Bridging the gap between policy and people.
The issue of healthcare data in India, whether collection or protection, predates the concerns raised by privacy advocates when the Government of India introduced the Aarogya Setu app. Criticized for being a threat to the privacy of users, the app was briefly mandatory, inviting disapproval from 45 organizations and more than 100 prominent individuals. While the mandatory status was rolled back, it was still being enforced arbitrarily. Furthermore, recent reports have shown that the app, in spite of its intrusive permissions, failed to curtail the spread of the virus, thus failing the proportionality principle (in addition to legality) laid down by the Puttaswamy Privacy Framework.
The National Digital Health Mission (NDHM), the Health Data Management Policy (HDMP), and the United Health Interface (UHI) have also received criticism and suggestions, in part from relevant sections of society. These issues don’t stem from specific acts or policies but rather from the lack of a comprehensive data protection bill that can cater to our modern needs.
On 27th September, 2021, Prime Minister Narendra Modi launched the Pradhan Mantri Digital Health Mission (PM-DHM). This rollout of PM-DHM coincides with the National Health Authority (NHA) celebrating the third anniversary of Ayushman Bharat Pradhan Mantri Jan Arogya Yojana (AB PM-JAY). On this occasion, we shall examine how and where the scheme can make an impact, and where it needs to focus.
Source – How India’s National Digital Health Mission Is Set To Revolutionize Healthcare
Personal Health Data can include an individual’s data consisting of detailed information about their health condition and treatments. It can further include any data with personally identifiable information of stakeholders like information about their healthcare professionals. On the other hand, Non-Personal Health Data is aggregated health data (e.g., number of covid cases) and anonymized health data where all personally identifiable information has been scrubbed. It can also include information about health facilities, drugs, etc., that do not involve personally identifiable information.
The current legal framework governing the protection of e-health data and Sensitive Personal Data or Information (SPDI) is covered under the combined readings of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These offer only a limited degree of protection to the collection, disclosure, and transfer of sensitive personal data, including medical records and history. The current policies, which were once considered modern, haven’t been updated with the advancements in the field. Legislation has not kept pace with developments in the field of e-health, especially when healthcare has transcended hospitals and clinics and manifests in different ways such as telehealth apps. Such services existed even before Covid-19, but the lockdown resulted in a surge in their popularity, as doctors could be consulted while at home.
Section 3 (21) of the PDP 2019 defines ‘health data’ as ‘data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services.’
On ‘sensitive personal data’, Section 3 (36) of PDP 2019 refers to such personal data which may reveal, be related to, or constitute – (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorised as sensitive personal data under Section 15.
Announced by Prime Minister Narendra Modi on the 74th Independence Day, the NDHM is a complete digital health ecosystem. To improve the quality of medical care and its access for vulnerable sections, and to achieve Universal Healthcare Coverage, NDHM introduces measures such as a Health ID. This health account will include details on every test, disease, doctor’s visit, prescribed medicines, and diagnosis. Even if the patient shifts or changes doctors, this information will be easily accessible because it is portable. NDHM is a voluntary healthcare program, unifying doctors, hospitals, pharmacies, and insurance companies to create a digital health infrastructure. The unique Health ID card is created with Aadhaar details and the mobile number of the user. Under the ambit of NDHM, one can also find coverage of services such as telemedicine and ePharmacy.
Source – ABDM (ndhm.gov.in)
Despite positives such as a focus on consent, privacy, and user autonomy, concerns were raised about the data management policy of this scheme. The Internet Freedom Foundation and the Centre for Health Equity, Law and Policy’s working paper titled ‘Analysing the NDHM Health Data Management Policy’ highlights the background of digital health data frameworks in India. It also details the need for NDHM, the foundations required by such undertakings, the governance framework, and the areas where it is lacking. Its relevance lies in the fact that it reflects the current framework to the policymakers and provides certain insights into how the policy can be improved. Some of the learnings are listed below.
