In the light of Sri Lanka’s continuous step forward in digitising the economy, the Insurance Regulatory Commission of Sri Lanka (IRCSL) confirms the ongoing nature of discussions with the Ministry of Health in the IRCSL’s vision to become South Asia’s first country to fully adopt international healthcare standards across the country and implement a unified electronic health record system that integrates both modern medicine and traditional ayurveda by 2030.

However, the unveiling of Artificial Intelligence (AI) integration within the system brings forth concerns of security and privacy in a world where bias and discrimination stemming from social stigma may be perpetuated within the country.

AI-integrated electronic patient database

Despite being celebrated for its ‘free and universal public healthcare’ system, observers have pointed out that health information infrastructure within the country remains fragmented, insufficiently digitised, and prone to inaccuracies, which results in below-acceptable levels of disease coding accuracy in hospitals. This, in turn, leads to gaps in diagnostic records and inefficiencies in insurance claims processing. 

In an article written by IRCSL Chairman Dr. Ajith Raveendra De Mel, it was noted that this had resulted in the “misallocation of scarce resources, higher costs for both citizens and the State, and missed opportunities to align with global digital health ecosystems”.

Dr. De Mel states that the sustainability of Sri Lanka’s healthcare system and the insurance sector that supports it depends on how effectively data infrastructure can be modernised and international standards such as the International Classification of Diseases 11th Revision (ICD-11) can be adopted.

As such, a digitally transformed health ecosystem built around such standards means faster, safer, and more accurate care, making citizens’ coded medical history and insurance entitlements accessible anywhere, anytime through a secure digital health ID. This further enables doctors to make informed decisions, minimise diagnostic errors, and ensure continuity of care across hospitals. 

This initiative would also allow the verification of diagnoses and help prove claims without delay or disputes, as well as allow real-time verification and minimise fraudulent and duplicate claims. Accurate data further enables better forecasting of health trends, smarter public spending, and early detection of disease outbreaks.

When contacted by The Sunday Morning, Dr. De Mel said that this transformation would not happen overnight but rather as a practical and phased approach working towards a secure, effective, and inclusive system by 2030. He confirmed that discussions with the Ministry of Health and relevant healthcare professionals with regard to this initiative were presently underway.

Accessible personal data: Dangers and risks of AI

However, with such data being made accessible, security and privacy concerns rise. 

A patient’s history is one that is given to their medical officers and other staff who focus on improving illness and disorders in great confidentiality. The use of an electronic database opens avenues to threats such as hacking and other cybercrimes, where the release of such sensitive medical data could essentially ruin an individual’s life, especially within the scope of disabled individuals and those afflicted by Sexually Transmitted Diseases (STDs). 

Speaking on the matter, Digital Trust Alliance President Lakmal Embuldeniya noted that the whole concept of a digital health system depended on the three pillars: confidentiality, integrity, and availability. Confidentiality would ensure that only authorised personnel can access patients’ data, integrity would prevent tampering with and compromising medical records, and availability would ensure that information is accessible at any time, even from rural or underprivileged areas.

Embuldeniya also emphasised that the success and effectiveness of such a system would both be dependent not just on technology, but equally among the people and the process as well. “People are the most vulnerable component of any system. Even though it is difficult, they need to be trained on how to use these systems as most of the issues of data breaching or malicious attacks happen due to some person clicking on the wrong thing,” he said.

“There is no perfect solution against systems getting hacked. We may build really good systems, but the other side of the world also gets equally good at breaching these and the only solution is to make people aware in order to minimise the risk,” Embuldeniya continued. “In my view, when the Government plans to put forward this kind of project, it has to follow the 3Cs: competency, capacity, and commitment. So holistically, the whole thing is about governance.”

While Dr. De Mel’s article brings up the use of AI-powered analytics to predict disease trends, identify emerging risks, and proactively design innovative insurance products, there is yet to be a specific service chosen for this integration. 

Bringing up the risk of international services being given access to sensitive medical information pertaining to Sri Lanka citizens, Dr. De Mel stated that a Memorandum of Understanding that followed national privacy laws to safeguard such information would be signed with the Foreign Ministry, therefore providing a framework of safety.

Speaking on the AI aspect, Asela Waidyalankara, an AI policy expert, remarked that the first challenge would be digitising the medical data to be machine-readable. Secondly, an AI model should be built from scratch to serve the specific purpose, as commercial tools cannot be used for this purpose.

