Thursday, April 5, 2012

Electronic Medical Records and Legal provisions

Introduction: The Steering Committee on Health, in its report submitted to the 12th Planning Commission, has emphasized the necessity of Health Information Systems in chapter 3. Following are the specific references in that document to the various legal aspects of health information systems; we propose wider discussion and debate on these issues.

3.0 Data fidelity should be assured by triangulation with data from periodic surveys and community based monitoring, which should continue with a greater frequency. Strict compliance with the right of privacy should also be maintained.

3.2.4 Out-patient and in-patient information through Electronic Medical Records (EMR). This will help provide the best care based on Standard Treatment Guidelines, reduce response time in emergencies, support the organ retrieval and transplantation programme and improve general hospital administration. It would also help estimate burden of disease and facilitate policy decisions at State and national levels.

3.3.1 The MoHFW, in consultation with the Department of Information Technology, should mandate, in a participatory and scientific way, the data definitions, data standards, data quality requirements and standards of interoperability, which all publicly financed applications of information technology in the health sector must necessarily subscribe to. A certification and monitoring mechanism should be put in place to check and enforce compliance with the HIS standards. A data policy should also be put in place that would define how long the health data must be stored, in what electronic form and with what backups. It should also lay out provisions detailing both the right of access and the right to privacy and security of information. The Central Government would also have to develop procurement policies, which permit open source technologies and which allow arrangements that could support software that is constantly evolving.

Since there are no clear-cut guidelines on how long medical records should be retained, or on whether medical records in electronic form are legally acceptable, there is a need for wider discussion and debate on the several issues involved. I have tried to set out below as many of these issues as I could think of.

I have referred to:

1. Indian Evidence Act 1963 (http://www.vakilno1.com/bareacts/indianevidenceact/indianevidenceact.htm)
2. Limitation Act 1963 (http://www.vakilno1.com/bareacts/limitationact/limitationact.htm)
3. Indian Information Technology Act 2010 (http://www.vakilno1.com/bareacts/informationtechnologyact/informationtechnologyact.htm)

I have also referred to textbooks of forensic medicine, viz.:

1. Parikh’s Textbook of Medical Jurisprudence, Forensic Medicine and Toxicology, sixth edition, CBS Publishers and Distributors.

2. Modi’s Textbook of Medical Jurisprudence and Toxicology, edited by N. J. Modi, N. M. Tripathi Private Limited, Booksellers and Publishers.

Unfortunately, none of these books gives any information on the duration for which medical records must be preserved. Therefore we need to rely on the IEA, the ITA and the Limitation Act only.

The "Explanation" given under any clause of any Act below is the explanation given in the bare Act.
The "Example", "Importance" and comment entries describe my viewpoint. I am aware that some will agree and that there will be several who may have different views. The purpose of this article is to initiate discussion on all these issues and to arrive at some consensus, so that we could together write a white paper which can be submitted to the concerned authorities, who will finally formulate guidelines or a law that is uniformly applicable to all healthcare providers.

Limitation Act

3. Bar of limitation

(1) Subject to the provisions contained in sections 4 to 24 (inclusive) every suit instituted, appeal preferred, and application made after the prescribed period shall be dismissed although limitation has not been set up as defense;

Explanation: Limitation is a question of jurisdiction. Section 3 puts an embargo on the court entertaining a suit if it is found to be barred by limitation. Therefore it is essential for the doctor to maintain the record till such time as any suit asking for

6. Legal disability –
(1) Where a person entitled to institute a suit or make an application for the execution of a decree is, at the time from which the prescribed period is to be reckoned, a minor or insane, or an idiot, he may institute the suit or make the application within the same period after the disability has ceased, as would otherwise have been allowed from the time specified therefor in the third column of the Schedule.

(2) Where such person is, at the time from which the prescribed period is to be reckoned, affected by two such disabilities, or where, before his disability has ceased, he is affected by another disability, he may institute the suit or make the application within the same period after both disabilities have ceased, as would otherwise have been allowed from the time so specified.

(3) Where the disability continues up to the death of that person, his legal representative may institute the suit or make the application within the same period after the death, as would otherwise have been allowed from the time so specified.

(4) Where the legal representative referred to in sub-section (3) is, at the date of the death of the person whom he represents, affected by any such disability, the rules contained in sub-sections (1) and (2) shall apply.

(5) Where a person under disability dies after the disability ceases but within the period allowed to him under this section, his legal representative may institute the suit or make the application within the same period after the death, as would otherwise have been available to that person had he not died.

Explanation - For the purposes of this section 'minor' includes a child in the womb.

Example: A widow died during the delivery of her child. The child spent his childhood in an orphanage, as relatives and neighbours could not take responsibility. After becoming 18 years of age, the child came to know that his mother had died due to the negligence of the doctor. Can he file a suit for compensation before he becomes 21 years of age?

8. Special exceptions - Nothing in section 6 or in section 7 applies to suits to enforce rights of pre-emption, or shall be deemed to extend, for more than three years from the cessation of the disability or the death of the person affected thereby, the period of limitation for any suit or application.

15. Exclusion of time in certain other cases –
(6) In computing the period of limitation for any suit the time during which the defendant has been absent from India and from the territories outside India under the administration of the Central Government, shall be excluded.

16. Effect of death on or before the accrual of the right to sue -
(1) Where a person who would, if he were living, have a right to institute a suit or make an application dies before the right accrues, or where a right to institute a suit or make an application accrues only on the death of a person, the period of limitation shall be computed from the time when there is a legal representative of the deceased capable of instituting such suit or making such application.

(2) Where a person against whom, if he were living, a right to institute a suit or make an application would have accrued dies before the right accrues, or where a right to institute a suit or make an application against any person accrues on the death of such person, the period of limitation shall be computed from the time when there is a legal representative of the deceased against whom the plaintiff may institute such suit or make such application.

(3) Nothing in sub-section (1) or sub-section (2) applies to suits to enforce rights of pre-emption or to suits for the possession of immovable property or of a hereditary office.

Importance: Does clause (2) mean that even after the death of a doctor, a patient or his relative can file a suit against the legal representative of the doctor who treated the patient, charging medical negligence on the part of the doctor?

17. Effect of fraud or mistake –
(1) Where, in the case of any suit or application for which a period of limitation is prescribed by this Act-

(c) The suit or application is for relief from the consequences of a mistake; or

(d) Where any document necessary to establish the right of the plaintiff or applicant has been fraudulently concealed from him;

The period of limitation shall not begin to run until the plaintiff or applicant has discovered the fraud or the mistake or could, with reasonable diligence, have discovered it, or, in the case of a concealed document, until the plaintiff or the applicant first had the means of producing the concealed document or compelling its production:

Provided that nothing in this section shall enable any suit to be instituted or application to be made to recover or enforce any charge against or set aside any transaction affecting, any property which-

(ii) In the case of mistake, has been purchased for valuable consideration subsequently to the transaction in which the mistake was made, by a person who did not know, or have reason to believe, that the mistake had been made, or

(iii) In the case of a concealed document, has been purchased for valuable consideration by a person who was not a party to the concealment and did not at the time of purchase know, or have reason to believe, that the document had been concealed.

Provided that such application is made within one year from the date of the discovery of the fraud or the cessation of force, as the case may be.

Example: During the hysterectomy of a patient, her ureter was injured and sutured by the doctor. She was not informed of this “accident” during surgery. She developed a stricture 4 years after the surgery, which another doctor attributes to a “mistake” during the hysterectomy. Since the doctor had not informed her of the “complication” and its consequences, will she be able to file a suit for compensation?

21. Effect of substituting or adding new plaintiff or defendant -
(1) Where after the institution of a suit, a new plaintiff or defendant is substituted or added, the suit shall, as regards him, be deemed to have been instituted when he was made a party:

Provided that where the court is satisfied that the omission to include a new plaintiff or defendant was due to a mistake in good faith, it may direct that the suit as regards such plaintiff or defendant shall be deemed to have been instituted on any earlier date.

Example: During surgery a patient died due to a complication of anaesthesia. Two years and nine months later, the relatives filed a case for compensation for negligence against the hospital and the surgeon. Six months later, during the hearing of the case, they understood that the death was due to a complication of anaesthesia. Since they had not known this fact, they request the court to add the anaesthetist as a defendant. Will the anaesthetist have to defend himself, or will he be able to say that the case against him should be dismissed as being time-barred?

The Schedule to the Limitation Act (extract):

SL. NO : DESCRIPTION OF SUIT : PERIOD OF LIMITATION : TIME FROM WHICH PERIOD BEGINS TO RUN

55 : For compensation for the breach of any contract, express or implied, not herein specially provided for. : Three years : When the contract is broken or (where there are successive breaches) when the breach in respect of which the suit is instituted occurs or (where the breach is continuing) when it ceases.

112 : Any suit (except a suit before the Supreme Court in the exercise of its original jurisdiction) by or on behalf of the Central Government, or any State Government including the Government of the State of Jammu and Kashmir. : Thirty years : When the period of limitation would begin to run under this Act against a like suit by a private person.

113 : Any suit for which no period of limitation is provided elsewhere in this Schedule. : Three years : When the right to sue accrues.

* : Medical negligence in consumer court : ? : ?

* : Medical negligence in criminal court : ? : ?

* : Medical negligence in civil court : ? : ?


Evidence Act

3. Interpretation clause –

“Evidence”.—“Evidence” means and includes—

(1) all statements which the Court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry, such statements are called oral evidence;

(2) [all documents including electronic records produced for the inspection of the Court], such documents are called documentary evidence.

[the expressions “Certifying Authority”, “digital signature”, “Digital Signature Certificate”, “electronic form”, “electronic records”, “information”, “secure electronic record”, “secure digital signature” and “subscriber” shall have the meanings respectively assigned to them in the Information Technology Act, 2000.] (* given below)

6. Relevancy of facts forming part of same transaction -
Facts which, though not in issue are so connected with a fact in issue as to form part of the same transaction, are relevant, whether they occurred at the same time and place or at different times and places.

Example: The OPD record of a patient who was admitted may be considered important evidence in addition to the indoor (in-patient) record. This may include the prescription issued to the patient before admission, a note advising investigations, etc. (These are with the patient, and usually there is no copy with the doctor.)

9. Facts necessary to explain or introduce relevant facts -
Facts necessary to explain or introduce a fact in issue or relevant fact, or which support or rebut an inference suggested by a fact in issue or relevant fact, or which establish the identity of any thing or person whose identity is relevant, or fix the time or place at which any fact in issue or relevant fact happened, or which show the relation of parties by whom any such fact was transacted, are relevant in so far as they are necessary for that purpose.

Example: Pathology / radiology reports, or reports of tests done outside the hospital in which the patient was treated, may be with the patient’s relatives, and these documents will be essential in deciding a suit for compensation. Should the hospital record have provision for storing these records (copy / scan / data entry)?

10. Things said or done by conspirator in reference to common design -
Where there is reasonable ground to believe that two or more persons have conspired together to commit an offence or an actionable wrong, anything said, done or written by any one of such persons in reference to their common intention, after the time when such intention was first entertained by any one of them is a relevant fact as against each of the persons believed to be so conspiring, as well as for the purpose of proving the existence of the conspiracy as for the purpose showing that any such persons was a party to it.

Example: 1. A surgeon and an anaesthetist conspire to create an incorrect medical record so as to hide a mistake of one or both of them. 2. A treating doctor and a database administrator conspire to edit a record in the database in such a manner that the software control that creates the change log is bypassed, and certain entries in the database are edited by the doctor using the admin password, etc.

14. Facts showing existence of state of mind or of body or bodily feeling -
Facts showing the existence of any state of mind, such as intention, knowledge, good faith, negligence, rashness, ill-will or goodwill towards any particular person, or showing the existence of any state of body or bodily feeling, are relevant, when the existence of any such state of mind or body or bodily feeling is in issue or relevant.

Explanation 1 - A fact relevant as showing the existence of a relevant state of mind must show that the state of mind exists, not generally but in reference to the particular matter in question.

Explanation 2. - But where, upon the trial of a person accused of an offence, the previous commission by the accused of an offence is relevant within the meaning of this Section, the previous conviction of such person shall also be a relevant fact.

Example: What was the status of a patient’s health at the time when assurance on his life was effected? A medical record may be called for by a patient / court / insurance company in case of any suit. Is it mandatory for the doctor to produce such record without patient’s consent?

16. Existence of course of business when relevant -
When there is a question whether a particular act was done, the existence of any course of business, according to which it naturally would have been done, is a relevant fact.

Importance: If an EMR is used to store the information relating to all patients, then one can say that the record was made “in the course of business”.

22. When oral admission as to contents of documents are relevant –
Oral admissions as to the contents of a document are not relevant unless and until the party proposing them shows that he is entitled to give secondary evidence of the contents of such document under the rules hereinafter contained, or unless the genuineness of a document produced is in question.

[22A. When oral admissions as to contents of electronic records are relevant.—Oral admissions as to the contents of electronic records are not relevant, unless the genuineness of the electronic record produced is in question.]

32. Case in which statement of relevant fact by person who is dead or cannot be found, etc. is relevant -
Statements, written or verbal, of relevant facts made by a person who is dead, or who cannot be found, or who has become incapable of giving evidence, or whose attendance cannot be procured without an amount of delay or expense which, under the circumstances of the case, appears to the Court unreasonable, are themselves relevant facts in the following cases -
. . . . . . . . . .

(2) Or is made in course of business - When the statement was made by such person in the ordinary course of business, and in particular when it consists of any entry or memorandum made by him in books kept in the ordinary course of business, or in the discharge of professional duty; or of an acknowledgement written or signed by him of the receipt of money, goods securities or property of any kind; or of a document used in commerce written or signed by him or of the date of a letter or other document usually dated, written or signed by him.

Importance : Records kept by deceased doctor in course of business.

34. [Entries in books of account including those maintained in an electronic form] when relevant - [Entries in books of account including those maintained in an electronic form], regularly kept in the course of business, are relevant whenever they refer to a matter into which the Court has to inquire, but such statements shall not alone be sufficient evidence to charge any person with liability.

Note : Unbound sheets of paper are not books of account and cannot be relied upon; Dharam Chand Joshi v. Satya Narayan Bazaz, AIR 1993 Gau 35.

35. Relevancy of entry in public [record or an electronic record] made in performance of duty -
An entry in any public or other official book, register or [record or an electronic record], stating a fact in issue or relevant fact, and made by a public servant in the discharge of his official duty, or by any other person in performance of a duty specially enjoined by the law of the country in which such book, register, or [record or an electronic record] is kept, is itself a relevant fact.

Importance : OPD, IPD and other statutory registers required to be maintained by the doctor, clinic or hospital.

39. What evidence to be given when statement forms part of a conversation, document, electronic record, book or series of letters or papers.—When any statement of which evidence is given forms part of a longer statement, or of a conversation or part of an isolated document, or is contained in a document which forms part of a book, or is contained in part of electronic record or of a connected series of letters or papers, evidence shall be given of so much and no more of the statement, conversation, document, electronic record, book or series of letters or papers as the Court considers necessary in that particular case to the full understanding of the nature and effect of the statement, and of the circumstances under which it was made.

Importance: Court may call for entire record / record of relevant period / entire record of the patient under consideration.

45. Opinions of experts -
When the Court has to form an opinion upon a point of foreign law, or of science, or art, or as to identity of handwriting or finger-impressions, the opinions upon that point of persons specially skilled in such foreign law, science or art, or in questions as to identity of handwriting or finger impressions, are relevant facts.

Such persons are called experts.

45A. Opinion of Examiner of Electronic Evidence.- When in a proceeding, the court has to form an opinion on any matter relating to any information transmitted or stored in any computer resource or any other electronic or digital form, the opinion of the Examiner of Electronic Evidence referred to in section 79A of the Information Technology Act, 2000 (21 of 2000), is a relevant fact.

Explanation.--For the purposes of this section, an Examiner of Electronic Evidence shall be an expert.

47. Opinions as to handwriting, when relevant - When the Court has to form an opinion as to the person by whom document was written or signed, the opinion of any person acquainted with the handwriting of the person by whom it is supposed to be written or signed that it was or was not written or signed by that person, is a relevant fact.

47A. Opinion as to digital signature when relevant - When the Court has to form an opinion as to the digital signature of any person, the opinion of the Certifying Authority which has issued the Digital Signature Certificate is a relevant fact.

59. Proof of facts by oral evidence -
All facts, except the [contents of documents or electronic records], may be proved by oral evidence.

61. Proof of contents of documents -
The contents of documents may be proved either by primary or by secondary evidence.

64. Proof of documents by primary evidence -
Documents must be proved by primary evidence except in the cases hereinafter mentioned.

65. Cases in which secondary evidence relating to documents may be given -
Secondary evidence may be given of the existence, condition or contents of a document in the following cases:

(a) When the original is shown or appears to be in the possession or power of the person against whom the document is sought to be proved, or of any person out of reach of, or not subject to, the process of the Court, or of any person legally bound to produce it, and when, after the notice mentioned in Section 66, such person does not produce it;

(b) When the existence, condition or contents of the original have been proved to be admitted in writing by the person against whom it is proved or by his representative in interest;

(c) When the original has been destroyed or lost, or when the party offering evidence of its contents cannot, for any other reason not arising from his own default or neglect, produce it in reasonable time;

(d) When the original is of such a nature as not to be easily movable;

(e) When the original is a public document within the meaning of Section 74;

(f) When the original is a document of which a certified copy is permitted by this Act, or by any other law in force in India, to be given in evidence;

(g) When the originals consist of numerous accounts or other documents which cannot conveniently be examined in Court, and the fact to be proved is the general result of the whole collections.

In cases (a), (c) and (d), any secondary evidence of the contents of the documents is admissible.

In case (b), the written admission is admissible.

In case (e) or (f), a certified copy of the document, but no other kind of secondary evidence, is admissible.

In case (g), evidence may be given as to the general result of the documents by any person who has examined them, and who is skilled in the examination of such documents.

65A.Special provisions as to evidence relating to electronic record.- The contents of electronic records may be proved in accordance with the provisions of section 65B

65B. Admissibility of electronic records.- (1) Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.

(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely:—

(a) the computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer;

(b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities;

(c) throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and

(d) the information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.

(3) Where over any period, the function of storing or processing information for the purposes of any activities regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by computers, whether—

(a) by a combination of computers operating over that period; or

(b) by different computers operating in succession over that period; or

(c) by different combinations of computers operating in succession over that period; or

(d) in any other manner involving the successive operation over that period, in whatever order, of one or more computers and one or more combinations of computers, all the computers used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer; and references in this section to a computer shall be construed accordingly.

(4) In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things, that is to say,—

(a) identifying the electronic record containing the statement and describing the manner in which it was produced;

(b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer;

(c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate, and purporting to be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate) shall be evidence of any matter stated in the certificate; and for the purposes of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it.

(5) For the purposes of this section,—

(a) information shall be taken to be supplied to a computer if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment;

(b) whether in the course of activities carried on by any official information is supplied with a view to its being stored or processed for the purposes of those activities by a computer operated otherwise than in the course of those activities, that information, if duly supplied to that computer, shall be taken to be supplied to it in the course of those activities;

(c) a computer output shall be taken to have been produced by a computer whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment.

Explanation.—For the purposes of this section any reference to information being derived from other information shall be a reference to its being derived therefrom by calculation, comparison or any other process.

85B. Presumption as to electronic records and digital signatures.- (1) In any proceedings involving a secure electronic record, the Court shall presume unless contrary is proved, that the secure electronic record has not been altered since the specific point of time to which the secure status relates.

(2) In any proceedings, involving secure digital signature, the Court shall presume unless the contrary is proved that—

(a) the secure digital signature is affixed by subscriber with the intention of signing or approving the electronic record;

(b) except in the case of a secure electronic record or a secure digital signature, nothing in this section shall create any presumption relating to authenticity and integrity of the electronic record or any digital signature.
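Both the second example under section 10 above (a change log bypassed by editing the database directly with the admin password) and the presumption in section 85B turn on one question: can a later alteration of the record be detected? The following Python is an added illustration of that idea, not code from the original post and not the IT Act's definition of a "secure electronic record"; it keeps a keyed hash chain over EMR change entries so that an entry altered in storage behind the application's back, or a record deleted from the tail of the log, is detectable. The key, field names and sample entries are constructed for the example.

```python
"""Tamper-evident change log for EMR entries (illustration only)."""
import hashlib
import hmac
import json

# Constructed key for this example. In practice the key is held by a component
# the database administrator cannot read (a separate audit service or an HSM);
# without that separation an administrator could simply recompute the MACs.
AUDIT_KEY = b"constructed-example-key-do-not-reuse"
GENESIS = "0" * 64   # digest used as the predecessor of the first record


def _canonical(obj):
    """Stable JSON encoding so equal content always produces the same MAC."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _mac(body):
    return hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()


def append_entry(log, entry):
    """Append one change record; each record commits to its predecessor's digest."""
    body = {
        "seq": len(log),
        "prev": log[-1]["digest"] if log else GENESIS,
        "entry": entry,
    }
    record = dict(body, digest=_mac(body))
    log.append(record)
    return record["digest"]


def verify_log(log):
    """Recompute the chain from the start.

    Returns (True, None) if every record is intact, otherwise
    (False, seq) for the first record whose content or linkage does not match.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {"seq": rec["seq"], "prev": rec["prev"], "entry": rec["entry"]}
        if (rec["seq"] != i or rec["prev"] != prev
                or not hmac.compare_digest(_mac(body), rec["digest"])):
            return False, i
        prev = rec["digest"]
    return True, None


def verify_head(log, anchored_digest):
    """Detect truncation: cutting records off the tail breaks no link, so the
    latest digest must be compared with a copy anchored outside the database
    (for example written into a daily register or sent to an audit service)."""
    head = log[-1]["digest"] if log else GENESIS
    return hmac.compare_digest(head, anchored_digest)


# Constructed sample change entries for one patient.
SAMPLE_ENTRIES = [
    {"patient": "P-001", "field": "hb_g_percent", "value": 7,
     "by": "dr_a", "ts": "2012-04-05T10:00"},
    {"patient": "P-001", "field": "blood_reserved_bags", "value": 1,
     "by": "dr_a", "ts": "2012-04-05T10:05"},
    {"patient": "P-001", "field": "note", "value": "transfusion ordered",
     "by": "dr_a", "ts": "2012-04-05T10:10"},
]


def build_sample_log():
    log = []
    for entry in SAMPLE_ENTRIES:
        append_entry(log, entry)
    return log


def demo_direct_edit():
    """An edit made directly in storage, bypassing the application, is caught."""
    log = build_sample_log()
    before = verify_log(log)
    log[1]["entry"]["value"] = 0   # the "blood reserved" entry is altered in place
    after = verify_log(log)
    return before, after            # ((True, None), (False, 1))


def demo_truncation():
    """Deleting the newest record leaves a valid chain; only the anchor reveals it."""
    log = build_sample_log()
    anchored = log[-1]["digest"]    # copy taken before the tampering
    log.pop()
    return verify_log(log)[0], verify_head(log, anchored)   # (True, False)


if __name__ == "__main__":
    print("direct edit :", demo_direct_edit())
    print("truncation  :", demo_truncation())
```

The chain only proves that the stored content matches what the key holder authenticated; who may hold the key and where the head digest is anchored are the controls a hospital would have to decide on.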

90. Presumption as to documents thirty years old -
Where any document, purporting or proved to be thirty years old, is produced from any custody which the Court in the particular case considers proper, the Court may presume that the signature and every other part of such document, which purports to be in the handwriting of any particular person, is in that person’s handwriting, and, in the case of a document executed or attested, that it was duly executed and attested by the persons by whom it purports to be executed and attested.


90A. Presumption as to electronic records five years old.- Where any electronic record, purporting or proved to be five years old, is produced from any custody which the Court in the particular case considers proper, the Court may presume that the digital signature which purports to be the digital signature of any particular person was so affixed by him or any person authorised by him in this behalf.

Explanation: Electronic records are said to be in proper custody if they are in the place in which, and under the care of the person with whom, they would naturally be; but no custody is improper if it is proved to have had a legitimate origin, or the circumstances of the particular case are such as to render such an origin probable.

131. Production of documents or electronic records which another person, having possession, could refuse to produce.- No one shall be compelled to produce documents in his possession or electronic records under his control, which any other person would be entitled to refuse to produce if they were in his possession, or control, unless such last-mentioned person consents to their production.

Importance: A hospital record room person cannot be compelled to produce a record created by the doctor.

144. Evidence as to matters in writing -
Any witness may be asked whilst under examination, whether any contract, grant or other disposition of property as to which he is giving evidence, was not contained in a document, and if he says that it was, or if he is about to make any statement as to the contents of any document, which, in the opinion of the Court, ought to be produced, the adverse party may object to such evidence being given until such document is produced, or until facts have been proved which entitle the party who called the witness to give secondary evidence of it.

Explanation - A witness may give oral evidence of statements made by other persons about the contents of documents if such statements are in themselves relevant facts.

159. Refreshing memory. -
A witness may, while under examination, refresh his memory by referring to any writing made by himself at the time of the transaction concerning which he is questioned, or so soon afterwards that the Court considers it likely that the transaction was at that time fresh in his memory.

The witness may also refer to any such writing made by any other person and read by the witness within the time aforesaid, if when he read it he knew it to be correct.

When witness may use copy of document to refresh his memory -

Whenever a witness may refresh his memory by reference to any document, he may, with the permission of the Court, refer to a copy of such document.

Provided the Court be satisfied that there is sufficient reason for the non-production of the original.

An expert may refresh his memory by reference to professional treatises.

164. Using, as evidence, of document, production of which was refused on notice -
When a party refuses to produce a document which he has had notice to produce, he cannot afterwards use the document as evidence without the consent of the other party or the order of the Court.

Importance: This clause makes clear that producing the record when asked for is in the interest of the treating doctor, because at a later date the doctor may not be permitted to place certain facts on record. For example, if the patient’s hemoglobin on admission was 7 gm% and, despite blood being arranged and administered, the patient died of postpartum hemorrhage, the doctor can protect himself from a charge of negligence only if he is able to produce before the court evidence that the hemoglobin was 7 gm% at admission, that he had reserved one bag of blood in a blood bank, and that he had ordered it.


Information Technology Act

Amendment Act 10 of 2009 : Statement of Objects and Reasons :

With proliferation of information technology enabled services such as e-governance, e-commerce and e-transactions; data security, data privacy and implementation of security practices and procedures relating to these applications of electronic communications have assumed greater importance and they required harmonization with the provisions of the Information Technology Act. Further, protection of Critical Information Infrastructure is pivotal to national security, economy, public health and safety, thus it had become necessary to declare such infrastructure as protected system, so as to restrict unauthorised access.

Further, a rapid increase in the use of computers and the Internet has given rise to new forms of crimes like publishing sexually explicit materials in electronic form, video voyeurism, breach of confidentiality and leakage of data by intermediaries, e-commerce frauds like cheating by personation (commonly known as phishing), identity theft and offensive messages through communication services. So, penal provisions were required to be included in the Information Technology Act, the Indian Penal Code, the Indian Evidence Act and the Code of Criminal Procedure to prevent such crimes.

Importance: The Amendment Act specifically states that protection of critical information infrastructure is pivotal to, among other things, public health. Hence we need to work towards using information technology in such a manner that public health decisions are supported.


2. Definitions. -
(1) In this Act, unless the context otherwise requires,- (a) "access", with its grammatical variations and cognate expressions, means gaining entry into, instructing or communicating with the logical, arithmetical or memory function resources of a computer, computer system or computer network;

(b) "addressee" means a person who is intended by the originator to receive the electronic record but does not include any intermediary;

(c) "adjudicating officer" means an adjudicating officer appointed under sub-section (1) of section 46;

"affixing digital signature", with its grammatical variations and cognate expressions means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of digital signature;

"appropriate Government" means as respects any matter (i) enumerated in List II of the Seventh Schedule to the Constitution; (ii) relating to any State law enacted under List III of the Seventh Schedule to the Constitution, the State Government and in any other case, the Central Government;

"asymmetric crypto system" means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature;

"Certifying Authority" means a person who has been granted a licence to issue a Digital Signature Certificate under section 24;

"certification practice statement" means a statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing Digital Signature Certificates;

"computer" means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network;

"computer network" means the inter-connection of one or more computers through-

(i) the use of satellite, microwave, terrestrial line or other communication media; and

(ii) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained;

"computer resources" means computer, computer system, computer network, data, computer database or software;

"computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;

"Controller" means the Controller of Certifying Authorities appointed under sub-section (1) of section 17;

"Cyber Appellate Tribunal" means the cyber Regulations Appellate Tribunal established under sub-section (1) of section 48;

"data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;

"digital signature" means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3;

"Digital Signature Certificate " means a Digital Signature Certificate issued under sub-section (4) of section 35;

"electronic form", with reference to information, means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device;

"Electronic Gazette" means Official Gazette published in the electronic form;

"electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;

"function", in relation to a computer, includes logic, control, arithmetical process, deletion, storage and retrieval and communication or telecommunication from or within a computer;

"information" includes data, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche;

"intermediary" with respect to any particular electronic message, means any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message;

"key pair", in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key;

"law" includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President under article 240, Bills enacted as President’s Act under sub-clause (a) of clause
(1) of article 375 of the Constitution and includes rules, regulations, bye-laws and order issued or made thereunder;

"licence" means a licence granted to a Certifying Authority under section 24;

(za) "originator" means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary;

(zb) "prescribed" means prescribed by rules made under the Act;

(zc) "private key" means the key of a key pair used to create a digital signature;

(zd) "public key" means the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate;

(ze) "secure system" means computer hardware, software and procedure that-

(a) are reasonably secure from unauthorised access and misuses;

(b) provide a reasonable level of reliability and correct operation;

(c) are reasonably suited to performing the intended functions; and

(d) adhere to generally accepted security procedures;

(zf) "security procedure" means the security procedure prescribed under section 16 by the Central Government;

(zg) "subscriber" means a person in whose name the Digital Signature Certificate is issued;

(zh) "verify", in relation to a digital signature, electronic record or public key, with its grammatical variations and cognate expressions, means to determine whether-

(a) the initial electronic record was affixed with the digital signature by the use of the private key corresponding to the public key of the subscriber;

(b) the initial electronic record is retained intact or has been altered since such electronic record was so affixed with the digital signature.
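The two limbs of "verify" in clause (zh) are one check in practice. The Go program below is an added example (not code from this post, from the Act or from any certifying authority) showing that a single signature verification answers both (a), whether the signature was made with the private key belonging to the subscriber's public key, and (b), whether the record is intact since it was signed. Ed25519 from Go's standard library is an assumed stand-in for whatever algorithm a licensed Certifying Authority would certify (the Act names none); the type and function names and the sample record are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedRecord is an electronic record together with the digital signature
// a subscriber affixed to it. The type and field names are this example's own.
type SignedRecord struct {
	Record    []byte
	Signature []byte
}

// Subscriber holds a key pair as the Act defines it: a private key that
// creates digital signatures and the mathematically related public key that
// verifies them. Ed25519 is an assumed stand-in; the Act names no algorithm.
type Subscriber struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey // never leaves the subscriber
}

// NewSubscriber generates a fresh key pair.
func NewSubscriber() (*Subscriber, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Subscriber{Public: pub, private: priv}, nil
}

// Affix is "affixing digital signature": the subscriber authenticates the
// record by signing its exact bytes with the private key.
func (s *Subscriber) Affix(record []byte) SignedRecord {
	return SignedRecord{Record: record, Signature: ed25519.Sign(s.private, record)}
}

// Verify decides the two questions in clause (zh) together:
//   (a) was the signature made with the private key corresponding to this
//       public key, and
//   (b) is the record still intact since the signature was affixed.
// One boolean answers both, because a signature over altered bytes, or one
// made with a different private key, does not verify under this public key.
func Verify(subscriberPublic ed25519.PublicKey, sr SignedRecord) bool {
	if len(subscriberPublic) != ed25519.PublicKeySize || len(sr.Signature) != ed25519.SignatureSize {
		return false // malformed input is a verification failure, not a panic
	}
	return ed25519.Verify(subscriberPublic, sr.Record, sr.Signature)
}

func main() {
	doctor, err := NewSubscriber()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	signed := doctor.Affix([]byte("Patient 0001: admitted; Hb 7 gm%; one bag of blood reserved at blood bank"))
	fmt.Println("intact record, subscriber's key:", Verify(doctor.Public, signed))

	// (b): one character changed after signing.
	altered := SignedRecord{
		Record:    []byte("Patient 0001: admitted; Hb 9 gm%; one bag of blood reserved at blood bank"),
		Signature: signed.Signature,
	}
	fmt.Println("altered record:", Verify(doctor.Public, altered))

	// (a): the same record checked against another person's public key.
	other, _ := NewSubscriber()
	fmt.Println("another person's key:", Verify(other.Public, signed))
}
```

Note that the public key used in Verify must come from the subscriber's Digital Signature Certificate, not from the record itself; a record that carries its own "public key" proves nothing about who signed it.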


(2) Any reference in this Act to any enactment or any provision thereof shall, in relation to an area in which such enactment or such provision is not in force, be construed as a reference to the corresponding law or the relevant provision of the corresponding law, if any, in force in that area.

4. Legal recognition of electronic records -
Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is-

(a) Rendered or made available in an electronic form; and

(b) Accessible so as to be usable for a subsequent reference.


7. Retention of electronic records.-
(1) Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, if-

(a) the manner and format therein remains accessible so as to be usable for a subsequent reference;

(b) the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received;

(c) the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record:

Provided that this clause does not apply to any information which is automatically generated solely for the purpose of enabling a record to be dispatched or received.

(3) Nothing in this section shall apply to any law that expressly provides for the retention of documents, records or information in the form of electronic records.


9. Section 6, 7 and 8 not to confer right to insist document should be accepted in electronic form.-
Nothing contained in section 6, 7 and 8 shall confer a right upon any person to insist that any Ministry or Department of the Central Government or the State Government or any authority or body established by or under any law or controlled or funded by the Central or State Government should accept, issue, create, retain and preserve any document in the form of electronic records or effect any monetary transaction in the electronic form.


29. Access to computers and data. -
(1) Without prejudice to the provisions of sub-section (1) of section 68, the Controller or any person authorised by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this Act, rules or regulations made thereunder has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system.

(2) For the purposes of sub-section (1), the Controller or any person authorised by him may, by order, direct any person incharge of, or otherwise concerned with the operation of, the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary.

Importance: A healthcare provider cannot oppose verification of an electronic medical record by an authorised person.


60. Limitation. - The provisions of the Limitation Act, 1963 (36 of 1963), shall, as far as may be, apply to an appeal made to the Cyber Appellate Tribunal.

43. Penalty for damage to computer, computer system, etc.-
If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,-

(a) accesses or secures access to such computer, computer system or computer network or computer resource

(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;

(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;

(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

(e) disrupts or causes disruption of any computer, computer system or computer network;

(f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;

(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder,

(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network,

(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means

(j) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Explanation.-For the purposes of this section.- (i) "computer contaminant" means any set of computer instructions that are designed –

(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or

(b) by any means to usurp the normal operation of the computer, computer system, or computer network;

(ii) "computer database" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;

(iii) "computer virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;

(iv) "damage" means to destroy, alter, delete, add, modify or re-arrange any computer resource by any means.

Sec 43A Compensation for failure to protect data
“Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Explanation. — For the purposes of this section,—

(i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;”

(iii) “sensitive and personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;”

Here the law itself does not define what "sensitive personal data or information" is, and although an explanation of "reasonable security practices and procedures" is provided, it is too vague and open to interpretation.

Hence, to address the issue, on February 7, 2011, the Department of Information Technology published draft rules titled "The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011", in exercise of the powers conferred by Section 87(2)(ob), read with Section 43A of the Information Technology Act, 2000. These rules are reproduced below for ready reference, as they talk about medical records and history and have certain provisions which need detailed consideration.

The information technology (reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

In exercise of the powers conferred by clause (ob) of subsection (2) of section 87 read with section 43A of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby makes the following rules, namely.―

1. Short title and commencement. (1) These rules may be called the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. (2) They shall come into force on the date of their publication in the Official Gazette.

2. Definitions. (1) In these rules, unless the context otherwise requires,-- (a) “Act” means the Information Technology Act, 2000 (21 of 2000);
(b) “Biometrics” means the technologies that measure and analyse human body characteristics, such as ‘fingerprints’, ‘eye retinas and irises’, ‘voice patterns’, ‘facial patterns’, ‘hand measurements’ and ‘DNA’ for authentication purposes;
(c) “Body corporate” means the body corporate as defined in clause (i) of explanation to section 43A of the Act;
(d) “Cyber incidents” means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;
(e) “Data” means data as defined in clause (o) of sub-section (1) of section 2 of the Act;
(f) “Information” means information as defined in clause (v) of sub-section (1) of section 2 of the Act;
(g) “Intermediary” means an intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act;
(h) “Password” means a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information;
(i) “Personal information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
(2) All other words and expressions used and not defined in these rules but defined in the Act shall have the meanings respectively assigned to them in the Act.

3. Sensitive personal data or information.— Sensitive personal data or information of a person means such personal information which consists of information relating to;
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details ;
(iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise, provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

4. Body corporate to provide policy for privacy and disclosure of information.— (1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for
(i) clear and easily accessible statements of its practices and policies;
(ii) type of personal or sensitive personal data or information collected under rule 3;
(iii) purpose of collection and usage of such information;
(iv) disclosure of information including sensitive personal data or information as provided in rule 6;
(v) reasonable security practices and procedures as provided under rule 8.

5. Collection of information.— (1) Body corporate or any person on its behalf shall obtain consent in writing through letter or fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.
(2) Body corporate or any person on its behalf shall not collect sensitive personal data or information unless
(a) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and
(b) the collection of the sensitive personal data or information is considered necessary for that purpose.
(3) While collecting information directly from the person concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of
(a) the fact that the information is being collected;
(b) the purpose for which the information is being collected;
(c) the intended recipients of the information; and
(d) the name and address of
(i) the agency that is collecting the information; and
(ii) the agency that will retain the information.
(4) Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.
(5) The information collected shall be used for the purpose for which it has been collected.
(6) Body corporate or any person on its behalf shall permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient shall be corrected or amended as feasible: provided that a body corporate shall not be responsible for the authenticity of the personal information or sensitive personal data or information supplied by the provider of information to such body corporate or any other person acting on behalf of such body corporate.
(7) Body corporate or any person on its behalf shall, prior to the collection of information including sensitive personal data or information, provide an option to the provider of the information to not to provide the data or information sought to be collected. The provider of information shall, at any time while availing the services or otherwise, also have an option to withdraw its consent given earlier to the body corporate. Such withdrawal of the consent shall be sent in writing to the body corporate. In the case of provider of information not providing or later on withdrawing his consent, the body corporate shall have the option not to provide goods or services for which the said information was sought.
(8) Body corporate or any person on its behalf shall keep the information secure as provided in rule 8.
(9) Body corporate shall address any discrepancies and grievances of their provider of the information with respect to processing of information in a time bound manner. For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances of provider of information expeditiously but within one month from the date of receipt of grievance.

6. Disclosure of information.— (1) Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation: Provided that the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency shall send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person.
(2) Notwithstanding anything contained in sub-rule (1), any sensitive personal data or Information shall be disclosed to any third party by an order under the law for the time being in force.
(3) The body corporate or any person on its behalf shall not publish the sensitive personal data or information.
(4) The third party receiving the sensitive personal data or information from body corporate or any person on its behalf under sub-rule (1) shall not disclose it further.

7. Transfer of information.-A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.

8. Reasonable Security Practices and Procedures.— (1) A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.
(2) The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard referred to in sub-rule (1).
(3) Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule(1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.
(4) The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertake significant upgradation of its process and computer resource.

Importance: 4. All healthcare providers need a similar policy framed by IMA / IAMI; therefore these associations should publish it on a web page that all providers can use.
5.1: A draft consent form is needed, taking the various issues raised here into consideration.
5.2 (a) and (b): EMR is a necessity of healthcare providers' activity; therefore any registered doctor, hospital, laboratory or diagnostic centre should be allowed to use a certified EMR.
5.4: Clearer guidelines are needed, as indicated elsewhere.
5.6: Example: if a patient has not told the doctor that he is allergic to xyz or suffering from disease abc, will he be allowed to correct the information at a later date? If yes, what are the consequences, will the corrected entry bear a time stamp of the correction, and how is the fact recorded that the patient gave inadequate information at the beginning and corrected it later?
5.7: Will the patient have a choice whether the doctor records the history in electronic format or not? If the information is to be used for analytical purposes, e.g. epidemic detection, then some data on paper and some on electronic media will not serve the purpose. Therefore the patient should not have any such option if the hospital is using EMR.
6.1: Government should have ongoing permission to receive health-related information from various EMRs so that it can be used for epidemiological analysis. For this purpose there should be a specific legal provision stating what data should be sent to the government health department and in what format, so that de-identified information is shared and, if required, person-specific sensitive information can also be shared (e.g. patient data in the case of an H1N1 epidemic).
8.1: Certification of software is needed to the effect that the required security measures have been taken.
8.3: Legal provision for IMA / IAMI to formulate guidelines and seek approval from the government.
8.4: Provision for annual audit of such systems by an independent organisation.
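One way an EMR can answer the question raised under 5.6 (can a patient correct information later, and how is the original entry and the time of correction preserved) is to never overwrite a field but to append a dated amendment. The following is an added illustration written for this page, not code from the original post or from any EMR product; the field, role and date values are constructed for the example.

```python
"""Append-only amendment log for one EMR field (added example).

A correction such as a late-disclosed allergy is stored as a new,
time-stamped amendment that keeps the previous value, the author and
the reason, so the record shows both what was known at the first
visit and when it was corrected.  Names below are illustrative.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Amendment:
    recorded_at: datetime        # time stamp of the correction itself
    author: str                  # who recorded it (doctor, staff, patient)
    field_name: str              # which field changed, e.g. "allergies"
    previous_value: Optional[str]  # value before this amendment
    new_value: str
    reason: str                  # why the record changed


@dataclass
class RecordField:
    name: str
    value: Optional[str] = None
    history: List[Amendment] = field(default_factory=list)

    def amend(self, new_value: str, author: str, reason: str,
              at: Optional[datetime] = None) -> Amendment:
        """Record a change; the old value is kept in the history."""
        at = at or datetime.now(timezone.utc)
        entry = Amendment(at, author, self.name, self.value, new_value, reason)
        self.history.append(entry)
        self.value = new_value
        return entry

    def as_of(self, when_iso: str) -> Optional[str]:
        """Value in effect at an ISO-8601 instant, e.g. what the doctor
        could have known at that time; None if nothing was recorded yet."""
        when = datetime.fromisoformat(when_iso)
        current = None
        for a in self.history:
            if a.recorded_at <= when:
                current = a.new_value
        return current


def demo_allergy_correction() -> RecordField:
    """Constructed scenario: no allergy reported at the first visit,
    the patient discloses an allergy to 'xyz' one week later."""
    allergies = RecordField("allergies")
    allergies.amend("none reported", "dr_a", "initial history taken",
                    at=datetime(2012, 4, 1, 9, 0, tzinfo=timezone.utc))
    allergies.amend("xyz", "dr_a",
                    "patient disclosed allergy omitted at first visit",
                    at=datetime(2012, 4, 8, 10, 30, tzinfo=timezone.utc))
    return allergies


if __name__ == "__main__":
    rec = demo_allergy_correction()
    for a in rec.history:
        print(a.recorded_at.isoformat(), a.author, a.previous_value, "->", a.new_value, "|", a.reason)
```

Because the history is append-only, the consequence question in 5.6 can be answered from the record itself: `as_of()` shows what was on file when a decision was taken, while the latest amendment shows who corrected it and why. In a real system the history would be stored in a write-once table or signed log so that the amendment trail itself cannot be silently edited.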
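The sharing model suggested under 6.1 (routine de-identified reporting, with person-specific data only when a legal provision requires it, as in an epidemic) can be expressed as an export routine that whitelists epidemiological fields, replaces identifiers with a keyed pseudonym, and refuses to emit direct identifiers unless a legal authority is recorded. This is an added example for this page, not code from the original post; the field names, the age banding and the HMAC pseudonym are illustrative choices, not anything the rules or the steering committee prescribe.

```python
"""De-identified case export for a government health department (added example).

Assumes one flat dict per encounter with the constructed field names below.
The pseudonym is an HMAC over the provider's patient id with a key that
stays with the provider, so the department can link repeat reports for one
patient without being able to recover the identity.
"""
import hashlib
import hmac
from datetime import date
from typing import Any, Dict, Optional

# Fields that may always be shared for epidemiological analysis (assumed list).
SHARED_FIELDS = ("diagnosis_code", "onset_date", "district", "sex", "outcome")
# Direct identifiers that are only shared under a recorded legal authority.
DIRECT_IDENTIFIERS = ("name", "address", "phone", "patient_id", "dob")


def age_band(dob: date, as_of: date, width: int = 10) -> str:
    """Generalise a date of birth to a ten-year band, e.g. '30-39'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed, one-way pseudonym; same key and id give the same value."""
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def export_case(record: Dict[str, Any], key: bytes, as_of_iso: str,
                identified: bool = False,
                authority_ref: Optional[str] = None) -> Dict[str, Any]:
    """Build the report to send.  By default only de-identified fields leave
    the provider; person-specific data requires a cited legal authority."""
    as_of = date.fromisoformat(as_of_iso)
    out: Dict[str, Any] = {f: record[f] for f in SHARED_FIELDS}
    out["age_band"] = age_band(record["dob"], as_of)
    out["pseudonym"] = pseudonym(record["patient_id"], key)
    if identified:
        if not authority_ref:
            raise PermissionError("person-specific export requires a recorded legal authority")
        out["identified_under"] = authority_ref
        for f in DIRECT_IDENTIFIERS:
            out[f] = record[f]
    elif any(f in out for f in DIRECT_IDENTIFIERS):
        raise RuntimeError("direct identifier leaked into a de-identified export")
    return out


def sample_record() -> Dict[str, Any]:
    """Constructed encounter record for the demonstration."""
    return {
        "patient_id": "P-0001", "name": "A. Patient", "address": "Ward 3, Pune",
        "phone": "0000000000", "dob": date(1980, 6, 15), "sex": "M",
        "district": "Pune", "diagnosis_code": "J09", "onset_date": "2012-04-01",
        "outcome": "recovered",
    }


if __name__ == "__main__":
    print(export_case(sample_record(), b"provider-secret-key", "2012-04-05"))
```

The H1N1 case in 6.1 would use `identified=True` with the notification or order under which the department may receive names, and that reference travels with the report so the basis for disclosure is auditable later (8.4). The HMAC key must be treated as a secret of the provider: whoever holds it can test whether a given patient id produced a given pseudonym.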


Conclusion:

Doctors, clinics, hospitals and other healthcare providers need to know the provisions of the above acts, especially the clauses reproduced here. Some of the clauses apply specifically to electronic medical records, some to the period for which a record must be preserved and how it should be preserved, while others relate to the Evidence Act.

I request you to let me know if any further clauses are important to be considered w.r.t. Electronic Medical Records. If you can add some examples from your experience, they will be useful to explain various issues further. I have done this compilation to stimulate the thought process, and to discuss and debate what the provisions of an ideal policy regarding electronic medical records should be, which will help the creation of health information systems at the national level. I would be extremely happy to include your name in the list of acknowledgements.

I would like to know if you would like to join me as co-author for this effort. Please send your contribution in the following format: Act, clause, sub-clause, importance / example, to my email address rajeevdjoshi@gmail.com with consent to include your name as co-author. Please note that in case of similar comments from two individuals, I will decide which name should be co-author and which name should be in the acknowledgements.

Dr. Rajeev Joshi