As mentioned above, a health data management policy must be built on the bedrock of certain prerequisites. These prerequisites mentioned in the IFF-CHELP paper include having a robust legal foundation that can protect against identity fraud, data theft, reidentification, state surveillance, and commercial profiling. Data that can’t be kept secure shouldn’t be stored. In January 2021, a technology portal reported the leaking of COVID-19 test results and the personal information of thousands of patients from multiple Indian government departmental websites. Without a statutory foundation or an independent regulatory authority, implementing a digital health records system that shares data with diverse entities across digital technology services runs the risk of violating rights to informed consent and confidentiality. Data breach threats loom over any data management entity. Health data is always sensitive, and healthcare sector executives already recognize the cybersecurity risks posed by the NDHM; in the absence of a personal data protection bill, the inclusion of Aadhaar makes a patient’s data more vulnerable.
Another prerequisite is a robust state capacity to manage and store healthcare data. An internal audit of capacities and capabilities for managing data and assessment on-ground for data collection is required before undertaking data documentation. India currently suffers from several deficiencies in relation to the quality of data being recorded. It is further hindered by poor internet connectivity, power outages, and a lack of technical support. Thus, the outcomes from these policies will be negatively affected. A digital health records system can revolutionize healthcare in India, especially for those living in rural areas. It can help them transfer their medical records across doctors and locations and potentially avail services of better doctors elsewhere. However, implementing the system hastily, at a national level, is a complex process and must be approached strategically.
The United States Federal Trade Commission’s Fair Information Practice Principles, or FIPPs, are widely accepted guidelines and concepts concerning fair information practice in an electronic marketplace. In the context of healthcare and data, some of these principles include:
(i) a notice about what data will be collected, why and how it will be used, and with whom it will be shared;
(ii) using data for appropriate purposes;
(iii) emphasis on individual choice, including an opt-in and opt-out system to avoid “yes-to-all” kinds of consent;
(iv) access and correction of stored data, and;
(v) security to protect stored data.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an American federal law responsible for national standards intended to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. Best known for its privacy practices, it lists a number of measures for Covered Entities (entities engaged in facilitating treatment between the patient and the doctor, be it from a healthcare perspective, data storage/transmission, or billing/financial perspective). It appropriates FIPPs and lays down focused, stringent measures, such as requiring 20 elements to be listed in Notices, requiring an acknowledgment receipt that records consent, and stating the choices available to patients in terms of with whom the data can be shared. It is not absolute, and certain limitations to privacy exist in cases of social order and public safety, but these are highly regulated by the courts and require specific court mandates.
Source – What is HIPAA and why should I care?
In Europe, the General Data Protection Regulation, or GDPR, gives EU citizens enhanced control over their personal data. It streamlines the regulatory environment for business so both citizens and industries in the European Union can fully benefit from the digital economy. From a health data perspective, it provides for Breach Notifications in events of data breaches and hacks. In essence, if the name, address, date of birth, health records, bank details, or any personal data about customers is breached, the breached organization is obliged to inform the compromised as well as the relevant regulatory body so action can be taken to mitigate the damage. Breach notifications are often public, putting the reputation of the company on the line. Such laws put down stringent measures to place privacy first.
DISHA, while still tabled, provides a new turn for how healthcare data can be secured. The Draft Bill defines Digital Health Data (DHD) as ‘an electronic record of health-related information about an individual’. Its provisions deal with physical and mental health information of an individual, health services provided and collected while providing said services to an individual, donation, testing, and information obtained from the act, and details about the clinical establishment accessed by the individual.
Provisions to regulate the generation, collection, access, storage, transmission, and usage of DHD and associated Personally Identifiable Information (PII) are provided. The latter is information that can uniquely identify, contact, or locate an individual specifically, using sources like name, address, date of birth, financial information, etc. The Draft Bill states that health data such as physical, physiological, mental health conditions, sexual orientation, medical records, medical history, and biometric data qualify as information that can only be the property of the person it belongs to.
DISHA hails from the Ministry of Health and Welfare’s attempt, in 2015, to establish the National Electronic Health Authority (NeHA) to regulate the usage of electronic mediums in healthcare and to maintain e-Health records and digital health information across India. Prior legislation such as the Clinical Establishments (Registration and Regulation) Act 2010 mandated the maintenance and provision of EMR (Electronic Medical Records). Similarly, EHR (Electronic Health Records) were covered under a uniform standard-based system for creation and maintenance by healthcare providers, with rules courtesy of MoHFW. At a point when data was increasingly stored in the electronic format, there was a need to protect said data as well. It is the bridge that DISHA seeks to build.
