Is This an Indian Version of HIPAA?

(This is the fourth article in the series)


The passage of HIPAA (Health Information Portability and Accountability Act, 1996) in the USA was a major policy initiative which had wide ramifications in the health industry. The impact of the Act was also felt in the IT industry, since it became a key instrument in ensuring compliance through appropriate software support.

The proposed Telemedicine guidelines, which may become legislation in due course, could become the Indian version of HIPAA since they incorporate key provisions such as "Universal Indicators" and "Privacy Protection". HIPAA, as a comprehensive legislation, is more detailed and also covers penal provisions.

The Indian Telemedicine Practices Act, if it comes through, will also have suitable penal provisions. We therefore have to look at the guidelines today with the understanding that they could become law in future and that any violation could have penal consequences.

The main motivation behind HIPAA in the USA was to facilitate the smooth functioning of the Health Insurance scheme. The Act therefore proceeded to mandate "Universal Identifiers" for patients, health intermediaries, etc. Authentication of different authorities such as the doctor, the dispensary owner, etc., and the consent of the patient were therefore made an integral part of the system so that disputes in insurance claims could be settled properly. Since a national Social Security Number already existed to identify every citizen, it was used as the key identifier for the patient and to track the transactions.

Identifiers Under Telemedicine Guidelines

The telemedicine guidelines of India suggest the following three types of identifiers to monitor the system.

a) Health Care Provider Identifier

b) Doctor Identifier

c) Universal Patient Identifier

Several advantages are foreseen in such identifier systems. They may avoid duplication of bills, prevent fraudulent health care operators, consolidate information, help manage licenses, etc.

In the absence of a Social Security Number in India, it is however going to be difficult to map a patient identifier to any national identity base. The Passport, PAN, Driving License, etc. are all special identifiers and not universal.

Hence the Patient Identifier Number, if introduced, can become a major exercise of providing a fundamental identification number to every Citizen of India who registers for Telemedicinal services. This could be the Social Security Identification number by itself.

Since this could later have linkages to the issue of death certificates, settlement of insurance claims, etc., there has to be an appropriate registration system for this purpose which would avoid duplication. Allocating and managing the patient identifiers can therefore be the biggest task under the proposed laws. No details have however been given in this regard in the guidelines.

Need For a New Digital ID Card

Under the circumstances, it appears inevitable that citizens will have to add one more ID card to the wallet, alongside the existing set of IDs such as PAN, Passport, Driving License, Ration Card, Credit Card, Voter's Card, etc., if they want to avail of the telemedicinal facilities.

In order to reduce the multiplicity of ID cards, we must explore if this opportunity can be used to integrate at least the PAN and Voter's ID card with the Health Information ID card now proposed.

This card can be mapped to a Digital Certificate so that the Citizen can use it not only for availing Telemedicine facilities but also for e-Governance and E-Tax services. This could be the "Digital Transaction ID card" which cyberdemocracy.org has been advocating for some time: one universal Digital ID card that can support all digital activities of an individual.

It will be even more ideal if we have one universal ID card which is a "Brick and Click" mechanism serving both the offline and online ID requirements of the public. Such a solution is technically and commercially feasible and would be appreciated by the public.

The doctor's identifier as well as the Health Provider Identifier would incorporate the license for Telemedicinal practice/Consultancy/Business and has to be linked to the Registered Medical Practitioner license or such other licenses already monitored by the medical profession.

It would be necessary for every medical practitioner under the system to carry a Digital Certificate so that all his communication is authenticated and encrypted. In view of this a special Digital Certificate which incorporates the attributes such as the License number etc has to be made available by the Certifying Authorities. Handling of such Certificates will require a special CPS (Certification Practice Statement) to be drafted.

Perhaps just as IDRBT and NIC are trying to develop themselves into sector specific Certifying Authorities, there may be a need for the All India Medical Council to develop a separate Certifying Authority to take care of the Digital Certificate Needs of the Telemedicine industry.

Privacy of Information

Privacy over individual health information is already recognized as a right, and perhaps the telemedicinal law would only reinforce the same in the light of the creation of massive centralized data.

The Role of Embedded Digital Signature Systems

In order to ensure confidentiality of information, any data either under storage or in transmission has to be digitally signed and encrypted, and every user of the system, as well as the system itself, has to have an inherent capability to affix digital signatures.

In case data is being transmitted online directly from diagnostic equipment, whether in the form of text, static picture or video, it will also have to be encrypted and digitally signed.

The present equipment and its embedded software need to be upgraded to incorporate communication capabilities as well as digital signature capabilities. A CT Scan report sent by the scanner will therefore have to be digitally signed by the scanner and delivered through the modem to the network communication channel for onward transmission on the Internet or a VPN.

It is not clear if such applications are presently available. If they become available, it will perhaps be necessary to replace the existing equipment with a new generation of communicating devices. The cost of such replacement will be prohibitive.

Real time communication therefore may not be a viable proposition in the immediate future. The guidelines have to accept this constraint and avoid imposing standards that are not practically relevant for the time being. In comparison, a "Store and Forward" system is simpler and is technically and commercially feasible in the short run.

Security Issues

Any equipment using communication tools for transmission of data will have to be adequately secured against hacking and viruses, which may cause loss of life of the patients.

From the security point of view, it would be better to segregate the principal medical diagnostic equipment from the communication devices and prevent any form of external access to the system. The output from the systems should be invariably delivered in a digitally signed electronic form or in print form which would be authenticated by the operator as per the provisions of the ITA-2000 (Amendments to Indian Evidence Act).

