Role Of The DPDP Act 2023 In India's Digital Healthcare Transformation

<div><p style="text-align: justify;" role="heading" aria-level="1"><span xml:lang="EN-US" data-contrast="none">The Digital Personal Data Protection Act, 2023 (DPDP Act) is a new law regulating personal data processing in India. It aims to protect people's right to privacy and establish a framework for data accountability and governance. The Indian healthcare sector, which is still in the early phases of its digital transformation, will be greatly impacted by the DPDP Act.</span></p><p style="text-align: justify;" role="heading" aria-level="1">&nbsp;</p><h2 style="text-align: justify;" role="heading" aria-level="1"><span style="font-size: 14pt;" xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 3">Impact of the&nbsp;DPDP Act on the Indian Healthcare Sector</span></span> </h2><p style="text-align: justify;" role="heading" aria-level="1"><span xml:lang="EN-US" data-contrast="none">The Digital Personal Data Protection Act, 2023 (DPDP Act) will have various implications in the healthcare sector in India, such as:</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><strong><span xml:lang="EN-US" data-contrast="none">Adoption of Data Privacy Measures</span></strong><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">Healthcare organizations and providers must embrace data-responsible and privacy-aware procedures, including obtaining express consent, implementing security measures, evaluating the effects of data protection, and designating data protection officers.&nbsp;</span><span 
data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><strong><span xml:lang="EN-US" data-contrast="none">Enhance Patient Trust</span></strong><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">It will increase patient confidence and trust in the use of their sensitive personal data&mdash;personal health information&mdash;as defined by law.</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><strong><span xml:lang="EN-US" data-contrast="none">New Opportunities in the Healthcare Sector</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></strong></p></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">Certain restrictions and safety measures will open up new possibilities for innovation and cooperation in using personal health data for research, public health, emergency response, and other uses.&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><strong><span xml:lang="EN-US" data-contrast="none">Use of Data-driven Technologies</span></strong><span 
data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">It will also make it more difficult to develop and implement data-driven technologies like machine learning and artificial intelligence, which may require balancing the potential of these tools with patient privacy protection.&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">It will interact with other existing or proposed laws and policies related to health data, such as the Ayushman Bharat Digital Mission (ABDM), which aims to create a unique health ID named ABHA and a digital health record for each person.</span> </p><p>&nbsp;</p><h2><span style="font-size: 14pt;" xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 3">Government Initiatives to Protect Patient Data</span></span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></h2></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">Protected Health Information (PHI) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 are governed by the Information Technology Act 2000.&nbsp;</span><span 
data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">Under the IT Act, the collection, disclosure, and transfer of sensitive personal data is somewhat protected. Patient data, including health information, is classified as sensitive personal data or information.&nbsp;&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">The Government introduced the Digital Information Security in Healthcare Act (DISHA), India's version of the Health Insurance Portability and Accountability Act (HIPAA), long before the DPDP Act 2023. Its goals included standardizing healthcare data protection, privacy, and security and establishing the National Electronic Health Authority (NeHA) and Health Information Exchanges. 
Although DISHA has not yet been put into effect, its goal is to promote the adoption of e-health standards throughout India.&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p role="heading" aria-level="3">&nbsp;</p><h2 role="heading" aria-level="3"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 3"><span style="font-size: 14pt;">Penalties in Digital Personal Data Protection Act 2023</span> </span></span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></h2></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">According to the DPDP Act, 2023, if you suspect or encounter any non-compliance by a third party that gathers or uses your personal data, you have the right to complain to the Data Protection Board of India (DPB), the enforcement authority set up under the Act. The DPB has the authority to investigate the complaint, order corrective or mitigating actions, examine any document, summon individuals and require their attendance, and apply penalties for non-compliance.&nbsp;&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">The statute permits only financial penalties for violations or non-compliance, with a range of INR 50 crore to INR 250 crore and a maximum fine of INR 500 crore for serious data breaches. 
For any damages you may have suffered due to the third party's non-compliance, you may also file a compensation claim with the DPB. However, failure to comply with the legislation does not result in imprisonment or criminal penalties.&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p role="heading" aria-level="3">&nbsp;</p><h2 role="heading" aria-level="3"><span style="font-size: 14pt;"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 3">Data Principal</span></span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></span></h2></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">The ability to impose fines up to a specific amount defined for offenses or as a percentage of total worldwide turnover, whichever is higher, is a crucial component according to laws in other nations.</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">A data principal is required not to withhold any material information, provide any incorrect information, or file a false or frivolous complaint with the Board or a data fiduciary.&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><span xml:lang="EN-US" 
data-contrast="none">The DPDP Act 2023 penalizes the data principal for non-compliance with its stipulated obligations up to ₹10,000/- (Rupees Ten Thousand).&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">The planned DPDP Act 2023 introduces the notion of "Deemed Consent," wherein the data principal is presumed to have granted consent for the processing of their personal data.&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">In a medical emergency where the data principal's life or health is in immediate danger, consent to handle their personal data may be given. This type of processing can be compared to the draft Health Data Management Policy by ABDM, which was announced in April 2022 in India. 
This policy also includes regulations about the processing of personal data in the event of a medical emergency.&nbsp;&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">Notably, the ABDM contemplates the appointment of a nominee to provide valid consent on behalf of the Data Principal if the Data Principal becomes seriously ill or mentally incapacitated, or where the Data Principal is facing a threat to life or a severe threat to health and is unable to give valid consent.&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">In contrast to the DPDP Act 2023, the ABDM transfers the authority to grant legitimate consent on behalf of the Data Principal to an adult member of the Data Principal's family rather than introducing Deemed Consent without a nominee.&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p role="heading" aria-level="3">&nbsp;</p><h2 role="heading" aria-level="3"><span style="font-size: 14pt;" xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 3">Conclusion</span></span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></h2></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">By 2030, India is projected to be the world's third-largest economy and will have one of the world's largest digital personal data footprints in motion and at rest.&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div style="text-align: justify;"><p><span xml:lang="EN-US" data-contrast="none">The DPDP Act 2023 is essential to our strengthening role in the global order. 
With the G20 Presidency and multiple Free Trade and Regional Trade Agreements in place, we must find solutions for Data Free Flow with Trust and cross-border data flows.</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}">&nbsp;</span></p></div><div><p style="text-align: justify;"><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}">&nbsp;</span></p><p style="text-align: justify;">&nbsp;</p><p style="text-align: justify;">&nbsp;</p><p style="text-align: justify;">&nbsp;</p></div>
KR Expert - Sujeet Katiyar
