Consumer Protection Bill 2015…some thoughts..2

(This is a continuation of the series of articles on this subject)


(Easy to Read copy of the Bill)


Who Is a Consumer?

According to the proposed Consumer Protection Act 2015, “consumer” means any person who—

(i) buys any goods for a consideration which has been paid or promised or partly paid and partly promised, or under any system of deferred payment and includes any user of such goods other than the person who buys such goods for consideration paid or promised or partly paid or partly promised, or under any system of deferred payment

when such use is made with the approval of such person,

but does not include a person who obtains such goods for resale or for any commercial purpose; or

(ii) hires or avails of any services for a consideration which has been paid or promised or partly paid and partly promised, or under any system of deferred payment and includes any beneficiary of such services other than the person who hires or avails of the services for consideration paid or promised, or partly paid and partly promised, or under any system of deferred payment,

when such services are availed of with the approval of the first mentioned person

(but does not include a person who avails of such services for any commercial purpose).

Explanation.—For the purposes of this clause,—

(a) the expression “commercial purpose” does not include use by a consumer of goods bought and used by him exclusively for the purpose of earning his livelihood, by means of self-employment;

(b) the expression “buys any goods” and “hires or avails any services” include the transactions made through any mode, inclusive of but not limited to, offline, online through electronic means, teleshopping or direct selling or multi level marketing;

We may note that the definition of a “Consumer” is not restricted to the person who actually buys or pays for the goods or services; it extends to any user of the goods or beneficiary of the services.

The definition also clearly excludes a person who uses the goods or services without the approval of the “first mentioned person”, which should mean the “buyer” or “owner”.

Understandably, the definition excludes a buyer or user who obtains the goods or services for a “commercial purpose”, subject to the exception in the Explanation for goods bought and used exclusively to earn a livelihood by self-employment.

It is interesting to note that the Bill does not omit to define “Person”, although the term is already defined in the General Clauses Act. This avoids the kind of confusion that arose under ITA 2000/8 and was raised in the Adjudication cases in Karnataka.

Accordingly, it clarifies that the term “Person” includes

(i) a firm whether registered or not;

(ii) a Hindu Undivided Family;

(iii) a co-operative society;

(iv) an association of persons whether registered under the Societies Registration Act, 1860 or not;

(v) any individual, corporation, company, association, firm, partnership, society, joint stock company, or any other entity including any government entity or unincorporated association of persons;

Naavi


Consumer Protection Bill 2015..some thoughts..1

(This is part of a series of articles on this subject)


(Easy to Read copy of the Bill)


The Government of India has introduced the Consumer Protection Bill 2015 (CPB2015) in Parliament, and it is likely to be passed in the next Parliamentary session. The resulting Consumer Protection Act 2015 (CPA2015) will replace the current Consumer Protection Act 1986.

A copy of the Bill is available here

The salient features of the Bill are summarised here and analysed in detail later.

  1. The definition of a “Consumer” includes the consumer of a “Service” and includes online services. One who obtains goods for resale or for a commercial purpose is excluded. Consideration is essential for a consumer.
  2. A Central Consumer Protection Authority (CCPA) will be set up to promote, protect and enforce the rights of consumers.
  3. Product liability for defects in manufacture, service, marketing etc. will be recognized.
  4. Consumer Dispute Redressal Commissions at the District level will function along with the State and National level commissions for appeal. Final appeal will rest with the Supreme Court.
  5. Consumer Mediation Cells will be established and attached to the redressal commissions.
  6. Penalties will include imprisonment from one month to 3 years and a fine from Rs 10000/- to Rs 50000/-.

The detailed analysis can be found below and in continuing articles.

Applicability

CPA2015 will extend to the whole of India except the State of Jammu and Kashmir, and will apply to all goods and services.

“goods” means goods as defined in sub-section (7) of section 2 of the Sale of Goods Act, 1930, and includes “food” as defined in clause (j) of sub-section (1) of section 3 of the Food Safety and Standards Act, 2006;

“service” means service of any description which is made available to potential users and includes but not limited to, the provision of facilities in connection with banking, financing, insurance, transport, processing, supply of electrical or other energy, telecom, board or lodging or both, housing construction, entertainment, amusement or the purveying of news or other information, but does not include the rendering of any service free of charge or under a contract of personal service;

It may be noted that the exclusions include any service given free of charge or under a contract of personal service.

