Lack of strong privacy law in healthcare a big worry

What’s in a name, the Bard famously asked over 400 years ago. If you ask the stream of those calling themselves Einsteins and Aishwarya Rais while visiting the Humsafar Trust’s drop-in centre in Mumbai, the answer could well be ‘everything.’

“We don’t really care what people call themselves. This is meant to be a safe space,” says Ashok Rao Kavi, the trust’s founder and one of the most vocal campaigners for the rights and health of the sexual minorities in the country. The privacy that organisations like the trust have offered has been at the core of their success and helped them draw out and counsel hard-to-reach members of the LGBT (lesbian, gay, bisexual, and transgender) community. This is now under threat.

Speaking at the recent All India Privacy Symposium in Delhi, Kavi said though the drop-in centre continues to function, much of the trust’s work in the field has been affected. Reason: The health authorities’ insistence that outreach workers note down the names and addresses of each person they meet and hand over all the details to the government for inclusion in a digitised database.

It started a few years ago, ostensibly in the interests of efficiency. The health ministry’s new computerised management information system seeks to closely monitor various interventions, including those targeting groups like men who have sex with men. But health activists working with such groups argue that the name-based reporting system is driving sexual minorities underground, undermining years of HIV prevention efforts and other health campaigns.

Humsafar Trust is not the only one uncomfortable with the government’s new rules. Last year, the Delhi-based Naz Foundation chose to return money (Rs78,598) given by the Delhi State Aids Control Society rather than supply names. “We have to ensure confidentiality. There are better ways to find out if a particular NGO is actually doing field work than getting the list of names and addresses of people it works with. Surprise visits at support-group meetings (of MSMs), for example, would give a pretty good idea of work on the ground. How will knowing names and addresses help?” asks Anjali Gopalan, director of the Naz Foundation, which works in the area of HIV/AIDS and sexual health.

The Foundation’s campaign against India’s anti-sodomy law, Section 377, led to the Delhi high court legalising gay sex among consenting adults in 2009. The historic judgment notwithstanding, gays and other sexual minorities continue to be socially ostracised in India, which brings us back to the question of privacy and health.

Electronic medical records are seen as a crucial component in creating a system that’s more efficient. But there is an equally important issue. How will sensitive health data be kept confidential and secure in digital data-sharing environments? Patients across continents are demanding a satisfactory answer to that question.

In the US, there is the Health Insurance Portability and Accountability Act (also known as the Standards for Privacy of Individually Identifiable Health Information) which seeks to prevent fraud and abuse in the delivery of sensitive healthcare information. The rules give patients control over how their health information is used. But despite this, there have been many reported instances of data breaches leading to a demand for more stringent regulations. From July 2012, Australians will be able to sign up for a Personally Controlled Electronic Health Record.

How safe is electronic storage of highly sensitive personal information relating to sexuality and health in India, which does not yet have a privacy law, where there are vast pools of illiteracy and where, despite stated principles, there are umpteen breaches of confidentiality? NGOs working with sexual minorities have been among the first to sound the alert about privacy and health but the concerns are by no means limited to such groups.

Talish  Ray and Prasanth Sugathan, who work with the Delhi-headquartered Software Freedom Law Centre, point out that there are concerns about what the government as well as companies can do with digitised, aggregated data on medical conditions in the absence of a strong privacy law and stringent implementation. Under Section 43A of the Indian Information Technology (Amendment) Act 2008, a company that holds sensitive personal data in a computer system that it owns, controls or operates, and is negligent in implementing and maintaining reasonable security practices and procedures, and causes wrongful loss or wrongful gain to another person, has to pay damages to the person so affected. But as Ray points out, the “onus is on the complainant to prove that wrongful loss has taken place.”

All this underscores the need for a strong privacy law that addresses patient rights and the concerns of health advocates. The right to privacy has not been a big issue in India. But with today’s quick changes in information and communication technology, we cannot afford not to care.

— The author is a Delhi-based writer