Data Privacy and Security

Foundations & Framework - Code Keepers

Key Indian Legislation & Guidelines:
- Digital Personal Data Protection (DPDP) Act, 2023: Principal law for personal data protection, including sensitive health data. Emphasizes explicit consent, data fiduciary obligations, significant penalties.
- Information Technology (IT) Act, 2000 (Amended 2008): Legal framework for e-transactions, digital signatures, cybercrime. Key sections: 43A (compensation for corporate body's failure to protect data), 72A (punishment for unlawful disclosure).
- Telemedicine Practice Guidelines, 2020 (NMC): Mandates explicit patient consent, data privacy, security, and record maintenance for teleconsultations.
- Electronic Health Record (EHR) Standards for India, 2016 (MoHFW): Aims for standardization, interoperability, and security of health data.
- Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002: Upholds patient confidentiality as a core medical ethic.
Core Data Governance Principles:
- Lawfulness, Fairness, Transparency
- Purpose Limitation
- Data Minimization
- Accuracy
- Storage Limitation
- Integrity & Confidentiality (Security)
- Accountability (Data Fiduciary)

⭐ The Digital Personal Data Protection (DPDP) Act, 2023, a landmark legislation, introduces 'Consent Managers' and establishes the Data Protection Board of India for robust enforcement.

Threats & Safeguards - Digital Fortress

Key Digital Threats:
- Malware: Ransomware, viruses, spyware.
- Phishing/Vishing: Deceptive attempts for credentials. 📌 "Verify, then trust."
- Insider Threats: Malicious or negligent staff actions.
- Data Breaches: Unauthorized access/theft of Sensitive Patient Data (SPD).
- DoS/DDoS Attacks: Disrupting service availability.
- Physical Lapses: Device theft, improper record disposal.
- Weak Authentication: Poor passwords, no MFA.
Essential Safeguards (Layered Defense):
- Technical:
  - Access Control (RBAC, least privilege).
  - Encryption (End-to-end; AES-256 for data at rest).
  - Network Security (Firewalls, IDS/IPS).
  - Endpoint Security (Antivirus, patching).
  - Strong Authentication (MFA mandatory).
  - Audit Logs & Real-time Monitoring.
  - Regular Data Backup & Disaster Recovery.
- Administrative:
  - Clear Security Policies & Procedures.
  - Mandatory Staff Training (Phishing awareness).
  - Periodic Risk Assessment & Management.
  - Defined Incident Response Plan.
  - Vendor Due Diligence (DPAs).
- Physical:
  - Secure Facility Access Controls.
  - Workstation & Mobile Device Security.
  - Secure Data & Hardware Disposal.

Cybersecurity shield protecting digital health data

⭐ The Digital Personal Data Protection (DPDP) Act, 2023, mandates Data Fiduciaries to implement robust technical and organizational measures to prevent data breaches.

Patient Rights & Responsibilities - Trust Triangle

The Trust Triangle (Patient, Doctor/Provider, Technology/Platform) relies on robust data protection and clear roles.

Patient Rights (Key Principles):
- Informed Consent: Explicit approval for data collection, use, sharing.
- Access & Review: View and get copies of health records.
- Correction: Amend inaccurate health information.
- Confidentiality: Expectation of data privacy.
- Breach Notification: Promptly informed of data breaches.
- Grievance Redressal: Access to complaint mechanisms.
Patient Responsibilities:
- Accurate Information: Provide truthful health details.
- Secure Credentials: Protect logins, passwords, OTPs.
- Understand Consent: Clarify terms before agreeing.

⭐ The Telemedicine Practice Guidelines (2020) mandate explicit patient consent for teleconsultation & data handling, crucial for trust.

High‑Yield Points - ⚡ Biggest Takeaways

Informed consent is paramount for patient data collection, use, and sharing in digital health.

Data encryption (both at rest and in transit) is vital for secure telemedicine and protecting PHI.

Implement strict access controls, authentication, and audit trails for EHR security.

Adherence to India's Telemedicine Practice Guidelines (2020) regarding data privacy is mandatory.

