The issue of healthcare data in India, whether collection or protection, had predated the concerns raised by privacy advocates when the Government of India introduced the Aarogya Setu app. Criticized for being a threat to the privacy of users, the app was briefly mandatory, inviting disapproval from 45 organizations and more than 100 prominent individuals. While the mandatory status was rolled back, it was still being enforced arbitrarily. Furthermore, recent reports have shown that the app, in spite of its intrusive permissions, failed to curtail the spread of the virus, thus failing the proportionality principle (in addition to legality) put down by the Puttaswamy Privacy Framework.
The National Digital Health Mission (NDHM) and Health Data Management Policy (HDMP), and the United Health Interface (UHI) have also received criticism and suggestions in part from relevant sections of society. These issues don’t stem from specific acts or policies but rather from the lack of a comprehensive data protection bill that can cater to our modern needs.
On 27th September, 2021, Prime Minister Narendra Modi launched the Pradhan Mantri Digital Health Mission (PM-DHM). This rollout of PM-DHM coincides with the National Health Authority (NHA) celebrating the third anniversary of Ayushman Bharat Pradhan Mantri Jan Arogya Yojana (AB PM-JAY). On this occasion, we shall examine how and where the scheme can make an impact, and where it needs to focus.
WHAT IS HEALTH DATA?
Personal Health Data can include an individual’s data consisting of detailed information about their health condition and treatments. It can further include any data with personally identifiable information of stakeholders like information about their healthcare professionals. On the other hand, Non-Personal Health Data is aggregated health data (e.g., number of covid cases) and anonymized health data where all personally identifiable information has been scrubbed. It can also include information about health facilities, drugs, etc., that do not involve personally identifiable information.
The current legal framework governing the protection of e-health data and Sensitive Personal Data or Information (SPDI) is covered under the combined readings of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These offer only a limited degree of protection to the collection, disclosure, and transfer of sensitive personal data, including medical records and history. The current policies, which were once considered modern, haven’t been updated with the advancements in the field. Legislation has not kept pace with developments in the field of e-health, especially when healthcare has transcended hospitals and clinics and manifests in different ways such as telehealth apps. Such services existed even before Covid-19, but the lockdown resulted in a surge in their popularity, as doctors could be consulted while at home.
To progress with changing times, the Government introduced DISHA (Digital Information Security in Healthcare Act) and the Personal Data Protection Bill, 2019 (referred to as PDP hereafter). PDP makes some additions to what constitutes health data –
Section 3 (21) of the PDP 2019 – ‘data related to the state of physical or mental health of the data principle and includes records regarding the past, present or future state of the health of such data principle, data collected in the course of registration for, or provision of health services, data associating the data principle to the provision of specific health services.’
On ‘sensitive personal data’ Section 3 (36) of PDP 2019 refers to such data that personal data, which may reveal, be related to, or constitute – (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorised as sensitive personal data under Section 15.
NATIONAL DIGITAL HEALTH MISSION AND ITS DATA MANAGEMENT POLICY
Announced by Prime Minister Narendra Modi on the 74th Independence Day, the NDHM is a complete digital health ecosystem. To improve the quality of medical care, along with its access to vulnerable sections and achieve Universal Healthcare Coverage, NDHM introduces measures such as a Health ID. This health account will include details on every test, disease, doctor’s visit, prescribed medicines, and diagnosis. Even if the patient shifts or changes doctors, this information will be easily accessible because it is portable. NDHM is a voluntary healthcare program, unifying doctors, hospitals, pharmacies, and insurance companies to create a digital health infrastructure. The unique Health ID card is created with Aadhar details and the mobile number of the user. Under the ambit of NDHM, one can also find coverage of services such as telemedicine and ePharmacy.
Source – ABDM (ndhm.gov.in)
Despite positives such as a focus on consent, privacy, and user autonomy, concerns were raised about the data management policy of this scheme. The Internet Freedom Foundation and the Centre for Health Equity, Law and Policy’s working paper titled ‘Analysing the NDHM Health Data Management Policy’ highlights the background of digital health data frameworks in India. It also details the need for NDHM, the foundations required by such undertakings, the governance framework, and the areas where it is lacking. Its relevance lies in the fact that it reflects the current framework to the policymakers and provides certain insights into how the policy can be improved. Some of the learnings are listed below.
