India has millions of medical records online but no law to keep the data safe

India has millions of medical records online but no law to keep the data safe
  • With the growing number of healthtech startups, India is in the need of a healthcare data privacy bill.
  • The Indian government has proposed a law that will bring the ownership of the data to the consumer.
  • Healthtech startups like Practo, Healthifyme too agree to the need of consumer ownership in the privacy bill.
Over the years, with the growth of internet businesses, data privacy has gained even more importance. And when it comes to healthcare data, the importance of data privacy only increases. India has been toying with the idea of a healthcare data privacy bill since 2018, but it hasn’t come into effect yet.

In March 2018, the Indian Ministry of Health and Family Welfare said that it plans to set up a nodal body called National Digital Health Authority, that would enforce privacy and security measures for electronic health data in India.

However, while the setting up of the regulatory body is awaited, there are multiple healthtech startups out there today with millions of users that have access to medical records.

Recently, healthcare platform Practo released a report on India’s healthcare map citing “key consumer healthcare trends, concerns and behaviour.” The report was generated from the doctors appointment bookings made through their platform. An official statement from the company said the report was made “of hundreds of thousands of searches and appointments, by over 13 crore patients, across 50+ cities and 250+ specialities, in 2018.”

But doesn’t that put the privacy of a patient at risk? Experts don't believe so as the anonymity of the user is still in place.


Varun Dubey, VP, Marketing at Practo spoke to Business Insider and said “We feel this data itself is powerful as it shows the healthcare trends in the country. There is a real need for conversation around the issues in the sector,” he said.

It’s similar to when Google releases a report about what people are searching for, it is quite generic as well as anonymised, he added.

Experts from the healthcare industry too stress on the importance of such reports. “If without sharing the name of the individual, if the remaining quantifiable and quality data is shared for the purpose of innovation, I don’t think it’s a bad thing. It's like a necessary evil for the greater good of mankind,” Dr. Siddhant Bhargava, Co-founder, Fitness & Nutritional Scientist - Food Darzee told Business Insider.

So how does Practo, a company which has about 2.5 crore patients booking appointments through them, keep the data safe?

“We have cared and given importance to data security and privacy for years now. Probably, we are the only ISO 27000 certified company in healthtech. As we work in other countries too, we don’t have to just comply with Indian laws but across many other countries. We have a lot of external and internal audits that take place. Our servers are Health Insurance Portability and Accountability Act (hipaa) compliant, even though India doesn’t need one. We also have a 256 bit encryption code, which is much stronger than security codes in Indian banks,” said Dubey.

The Health Ministry is also looking to bring about a strict law that would give individuals the ownership of their data.

It is the “consumer ownership” of data that makes the law important.

While Dubey believes that not just healthcare but data privacy overall is utmost important, he said that the bill is moving towards giving more power to the consumer.

Other healthcare startups too agree. Tushar Vashisht, co-founder and CEO of Healthifyme, said that it is the government’s mandate to figure out how strict the norms should be. “I would personally ask for the consumer to be king. They should define how they want to control or secure their data,” Vashisht told Business Insider.

See Also:
Indian government commits to increasing public health spending to 2.5% of GDP by 2025—but is that enough?
India’s fintech cos are growing but cybersecurity fails to make the mark