Privacy In The Context Of Mental Healthcare Act, 2017

I. Introduction

  1. The Mental Healthcare Act, 2017 (“Mental Healthcare Act”) effectuated in 2018 replaced the then extant – and archaic – 1987 law on the treatment of mental health and illness in India. Aimed to protect the rights of persons with mental illnesses, the Mental Healthcare Act goes a step further than the 1987 legislation with an establishment of a protective framework.
  2. The law expressly sets out the right of individuals with mental illnesses to access mental healthcare from the government, live with dignity, and be protected against segregation from society. Separately, it also sets out the presumption that a person attempting suicide – a criminal (and controversial) offense under the provisions of the Indian Penal Code, 1860 – shall be presumed to have severe stress, and shall not be punished, effectively rendering the criminal provision obsolete. In this regard, the Mental Healthcare Act has been considered a progressive step in combatting prejudices underlying mental illnesses in India.
  3. While this note specifically examines the privacy-related aspects of the law, it is useful to consider the scope of what constitutes a mental illness. A “mental illness” under the Mental Healthcare Act is defined as a “substantial disorder of thinking, mood, perception, orientation, or memory that grossly impairs judgment, behaviour, capacity to recognise reality, or the ability to meet the ordinary demands of life”, and includes conditions associated with drug and alcohol addiction. The relatively wide-wording of this definition is useful: its broad ambit allows different mental illnesses to be grouped under the umbrella definition, thereby allowing this law to extend to various types and facets of illnesses that may not have otherwise been recognised as a mental illness.

II. Rights of persons with “mental illness”

  1. The Mental Healthcare Act sets out the contours of ensuring the privacy of persons with mental illnesses. Individuals have a right to confidentiality with respect to their mental health, treatment, and both, physical and mental healthcare. Information pertaining to and photographs of a person with a mental illness cannot be released to the media without the person’s consent. This right of confidentiality applies to electronic information as well, including any information stored virtually.
  2. Health professionals have an express duty to ensure that information in relation to their patients with mental illnesses is kept confidential, with certain exceptions. While the Mental Healthcare Act does not define “health professionals”, “mental health professionals” include psychiatrists, individuals with post-graduate degrees in Ayurveda and homeopathy, and individuals who may be registered with the State Mental Health Authority set up under the law, such as social workers, nurses, etc.

III. Exceptions to duties under the Act

  1. Mental health professionals may release information to other professionals to enable them to provide care and treatment to the patient, upon an order by the Mental Health Review Board or Central Mental Health Authority, both of which are set up under the Mental Healthcare Act, the Supreme Court or a High Court, or a competent statutory authority, or in the interest of public safety and security.
  2. Health professionals may also release information if it is necessary to prevent the threat of life or protect other people from harm or violence, and only such information that is necessary to protect the identified harm – these wide contours, however, raises questions on the types of harm and determination of harm, without providing any clear answers.
  3. Finally, professionals also have the right to release information to “nominated representatives” who are, under the law, persons nominated by those with mental illnesses, and are duty-bound to act as caregivers of sorts to their nominators.

IV. Penalties under the Act

The first breach of confidentiality may attract a monetary penalty of up to INR 10,000 or imprisonment for six months. Subsequent breaches may attract imprisonment of up to two years or fines that may extend between INR 50,000 to INR 500,000. It is worth noting that these penalties far exceed the relatively up-in-air penalty of damages in the case of a breach of the Information Technology (Reasonable Security Practices and Procedures) Rules, 2011 that lays out India’s existing data protection framework.

V. Comments

While a step in the right direction, the Mental Healthcare Act still poses loopholes: the scope of those covered by confidentiality obligations is limited, especially considering that the types of individuals and entities that interact with mental healthcare data – and healthcare data in general – far exceed the limited categorisation of “healthcare professionals”, as considered under the law. The draft of the Digital Information Security in Healthcare Act (or “DISHA”), a proposed law to regulate electronic health data, provides a more nuanced approach to issues regarding confidentiality and privacy. The scope of DISHA is wide enough to cover mental health information, and separately, limits the possibilities of the use of such information, thereby having the potential to address some of the issues posed by the open-ended nature of the privacy provisions of the Mental Healthcare Act.

For any comments or queries, do reach out to us

Leave a Comment

Your email address will not be published. Required fields are marked *