Even the stored data in electronic form has to be secure against manipulations and the only way it can be done is by digital signatures by the doctor/operator/store in charge. Each time the data is retrieved, the signatures have to be verified.

Considering the many mistakes that are being committed in the E-Governance and Corporate Governance sector today in data management, it is not clear if the risks involved in telemedicinal data storage and transmission have been adequately considered before the guidelines were formulated.

Even though the use of Digital Signatures is indicated in the guidelines, the many complications involved in the process have not been dealt with adequately, and this requires a detailed assessment.

Patient's Consent

The guidelines repeatedly mention that the Patient's consent would be required in several cases, including allowing people into video sessions, etc. It must however be remembered that Tele Health consultancy would be used mostly in cases where the patient is in a critical condition and sometimes when none of the kith and kin of the patient is available. Hence it would not be possible to get the consent as desired.

It should therefore be left to the discretion of the attending doctor to act on behalf of the patient and take all reasonable steps necessary to save the patient, including waiving the privacy rights of the individual. Perhaps the system may introduce a certification from the attending doctor to this effect as a replacement for the patient's consent.

Financial Settlement:

One of the grey areas in the guideline is regarding the settlement of professional charges between different consulting agencies and in particular the ethical issue of whether a medical practitioner can recommend diagnostic tests and consultancy from a specific source which may amount to "Commercial Canvassing".

The medical profession has to sort out this issue since it would be necessary to have service providers in Telemedicine area different from doctors and there cannot be more than a handful of such service providers in any one location.

The situation will be that the patient has to avail the services of only the available service provider if the doctor recommends that the diagnosis has to be done in a manner compatible for Telemedicinal consultancy.

It would become necessary for the medical community to show some kind of tolerance to such canvassing.

Inter-operability Issues

The guidelines mention the need to ensure inter operability of data and information between different users of the system.

This essentially boils down to adherence to standards which will perhaps not be dictated by some of the leading equipment manufacturers today. The issue is similar to the proprietary Windows vs. Open Source Unix standard for operating systems.

It should be ensured that the law is not misused to create monopolies in the hardware and software required for the system.

Inter operability is a desirable feature which should be sorted out by the equipment dealers and the consumers. The consumers have to be educated enough to demand universal standards and not tie themselves into vendor specific standards.

Intellectual Property Issues

The repeated mention of Intellectual Property protection in the guidelines raises an uncomfortable feeling that the laws of telemedicine may be intended to be used for the indirect creation of monopolies.

The intellectual property rights are well defined by other laws of Copyright and Patents and there is no reason why State Governments should take special steps to protect IPR in the Telemedicinal area.

Knowing the way IPR functions abroad, there would be situations where a CT Scan report or a Digital X-Ray report may become a subject matter of Copyright of the equipment manufacturer and its use may be restricted by licenses. We may even have situations where the software is programmed to block the information because the hospital has not paid the renewal fee on the software, even though this may lead to delay in the treatment of the patient.

The patent issues in AIDS prevention drugs have been widely discussed in the global health care arena, and this should be kept in mind before going too far in protecting IPR in health care equipment used in the Telemedicine area.

I would not hesitate to repeat that IPR in health systems has to be subordinated to the community need and all the provisions of Compulsory License etc. have to be used to prevent mischief from IPR Predators.

One of the regulatory features to be incorporated is that all software and hardware licenses will involve one time fees only and there will be no renewal fees or compulsory upgradation fees.

Need For Simplification

It is necessary that the Telemedicinal laws, if enacted, be simple and provide only for Recognition of Telemedicinal participants, Mandatory use of Digital Signatures as a means of authentication, and a burden on the vendors of hardware and software to provide only open source and IPR-unrestricted systems.

The law should not try to become a Tele Medicinal IPR Protection Law or a Tele Medicinal Financial Fraud Prevention Law.

A Word of Caution to Software Vendors

There are several Indian software vendors who have Hospital related products and doctor related products. These software vendors should remember that their products will become obsolete once the Telemedicine laws become effective and the users want to migrate to the new systems.

While at first glance this appears to be a new opportunity emerging, the Indian software vendors may be pushed to the sidelines by multinationals who would come with software that is compatible with the new generation diagnostic equipment manufactured abroad and backed by IPR.

If the Indian software vendors want to remain in the market, they need to understand the standards being contemplated and ensure that they are not shut out of the market through unholy alliances struck abroad.

In order to protect the interests of the local software and hardware manufacturers, we urge the regulators to avoid provisions that will be detrimental to the Indian software industry.

In the mean time, the Indian software vendors having interest in Medical software should organize themselves in such a manner that they would participate with the Government in the formulation of Tele Medicine guidelines and protect their interests before it is too late.

Citizen Awareness

Lastly, it is necessary to remind the public that the Government of India has placed the draft guidelines before you and is seeking your comments and suggestions. It is up to you to use this opportunity and participate in the process of legislation. If you remain silent now, you will lose the right to question the laws after they are passed.

Professionals in the community, including Lawyers and Doctors, should take additional interest in spreading information about the proposed law, conduct informative seminars and ensure the participation of the public in the drafting of laws which will be acceptable to them.

naavi.org would welcome comments sent to them for publication on the website. Otherwise, the public can send their comments directly to Shri. B.S. Bedi, Director, Department of Information Technology, Electronics Niketan, 6 CGO Complex, Lodi Road, New Delhi - 110003. Tel / fax: 4360582 E-mail: bedi@mit.gov.in

Naavi

December 26, 2002
