In a landmark judgement delivered yesterday, the Supreme Court of India unanimously ruled that privacy is a fundamental right.
In its order, the nine-judge constitutional bench headed by Chief Justice of India said “The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”.
Article 21 ensures protection of life and personal liberty.”No person shall be deprived of his life or personal liberty except according to procedure established by law.”
In doing so, the Bench overruled the two earlier judgements, also by the Apex Court, which had ruled against privacy as a fundamental right.
Right to privacy will be now find a place along with the other six fundamental rights recognized by the constitution of India.
- Right to equality
- Right to freedom
- Right against exploitation
- Cultural and educational rights
- Right to constitutional remedies
Privacy and confidentiality are important tenets of ethical medical practice. They are the foundation of the doctor-patient relationship built on trust.
The terms, privacy and confidentiality have often been considered as synonyms. But, the two are not the same and it is important to know the difference between the two.
Privacy is the right of a person (patient) to keep his health information, including any other personal information, private and undisclosed. Doctors are often privy to private information shared by the patients during the course of history taking and treatment.
Confidentiality, on the other hand, is what we, as doctors (or other concerned persons) do with the information that has been entrusted to us. Confidentiality implies the duty of everyone entrusted with any information to keep that information private.
Health information is a part of personal information and includes information for example demographic data (name, address, phone no etc.), insurance information, identification data, medical history. Such information along with medical examination, clinical images during consultation and treatment is considered as information private to the patient.
Clinical images e.g. photos of a body part/skin lesion/injury, lab reports, x-rays/scan reports, audio/video recordings are also health information. They can be taken and shared only after consent of the patient.
Protecting the privacy of patient information is the ethical duty of the doctor as also mandated in the MCI Code of Ethics Regulations.
“2.2 Patience, Delicacy and Secrecy: Patience and delicacy should characterize the physician. Confidences concerning individual or domestic life entrusted by patients to a physician and defects in the disposition or character of patients observed during medical attendance should never be revealed unless their revelation is required by the laws of the State. Sometimes, however, a physician must determine whether his duty to society requires him to employ knowledge, obtained through confidence as a physician, to protect a healthy person against a communicable disease to which he is about to be exposed. In such instance, the physician should act as he would wish another to act toward one of his own family in like circumstances.
7.14 The registered medical practitioner shall not disclose the secrets of a patient that have been learnt in the exercise of his / her profession except –
- in a court of law under orders of the Presiding Judge;
- in circumstances where there is a serious and identified risk to a specific person and / or community; and
- notifiable diseases.
In case of communicable / notifiable diseases, concerned public health authorities should be informed immediately.
7.17 A registered medical practitioner shall not publish photographs or case reports of his / her patients without their permission, in any medical or other journal in a manner by which their identity could be made out. If the identity is not to be disclosed, the consent is not needed.”
Privacy and confidentiality has been included among the important principles of bioethics (Article 9) defined by UNESCO under its Universal Declaration on Bioethics and Human Rights that should be respected. “The privacy of the persons concerned and the confidentiality of their personal information should be respected. To the greatest extent possible, such information should not be used or disclosed for purposes other than those for which it was collected or consented to, consistent with international law, in particular international human rights law.”
Another very important aspect that should be understood and kept in mind is that while hospitals or healthcare establishments own the physical (or electronic) records, they are only “held in trust by them on behalf of the patient”. The information or data in the records are owned by the patient. This information is protected health information.
What constitutes protected health information? The Electronic Health Records Standards for India 2016 notified last year have elaborated on this.
“Protected Health Information (PHI) would refer to any individually identifiable information whether oral or recorded in any form or medium that (1) is created, or received by a stakeholder; and (2) relates to past, present, or future physical or mental health conditions of an individual; the provision of health care to the individual; or past, present, or future payment for health care to an individual.
Electronic Protected Health Information (ePHI) would refer to any protected health information (PHI) that is created, stored, transmitted, or received electronically. Electronic protected health information includes any medium used to store, transmit, or receive PHI electronically.
As per the Information Technology Act 2000, Data Privacy Rules, refers to ‘sensitive personal data or information’ (SPI) as the subject of protection, but also refers, with respect to certain obligations, to ‘personal information’ (PI). Sensitive personal information is defined as a subset of personal information. Followings are Sensitive personal information that relates to:
- Financial information such as bank account or credit card or debit card or other payment instrument details
- Physical, psychological and mental health condition
- Sexual orientation
- Medical records and history
- Biometric information
- Any detail relating to (1) – (6) above received by the body corporate for provision of services
- Any information relating to (1) – (7) that is received, stored or processed by the body corporate under a lawful contract or otherwise”
The patient is the supreme consent giver, and no action pertaining to his/her health information can be taken without consent from the patient. Any protected health information can be shared only after patient consent and that too only with the authorized person. Divulging this information to any unauthorized person without consent of the patient is breach of privacy and confidentiality.
This judgement will have huge implications on how information can be used.
In light of this judgement, privacy is no longer a common law right. And, it’s not just our ethical duty to respect the right to privacy of a patient simply because it is prescribed by the MCI Ethics Code or any other regulatory bodies.
Privacy is now a fundamental ‘inviolable’ right under the Constitution of India.
Disclaimer: The views expressed in this write up are entirely my own.