A contract of “personal service” is a contract in which the skills or talents of a party are material; employer and employee contracts fall into this category. Note that this is distinct from a contract for service, such as a professional (a doctor, for instance) engaged for a fee by a client, which the courts have held is not excluded and so remains within the definition of “service”.

The CPA2015 will be in addition to and not in derogation of the provisions of any other law for the time being in force.

(To Be continued)

Naavi


New Website on Healthcare Privacy in India activated

I am happy to announce that a new website www.hdpsa.in has been activated to present the news and views about the proposed “Healthcare Data Protection and Security Act”. (HDPSA).

This HDPSA is similar to HIPAA of the USA and is expected to bring enormous change to the working of healthcare professionals and organizations, including hospitals, pharmacies and medical practitioners, as well as all IT companies that have an exposure to Indian hospitals and healthcare operations.

We all know that HIPAA, and later the HITECH Act, stimulated the US economy and brought long-term benefits to the IT industry, though they were actually meant to benefit the health insurance sector. In India too it is expected that the IT industry in general will benefit from this law.

The law is presently being considered by the Ministry of Health and Family Welfare.

We are aware that earlier attempts to bring in an omnibus Privacy law in India have not been successful. This time the sectoral law on healthcare privacy should go through. However, we do not know the timeline on which the law may get implemented; it would be no surprise if it takes a year or so for it to be notified.

However, as somebody who has been actively involved in HIPAA compliance in India, the undersigned has always highlighted that ITA 2000/8 made the provisions of HIPAA almost a standard for the Indian healthcare industry. Many Indian companies therefore adopted the principles of the HIPAA privacy and security mandates even though they had no exposure to US health information.

It now becomes imperative for Indian healthcare companies to follow almost the same standards as are imposed on Covered Entities and Business Associates in the USA.

Though this is good news for privacy advocates, the financial and administrative burden on the companies will be significant, and having observed the attitude of Indian companies to “Compliance” over several decades, one can expect every attempt by the industry to postpone the inevitable.

We need to await the final law to really understand how the enforcement mechanism will shape up, since this alone will tell us how the law will progress in terms of adoption.

But having driven ITA 2000 compliance for the last 16 years, it is natural for the undersigned to take up HDPSA compliance as an important area of activity. Obviously it starts with awareness building, which the website www.hdpsa.in should do, and will be followed by consultancy for conducting gap analysis and implementing the mitigation needed to achieve a reasonable level of compliance.

I wish the Government keeps in touch with the experts in the field at the time of designing the law itself so that there will be less need for us to be critical of any provisions subsequently.

It is expected that a forum of interested experts will come together under the website and try to provide guidance to the Government, whether solicited or not.

I therefore invite participation of professionals in this activity first by contributing their views in the form of articles on the website.

Naavi


Will Aadhaar based POS reduce credit card frauds?

The RBI directions of September 29, 2016 on Aadhaar-based authentication for card-present transactions are yet another initiative taken by RBI to improve the security of card transactions and reduce the possibility of fraud.

The policy reiterates the requirement and sets a deadline of January 1, 2017 by which card-present transactions should be capable of being authenticated with the cardholder's biometric and Aadhaar identity.

This will require additional effort at the POS, including replacing the terminals with new versions equipped with biometric capture and the connectivity needed for Aadhaar verification.

The advantage is that the EMV chip-and-PIN authentication is now fortified with the biometric of the card owner, preventing even family members of the card owner from using the card on the owner's behalf. Note that this addresses only card-present fraud; card-not-present (online) fraud, where no terminal is involved, is untouched by the measure.

The downside of the new practice is that the biometric information of card users will be transmitted through the various POS systems and, together with the card data, could pose a security risk: a compromised terminal would now capture a biometric as well as the card details, and a biometric, unlike a PIN, cannot be changed once it has leaked. Mitigating this risk requires a serious effort on the part of the banks to educate their merchant customers and to ensure proper security measures at the POS, in particular that the biometric is encrypted at the capture device and is never stored on the terminal.

Naavi


UID will become the ID for Healthcare privacy control

The UID, or Aadhaar, started as an ID that could distinguish Indian citizens in border areas from illegal migrants and serve a national security purpose.

