Navigating the Contours of Privacy Laws in the Healthcare Sector on the Use of Data Analytics

By Aashana Chandak


Big Data once out, is like a genie and it cannot be put back into a bottle. The healthcare sector has amassed massive amounts of data in the past years while simultaneously undergoing regulatory and regime changes on privacy protection laws worldwide. The article attempts to analyse the intersection between providing healthcare and maintaining the privacy of the concerned patient. Medicine promises much aid by using the correct analytical tools to find targeted treatments, but the price remains the need for big data pooling and posing a threat to privacy concerns. This is a challenge of linking sensitive data back to an individual and putting one’s personal information at risk. While data is seen as the golden ticket to enhancing healthcare affordability, access, improving outcomes, and quicker solutions, the industry is unable to take complete advantage of data resources. Ethical guidelines for research, stress the importance of respect for privacy but due to lack of awareness, patients are often unable to get that respect. The article will further attempt to show examples of cases where big data analytics, when left unregulated, can lead to gross invasion of privacy.

Data analytics and the healthcare sector:

As stated, Big Data once out is like a genie and it cannot be put back into a bottle. Vast amounts of data are being produced, yet harnessing this data and making it instrumental for treatments is where the success of big data analytics lies in healthcare. Despite there being no universally accepted definition of big data, it can be identified by the five V’s. Voluminous data once collected provides variety which is produced with fast velocity and is reliable in its veracity, therefore, providing significant intrinsic value when analysed. The collection of big data not only ensures ease of collection and access but steps towards simpler drug assessments and their potential side effects in real-time.

Data analytics holds the key to transform the healthcare sector, but privacy concerns stand tall. As data is only as good as the framework being used to translate such information into significant meaningful assessments, if not managed with the utmost care, it can prove to be counterproductive. Analysing data constructively helps to address healthcare from multiple perspectives such as being diagnostic, preventive, or predictive. Commonly understood outputs of such data sets, are usually used for safety and caution alerts, coaching, health service planning, and identifying variations of potential care even possibly epidemiology. This is done by using processes such as data mining, data linkage, machine learning, and algorithms, which are mechanisms utilised to assemble and analyse the collected data. The opportunities for big data analytics under healthcare include data-driven medical diagnostics, which can help identify heart disease at a relatively early stage, reducing strain on future complex treatments.[1] Solutions such as different medical diagnostics, patient care /monitoring, accessible community health care, are possible opportunities if health care data is processed appropriately. Medical professionals and researchers gather a large quantity of data to study treatments, recovery rates to develop potential treatments having the highest effectiveness and success in real-time medicine. Relying upon such analysis, an American healthcare program discussed how certain cancer patients interact with varying medication and treatment patterns. Potentially, they find trends that lead to optimal patient plans for treating cancer[2]. Precision Medicine[3] is understood as a treatment and prevention approach almost like curating a Facebook profile. The success of precision medicine relies on analysing patterns and treatments, that emerge from volumes of past medical records (genetic and non-genetic) via big data analytics, promising fewer mistakes and possibly delivering cost-effective results at the price of one’s privacy.[4] Precision medicine using data analytics is touted to help curate early medicine solutions by tracking and tackling critical care for life-threatening health issues such as diabetes. Diabetes, as a disease, has had a massive impact on a population over the past few decades, leaving its mark on economies as a whole. Studies being currently undertaken using analytical tools, such as machine learning, have helped predict insulin requirements in individuals at times of hypoglycemic episodes.[5] Algorithms have helped provide warnings when organ functioning in diabetic patients is worsening, to kick start preventive medication. Diabetes can now be diagnosed by analysing electrocardiogram heart rates and all of this has helped better monitor diabetic patients and predict their disease.[6] As more data gets collated and studied, the advancements in curating precision treatment are bettering, and finally impacting the communities as a whole with improved healthcare and life expectancies.

Privacy Law Concerns:

Privacy can plainly be understood as a person’s right to be left alone. The Universal Declaration of Human Rights, as adopted in 1948 by the United Nations, has enshrined the right to privacy as a fundamental right without any arbitrary intrusions on one’s life and reputation. Seemingly, over time privacy has become a limiting tool to control the extent of personal information in the public domain. The breach of one’s privacy now comes with legal, ethical and social implications. Health information is inclusive of health status and healthcare payment of an individual, and such information is subjected to heavy security. As science races forward, laws are stumbling to keep up. Medical data continues to be compromised, and unlike replacing a credit card number, medical information once out in the public domain cannot be altered or replaced. Information such as HIV-AIDS, ancestry, unexpected parenthood, are considered highly sensitive, and they may end up in the public pool to put the genie back in the bottle. The fundamental challenge remains the lack of understanding between the common people on the degree of damage, access to their health data can do, and to recognise that complete informational transparency can lead to exploitation. The only safeguard a person has is through legal protections against the wrongdoers, which are more often reactionary rather than preventive.

A famous departmental store chain in the United States of America, through the process of data mining, was able to identify a girl’s pregnancy and sent her coupons for baby items before she had the chance to tell her parents, not realising the girl was merely a teenager. After this incident, the American people became aware of the level of intrusion big data analytics has on one’s personal sensitive information[7]. The United States public health law has a list of issues where information is protected and identities are not revealed, having the requirement of a confidentiality certificate being issued concerning such data, the requirement of consent for the disclosure of personal health information remains the standard for US public health services.[8]

 In India, data privacy laws have been unable to catch up with evolving healthcare technologies. The introduction of the Digital Information Security in Healthcare Act (“DISHA”)[9] , as well as the Personal Data Protection Bill, 2019 (“PDP 2019”),[10] are currently in the pipeline. DISHA has been set up to regulate healthcare data and digital health services in India, to establish the vision under National eHealth Authority (“NeHA”), by enabling easier online exchange of health information.[11]  Both the laws follow a unique approach, with DISHA offering better protection to an individual’s data, ensuring valid consent at every stage of processing. This is seen in provisions under DISHA which ban the use or disclosure of commercial usage of health data in both anonymised as well as the identifiable form to employers, insurance companies, human resource consultants and pharma companies.[12] The current laws in India that govern sensitive healthcare data are limited to the ambit of the Information Technology Act, 2011 and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. With the COVID-19 health crisis, the healthcare data being exchanged under the Arogaya Setu app and the Integrated Disease Surveillance Programme transferring health data of nearly millions of individuals is all taking place in a regulatory vacuum. The mass data leakages on account of the Aarogya Setu App have left the healthcare industry in India vulnerable and in dire need of a well-regulated data privacy regime.

