present one and prevent future outbreaks as well.
Conclusion
Permitting the free flow of data is pivotal for medical research, public health preparedness as the current pandemic has proved. Therefore, there is a need to come up with a uniform mechanism to overcome barriers to data exchange, particularly with reference to privacy concerns through an international framework. It must be noted that the crux of health data exchange is trust – be it between the patient and the doctor, or between nations.
[i] COVID-19 and digital health: What can digital health offer for COVID-19?, World Health Organization, Available at: https://www.who.int/china/news/feature-stories/detail/covid-19-and-digital-health-what-can-digital-health-offer-for-covid-19.
[ii] Matej Mikulic, Telemedicine market size worldwide 2019 v. 2026 Statista (2020), Available at: https://www.statista.com/statistics/671374/global-telemedicine-market-size/
[iii] The Global Information Technology Report 2012, World Economic Forum, Available at: http://www3.weforum.org/docs/Global_IT_Report_2012.pdf
[iv] Telehealth, Global Health Observatory data, World Health Organization, Available at: https://www.who.int/gho/goe/telehealth/en/.
[v] Telemedicine Practice Guidelines, 2020 – Appendix 5, Indian Medical Council (Professional Conduct, Etiquette and Ethics Regulation, 2002, Ministry of Health and Family Welfare. Available at: https://www.mohfw.gov.in/pdf/Telemedicine.pdf
[vi] Draft Global Strategy on Digital Health 2020-2024, World Health Organisation.
[vii] Justice K.S. Puttaswamy (Retd.) & Anr v Union of India & Ors, (2017) 10 SCC 1.
[viii] Section 2 , Argentina Personal Data Protection Act (2000).
[ix] Mars Maurice, Scott Richard, Global E-Health Policy: A Work In Progress (2010), Health Affairs (Project Hope).
[x] “.C. Mun. Regs. Tit. 17, § 4618” D.C. Mun. Regs. tit. 17 § 4618.
[xi] Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; other modifications to the HIPAA rules. (2013). Federal register, 78(17), 5565–5702.
[xii] Lev Facher et al., Trump administration loosens telehealth regulations to combat coronavirus STAT (2020), Available at: https://www.statnews.com/2020/03/17/trump-telehealth-restrictions/
[xiii] Alexander Fortenko et al., Reimagining Health Data Exchange: An Application Programming Interface–Enabled Roadmap for India, Journal of Medical Internet Research, Available at: https://www.jmir.org/2018/7/e10725/#The-Law.
[xiv] Directive 2011/24/EU of The European Parliament.
[xv] Rule 3, Information Technology (Reasonable Security Practices and Procedures And Sensitive Personal Data Or Information) Rules, 2011.
[xvi] Clause 3 (36), PDP Bill.
[xvii] Jen Maki, Ph.D., Susan Manning, Ph.D., Digital Health 2020 – A practical cross-border insight into digital health law, International Comparative Legal Guides, Available at: https://www.jdsupra.com/legalnews/digital-health-2020-a-practical-cross-13950
[xviii] Draft Global Strategy on Digital Health 2020-2024, World Health Organisation. Available at: https://www.who.int/docs/default-source/documents/gs4dhdaa2a9f352b0445bafbc79ca799dce4d.pdf?sfvrsn=f112ede5_38.
[xix] Supra note xviii.
[xx] Supra note xviii.
By Neha Subodh Sharma and Aaryan Agarwal, 2nd year students of National Law University Jodhpur. This blog is part of the RSRR Blog Series on Digital Healthcare in India, in collaboration with Nishith Desai Associates.