Subsequently it became a project to provide a control mechanism that reduces pilferage of Government subsidies meant to reach targeted citizens.

When the system began, the only privacy concern about Aadhaar was the collection of “biometrics” and its possible misuse. The arguments were both about the technical issues of false rejections and false acceptances and about the use of unreliable vendors who could steal the biometric data either at the time of enrolment or while it was in storage.

The Government brushed aside the objections and went ahead with linking Aadhaar to the banking information of an individual, extending the privacy concerns to financial information.

Presently we see that the KYC system in banking depends entirely on the Aadhaar number being provided as a “photocopy of the Aadhaar document”, which exposes all the parameters attached to the ID (except the biometric) in the form of a paper document. Similar paper documents are held by gas dealers, mobile companies, schools and many others who may have little understanding of the meaning of “Privacy”, let alone the legal concept of “Privacy Protection”.

To this risk of biometric and financial information being combined and spread all over in an insecure manner, we are now adding healthcare information, since the UID is set to be the “Universal ID” associated with patient information in the proposed HDPSA (HealthCare Privacy and Data Security Act).

Though the details of the proposed Act are not yet available, the document which the Government of India (Department of Health and Family Welfare) released for public comments in 2013 on the “Electronic Health Record Standards for India” contained detailed guidelines on what the Government intends to do.

This earlier circular gets a new life with the recent public announcement that a “Draft Health Care Privacy and Data Security Act” is now under the consideration of the Government. We should logically presume that many of the suggestions made in the earlier circular will be adopted in the new Act as and when it becomes a reality. After all, the circular was founded on a time-tested framework adopted in the US under HIPAA in 1996, which continues to date.

According to the circular, the standardization of healthcare information collection, storage, transmission and processing will adopt a system of unique IDs for every patient, every medical practitioner, every hospital and every pharmacy, along with the adoption of medical codes for diseases, procedures, health encounters etc.

In this process the circular speaks of a “UHID”, the Unique Health Identifier, to act as the patient identifier; the UID will be used for this in all EMR systems.

This would mean that Aadhaar details will be available in all hospital records of patients and will get integrated with the bank details and the associated biometric data.

In principle there is nothing wrong in adopting a nationally unique ID which links a person with health and financial data. However, it raises the issue of how information security is handled by all the entities who may have access to any one of these fundamental parameters: once the same number is the key to bank, subsidy and hospital records, anyone holding two of those datasets can join them, so the weakest holder of the number sets the level of risk for all the others.

The information security community, which deals with sensitive personal information in electronic form, as well as the physical security community in healthcare organizations, where sensitive personal information is available on paper, will now need to devise strategies to upgrade their security arrangements.

“Hospitals”, which for this purpose include neighborhood clinics and other healthcare entities such as pharmacies, need to start learning the principles of privacy.

I am not sure if the medical colleges teach information security and privacy as part of the curriculum for MBBS and pharmacy qualifications. If not, it is time that students of medicine are exposed to information technology and the related issues of privacy in the coming days.

Naavi


Indian Version of HIPAA is in the making

The proposed HDPSA (Health Data Privacy and Security Act), which is being worked on by the Health and Family Welfare department of the Union Government, is likely to draw a lot from HIPAA (the Health Insurance Portability and Accountability Act) of the USA. HIPAA was enacted in 1996 and was then modified and upgraded by the HITECH Act (Health Information Technology for Economic and Clinical Health Act). For somebody who has followed HIPAA and its implementation for more than a decade, it appears that India is tracing exactly the same path of development that we saw with HIPAA.

Firstly, HIPAA became law when the health insurance industry was trying to push more digitization into medical record keeping so that the processing of health insurance claims could be more efficient and less fraud-prone. The insurance industry therefore wanted a push for greater use of Electronic Health Records (EHR) by medical professionals. At the same time, privacy advocates were skeptical, expecting that increased use of EHR would raise the privacy risk for patients. Hence privacy protection and a standard for information security were built into HIPAA. The HITECH Act expanded the security measures and at the same time strengthened the privacy obligations of covered entities. It also introduced incentives and disincentives to accelerate the use of EHR, which was felt necessary even 12 years after HIPAA (the HITECH Act was enacted in February 2009).

We in India are retracing similar steps through the actions surrounding HDPSA.