Possible solutions for enhancing privacy safeguards while analysing big data:

Since the question of whether privacy risks are necessary to avail precision tailored medicine remains unanswered. Better data privacy, measures of security, and protection are required using encryption, anonymisation, de-identification techniques, and data obfuscation, which can make information that is personal, difficult to interpret and impose transaction costs on those who want access to such obscure data sets, etc. These methods can act as potential safeguards for the data being collated and collected. Anonymisation is a commonly adopted practice that helps ensure that information out in the public domain, is difficult to trace back to the identity of the person. A pivotal drawback of such processes is re-identification through generally available records or news data which tend to provide a linkage, making it possible to connect the dots. Therefore, simple modifying of health information is not the most successful privacy safeguard. Existing studies show that nearly 45% of news records have matched with obscure data, which tends to lead to identifying the patient.[13] Precision medicine programs often resort to utilising such data obfuscation methods since recognising patients can often help in implementing the correct treatments. De-identification techniques of suppression or generalisation, by trying to remove specific dates from the birthdate and leaving only the birth year in the data sets, can be very helpful in cleaning the information. Using authentication techniques on whether the user accessing the data sets is who he claims to be, securing access modes for both private and corporate networks, protecting the identity of users from harm, encrypting network connections in transporting such sensitive data, and encrypting data can all ensure that data is protected from breaches. Data masking, data monitoring, and auditing, to ensure no intrusion has taken place, act as a preventive step to maintain privacy standards and access, controls limit data sharing to only essential parties, and ensures their usage is not done for commercial gains.[14] Synthetic databases are also seen as an alternative solution but regarded as costlier and cumbersome solutions. Specific and tested protocols for web browsing, email, or fax can be set out for the communication of such sensitive data, ensuring security from cyber breaches, while in use by health professionals. Most of the suggested methods are currently adopted in different parts of the world and are suggested to be taken up while analysing big data to maintain data confidentiality and to enable positive effects of big data analytics in the healthcare sector. Penalising the misuse of health data by heavier regulatory scrutiny, to find a balance, remains a largely advocated solution. In fact, in India, the proposed PDP Bill and DISHA suggest penalties ranging from five lakh rupees to a few crores or even about four percent of the global turnover of such entity in breach of data privacy.[15]


Data privacy risks are not equitable and must not be the price for big data analytics to successfully provide healthcare solutions. The concerned participants, professionals, and entities in the healthcare sector need to be strictly regulated, adhere to higher standards of transparency, and maintain an extraordinary threshold of responsibility. The use of data analytics is like a double-edged sword, where the ultimate requirement remains that the loss of an individual’s privacy must not be the absolute answer to big data analytics in predicting treatments and solutions.

[1] Wullianallur Raghupathi & Viju Raghupathi, Big data analytics in healthcare: Promise and potential, 2 Health Information Science and Systems (2014).

[2] Adamson D (2015) Big data in healthcare made simple (Health Catalyst, 2018) Adamson Doug, Big Data in Healthcare Made Simple Health Catalyst (2019), (last visited Nov 19, 2020).

[3] Michael Bainbridge, Big Data Challenges for Clinical and Precision Medicine, Big Data, Big Challenges: A Healthcare Perspective 17–31 (2018). (last visited Nov 19, 2020).

[4] Jennifer Kulynych, Privacy the price of precision medicine?, Journal of Law and Biosciences (2017) (last visited Nov 19, 2020).

[5] . J.M. Rumbold Big Data and diabetes: the applications of Big Data for diabetes care now and in the future (Wiley Online Library, 2019) <>

[6] Ibid.

[7] Kashmir Hill, How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did, Forbes, 2012.

[8]  Mehmet Kayaalp, Patient Privacy in the Era of Big Data, 35 Balkan Medical Journal 8–17 (2018).

[9] Placing the draft of “Digital Information Security in Healthcare, act (DISHA)” Ministry of Health and Family Notification No. F.No.Z-18015/23/2017-eGov  (March, 2018 <>

[10] Personal Data Protection Bill, Government of India (2019) <,2018.pdf> (last visited Nov18, 2020).

[11] Digital Health in India: Legal, Regulatory and Tax Overview, Nishith Desai Associates, (April 2020) < > (last visited Nov 20, 2020).

[12] The future of governance of health data in India: Ikigai Law, (2019), (last visited Nov 20, 2020).

[13] T J Kasperbauer, Protecting health privacy even when privacy is lost, 46 Journal of Medical Ethics 768–772 (2019).

[14] Karim Abouelmehdi & Abderrahim Beni‑Hessane, Big healthcare data: preserving security and privacy (2018), (last visited Nov 21, 2020).

[15] Personal Data Protection Bill, 2018 Chapter XI Penalties and Remedies (India) ; DISHA, 201 Chapter V, 8: Offences and Penalties (India).

About the Author

Aashna Chandak is a fifth year B.B.A.LL.B student at Jindal Global Law School. She is also an in-house researcher with The Digital Future – Privacy Team.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s