Be aware of DISHA principles for health data protection, emphasizing patient rights.

Establish clear data breach notification protocols for patients and authorities.

Data Privacy and Security Indian Medical PG Practice Questions and MCQs

Practice Indian Medical PG questions for Data Privacy and Security. These multiple choice questions (MCQs) cover important concepts and help you prepare for your exams.

Data Privacy and Security Indian Medical PG Question 1: Res ipsa loquitur is?

A. Oral evidence
B. Fact speaks for itself (Correct Answer)
C. Medical maloccurrence
D. Common knowledge

Data Privacy and Security Explanation: ***Fact speaks for itself*** - **Res ipsa loquitur** is a legal doctrine meaning "the thing speaks for itself," implying that the very nature of an accident or injury suggests negligence. - This doctrine is applied when an injury typically would not occur without **negligence**, and the defendant had exclusive control over the instrumentality causing the injury. *Oral evidence* - **Oral evidence** refers to testimony given verbally in court by a witness. - While evidence is presented in court, "res ipsa loquitur" is a principle of inference, not a specific type of evidence. *Medical maloccurrence* - A **medical maloccurrence** is an undesirable or unexpected outcome in medical treatment that may or may not be due to negligence. - It describes an event, whereas "res ipsa loquitur" is a legal principle used to infer negligence. *Common knowledge* - **Common knowledge** refers to facts or information that are generally known by the public. - While the application of "res ipsa loquitur" might sometimes rely on common sense, it is a specific legal doctrine, not just a general acknowledgment of common facts.

Data Privacy and Security Indian Medical PG Question 2: Which of the following diseases is not covered under the Integrated Disease Surveillance Project (IDSP)?

A. Tuberculosis
B. Cholera
C. Herpes zoster (Correct Answer)
D. Meningococcal disease

Data Privacy and Security Explanation: ***Herpes zoster*** - **Herpes zoster** (shingles) is not included in the Integrated Disease Surveillance Project (IDSP) as it is neither an epidemic-prone disease nor a notifiable disease under the program. - IDSP focuses on diseases with significant public health impact, epidemic potential, or those requiring immediate public health response. - While herpes zoster can cause morbidity in immunocompromised individuals, it does not pose a widespread public health threat requiring national surveillance. *Tuberculosis* - **Tuberculosis (TB)** is explicitly covered under IDSP as a major notifiable disease due to its high burden in India and significant public health importance. - TB surveillance under IDSP helps monitor disease trends, detect outbreaks, and evaluate the effectiveness of the National Tuberculosis Elimination Programme. - Regular reporting and surveillance are essential for achieving TB elimination goals. *Cholera* - **Cholera** is a priority disease under IDSP as an epidemic-prone disease with potential for rapid outbreaks and high mortality if untreated. - It is part of the core surveillance list due to its ability to cause severe dehydration and waterborne epidemics. - Early detection through IDSP enables timely implementation of control measures including safe water supply and oral rehydration therapy. *Meningococcal disease* - **Meningococcal disease** (acute bacterial meningitis) is covered under IDSP due to its high case fatality rate, epidemic potential, and need for urgent public health response. - Surveillance is critical for early outbreak detection and implementation of preventive measures such as mass vaccination and chemoprophylaxis. - Close monitoring helps identify circulating serotypes and guide vaccination strategies.

Data Privacy and Security Indian Medical PG Question 3: Provision of the Mental Health Act 2017, based on WHO guidelines, includes all, except:

A. Social support
B. Screening family members (Correct Answer)
C. Human rights
D. Communication regarding care and treatment

