Digital Personal Data Protection Act 2023: Impact On Indian Healthcare Industry

The Digital Personal Data Protection Act, 2023 (DPDP Act) is a new law regulating personal data processing in India. It aims to protect the privacy rights of individuals and create a framework for data governance and accountability. The DPDP Act will significantly impact the Indian healthcare industry, which is still in its early stages of digital evolution. Some of the key impacts are:

• The DPDP Act will require healthcare providers and entities to obtain explicit consent from data principals (individuals whose data is processed) before collecting, using, or sharing their personal health data, which is classified as sensitive personal data under the law

• The DPDP Act will also mandate healthcare providers and entities to implement appropriate security measures, conduct data protection impact assessments, appoint data protection officers, and comply with the codes of practice and standards issued by the Data Protection Board of India

• The DPDP Act will enable data principals to access, correct, erase, port, and restrict the processing of their personal health data and seek redressal for any grievances or violations of their rights

• The DPDP Act will create new opportunities for innovation and collaboration in the healthcare industry, as it will facilitate the use of personal health data for research, public health, emergency response, and other purposes, subject to certain conditions and safeguards

Implications of Digital Personal Data Protection Act 2023 in Healthcare Sector

The Digital Personal Data Protection Act, 2023 (DPDP Act) will have various implications in the healthcare sector in India, such as:

• It will require healthcare providers and entities to adopt privacy-conscious and data-responsible practices, such as obtaining explicit consent, implementing security measures, conducting data protection impact assessments, and appointing data protection officers

• It will enhance patient trust and confidence in using their personal health data, which is classified as sensitive personal data under the law.

• It will create new opportunities for innovation and collaboration in using personal health data for research, public health, emergency response, and other purposes, subject to certain conditions and safeguards

• It will also create challenges for developing and adopting data-driven technologies, such as artificial intelligence and machine learning, which may require balancing the protection of patient privacy and the potential of these technologies.

It will interact with other existing or proposed laws and policies related to health data, such as the Ayushman Bharat Digital Mission (ABDM), which aims to create a unique health ID named ABHA and a digital health record for each person. 

Government Initiatives to Protect Patient Data

The Information Technology Act 2000 governs provisions related to Protected Health Information (PHI) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. 

Patient data, including health information, is treated as sensitive personal data or information and, under the IT Act, offers some degree of protection to the collection, disclosure, and transfer of sensitive personal data. 

Also, long before DPDP Act 2023, the Government introduced the Digital Information Security in Healthcare Act (DISHA), India’s counterpart of the Health Insurance Portability and Accountability Act (HIPAA), aimed at providing healthcare data privacy, security, confidentiality, and standardization and establishment of the National Electronic Health Authority (NeHA) and Health Information Exchanges. While this act aims to encourage the pan-India adoption of e-health standards, DISHA has not yet come into force. 

Penalties in Digital Personal Data Protection Act 2023 

Under the DPDP Act, 2023, you have the right to file a complaint with the Data Protection Board of India (DPB), which is the enforcement body established under the act, if you suspect or experience any non-compliance by a third party that collects or processes your personal data. The DPB can inquire into the complaint, direct any remedial or mitigation measures, inspect any document, summon and enforce the attendance of any person, and impose penalties for non-compliance. 

The act allows only monetary penalties for breaches or non-compliance, ranging from INR 50 crore to INR 250 crore, with a maximum penalty of INR 500 crore for significant data breaches. You can also seek compensation from the DPB for any harm caused to you due to the non-compliance by the third party. However, the act does not provide criminal liability or imprisonment for non-compliance. 

Data Principal

A key ingredient in laws in other countries is the power to impose penalties up to a particular amount as prescribed for offenses or as a percentage of total worldwide turnover, whichever is higher.

A data principal is under an obligation to not register a false or frivolous complaint with a data fiduciary or the Board, not to furnish any false particulars or suppress any material information. 

DPDP Act 2023 has introduced a penalty of up to ₹10,000/- (Rupees Ten Thousand) on the data principal for failure to comply with its proposed obligations.

The proposed DPDP Act 2023 introduces the concept of ‘Deemed Consent’, where the data principal is deemed to have given consent for processing their personal data. 

Consensual processing of personal data may be done in case of medical emergencies involving a threat to life or an immediate threat to the health of the Data Principal. In the context of such processing, a parallel may be drawn with India’s draft Health Data Management Policy by ABDM released in April 2022, which also envisages provisions relating to the processing of Personal Data in case of medical emergencies. 

Notably, the ABDM contemplates the appointment of a nominee to provide valid consent on behalf of the Data Principal in case such Data Principal becomes seriously ill or mentally incapacitated or where the Data Principal is facing a threat to life or a severe threat to health and is unable to give valid consent. 

