During the COVID-19 pandemic, many states have adopted the practice of telemedicine to continue treating individuals in isolation. Telemedicine allows health care professionals to offer their services and treat patients at a distance through virtual consultations. Thanks to the advancement of technology and artificial intelligence, a doctor sitting in their home or clinic can evaluate and diagnose patients also in their homes through virtual meetings—either phone calls or video chat. As the WHO defines it, telemedicine helps one to heal from a distance. In an age where social distancing is necessary to save lives and prevent exposure to the novel coronavirus, this practice has sharply risen around the world.
THREATS TO PRIVACY
Although the practice of telehealth is a noble contribution to the field of science and brings many benefits, some experts criticise it for jeopardising individual privacy. The right to privacy is codified in the international human rights legal framework—both in article 12 of the non-binding Universal Declaration of Human Rights (UDHR) and article 17 of the International Covenant on Civil and Political Rights (ICCPR), among other international instruments. Many states have ratified the right to privacy in their domestic laws as well. Practising telemedicine without adequate cybersecurity risks the leaking of sensitive data to unauthorised third parties.
Practitioners of virtual medicine must record sensitive data of their patients in order to conduct tests and properly diagnose and treat those seeking care. As widely recognised, the typical smartphone or computer is not equipped with proper software to ensure patient privacy. Some software programs used for consultations, including Zoom, are not end-to-end encrypted and lack essential security, opening up these programs to malicious online actors.
For example, some Zoom platform users have complained of private recording of meetings, including those of a sensitive nature, being easily available online. In addition, unauthorised third parties have hijacked Zoom meetings—commonly referred to as “Zoom bombing”—further exposing private users of Zoom and in particular the private data of persons engaging in telehealth over the platform. Users have also accused Facebook of recording phone calls without their consent in order to glean ad-oriented data. When these cyber applications jeopardise private communication, it raises a serious threat to the safe practice of telemedicine.
The Supreme Court of India, in a landmark judgment, held that data and information privacy are facets of the fundamental right to privacy. The constitutional bench recognised that, in the private sector many institutions, including hospitals, collect a “vast amount of private or personal information about individuals”.
The court affirmed that:
There is tremendous scope for both commercial exploitation of this information without the consent/ knowledge of the individual consent and also for embarrassing an individual whose personal particulars can be made public by any of these private entities.
Telemedicine opens up the same risks. When a patient gives consent to their healthcare providers to record sensitive data during a virtual appointment, they do not consent to commercial exploitation of their data and must be protected of such intrusions.
STATES DUTY TO PROTECT PRIVACY
In many states, even though privacy as a human right is codified in international treaties, to be given effect, it has to be ratified by domestic legislatures. Every state that allows the practice of telemedicine should develop proper guidelines and have a comprehensive framework that both informs patients of how their sensitive data will be used and protected as well as actively protects the privacy of the patients. The US passed a relevant law in the Health Insurance Portability and Accountability Act (HIPPA), which provides data privacy and security provisions for safeguarding medical information. In India, the Telemedicine Practice Guidelines are intended to aid Registered Medical Practitioners (RMP) in effectively practising telemedicine. Legislation like this helps to lay the groundwork for other states to codify privacy protections for the medical data shared via telemedicine both during this time of a global pandemic and beyond.
The European Court of Human Rights, in the case of Biriuk v. Lithuania, correctly held that it is crucial for the domestic laws of a state to provide a safety net for patient confidentiality and to discourage any disclosures of personal data. The Court said that “respecting the confidentiality of health data is crucial not only for the protection of a patient’s privacy but also for the maintenance of that person’s confidence in the medical profession”. State governments must be responsive in protecting human rights, including the right to privacy, as science and technology continues to evolve. A comprehensive telehealth system will only succeed in the long-term if the issues of privacy are adequately addressed, safeguarding patient rights across the board.
Sahajveer is a third-year B.A.LL.B. student at Rajiv Gandhi National University of Law, Patiala. His areas of interest are Human Rights, Criminal Law, and International Trade Law. As an active member of his college Legal Aid society, he is trying to build a safer place for every human being.