Data Privacy and Security Explanation: ***Screening family members*** - The Mental Health Act 2017 focuses on the **rights, treatment, and support of individuals with mental illness**, not routine screening of their family members. - The Act does not contain provisions mandating **screening of asymptomatic family members**, though family history may be relevant for clinical assessment. - This is **not a provision** outlined in the Act based on WHO guidelines. *Human rights* - The Act is explicitly grounded in the **protection and promotion of human rights** for persons with mental illness (Chapter I). - Ensures care with **dignity, respect, and freedom from discrimination** as core principles. - Aligns with WHO's mental health action plan and human rights framework. *Communication regarding care and treatment* - **Section 4** emphasizes the right to information and **informed consent** for all treatment decisions. - Patients must receive clear communication about their **diagnosis, treatment options, and care plans**. - Includes provisions for **advance directives** and involvement in treatment decisions. *Social support* - **Chapter V** addresses rehabilitation and community-based services, emphasizing the role of **social support systems**. - Promotes **community integration** and access to social resources for recovery. - Recognizes family and community support as essential for long-term mental health management.

Data Privacy and Security Indian Medical PG Question 4: In civil negligence, onus of proof lies on -

A. Police not below the level of sub inspector
B. Judicial first degree magistrate
C. Patients (Correct Answer)
D. Doctor

Data Privacy and Security Explanation: ***Patients*** - In civil negligence cases, the **onus of proof** (burden of proof) generally lies with the **plaintiff**, who is the patient (or their legal representatives) alleging negligence. - The patient must demonstrate that the doctor owed a **duty of care**, breached that duty, and this breach directly caused their **injury** or harm. *Police not below the level of sub inspector* - The police are primarily involved in **criminal investigations** and maintaining law and order, not typically in initiating civil negligence claims or bearing the burden of proof in such cases. - Their role in medical matters would usually be restricted to investigating potential **criminal acts**, such as severe assault or malpractice leading to death, rather than civil negligence. *Judicial first degree magistrate* - A magistrate is a **judicial officer** who presides over minor legal proceedings and preliminary matters, primarily in criminal cases. - Magistrates are members of the judiciary and are responsible for **adjudicating** cases, not for initiating or proving negligence claims themselves. *Doctor* - While the doctor is the **defendant** in a medical negligence case, they do not bear the initial **onus of proof** to show they were not negligent. - The doctor may have to present evidence to **rebut** the patient's claims, but the primary burden remains on the patient to establish negligence.

Data Privacy and Security Indian Medical PG Question 5: In which context are leading questions allowed?

A. Cross-examination (Correct Answer)
B. Direct examination
C. Re-examination
D. Dying declaration

Data Privacy and Security Explanation: ***Cross-examination*** - Leading questions are permissible during **cross-examination** to challenge the witness's testimony and test credibility. - The purpose is to **elicit specific details**, confirm facts, or highlight inconsistencies in prior statements. *Direct examination* - Leading questions are **generally not allowed** during direct examination because it is the phase where a party questions its own witness. - The goal is for the witness to provide testimony in their **own words**, without suggestions from the attorney. *Re-examination* - Leading questions are **not allowed** during re-examination, which occurs after cross-examination to clarify points raised. - The scope of re-examination is **limited to the matters** brought up during cross-examination, and leading questions would be inappropriate. *Dying declaration* - A dying declaration is a statement made by a person who believes they are about to die, concerning the cause of their death. - The admissibility of a dying declaration as evidence is an **exception to the hearsay rule** and does not involve questioning by attorneys in a formal court setting at the time the declaration is made.

Data Privacy and Security Indian Medical PG Question 6: What is the typical duration for implementing a comprehensive Electronic Health Record (EHR) system in a tertiary care hospital?

A. 12-18 months (Correct Answer)
B. 3-6 months
C. 2-4 weeks
D. 1-2 weeks

Data Privacy and Security Explanation: ***12-18 months*** - Implementing a comprehensive **EHR system** in a large, complex organization like a tertiary care hospital involves numerous phases, including planning, vendor selection, customization, data migration, testing, training, and phased rollout. - This extensive process typically requires a significant time commitment to ensure proper integration and adoption across multiple departments and specialties. *3-6 months* - This timeframe is typically too short for a comprehensive **EHR implementation** in a tertiary care hospital, which has complex workflows and a large number of users and departments. - Such a short duration might be feasible for smaller clinics or basic EMR systems with limited functionalities. *2-4 weeks* - This duration is highly unrealistic for even a partial **EHR implementation**. - It would be insufficient for even the initial planning and assessment phases in a large hospital setting. *1-2 weeks* - This timeframe is severely inadequate for any meaningful **EHR implementation** in a healthcare setting, especially a tertiary care hospital. - It does not allow for necessary vendor engagement, system configuration, or staff training.

