Diagnostics and Patient Data Privacy


2020 has been the most unfavourable year for several industries. One of the critical debates of this year has also been around privacy. What are the measures adopted by the diagnostic industry in India to protect patient data? A HE report.

What is the significance of patient data privacy during COVID time? "Patient data privacy is always critical compliance for the healthcare industry. While COVID-19 is a notifiable disease, patient information has now an even larger significance as misuse or wrong information directly impacts an individual and his/her family and society at large. Also, as social media could spread information, wrong or right, very fast to a large population, we have observed panic situations, social stigma during this pandemic. Further, the treatment protocols for COVID are also based upon the patient's clinical conditions, and many patients may not require any active treatment or hospitalisation. Therefore data privacy needs to be maintained to avoid unnecessary chaotic situations and increase the burden of the healthcare system at large," says Vijender Singh, Chief Executive Officer at Metropolis Healthcare Ltd.

Measures to protect Privacy

What sort of measures does Metropolis take to protect patient data? "The patient data and test reports are under strict access control mechanisms. Also, the diagnostic reports are created on password-protected PDF files that are sent to email IDs provided by patients during the registration process. Metropolis also uses QR codes on diagnostic reports for maintaining the authenticity of the reports," he explains.

Digitisation is the buzzword now. Aren't there pitfalls for the digitisation of health data? "Maintaining security and protecting data from unauthorised access has been a big challenge and could create a huge adverse impact if leaked. Also, from the perspective of the end patients, ease of use and spreading awareness of proper usage to millions of households in India is an enormous challenge. Another major challenge is, securely sharing electronic health records with clinicians and hospitals as per need," he explains.

Benefits of Digitisation

So, are electronic health records necessary? "Electronic health records are increasingly becoming a necessity. The digital health records become an easy way to carry all health records by the individuals. It reduces the worry of missing out any old records that might be required for effective assessment while consulting a doctor or when admitted to a clinic and may significantly reduce time to actual treatment. Also, it becomes convenient to access healthcare anywhere in the world, especially for people on frequent overseas travel. Carrying physical health records have high chances of missing, wear-and-tear of records which eventually may result in additional expenses for redoing certain tests again, and could cause a delay in the treatment. A structured manner of maintaining the electronic health records shall ensure an effective diagnosis based on the patient's health history and lead to quality treatment for the patients. It leads to a possibility of maintaining a National Health Database of Citizens, which may be very useful for hospitals during any emergency health support needs for any individual citizen," he explains.

A patient's personal information, contact details and demographics are a necessary piece of information while treating or testing a patient. These combined with the disease and health markers make for an essential personal data set. The relationship between a patient and a diagnostic centre is a confidential, trust-based relationship, and hence this information must be kept safe and secure.

Suburban and Unique ID

Suburban Diagnostics has devised a 'Patient ID' for each patient, which the patient can retrieve using his/her mobile number or email address. This Patient ID works as a unique identifier for each patient, and all his/her medical records and reports are attached to it. These can be accessed only through an OTP sent by the system to the patient's registered mobile number.

"Suburban Diagnostics ensures patient data safety through secure, encrypted on-premise data servers where the patient information and laboratory information systems operate. The data is also made secure through back-up on secure cloud data-servers. All key systems are deployed at a Tier-4 data centre with all necessary security precautions to ensure that access to database servers is protected. Providers should use secure platforms for storage of data, whether it is on-premise server or cloud. For the cloud, password-protected, reputed cloud servers should be taken. An important element to note is that data should never be downloadable in excels, or other formats, where patient data can be circulated. Laboratory or Hospital Information Systems (LIS/HIS) should have multi-factor authentication, so no password sharing is possible between employees. Data privacy or data sharing framework needs to be designed and laid down by the government to ensure that there is a policy framework available for labs to adhere to and that it is not left to interpretation," says Pankaj Dutta, Head, IT Systems, Suburban Diagnostics.

COVID push to digitisation

He also adds that COVID has necessitated the adoption of digital in delivering health care services. "Record keeping and process management have all moved to digital. Hence, there is even more need for adopting secure, reputed platforms for data storage and transfer. Labs testing for COVID-19 are required to share the patient information with the state government/health departments. Data sharing has been an important element for the government to assess and manage the current pandemic effectively. At Suburban, we were agile at the beginning of the pandemic in creating an online network of systems for retail and BMC to capture data digitally that integrated with our key systems. Customer's COVID-19 data stays protected even within the organisation as authorised access is given to only the staff that is dedicated to COVID-19 testing and reporting," he concludes.

Privacy = Fundamental Tenet of Diagnostic Sector?

Anand K, CEO of SRL Diagnostics, has a different take on the issue. "A patient reveals his/her most personal, private information to their healthcare provider, and therefore there's an unsaid establishment of a trust that the patient seeks to keep their information in confidence. Protecting the privacy of patients and maintaining the confidentiality of their data has been paramount in the diagnostics sector and a fundamental tenet of our business. 70 per cent of a patient's medical record consists of laboratory data. So, data security becomes a significant focus area for us, especially when most of the health records today are digitally stored and maintained," he explains.

Information Security Measures at SRL

At SRL, security is one of the critical cultural aspects, and they regularly train and update their employees on new technologies and security aspects. "We are ISO-27001:2020 certified, which is the leading ISO standard in information security and indicates we have strict policies and procedures in place to ensure data protection. There are regular vulnerability assessments to ensure our updates and systems are in place. Through our app and website, we make patients' records available and accessible to the patients. At any given time, they can access their reports through a secured login, which are password protected with a higher degree of complexity to secure patient data and information. From the time a patient books their appointment till they finally receive the report, the entire process uses encryption technology to secure the patient data. The entire chain is connected through a seamless digital experience – across all stages pre-analytical, analytical and post-analytical. Information security is a continuous process, and to ensure complete protection for our patients, we keep adopting new technology as we move forward," he explains.

But What about the rest of the players of the Unorganised Diagnostic Sector?

Dr. Shankar Narang, COO, Paras Healthcare, points out that there are more than 1,00,000 diagnostic centres across India, out of which 70 per cent cater to pathology services, and 30 per cent cater to radiology and imaging services.

"Even though a few renowned players are grasping a significant part of the market share, a considerable part of this industry remains unorganised and fragmented. Interestingly, around 70 per cent of clinical decisions are taken based on a diagnostic report, and all it requires to open a medical laboratory is to register under a simple shop and commercial establishment act. Reliable and timely diagnosis is crucial for correct treatment as well as to lower the overall healthcare cost. But despite being a crucial part of the delivery process, diagnostic centres suffer from a lack of established guidelines that set minimum standards for technology, quality, infrastructure, and qualification of staff to set up and run the lab. With limited entry barriers, there has been a significant rise in the number of small laboratories with varying practices and standards. Therefore, it is the need of the hour to update and upgrade the regulations that would ensure quality, standardisation and reliability," concludes Narang.