DISHA needs to be complemented by an overarching personal data protection bill, protecting SPDI (such as financial information, biometric information, physical, physiological, and mental health conditions). In April of 2020, the Kerala High Court, in the interim order in the case of Balu Gopalakrishnan v State of Kerala (Kerala High Court, WP (C) Temp No. 84 (2020), 24 April 2020), warned against a ‘Data Epidemic’. From such cases, it is evident that anecdotal cases can pave the way for better data protection measures, but there is a need for a comprehensive law.
DISHA’s emphasis on anonymization and de-identification rules, actions on obtained data being subject to explicit consent, and the right to correct inaccurate digital health data are steps in the right direction but are subject to proper enforcement on the ground level. A point that needs special attention is the absolute prohibition of access to digital health data (whether anonymized or otherwise) to insurance companies, employers, human resource consultants and pharmaceutical companies, or any other entity as may be specified by the Central Government. It directly addresses one of the flaws that the NDHM-HDMP suffers from.
One possible flaw that emerges out of DISHA is that it permits NeHA to use the information for certain limited purposes such as public health research, as long as the confidentiality of the data owner is not compromised. In theory, this seems suitable, but precautions need to be taken as national databases of sensitive information have been breached in the past. Additionally, internal security measures should be taken to ensure that data is only under the purview of relevant figureheads. Minimization of data access can go a long way in preventing insider leaks.
Healthcare data management policies are important as we are increasingly becoming the sum of our interconnected data and digital identities. At this juncture, a breach of one kind of data can lead to another being compromised. Password leaks can be very alarming, but what happens when your test reports, health status, and UHID linked to services you avail through your Aadhaar are exposed? It is for this very reason that discussions around minimization need to be had. Past experiences with Aadhaar leaks serve as sufficient evidence for limiting its usage and integration with health IDs, and equally for limiting any mandate to use it.
While solutions such as 256-bit encryption for protecting data or blockchain for decentralized data can be utilized, what matters is bringing about a culture of enforcing a process rather than an outcome. Rather than giving a ready-to-go checklist that entities can use for privacy and security, it may be beneficial to create a system where accountability and privacy are ingrained in everything the entities do. At the policy design level, it is important to have privacy principles, or ‘security and privacy by design’, in place. While this is a principle HDMP claims it abides by, there are still concerns related to large-scale data processing and the lack of a data protection bill.
As for the policies mentioned here, it is beneficial to teach people digital literacy, informing them more about how consent works and what their digital rights and choices are. For example, hospital administration employees can explain the terms and conditions of privacy and consent to patients, taking away the fear of long, complex forms. It can be a part of the National Digital Health Mission as an outreach campaign.
The White Paper on Data Protection Framework for India lists certain key principles that all Indian tech policies can utilize in order to keep users’ privacy front and center, all the while providing top-notch coverage. One such principle is that of data minimization. The essential idea is that while data protection is important, data privacy must be valued first: data that doesn’t need to be collected, and is therefore never collected, doesn’t stand the risk of being breached. To this end, mandates regarding linking Aadhaar to UHID and other eHealth documents, whether arbitrary or lawful, must be re-examined.
Medical data doesn’t exist in isolation, and relevant data such as financial information should also be covered under the ambit of personal information. HIPAA covers healthcare clearinghouses (middlemen between healthcare providers and insurance payers/providers). It is something Indian healthcare data protection policies can also take into consideration. Compliance measures and risk assessments need to account for industry-standard methods, as is the case in HIPAA regulations as well.
As has been mentioned above, a Health ID can be concerning, especially its linkage to Aadhaar. While voluntary, institutional mandates could make it compulsory. As the scheme gets ready for implementation, the government should note that despite various positives, there are certain loopholes that should be accounted for in order to make digital healthcare a comprehensive, inclusive revolution.