Data Privacy and Security Indian Medical PG Question 7: What is the web-based program for monitoring Tuberculosis (TB)?

A. Nikshay (Correct Answer)
B. Nischay
C. Nikusth
D. e-DOTS

Data Privacy and Security Explanation: **Explanation:** **Nikshay** is the correct answer. It is the unified web-based ICT (Information and Communication Technology) platform for TB surveillance in India, developed by the Ministry of Health and Family Welfare (MoHFW) in collaboration with NIC. It serves as the backbone of the **National Tuberculosis Elimination Program (NTEP)**, allowing for the notification of TB cases from both public and private sectors, tracking patient adherence, and facilitating the Direct Benefit Transfer (DBT) of incentives like the *Nikshay Poshan Yojana*. **Analysis of Incorrect Options:** * **Nischay:** This is a home-based pregnancy test kit provided under the National Health Mission (NHM) to ASHAs for early detection of pregnancy in the community. * **Nikusth:** This is the web-based reporting and monitoring system specifically designed for the **National Leprosy Eradication Programme (NLEP)**. * **e-DOTS:** While DOTS (Directly Observed Treatment, Short-course) is the strategy for TB treatment, "e-DOTS" is a generic term for electronic monitoring (like 99DOTS or MERM) rather than the name of the primary national web-based monitoring portal. **Clinical Pearls for NEET-PG:** * **Nikshay Poshan Yojana:** Provides ₹500/month to all TB patients for nutritional support throughout their treatment. * **Notification:** TB is a **notifiable disease** in India (since 2012); failure to notify by clinical establishments is a punishable offense under Section 269/270 of the IPC. * **Goal:** India aims to eliminate TB by **2025**, five years ahead of the global Sustainable Development Goal (SDG) of 2030.

Data Privacy and Security Indian Medical PG Question 8: Which IT-based platform is used for monitoring Tuberculosis (TB) cases in India?

A. e DOTS
B. Nischay
C. Nikshay (Correct Answer)
D. Ujjwala

Data Privacy and Security Explanation: **Explanation:** **Nikshay** is the correct answer. It is the unified web-based IT platform developed by the National Health Mission (NHM) and Central TB Division (CTD) for the **National Tuberculosis Elimination Program (NTEP)**. The name is derived from "Ni" (End) and "Kshay" (Tuberculosis). It serves as a centralized database for monitoring TB notification, treatment adherence, and clinical outcomes across both public and private sectors in India. **Analysis of Options:** * **e-DOTS:** This is a generic term for electronic Directly Observed Treatment, Short-course (using tools like 99DOTS or MERM). While it is a *component* used within the program, it is not the name of the primary national monitoring platform. * **Nischay:** This is a common distractor. **Nischay** refers to the pregnancy detection kits provided under the National Family Planning program. * **Ujjwala:** This refers to the **Pradhan Mantri Ujjwala Yojana**, which provides LPG connections to BPL households to reduce indoor air pollution, or the **Ujjawala Scheme** for the prevention of trafficking. **High-Yield Clinical Pearls for NEET-PG:** * **Nikshay Poshan Yojana:** A Centrally Sponsored Scheme under NTEP that provides financial incentive of **₹500/month** for nutritional support to all notified TB patients for the duration of their treatment. * **Public-Private Coordination:** It is mandatory for private practitioners to notify TB cases on Nikshay under the Clinical Establishments Act. * **Nikshay 2.0:** The updated portal now includes modules for Latent TB Infection (LTBI) management and integrated TB-HIV tracking. * **Target:** India aims to achieve the "End TB" targets by **2025**, five years ahead of the global Sustainable Development Goals (SDG) target of 2030.

