How should I maintain the records of patient in electronic form?
Section 7 of the Information Technology Act, 2000 (“Act”) requires such documents, records or information to be retained in the electronic form in such a manner that—
- the information contained therein remains accessible so as to be usable for a subsequent reference;
- the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received;
- the details which will facilitate the identification of the origin, destination, date and time of despatch or receipt of such electronic record are available in the electronic record.
Section 2(ze) of the Act defines ‘secure system’ as “computer hardware, software, and procedure that—
- are reasonably secure from unauthorised access and misuse;
- provide a reasonable level of reliability and correct operation;
- are reasonably suited to performing the intended functions; and
- adhere to generally accepted security procedures;”
Further, the medical records of a patient come under the purview of ‘sensitive personal data or information of a person’ as defined in Rule 3 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Rules”). Rule 5(8) of these Rules mandates that the body corporate (or any person on its behalf) keep such information secure in accordance with Rule 8. Rule 8 provides that a body corporate (or a person on its behalf) is considered to have complied with reasonable security practices and procedures if (a) it has implemented such security practices and standards and (b) it has a comprehensive documented information security programme and information security policies addressing managerial, technical, operational and physical security control measures commensurate with the information assets being protected and with the nature of its business.
Rule 8 further cites the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” as one such standard security measure. It also provides that if a body corporate follows security practices other than the IS/ISO/IEC codes of best practices for data protection, it should get its codes of best practices duly approved and notified by the Central Government for effective implementation. Further, such a standard or code of best practices needs to be certified or audited on a regular basis through an independent auditor duly approved by the Central Government, at least once a year or whenever the body corporate or a person on its behalf undertakes a significant upgrade of its processes and computer resources.
What is the penalty for negligence in implementing and maintaining reasonable security practices and procedures for such electronic records under the Act?
Section 43A of the Act provides penal consequences for negligence in implementing and maintaining reasonable security practices and procedures in relation to sensitive personal data or information by a body corporate. Compensation for a violation of Section 43A can extend up to Rs. 5 Crores. Similarly, Section 72-A of the Act deals with personal information and provides punishment for disclosure of such information without the information provider’s consent. Further, failure to maintain the confidentiality of patient information can also give rise to a case for medical negligence.
Section 85 of the Act provides that every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, will be liable to be proceeded against and punished accordingly. However, it is to be noted that if such person proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention, he may not be held liable.
Further, if the contravention takes place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer will also be deemed to be guilty of the contravention and will be liable to be proceeded against and punished accordingly.
How long should I maintain these electronic records for?
Rule 5(4) of these Rules provides that a body corporate or any person on its behalf, holding sensitive personal data or information, cannot retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force. Under the provisions of the Limitation Act 1963 and Section 24A of the Consumer Protection Act 1986, which dictate the time within which a complaint has to be filed, it is advisable to maintain records for at least three years. Regulation 1.3.1 of the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 also requires every physician to preserve the patient’s records for 3 years from the commencement of treatment in a standard pro forma prescribed by the Medical Council of India. However, from a practical point of view, the actual period for which you may have to maintain these records, whether in electronic or physical form, can be more than three years. For instance, the Consumer Protection Act, 1986 has a provision allowing the delay in filing a complaint to be condoned in appropriate cases. Similarly, in paediatric medical cases, a suit for medical negligence can be filed by the child once he/she attains majority. Further, the records pertaining to medico-legal cases should be maintained until the final disposal of the suit and for another two years in case of any appeal.