“The model should incorporate concepts like AI policies and principles, guardrails to prevent data bias, transparency in reaching a decision, and explanation of the output, and adhere to the Personal Data Protection Act (PDPA) because it contains sensitive data like patient data,” he stated. 

To prevent data manipulation, data poisoning, data bias, incompleteness, or inaccuracy, Waidyalankara stated that technical controls and human oversight had to be used. “AI should be used ethically and responsibly with human oversight. Most risks are minimised with human oversight. To get the best results, human supervision must be involved every step of the way,” he noted. 

The Ministry of Labour and Labour Relations’ ‘National Policy on HIV and AIDS in the World of Work in Sri Lanka’ states: “At an individual level workers have experienced increasing healthcare costs, termination of employment, slashed incomes, social isolation, and unwarranted stigma and discrimination.”

While the policy does prohibit discrimination against employees or job applicants on the basis of their actual or perceived HIV status, it does not entirely eradicate it by itself. Similarly, disabled individuals are often overlooked within the educational system and hiring process as they are deemed a ‘hindrance.’ 

Combatting this, the Protection of the Rights of Persons with Disabilities Act No.28 of 1996, which prohibits discrimination in employment and education, guarantees equal rights and opportunity.

Govt. response

More controversy presents itself with regard to this initiative, with Ministry of Health Secretary Dr. Anil Jasinghe’s response in relation to it: “As far as I know, we didn’t start this kind of initiative with them.”

While discussions were confirmed to be ongoing by both IRCSL Chairman Dr. De Mel and Director General Damayanthi Fernando, the latter noted that there had been no positive development yet in relation to the discussions.

Attempts to contact Minister of Health and Mass Media Dr. Nalinda Jayatissa and Deputy Minister Dr. Hansaka Wijemuni to obtain further clarification on the ministry’s position on this matter proved futile.

AI-powered digital health: Unpacking the legalities

In relation to digitising healthcare records and incorporating AI, legality of data protection and patient confidentiality is a significant and vital part of the process.

Speaking to The Sunday Morning, Attorney-at-Law Thineth Korasagalla said that in Sri Lanka, the confidentiality of medical records was protected through constitutional principles, statutory law, and common law obligations. 

While the Constitution of Sri Lanka does not expressly recognise a standalone right to privacy, the Supreme Court has interpreted Fundamental Rights provisions under Article 12 and personal liberty protections under Article 14 as encompassing aspects of informational privacy.

“The Personal Data Protection Act No.9 of 2022 (PDPA) now provides a comprehensive statutory framework governing personal data. Health information is classified as sensitive personal data, subjected to heightened protection. Its processing requires explicit consent or lawful basis like medical necessity or public health purposes,” he said, adding that the act also granted patients enforceable rights, including the right to be informed, the right of access, the right to rectification, and in certain instances, the right to withdraw consent or object to processing.

On incorporating AI in healthcare, Korasagalla noted that Sri Lankan law did not prohibit the use of AI in healthcare and its legality depended on its implementation. “AI systems may lawfully function as decision-support tools, but they cannot replace the independent clinical judgement of a qualified medical practitioner. Under established medical negligence principles, the duty of care remains with the doctor,” he said, adding that if AI were to be used in diagnosis or treatment planning, the healthcare institution deploying it would qualify as a data controller under the PDPA.

Korasagalla added: “Sri Lanka’s legal framework is partially prepared, but not comprehensively equipped, for a fully digital healthcare system. The PDPA provides a modern foundation for regulating personal and sensitive health data, and traditional negligence principles remain adaptable to technology-assisted care.”

However, there is currently no AI-specific regulatory regime, no detailed statutory guidance on algorithmic accountability in medical settings, and limited jurisprudence on automated decision-making in healthcare.

In case of a misdiagnosis due to AI or system failure, he said that the existing principles of negligence, contract, and institutional responsibility would apply, as Sri Lanka did not have specific legislation governing AI liability yet.

Overall, he stressed that from a Sri Lankan legal perspective, the integration of digital health IDs and AI in healthcare had to adhere to the pillars of lawfulness, consent, transparency, accountability, and professional responsibility, adding that technological advances did not lessen the legal duties of confidentiality or medical care. 

Attorney-at-Law Chathura Galhena also cited the PDPA, stating that gathering of data was possible as long as it was within the legal framework set out in the PDPA and did not violate the law. 

“Anything that is not prohibited by law or deemed illegal by law is presumed to be legal. Since this is a Government-involved initiative, there will be consultations with the Attorney General and it will operate within the framework. As long as the PDPA is not violated, there is nothing wrong with digitising,” he said.