Negotiating privacy, confidentiality and security issues pertaining to electronic medical records in Sri Lanka: A comparative legal analysis

Sri Lanka is set to adapt electronic medical records (EMR) at an ever increasing rate in the coming decade. However, handling of EMRs pose considerable legal challenge in relation to its privacy and confidentiality, quality of records and tort based liability. While the Sri Lankan legislation recognise electronic records as legally valid in most instances, it does not provide sufficient legal backing when it comes to sensitive personal health data. Methodology This paper adapts a comparative method of legal research. The author believes this to be an appropriate methodology for answering the research questions as it is primarily used for the purpose of “promotion of mutual understanding by acquiring knowledge of foreign legal systems”. Findings The paper recognizes that the existing Sri Lankan legislation does not provide for sensitive personal data such as EMR. However, the Sri Lankan legislation has already established the legal validity of electronic records. The paper discusses various legislations from the US including the Health Insurance Portability and Accountability Act (HIPAA) of 1996, The Patient Safety and Quality Improvement Act (PSQIA) of 2005 and Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 as reference legislation. It also discusses the Data Protection Act of 1998 in the UK and the EU Directives as reference legislation for establishing a legal framework for Sri Lanka that would address the needs of EMRs. Recommendations Following the legal analysis, the paper proposes a way forward in adapting suitable legislations from the ones discussed. Some of these adaptations include defining the criteria in which a valid legal record can be established, the creation of the role data controller, laying down a clear framework in which personal health data can be shared, defining the criteria that should be met when using EMR for research, measures to encourage the adaption of EMRs and the standards set forth and the necessity to amend the Computer Crimes Act to include specific provisions to deal with crimes involving EMRs. Conclusion The paper concludes by stating the need to obtain wider consensus from all relevant stakeholders before such legislation is implemented and that the same should not hinder the IT industry which can promote the efficiency of the country’s health care system.