Changing Data Laws in Healthcare: Implications, Challenges and Opportunities for Startups

The Indian Government has proposed data protection laws that will affect every vertical of business, directly or indirectly. One of the industries that will face a direct impact is healthcare. Expected to be passed by Parliament by the end of the year, the draft laws, namely the Personal Data Protection Bill, 2019 (PDPB) and the Digital Information Security in Healthcare Act (DISHA), have been the subject of discussion and intense scrutiny by the various stakeholders, especially the founders of healthcare start-ups.

The importance of data can be gauged from the fact that it is now touted as the next oil. Hence, the correct handling of data is imperative, and more so in the healthcare sector, which by default deals with health-related information that is sensitive and which, if compromised, lost or exposed, can be misused to harm, trigger violence against, discriminate against and embarrass the people it belongs to. The consequences range far and wide. It could land in the hands of unauthorised entities who might misuse it for their own benefit or for more extreme outcomes. Data breaches could affect entire industries such as medical tourism and healthcare investment, as they compromise confidential and sensitive information, expose data owners to ransom demands and erode stakeholder trust.

Threats of data leaks, blackmail and publication of stolen information are among the tactics used by hackers. The most recent example, from May 2021, is the cyberattack on the Waikato District Health Board (DHB), which provides healthcare to the Waikato region of New Zealand. The Waikato DHB ransomware incident has escalated into a national crisis, with confidential patient notes and private contracts having been sent to media outlets by the alleged hackers.

In April 2020, Interpol had warned member countries that cybercriminals were targeting major hospitals and other institutions at the forefront of the fight against COVID-19 with ransomware in an attempt to extort payments.

In a 2018 study, a researcher at Vanderbilt University in the US suggested that mortality rates at hospitals rise after a data breach because the standard of care drops. The researcher estimated that such data breaches may have caused as many as 2,100 deaths a year in the US. Cyberattacks can have a direct impact on patient care: malware crippling information systems has forced healthcare providers to cancel appointments, and the lack of access to patient health records can delay treatment. Additionally, data breaches can be a distraction for physicians, and the after-effects of a breach can last for years.

A cyberattack on an institution can also be very costly in monetary terms. The City of Atlanta is a good example: after it suffered a ransomware attack in 2018, recovery cost $2.6 million, while the ransom itself was only $52,000. The excess expenditure went on incident response and digital forensics, extra staffing, and cloud infrastructure experts.

India’s GDPR moment for healthcare is here

Currently, there is little in Indian law that makes the storing of personalised health records or other medical information a punishable offence.

India has had legislation touching on data privacy, such as the Information Technology Act (2000) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (2011), as well as indirect safeguards including common-law rulings and the law of breach of confidence. However, the Personal Data Protection Bill, 2018 (PDPB) and the Digital Information Security in Healthcare Act (DISHA) will be the first pieces of legislation to directly address data privacy and protection. The aim is to develop a consent-based framework that safeguards the privacy and data rights of the individual, where the primary ground for data collection and processing is the explicit and informed consent of that individual.

DISHA seeks to establish National and State eHealth Authorities and Health Information Exchanges. It seeks to standardise and regulate the processes relating to the collection, storage, transmission and use of digital health data, and to ensure the reliability, privacy, confidentiality and security of such data, among other matters. Data has to be stored on a secure server and anonymised, and companies will not have access to individual patient records.

The PDPB, on the other hand, seeks to regulate the use of individuals' data by the government and private companies. It seeks to protect the data rights and privacy of citizens by making them the data owners — individuals are entitled to information about how and why their data is collected and processed. It requires that their data be processed fairly and only for purposes consented to by the data owner, or for purposes connected to the consented purpose. It also defines the rules that businesses must follow for the storage and processing of data, the rights of people over their personal information, the punishments for non-compliance and the access the government will have to data stored and processed. The PDPB classifies data that can identify an individual, directly or indirectly, as personal data (e.g. name, address). It further classifies financial data, health data, biometrics and the like as sensitive personal data, the processing of which entails stricter compliance.

Both bills are currently drafts and have faced backlash over their ambiguity and stringency. In their current state the drafts seem to cater to specific verticals while ignoring, for instance, the continuous training of AI and ML models built on large databases, or the steady move towards personalised medication. While we await newer versions of these bills, the proposed frameworks and guidelines have set the tone for what can be expected and made the intention behind them clear.

Proactive Steps to Compliance

While the proposed bills may take some time to pass through Parliament, startup founders can take a proactive approach to compliance. This means familiarising themselves with the proposed data laws and taking concrete steps towards the expected standards of data security and privacy. Startups can use this opportunity to build strong data compliance and storage practices, which in turn can be used to build a relationship with their customers.

Startups can begin their customer-centric privacy practice with the anonymisation and de-identification of the patient information they collect. Founders can also implement role-based access for internal and external stakeholders, so that crucial data is not exposed to non-key personnel, which reduces the opportunity for data theft. Storing patient information in an anonymised, encrypted form keyed by patient IDs is another approach. Startups can use consumer data for good and still maintain privacy; achieving both objectives eventually reduces the fear around data collection and processing.

Additionally, companies have started adopting policies like those of Google and Facebook, giving customers a 'right to be forgotten' along with visibility into the data collected about them. Companies with additional resources are also hiring data and legal specialists to ensure they take the right steps towards compliance.

The European Union has already started applying heavy penalties for GDPR violations, which can reach 4% of a company's global revenue. Google was penalised $56.6 mn and H&M paid $41 mn, while other companies have received similar penalties for violating various provisions of the GDPR. Penalties of that relative scale applied to a startup could be its death knell, so a proactive approach is certainly worthwhile.

Proactive practices such as anonymisation and de-identification of the patient information collected, role-based access to data, a right to be forgotten and showing customers what data is captured about them can truly give startups a leg up when the laws are eventually passed. These steps can be key to customer engagement and to building a relationship of trust, which is more fulfilling in the long run and leads to higher LTV (lifetime value). By educating customers on their rights over their data, the steps the company takes to protect it, the benefits of storing it and the right to be forgotten, start-ups can build a strong customer-centric brand.
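The practices listed above (de-identification, role-based access, and a right-to-be-forgotten path) are easier to reason about with a concrete record in hand. The following Python script is an added illustration, not code from the article or from any product it mentions: it pseudonymises a constructed patient record with a keyed HMAC and a per-patient random salt kept in a restricted linkage store, generalises date of birth to an age band, projects the de-identified record through role-based views, and implements erasure by deleting the linkage entry so the old pseudonym can no longer be recomputed or re-linked. The field names, role model, age-band width and sample data are all assumptions for the example; in a real deployment the HMAC secret would live in a KMS or HSM rather than in process memory.

```python
"""Added example: pseudonymisation, de-identification, role-based views and erasure.

Everything here (field names, roles, sample record) is an illustrative assumption,
not the article's or any vendor's actual schema.
"""
import hashlib
import hmac
import secrets
from datetime import date

# Fields that directly identify a person; they live only in the restricted linkage store.
DIRECT_IDENTIFIERS = {"patient_id", "name", "phone", "address"}

# Assumed role model: which de-identified fields each role may see.
ROLE_VIEWS = {
    "clinician": {"pseudonym", "age_band", "diagnosis", "medication", "visit_date"},
    "analyst": {"pseudonym", "age_band", "diagnosis"},
    "billing": {"pseudonym", "visit_date"},
}


class LinkageStore:
    """Restricted store holding the only material that can re-link a pseudonym to a person.

    pseudonym = HMAC-SHA256(secret, salt || patient_id) with a random per-patient salt, so
    deleting a patient's entry makes their old pseudonym unrecoverable even with the secret.
    """

    def __init__(self, secret: bytes):
        self._secret = secret
        self._entries = {}  # patient_id -> {"salt": bytes, "identity": {...}}

    def pseudonym_for(self, record: dict) -> str:
        pid = record["patient_id"]
        entry = self._entries.get(pid)
        if entry is None:
            entry = {
                "salt": secrets.token_bytes(16),
                "identity": {k: record[k] for k in DIRECT_IDENTIFIERS if k in record},
            }
            self._entries[pid] = entry
        return hmac.new(self._secret, entry["salt"] + pid.encode(), hashlib.sha256).hexdigest()

    def erase(self, patient_id: str) -> bool:
        """Right to be forgotten: drop salt and identity. Returns True if an entry was removed."""
        return self._entries.pop(patient_id, None) is not None

    def can_relink(self, patient_id: str) -> bool:
        return patient_id in self._entries


def age_band(dob_iso: str, today_iso: str) -> str:
    """Generalise a date of birth to a 10-year band (a quasi-identifier reduction)."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def deidentify(record: dict, store: LinkageStore, today_iso: str) -> dict:
    """Strip direct identifiers, replace them with a pseudonym, generalise the DOB."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS and k != "dob"}
    out["pseudonym"] = store.pseudonym_for(record)
    out["age_band"] = age_band(record["dob"], today_iso)
    return out


def view_record(deidentified: dict, role: str) -> dict:
    """Role-based projection: unknown roles are refused, known roles get only their fields."""
    if role not in ROLE_VIEWS:
        raise PermissionError(f"role {role!r} has no defined view")
    return {k: v for k, v in deidentified.items() if k in ROLE_VIEWS[role]}


# Constructed sample record for the example (not real data).
SAMPLE = {
    "patient_id": "P-0001",
    "name": "A. Example",
    "phone": "+91-00000-00000",
    "address": "1 Example Road",
    "dob": "1984-06-15",
    "visit_date": "2021-05-20",
    "diagnosis": "J45",
    "medication": "salbutamol",
}

if __name__ == "__main__":
    store = LinkageStore(secret=secrets.token_bytes(32))  # assumption: real secret lives in a KMS
    deid = deidentify(SAMPLE, store, today_iso="2021-06-01")
    print("analyst view:", view_record(deid, "analyst"))
    store.erase("P-0001")
    print("re-linkable after erasure:", store.can_relink("P-0001"))
```

Two design points are worth noting. Pseudonyms stay stable across visits while the linkage entry exists, so longitudinal analysis still works on the de-identified dataset; after erasure the same patient would receive a fresh, unlinkable pseudonym, which is what makes the deletion meaningful. Role views are a whitelist of fields rather than a blacklist, so a newly added sensitive field is hidden from every role until someone deliberately grants it.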

As data is king, given its pervasiveness, it has become imperative for all entities to take measures to ensure data security. This matters all the more in healthcare and associated sectors, where the data relates to people's lives and a breach could endanger them. The provisions of GDPR, HIPAA and similar regimes indicate how the Indian laws may be implemented in the interests of public safety and to dissuade risky behaviour by startups in the healthcare space.

Sources: NZ Herald; HIPAA Journal; Wired; Times of India; BBC News.