HIPAA has been a trend setter in USA as regards Privacy and Information Security in the Health Care Industry. HITECH act has only enhanced the importance of HIPAA. With President Obama being elected for an extended presidential term and his focus on Health Care, the HIPAA-HITECH regime of information security will continue to dominate the US scene. India is an important business partner for the US Health Care industry and leading BPOs with a stake in US health care has made large strides in implementing HIPAA awareness and Â implementation in their role as the Business Associates.
Indian Hospitals and other health care operators are howeverÂ is in the initial stages of adopting IT into its operations and very few of the hospitals have gone beyond the first stages of implementation of IT. At the current stage the managements are more interested in the functional aspects of IT and are not providing the right priority to Information Security. They are therefore notÂ very much in tune with the HIPAA-HITECH Â standards as at this point of time.
It is however necessary to remind the Indian Health Care industry that India has a law that is similar to HIPAA in the form of Information Technology Act 2000 as amended in 2008 (ITA 2008). Under the provisions of this act and the rules notified under Section 43A on April 11, 2011, information relating to â€œPhysical, Physiological and Mental Health conditionâ€ (Health Information) is considered as â€œSensitive Personal Informationâ€ and requires to be protected by a â€œReasonable Security Practiceâ€. Failure in meeting this obligation will place a civil liability for payment of compensation under Section 43A of the Act. It may also result in criminal liability under Section 72A in certain cases.
In view of this provision of ITA 2008, it is essential for Indian Health Care industry to implement an information assurance program that may be considered as â€œReasonable Security Practiceâ€.
Naavi who has developed a general information security framework IISF-309 for ITA 2008 compliance and LIPS1008 framework for legal information protection in India has now developed a separate framework tailored for the Indian Health Care industry. This adopts the best practices of HIPAA and ISO 27001 already reflected in IISF309 and LIPS 1008 but is customized for the requirements of the Health Care industry.Â It takes into account the present status of the industry where the information security adoption is at a preliminary stage as compared to industries such as the banking industry. Though this framework is presented for the Health Care industry, it is also suitable for other industries where the use of IT is yet to mature.
The framework is tentatively recognized as â€˜Information Assurance Framework for Indian Health Care industryâ€ (IAF4HC). It is recommended for consideration by the industry for adoption as the industry standard.
The inaugural version of the framework would be referred to as IAF4HC (v1/1112).
The detailed specifications will be developed by Ujvala Consultants Pvt Ltd and explained through these columns in a series of articles.