New Delhi: With registries for cancer, stroke and cardiovascular diseases thought to be vulnerable to a major personal data breach, the Indian Council of Medical Research (ICMR) has come up with a policy to safeguard medical records.
The National Centre for Disease Informatics and Research (NCDIR), Bengaluru, under ICMR, has developed the draft policy on data processing and disclosure that aims to protect patient confidentiality and privacy in disease registries.
The registry data comes from hospitals and laboratories and are extracted from medical records, pathology reports, radiotherapy charts etc. that have been collected for several years.
“In the near future, there may be a statutory mandate for hospitals and other sources to supply data on non- communicable diseases such as cancer, cardiovascular diseases, diabetes, stroke to the ICMR-NCDIR. Keeping this in mind, such a policy is much needed," said Ravi Mehrotra, director, National Institute of Cancer Prevention and Research, ICMR.
The data to be protected will be on physical, physiological and mental health condition; sexual orientation, medical records or history and biometric information; or any information which, either directly or indirectly in combination with other information, is capable of identifying a patient.
ICMR has mandated that the data will only be used for research purposes or in the larger public interest. “The third party, i.e. legal person, public agency or any other body, shall use the data strictly in compliance with the terms of the policy, and cannot further share or transfer the data with any other individual or organization within or outside India. Only after ICMR-NCDIR approval shall this research be released for publication," the draft policy documents say.
“Any non-research activity, purpose or commercial interest in relevance only to the mandate of the applicant will not be entertained. The data will be allowed for sharing for medical or public health research or the administration of cancer-related public health," the draft adds.
The risk of data breach runs across sectors—government, non-profit and private.
In the government, NCDIR develops and maintains a national research database on various diseases to facilitate etiological, epidemiological, clinical and control research. The National Cancer Registry Programme alone has datasets from 29 population-based registries. In addition, there are several non-profit registries working on data security. The DATRI blood stem cell donors registry, a non-government organization based in Chennai, houses a diverse database of potential blood stem cell donors that can be accessed by any patient, living anywhere in the world, in need of a blood stem cell transplant.
“At DATRI, data stored in the database is in an encrypted format and same is the case while taking a back-up. The physical forms are stored in a room with fingerprint access and monitored 24/7. Limited people have access to both of these data. Personally identifiable information is not shared with anyone outside the organization," said Raghu Rajagopal, CEO of the registry.
In the private sector, Washington-based American College of Cardiology has recently partnered with Translumina Therapeutics Llp in New Delhi on an international centre of excellence programme in India through which a clinical data registry will be introduced to track delivery and outcomes of cardiovascular treatments at participating hospitals.
“Protecting patient data is very important yet challenging. As per the global mandates, we will strictly adhere to the protocols so as to ensure that the data is protected and the confidential information is not breached," said Gurmit Singh Chugh, managing director of Translumina.