Unlike the DPDP Act 2023, the ABDM does not propose Deemed Consent in the absence of a nominee but instead shifts the right to give valid consent on behalf of the Data Principal to an adult member of the family of the Data Principal.

Despite the recommendation under the JPC Report, the DPDP Act 2023 has kept the 'Non-Personal Data' of the individuals, such as information collected by the Government, NGOs, and other private sector entities, outside its ambit. The usage of phrases 'as it may be considered necessary' and 'as may be prescribed' can lead to administrative ambiguities. The autonomy of the Data Protection Board, which is entrusted with overseeing the protection of individual's personal data and ensuring compliance with the provisions of the law, is not reassuring. Further, the Government and its instrumentalities can retain personal data for an indefinite period irrespective of whether the purpose for which data was processed has been fulfilled. 

Conclusion

By 2030 India is projected to be the world’s third-largest economy and will have one of the world’s largest digital personal data footprints in motion and at rest. 

The DPDP 2023 Act’s essentiality shines in our strengthening role in the global order. With the G20 Presidency and multiple Free Trade and Regional Trade Agreements in place, we must find solutions for Data Free Flow with Trust and cross-border data flows.

The pros and cons of using ChatGPT in Healthcare

Generative Pre-trained Transformer, often known as GPT, is an innovative kind of #ArtificialIntelligence (#AI) that can produce writing that seems to have been written by a person. OpenAI created this AI language model called ChatGPT. It is built using the GPT architecture and is trained on a large corpus of text data to respond to natural language inquiries that resemble a person’s requirements. 

This technology has lots of applications in #healthcare. This technology has the potential to improve the way #patients interact with healthcare providers and enhance the overall quality of healthcare services. Some people will immediately embrace ChatGPT as a medical resource, while others will avoid it for as long as they can. Both feelings are justified. The man who ignited the home computer revolution, #BillGates, believes ChatGPT will 'change the world,' claiming that AI is just as important as the PC and the internet. The need for accurate and current data is one of the major obstacles to adopting ChatGPT in healthcare. GPT must have access to precise and up-to-date medical data to provide trustworthy suggestions and treatment options.

Pros of including ChatGPT in our health care system

1. ChatGPT can provide real-time information and support, answering patients' questions and offering guidance on health-related topics, including symptoms and treatments.
2. It can help healthcare professionals automate various tasks and provide better treatment.
3. ChatGPT can educate patients on various health topics, such as managing chronic conditions, understanding treatment options, and adopting healthy lifestyles.
4. It can provide information and answer questions about health and wellness so that people can make informed decisions about their health.
5. ChatGPT has the potential to revolutionize healthcare by providing patients and healthcare professionals with access to medical information and clinical decision support.
6. It helps patients access medical information, such as symptoms, diagnoses, and treatment options, before or instead an appointment.
7. ChatGPT can help reduce the workload of healthcare professionals by automating routine tasks such as appointment scheduling.
8. It can help improve patient outcomes by providing personalized care plans based on individual needs.
9. ChatGPT can help reduce healthcare costs by providing more efficient care.
10. It can help improve patient satisfaction by providing a more convenient way to access medical information.

Cons of including ChatGPT in our health care system

1. One critical limitation is the potential for bias in the training data, which can result in biased or inaccurate responses.
2. ChatGPT is a statistical model, lacking the medical expertise and judgment of a healthcare professional. Even if it does score over 60% on a medical test, it cannot diagnose or treat medical conditions.
3. ChatGPT cannot provide hands-on learning experiences. Medical education requires practical training, and ChatGPT cannot replace the importance of hands-on training in medical education.
4. ChatGPT may not be able to understand complex medical terminology or nuances that are important for accurate diagnosis and treatment.
5. It may not be able to provide personalized care plans based on individual needs.
6. ChatGPT may not be able to provide accurate information about rare diseases or conditions that are not well understood.
7. It may not be able to provide accurate information about medications or treatments that are not well understood.
8. ChatGPT may not be able to provide accurate information about alternative therapies or treatments that are not well understood.
9. It may not be able to provide accurate information about mental health conditions or treatments.
10. ChatGPT may not be able to provide accurate information about emergency situations.

Conclusion

ChatGPT is a state-of-the-art language model that has numerous advantages and applications in the healthcare and medical domains. It can assist medical professionals in various tasks, such as research, diagnosis, patient monitoring, and medical education. However, the use of ChatGPT also presents several ethical considerations and limitations such as credibility, plagiarism, copyright infringement, and biases. Therefore, before implementing ChatGPT, the potential limitations and ethical considerations need to be thoroughly assessed and addressed. Future research can focus on developing methods to mitigate these limitations while harnessing the benefits of ChatGPT in the healthcare and medical sectors.