One of the provisions of the proposed HDPSA is to bring in interoperability of electronic data captured and processed across different systems. This requires defined common standards for the identification of health entities, for the different parameters of health data, and for the structure and codes used in data transmission.

In 2013, the Department of Health and Family Welfare (D-HFW) published the “Electronic Health Record Standards for India” and placed a copy on its website for stakeholders to comment. The copy is available here.

The goals of suggesting the standards were indicated as follows:

  • Promote interoperability and where necessary be specific about certain content exchange and vocabulary standards to establish a path forward toward semantic interoperability

  • Support the evolution and timely maintenance of adopted standards

  • Promote technical innovation using adopted standards

  • Encourage participation and adoption by all vendors and stakeholders

  • Keep implementation costs as low as reasonably possible

  • Consider best practices, experiences, policies and frameworks

  • To the extent possible, adopt standards that are modular and not interdependent.

Within the standards, guidelines were also incorporated for hardware, networking and connectivity, as well as software standards to be complied with by the industry.

The standards also touched on Ethical, Legal and Social Issues (ELSI) guidelines for Electronic Health Records (EHR), defining the privacy and security requirements of EHR with recommendations that follow the HIPAA privacy and security requirements.

If HDPSA becomes law, it is a reasonable presumption that there will be a need to adopt some of the provisions of the Standards document. Similarly it needs to adopt some of the provisions of the Tele Medicine Act, which was drafted several years back and simply forgotten.

The HDPSA will also have to contend with co-existence with ITA 2008, which overlaps with it on privacy and information security issues but not on the data standards issues.

Overall there are interesting days ahead to watch how the legislation is likely to unfold. So far, the draft law which was discussed in the news report has not been made public and hence it is difficult to comment on the exact provisions that have been included there in. We wait for the Government to release the draft for public comment.

We may also remember that in 2006 a “Personal Data Privacy Bill” was drafted and even placed before Parliament along with the amendments envisaged for ITA 2000. Subsequently, in 2008, the ITA amendments went through but the Privacy Bill lapsed. Since then other versions of the Privacy Bill have been presented in Parliament but have failed to get consensus, since they directly touched the national security issues involved in the “interception of communication” and also the issues related to Aadhaar implementation.

The sector-specific approach now proposed in HDPSA, addressing only healthcare data privacy and security, is unlikely to receive much opposition except from the healthcare industry itself, which would be seriously affected in the process of implementing the Act.

While the larger hospital chains are likely to implement the provisions of HDPSA, there will be a large number of smaller nursing homes, neighborhood doctors, pharmacies and mobile app companies dealing in health information who will simply be unable to comply with the provisions of the Act and will remain non-compliant.

Even in the advanced US market, the HITECH Act had to set aside US$ 17.2 billion for providing various kinds of incentives to make the industry comply with HIPAA. This would be the equivalent of over Rs 1 lakh crore. Will the Government make such investments? Obviously not.

This means that we are in for a long haul as regards the real implementation of the provisions as and when they are enacted.

HIPAA actually gave compliance deadlines which extended from 1996 to beyond 2003, and yet some of the breach notification provisions had to be carried over into the Omnibus Rule of 2013.

If therefore the law makers are serious about the adoption of HDPSA, there has to be a strategy for how compliance will be pushed. We know that even after 16 years, ITA 2000 compliance is still at a nascent stage. If so, it is anybody’s guess what the timeline for HDPSA implementation should be.

If there is no proper compliance strategy, we will have an industry domain living under the umbrella of non-compliance with the constant fear that the regulator could crush them at any time.

This “living under fear” will be the biggest threat to the healthcare industry, and one it needs to avoid.

I therefore suggest that the industry organize itself properly so that when the next phase of roll-out of this draft legislation happens, the interest of the survival of the industry is not forgotten.

If the industry is complacent, there could be a “globalization” of the hospital and healthcare industry to such an extent that, just as the K-Marts eat away our neighborhood kirana stores, international hospital brands may eat away all our domestic medical practitioners. In the process, healthcare in India will become more expensive and more dependent on the health insurance industry.

Keeping all these things in mind, it is necessary to ensure that the proposed legislation builds adequate safeguards to protect the interests of the consumers.

Has the health ministry factored all these aspects?… God knows..

Comments please…

Naavi
