Data Protection

Settling the Debate Around the Unmonitored Exchange of Health Data: A Case Study from Around the World


In the past few decades, the role of technology in the field of healthcare has significantly increased. Today, with the use of technology, doctors are able to access their patients’ healthcare data in a much more convenient manner. However, there are many security and privacy concerns related to the exchange of healthcare data. These concerns become much more prominent when there is an unmonitored exchange of health data. The following article shall explore the various merits and demerits of the unmonitored exchange of health data with reference to different legal frameworks across the world. Before we proceed to discuss the various aspects of health data exchange, though, it is important that we first understand what exactly constitutes health data and the way it is used.

Given the fact that India is a highly populous country, it has become very difficult for medical practitioners to keep track of their patients’ data without relying on technology. Health data generally consists of the personal information and medical history of a patient, such as age, sex, immunizations, disease history, etc. Earlier, this information was known only to the doctor and the patient. But technology has changed all that. Today, health data is being exchanged with pharmaceutical companies, insurance companies, human resources departments, and other third parties. Most of the time patients are not even aware that their health data has been shared or exchanged. This unmonitored and unfettered exchange of health data generally takes place for the purpose of commercialization or maximizing profits. For example, a pharmaceutical company that has access to the medical records of patients knows which products to advertise. Similarly, insurance companies which know their customers’ medical background can charge higher insurance premiums. In such a scenario, it becomes important to regulate or monitor the exchange of health data.

What is Health Information Exchange?

The sharing of health data across different platforms is known as Health Information Exchange (HIE). HIE takes place through electronic means such as fax and email so that the doctors, pharmacists, and other medical practitioners involved can access the patient’s data in a faster and more cost-effective manner. There are mainly three types of health information exchange: directed exchange, query-based exchange, and consumer-mediated exchange. Directed exchange enables doctors to share health information with the other health care providers involved, and query-based exchange enables doctors to request a patient’s health information from other health care providers. The latter generally happens when a doctor requires health information in cases of emergency. In case a patient needs to share his health information with different health care providers himself, he does so through a consumer-mediated exchange.

Though the Health Information Exchange ecosystem has been lauded for easing the process of accessing patients’ health data, critics argue that it should be monitored closely as it has certain risks associated with it. The HIE ecosystem can expose health data to risk through hacking, problems of data availability, weak trust and access controls, etc. However, the most important concern associated with HIE is the breach of privacy. It is essential that the critical health data or information that has been shared by patients with their doctors remains solely between the two. Despite these challenges, the global health information exchange market has grown substantially in the past few years. In the global context, the HIE market accounted for US$ 988.6 million in 2015 [i].

India and Digital Health Data

In India, the government has put an increased focus on securing the privacy of patients by introducing iron-clad legislation to prevent breaches of data security and protect patients’ health data. However, the legislation is still pending approval. In March 2020, the Ministry of Health and Family Welfare released the Telemedicine Practice Guidelines. These guidelines allow registered medical practitioners to use telemedicine for the purpose of delivering healthcare. The term telemedicine can be defined as a way through which medical practitioners share health data through the use of information and communication technology. The introduction of these guidelines proved to be a turning point for the healthcare industry, as earlier there was no uniform set of rules or legislation that provided for the regulation of telemedicine in India.

Introduction of DISHA

DISHA, or the Digital Information Security in Healthcare Act, has been introduced by the government with the objective of securing the healthcare data of patients [i]. With the advent of technology, privacy breaches have become quite common. Over the course of the past few years, there have been several instances where private health data has been exchanged or circulated without any regulation or the consent of the patient. In such a scenario, legislation like DISHA will prove to be highly beneficial for the healthcare industry. Through DISHA, regulatory bodies or authorities will be set up both at the central and the state level. The National Electronic Health Authority (NeHA) is the apex body that will be responsible for overseeing the storage, generation, and exchange of digital health data at the national level. The State Electronic Health Authority (SeHA) will have to ensure that DISHA is implemented at the grassroots level [ii]. During the Covid-19 pandemic, the role of NeHA has increased substantially.

Concerns Regarding Ownership and Privacy of Health Data

DISHA aims to address various concerns surrounding the ownership and privacy of health data [i]. DISHA protects the individual or the patient by making him the sole owner of his health data. Under DISHA, a patient’s consent is paramount before his health data can be stored. Further, if he changes his mind, he has the option of withdrawing his consent for the storage or exchange of his data. Additionally, DISHA contains stringent provisions that protect the consent-related rights of the patient. Firstly, the patient has complete authority to decide how his health data is used. In other words, without a patient’s consent, his data cannot be exchanged or used in any manner. Secondly, even if a patient refuses to give consent for the storage or use of his data, he cannot be denied healthcare. These provisions have been incorporated so that a patient can be given complete control over the storage and exchange of his health data. Moreover, these provisions make it clear that a patient’s consent is of utmost importance for the storage or use of his data in any manner. What sets DISHA apart from other digital healthcare data legislation is that it has been drafted in such a way that the consent of the patient is required at each and every step. This ensures complete transparency and prevents any unauthorized use of data.

