Health Data Privacy and the Legal framework around it

Gajendra Maheshwari and Ayushi Modi

This article aims to examine the concerns around the protection of health data and the legal framework around the world for enhancing the protection of such sensitive information.

Health data is one of the most crucial categories of personal data. It covers data related to health status, personal choices about selecting a treatment, health insurance or policy numbers, treatment reports, causes of death, socio-economic parameters regarding health and wellness, healthcare history such as diseases suffered in past years, etc. Any information related to the physical or mental health of a person classifies as health data.

Health data also includes:

  • Information created by health and care professionals
    • Electronic health records
    • National healthcare databases holding items like prescriptions, laboratory tests, and details about chronic or fatal diseases like cancer
  • Information created by patients
    • monitoring illnesses using computer or mobile phone applications
    • wearable devices such as smartwatches used for fitness monitoring and for tracking changes relevant to medical conditions
    • how people prevent illness or detect it early, such as through screening tests and dietary monitoring
    • social media posts, which can be analysed anonymously in aggregate form, for example to discover how many people are discussing certain side effects of a new treatment

Such data amounts to important personal data and is very sensitive in nature. Thus, data processors should employ additional measures and practices to ensure that such sensitive personal data is protected.

Concerns for Health Care Organisations/Professionals in Protecting Health Data

Processors of health data should be aware of the associated concerns in order to adopt suitable measures for protecting the data:

Integrated healthcare systems: The interconnectivity of IT systems makes it easier for attackers to gain access to them, resulting in losses to the organisation as well as exposure of sensitive patient data. Security of internet-connected medical devices is frequently lacking, making them easy targets for attackers.

Lack of sufficient security systems for protecting healthcare systems: As digitalisation increases rapidly, data breaches and cyber-attacks have become much more common, and patient information is at greater risk than before. That is why the highest standard of security has to be incorporated into healthcare systems.

Lack of training in data protection standards and effective working practices: Individuals in the healthcare industry are not well trained in ensuring that standard data protection measures are maintained. Unauthorised personnel or others could find sensitive information if unlocked computers connected to a data server are left unattended.

Miscellaneous Errors, Privilege Misuse and Web Applications represent 81% of incidents within healthcare. Such data, once leaked or illegally used, may cause discrimination against individuals or grave harm to personal or property security; this includes information on race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts, individual location tracking, etc.

To protect data subjects against such data breaches, data protection laws around the world have defined health data in the following ways and introduced regulatory measures for protecting it:

Name of the Law: EU - General Data Protection Regulation (GDPR)
Definition: As per Article 4(15), ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Data concerning health is included in Article 9 of GDPR as a ‘Special Category of Personal Data’.
Regulatory Measures: Processing of special category personal data, including health data, is allowed only under the circumstances mentioned in Article 9(2).[1]

Name of the Law: Germany - Federal Data Protection Act (BDSG)
Definition: Under BDSG, ‘Special Categories of Data’ include data concerning health. As per Section 22 of BDSG, processing of ‘Special Categories of Personal Data’ shall be allowed (in derogation from Article 9(1)) for the ‘management of health or social care systems and services or pursuant to the data subject’s contract with a health professional and if these data are processed by health professionals or other persons subject to the obligation of professional secrecy or under their supervision’.[2]
Regulatory Measures: Appropriate and specific measures which are to be taken by the Controller to safeguard the interests of the data subject are set out in Section 22(2) of the Act. Measures such as encryption, pseudonymisation and measures to ensure the ability, confidentiality, integrity, availability and resilience of processing systems and services related to the processing of personal data are required to be employed.

Name of the Law: USA - The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Definition: HIPAA defines medical data as ‘Protected Health Information’ (PHI), which is individually identifiable health information that is maintained and transmitted by electronic media or any other medium. It includes data that relates to the past, present or future health of an individual; the provision of healthcare to an individual; or the payment for the provision of healthcare to an individual.[3]
Regulatory Measures: HIPAA determines the data privacy and security requirements for PHI, i.e. the health information that must be protected. All companies dealing with PHI, including hospitals, business partners and related subcontractors, must implement all security measures necessary to ensure they are HIPAA compliant.[4]

Name of the Law: India - Data Protection Bill (DPB)
Definition: Health data means the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of, health services, and data associating the data principal with the provision of specific health services. Health data under the DPB is also classified as ‘Sensitive personal data’.[5]
Regulatory Measures: The data controller is required to comply with the conditions mentioned under Section 11(3) for obtaining the consent of a data principal. It is also required to undertake a data protection impact assessment prior to the commencement of any processing involving sensitive personal data.


With the categorisation of health data as a ‘special category of data’, there is an increasing requirement to establish a legal basis for its collection and processing. Further, there is also a need to establish appropriate and specific safeguards for the protection of health data.

Thus, the healthcare industry should consider applying suitable measures to ensure the protection of health data and to remain compliant with the legal provisions in this respect.