Data Privacy and Security Indian Medical PG Question 9: Mobile medical care constitutes all except?

A. Primary health care
B. Secondary health care
C. Tertiary health care (Correct Answer)
D. Near home based

Data Privacy and Security Explanation: **Explanation:** The concept of **Mobile Medical Care** (or Mobile Health Units) is designed to bridge the gap in healthcare accessibility by bringing essential services directly to the community. **Why Tertiary Health Care is the correct answer:** Tertiary health care involves specialized consultative care, usually on referral from primary or secondary medical care personnel. It requires advanced diagnostic technology, specialized intensive care units, and complex surgical interventions (e.g., neurosurgery, oncology, or cardiology). These facilities are resource-intensive and stationary; they cannot be effectively replicated in a mobile or "on-wheels" format. Therefore, tertiary care is **not** a component of mobile medical care. **Analysis of Incorrect Options:** * **Primary Health Care:** This is the core function of mobile units. They provide immunization, maternal and child health services, and treatment for common ailments in underserved areas. * **Secondary Health Care:** Mobile units often act as a bridge to secondary care by providing basic diagnostic facilities (like X-rays or lab tests) and specialist outreach (e.g., mobile ophthalmic or dental vans) that would otherwise require a visit to a District Hospital. * **Near home based:** The primary philosophy of mobile medical care is "reaching the unreached." By providing services at the doorstep or in the immediate vicinity of the community, it reduces geographical barriers to health. **High-Yield Clinical Pearls for NEET-PG:** * **Mobile Medical Units (MMUs):** Under the National Health Mission (NHM), MMUs are intended to provide a package of services including OPD, RCH services, and minor procedures in "difficult to reach" areas. * **Telemedicine:** Often complements mobile care by allowing a mobile paramedic to consult a remote specialist (Tele-consultation). * **Levels of Care:** Remember that as the level of care increases (Primary → Tertiary), the **complexity** increases while the **accessibility** typically decreases. Mobile care focuses on maximizing accessibility.

Data Privacy and Security Indian Medical PG Question 10: A girl with schizophrenia presents to a Primary Health Centre (PHC) in India. Which of the following online applications, provided by the Government of India (GOI), is used for mental health service support?

A. Tele MANAS (Correct Answer)
B. eSanjeevani
C. NIKSHAY
D. U-WIN

Data Privacy and Security Explanation: ***Tele MANAS*** - **Tele MANAS** (Tele Mental Health Assistance and Networking Across States) is the Government of India's national initiative providing **24/7 tele-counseling and mental health support** across the country, making it the correct service for a schizophrenia patient. - It functions as a **tele-mental health facility** under the National Mental Health Programme, offering critical assistance and linkage to specialized services. *eSanjeevani* - **eSanjeevani** is the GOI's national telemedicine platform providing **general healthcare consultations** through doctor-to-doctor (eSanjeevani HWC) and patient-to-doctor (eSanjeevani OPD) services. - While it offers broad healthcare services, it is **not the dedicated mental health support system** - that specific function is served by **Tele MANAS**. *NIKSHAY* - **NIKSHAY** is the standardized web-enabled application used for monitoring and tracking all patients diagnosed with **Tuberculosis (TB)** in India. - It handles notification, diagnosis, treatment adherence, and outcomes for **TB control**, having no operational role in providing mental health counseling. *U-WIN* - **U-WIN** is the digital platform developed by the GOI for managing and digitizing data related to the **Universal Immunization Programme (UIP)**. - It focuses specifically on **immunization records**, tracking vaccination status, scheduling, and overall coverage, making it unrelated to mental health services.

More Data Privacy and Security Indian Medical PG questions available in the OnCourse app. Practice MCQs, flashcards, and get detailed explanations.

Data Privacy and Security

On this page

Foundations & Framework - Code Keepers

Threats & Safeguards - Digital Fortress

Patient Rights & Responsibilities - Trust Triangle

High‑Yield Points - ⚡ Biggest Takeaways

Practice Questions: Data Privacy and Security

Flashcards: Data Privacy and Security

Enjoying this lesson?