How has the Covid-19 Pandemic Impacted Health Data?

The Covid-19 pandemic has engulfed the entire world in a short span of time. Most countries today are trying to contain the coronavirus that has wreaked havoc on their medical systems. Against this backdrop, technology has come to play a very crucial role, as it has enabled the storage and use of data in a much more convenient manner. However, there are many who believe that governments across the world will have unlimited access to citizens’ health data in a post-Covid-19 world. Several privacy concerns have also been raised about the various apps that governments have launched to keep track of Covid-19 cases.

The debate around privacy and the unmonitored exchange of digital health data is not a new one. However, it has gained renewed importance in the context of the Covid-19 pandemic. For example, in the UK, the National Health Service (NHS) has been storing health data on a large scale through a ‘datastore’. Though the NHS has tried to quell citizens’ fears about the unauthorized use of their data, it remains very likely that those fears are well founded. What makes citizens so skeptical about the ‘datastore’ is that it has been created in collaboration with private health tech companies. This means that there is a very high chance that the datastore can be used by private tech companies in a post-Covid-19 world. Citizens’ concerns about the privacy of their health data have already been confirmed. According to several reports, Britain’s NHS has allowed a U.S. tech firm to access the personal health data of its citizens without their consent [5]. According to the contract between the NHS and Palantir, the health data that can be accessed by Palantir consists of a patient’s name, sex, age, and past medical history, including X-ray results, allergies, etc. Such contracts are known as data sharing contracts, and the NHS has entered into similar contracts with other tech companies as well. In response to the NHS’s callous handling of health data, several digital rights groups have criticized and questioned the NHS for exchanging data in such a manner. The NHS’s justification is that a tie-up with private tech firms has become essential to face the challenges presented by the Covid-19 pandemic. However, the NHS should still be held liable for this unmonitored exchange of data, as it has threatened the privacy of millions of its citizens.

Exchange of Health Data Across Europe

The European Union has an elaborate system in place for the sharing of health data across different member states. This system came into effect after the EU adopted a recommendation on a European Electronic Health Record Exchange Format [6]. The recommendation has been adopted with the objective of regulating or monitoring the exchange of health data across different EU member states. Through the adoption of this recommendation, it has become much easier for citizens of member states to share their health data with health care practitioners in case they are seeking medical treatment in other member states of the EU. It is important to note here that the General Data Protection Regulation (GDPR) provides citizens with the right to access their personal data, along with a comprehensive legal framework for the protection of such data [7]. This personal data also includes citizens’ health data. Additionally, the Directive on Patients’ Rights in Cross-border Healthcare provides rules that facilitate the sharing of health data in a much more convenient and safe manner.

Health Data in the U.S

In the U.S., there are three pieces of legislation that regulate health information or health data [8]. Owing to the fact that health information is highly sensitive, it is federally protected by law. It is important to note here that health information falls under one of those few categories of information that are given protection under federal law. The first is the Health Insurance Portability and Accountability Act (HIPAA). Under this legislation, an individual’s private health information is protected. HIPAA provides for the exchange of health data in a secure and legal manner. The second piece of legislation dealing with patients’ health information is the Health Information Technology for Economic and Clinical Health Act (HITECH). This act has expanded the scope of the data protection requirements provided under HIPAA. Apart from that, the HITECH Act also increased the legal liability in case of unauthorized use of health data. HITECH was introduced with the objective of increasing the adoption of electronic health records so that individual patient health care could be improved, as well as overall public health outcomes. The third piece of legislation, introduced to safeguard health data from employers and insurance companies, is the Genetic Information Nondiscrimination Act (GINA). This act ensures that employees are not compelled to disclose their genetic history to their employers. It also prevents employers from financially incentivizing employees so that they can access the employees’ genetic history. Under GINA, employees cannot be discriminated against by employers on the basis of their genetic history, i.e. they cannot be denied employment or health care benefits.

This article can be cited as:

Vaishnavi Chaudhry, Settling the Debate Around the Unmonitored Exchange of Health Data: A Case Study from Around the World, Metacept- InfoTech and IPR, accessible at .


[1] How Does Health Information Exchange Benefit Health Care, ehealth, Nov. 6, 2018.

[2] Ahona Sengupta, DISHA to Secure Patient’s Data Under New Health Protection Scheme, News18, March 27, 2018.

[3] Mohana Roy, Regulating E-Health Delivery System: The Dawn of Healthcare Delivery in India, Lexology, April 22, 2020.

[4] Dr. Milind Antani, DISHA: The First Step Towards Securing Patient Health Data in India, Mondaq, Aug. 3, 2018.

[5] Sam Shead, Britain Gave Palantir Access to Sensitive Medical Records of Covid-19 Patients, CNBC, June 8, 2020.

[6] European Electronic Health Record Exchange Format, EUbusiness, Feb. 6, 2019.

[7] Victoria Hordern, The Final GDPR Text and What It Will Mean for Health Data, HR Chronicle of Data Protection, Jan. 20, 2016.

[8] Patsy Bailin, Executive Summary: Evolution of Health Data Regulation, Medium, April 2, 2019.
