How compliant is your Healthcare Organization with Electronic Health Records (EHR) Standard in India?

It is a Sunday morning, you are sipping the medicinal coffee your physician ordered, and then you receive a call. It is a telemarketing executive from a life sciences company, calling about his company's latest drug, which is the best fit for you according to your genome. You are shocked, and disturbingly irritated about the privacy of your health details, which were so blatantly shared with another vendor by your healthcare provider (a hospital, in common terminology). Or even worse, maybe hacked into!

Bill Clinton rightly said, "As more of our medical records are stored electronically, the threats to our security and privacy increase".

In a world dominated by superbug bacteria and genome-based personalized medicine, it is high time India stood up to the challenge of how it takes care of its citizens' health records. In August 2013, India made history when the Ministry of Health & Family Welfare, Government of India (MoH&FW) approved the Healthcare IT and Electronic Health Records (EHR) standards for India, becoming one of the few countries in the world with approved EHR standards. But making a standard is not enough. In March 2015, MoH&FW showed its intent to enforce this standard through a regulatory body for digital healthcare delivery in India, the National eHealth Authority (NeHA), vesting it with powers to ensure adoption of the approved EHR standards by healthcare organizations.

Let us face it: the days of healthcare being purely a social cause are over, and it is a thriving business in India. But when India boasts of being a world healthcare tourism destination, how strong are we at guarding the information of our patients? How patient-centric is the data you collect, from an IT perspective? As a business, the healthcare industry has a responsibility towards its customers (read - patients) to safeguard their private information. But are we prepared, on a global scale, for such a big responsibility when our own healthcare system still runs on pen and paper?

Pulkit and Shelly discuss security issues such as authentication, availability, confidentiality, integrity, access control, data ownership, data protection policies, user profiles and the standard model that need to be taken into consideration for EHR. Although controlling access to health information is important, it is not sufficient to protect confidentiality. Additional measures, such as strong privacy and security policy enforcement, are essential to secure patients' information. An area of utmost importance as far as EHR is concerned is the concept of shareable records, which in turn requires interoperable standards and unique record identification. As per the EHR standards (released in August 2013 and further revised by February 2016, made public by the Ministry of Health & Family Welfare, Government of India), "for creation of a true electronic health record of an individual, it is imperative that all clinical records created by the various care providers that a person visits during his/her lifetime be stored in a central clinical data repository or at least be shareable through the use of inter-operable standards. Adequate safeguards to ensure data privacy and security must strictly be adhered to at all times."

With the concept of interoperable and shareable records comes the issue of privacy. In the Indian healthcare system, patients visit several health providers throughout their lifespan: a sub-centre, community centre or primary health centre in rural settings, a general practitioner in the local vicinity, or a government or private hospital or clinic at the district, city, state or central level. Health records are generated with every clinical encounter during these ambulatory, inpatient or emergency visits.

The Centre for Internet and Society writes in one of its blog posts that there exists no universally accepted definition of the right to privacy. It is a continuously evolving concept whose nature and extent are largely context driven.

India's EHR standard states that the following approaches be adopted wherever applicable:

  • Privacy refers to authorization by the owner of the data (the patient)
  • Security has as components both public and private key encryption; the encryption used in transit and at rest must use different methodologies.
  • Trust is accepted whenever a trusted third party confirms identity

A patient's information should be released to others only with the patient's permission or where allowed by law. When a patient is unable to give permission because of age or mental incapacity, decisions about information sharing should be made by the patient's legal representative or legal guardian. However, exceptions arise in the following cases:

  • During referral
  • When demanded by the court or by the police on a written requisition
  • When demanded by insurance companies as provided by the Insurance Act when the patient has relinquished his rights on taking the insurance
  • When required for specific provisions of workmen's compensation cases
  • Consumer protection cases
  • For income tax authorities
  • Disease registration
  • Communicable disease investigations
  • Vaccination studies
  • Drug adverse event reporting

Violations in the present healthcare sector that stem from non-compliant policy formulation as well as implementation gaps include:

  • Disclosure of personal health information to third parties without consent
  • Inadequate notification to a patient of a data breach
  • Unlimited or unnecessary collection of personal health data
  • Collection of personal health data that is not accurate or relevant
  • Failure to specify the purpose for which data is collected
  • Refusal to provide medical records upon request by the client
  • Provision of personal health data for public health, research and commercial uses without de-identification of the data
  • Improper standards for security, storage and disposal

The standard also speaks of availability and integrity: "Patients must have the privilege to verify the accuracy of their health data and gain access whenever they wish to do so."

EHRs can bring a patient's complete health information together to support better clinical decisions and more coordinated care among the various care providers. These standards specify the use of the National UID or AADHAR number as the primary or secondary Unique Health Identifier (UHID) for a patient. The AADHAR number will serve as the unique patient identifier for all healthcare organizations across the nation. Any other ID may be used to identify the patient within the organization and as a reference in its EHR system. Besides the inclusion of the National UID or AADHAR number, the EHR standards also define the Healthcare IT (HCIT) standards applicable for India. So, going forward, the AADHAR number will act as the unique identifier for the EHR of an Indian citizen, which will be a longitudinal health record spanning the citizen's lifetime, with several clinical encounters in different care settings.
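The violations listed above include releasing personal health data for research or commercial use without de-identification, and the UHID described here is exactly the kind of identifier that must not leave the organization in such a release. The following is an added example, not code from the EHR Standard or from any product, showing one defensible way to de-identify flat ePHI records before export: direct identifiers are dropped, the UHID is replaced with a keyed pseudonym (HMAC-SHA256) so that one patient's encounters still link together without exposing the ID, quasi-identifiers such as date of birth and PIN code are generalized, free text is scrubbed for anything that looks like a raw UHID, and a release check refuses to export any record that still carries an identifier. The field names, the 12-digit ID format, the sample records and the secret are all constructed for this example.

```python
"""De-identify ePHI records before release for research or commercial use.

Added example, not from the EHR Standard or any product. Assumptions:
  - records are flat dicts; the field names are constructed for this example
  - the UHID is a 12-digit national ID; it is replaced by a keyed pseudonym so
    that encounters of one patient still link without exposing the ID itself
"""
import hashlib
import hmac
import re

# Fields that identify a person directly; they are dropped entirely.
DIRECT_IDENTIFIERS = {"name", "phone", "email", "address"}
# Any run of exactly 12 digits in free text is treated as a possible UHID.
UHID_PATTERN = re.compile(r"\b\d{12}\b")

# Constructed sample records: fictional patients, fictional IDs.
SAMPLE_RECORDS = [
    {"uhid": "123412341234", "name": "A. Patient", "phone": "+91-9800000000",
     "dob": "1984-07-19", "pincode": "560034", "diagnosis": "Type 2 diabetes",
     "notes": "Referred from PHC; UHID 123412341234 confirmed at admission."},
    {"uhid": "123412341234", "name": "A. Patient", "phone": "+91-9800000000",
     "dob": "1984-07-19", "pincode": "560034", "diagnosis": "Hypertension",
     "notes": "Follow-up visit, BP controlled."},
    {"uhid": "998877665544", "name": "B. Patient", "phone": "+91-9811111111",
     "dob": "1990-01-02", "pincode": "110001", "diagnosis": "Asthma",
     "notes": "No referral."},
]


def pseudonymize_uhid(uhid: str, secret: bytes) -> str:
    """HMAC-SHA256 of the UHID under a secret held outside the dataset.

    Without the secret the pseudonym cannot be reversed or recomputed from a
    guessed ID; with the same secret, the same patient always maps to the same
    pseudonym, so the patient's encounters remain linkable for research.
    """
    return hmac.new(secret, uhid.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def generalize_dob(dob: str) -> str:
    """Keep only the birth year; a full date of birth is a quasi-identifier."""
    return dob[:4]


def generalize_pincode(pincode: str) -> str:
    """Keep the first three digits (the broad postal region) only."""
    return pincode[:3] + "XXX"


def scrub_free_text(text: str) -> str:
    """Mask anything that looks like a raw UHID inside clinical notes."""
    return UHID_PATTERN.sub("[UHID-REDACTED]", text)


def deidentify(record: dict, secret: bytes) -> dict:
    """Return a copy of the record that is safe to release."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "uhid":
            out["pseudonym"] = pseudonymize_uhid(value, secret)
        elif key == "dob":
            out["birth_year"] = generalize_dob(value)
        elif key == "pincode":
            out["pincode"] = generalize_pincode(value)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


def release_check(record: dict) -> bool:
    """Gate before export: no direct identifiers and no raw UHID anywhere."""
    if DIRECT_IDENTIFIERS & record.keys() or "uhid" in record:
        return False
    return not any(isinstance(v, str) and UHID_PATTERN.search(v)
                   for v in record.values())


def deidentify_dataset(records: list, secret: bytes) -> list:
    """De-identify every record and refuse to release if any still leaks."""
    out = [deidentify(r, secret) for r in records]
    leaking = [r for r in out if not release_check(r)]
    if leaking:
        raise ValueError("refusing release: %d record(s) still identifiable" % len(leaking))
    return out


if __name__ == "__main__":
    # In practice the secret comes from a key manager, never from the dataset.
    for r in deidentify_dataset(SAMPLE_RECORDS, b"example-secret-do-not-use"):
        print(r)
```

The pseudonym is keyed rather than a plain hash because a 12-digit ID space is small enough to enumerate: an unkeyed SHA-256 of every possible ID would let a recipient recover the UHID behind each pseudonym. Keeping the secret with the data owner, and rotating it per release where linkage across releases is not needed, is what makes the pseudonym non-reversible for the recipient.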

Individually identifiable health information is information, including demographic information, that relates to:

  • The individual’s past, present, or future physical or mental health or condition,
  • The provision of health care to the individual, or
  • The past, present, or future payment for the provision of health care to the individual.

The EHR standards of India emphasize the patient as the authorized owner of his health data. This data, termed ePHI in the EHR Standard, is classified as:

  • Data at Rest
  • Data in Transit

The standards aim to develop a system that would allow one to create, store, transmit or receive electronically the 'Electronic Protected Health Information (ePHI)' of a patient, using reliable media for data storage and transfer.

The Indian EHR standard also requires that such information be disclosed only after obtaining the patient's consent.

Finally, the standard also speaks strongly about the duties of the healthcare provider towards ePHI, including its role as custodian of such data and the limits on changing, appending or modifying it. The EHR standard brings in Technical, Administrative and Physical Safeguards and also lays down guidelines for hardware, network and connectivity, and software standards. The revised standard also makes special mention of mobile apps' conformance to the m-governance guidelines of DeitY, Ministry of Communication & Information Technology, for design and usability.

Having worked in the Middle East market, I feel it is only a matter of time before India is under attack from cyber threats from all over the world (if not already). And whether it is a small-time healthcare provider or a big multinational player, the question to be asked is not "if you will be compromised", but "when". Information is no longer just a by-product of operations but rather an asset big enough to be quantified in financial statements. When major businesses all over the world are hedging with the likes of financial cyber-insurance, we cannot hold on to a simple anti-virus and firewall and hope everything is fine in our backyard. We are the IT powerhouse to the world, and if we cannot secure an asset so important to a billion-plus population of the world, what good are we on the stage of world health informatics?

Small but definite steps are being taken towards the standardization of EHR. Take, for example, the ORS program of the Ministry of Communications and IT, Government of India. We will not win a war with this alone, but we definitely cannot win one without it.

Find out whether your organization is compliant with the EHR standard laid out by the Govt. of India. Let us help you understand where you stand and which gaps need to be plugged, and help you and your patients breathe easy when it comes to information security.

More articles by Ajay M.