Some of the areas where it lacks –
- Consent is a big part of data collection. The current policy framework operates on a one-time, opt-in consent framework where a “yes” is a “yes to everything”. For example, the mandatory requirement of taking informed consent is limited to the collection and processing of personal data and is not explicitly extended to the creation of a Universal Health ID (UHID). However, there are reports of the Central Government generating UHID numbers for all individuals getting their COVID-19 vaccines by presenting their Aadhaar, without their consent. Users can also not withhold or refuse consent to the digitization of specific information, such as abortion, substance use/dependence, HIV status, mental illnesses, etc.
- Government and private institutions make UHID mandatory, thus contradicting the voluntary status. For example, the Caravan reported on doctors in Chandigarh being forced to register for what is supposedly a voluntary National Health ID. Citizens residing in Chandigarh hoping to avail of the COVID-19 vaccine were asked to generate UHIDs, with the compulsion of linking Aadhar to it (also not mandatory).
- HDMP allows health data companies (insurance and pharmaceutical companies) to share health data with entities for research purposes. This research must not use personal health data in individual patient care, and individual data processors can’t grant access. However, the collection and usage of aggregated health data by private commercial entities poses the risk of market abuse and unfair competition. For example, insurance companies may use digital health records to profile and score individuals in a bid to offer individualized insurance contracts and premiums, potentially leading to coverage denial for high-risk individuals. For others, there may be volatility in premium amounts depending on their health data.
- There are concerns regarding the re-identification of anonymized data. A study from Washington State shows researchers were able to re-identify 43% of known patients by matching de-identified data sets against news reports. Adequate addressing of this issue is required for data to be safe.
As mentioned above, a health data management policy must be built on the bedrock of certain prerequisites. These prerequisites mentioned in the IFF-CHELP paper include having a robust legal foundation that can protect against identity fraud, data theft, reidentification, state surveillance, and commercial profiling. Data that can’t be kept secure shouldn’t be stored. In January 2021, a technology portal reported the leaking of COVID-19 test results and the personal information of thousands of patients from multiple Indian government departmental websites. Without a statutory foundation or an independent regulatory authority, implementing a digital health records system that shares data with diverse entities across digital technology services runs the risk of violating rights to informed consent and confidentiality. Data breach threats loom over any data management entity. Health data is always sensitive, and the inclusion of Aadhar when healthcare sector executives recognize the cybersecurity risks posed by the NDHM makes a patient’s data more vulnerable without a personal data protection bill.
Another prerequisite is a robust state capacity to manage and store healthcare data. An internal audit of capacities and capabilities for managing data and assessment on-ground for data collection is required before undertaking data documentation. India currently suffers from several deficiencies in relation to the quality of data being recorded. It is further hindered by poor internet connectivity, power outages, and a lack of technical support. Thus, the outcomes from these policies will be negatively affected. A digital health records system can revolutionize healthcare in India, especially for those living in rural areas. It can help them transfer their medical records across doctors and locations and potentially avail services of better doctors elsewhere. However, implementing the system hastily, at a national level, is a complex process and must be approached strategically.
The United States Federal Trade Commission’s Fair Information Practice Principles, or FIPPs, have widely accepted guidelines and concepts concerning fair information practice in an electronic marketplace. In the context of healthcare and data, some of these principles include:
(i) a notice about what data will be collected, why and how it will be used, and with whom it will be shared;
(ii) using data for appropriate purposes;
(iii) emphasis on individual choice, including an opt-in and opt-out system to avoid “yes-to-all” kinds of consent;
(iv) access and correction of stored data, and;
(v) security to protect stored data.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an American federal law responsible for national standards intended to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. Best known for its privacy practices, it lists a number of measures, Covered Entities (entities engaged in facilitating treatment between the patient and the doctor, be it from a healthcare perspective, data storage/transmission, or billing/financial perspective). It appropriates FIPPs and lays down focused, stringent measures, such as having 20 elements required to be listed in Notices, an acknowledgment receipt that requires consent, mentions choices available to patients in terms of with whom the data can be shared, etc. It is not absolute, and certain limitations to privacy exist in cases of social order and public safety, but these are highly regulated by the courts and require specific court mandates.
Source – What is HIPAA and why should I care?
In Europe, the General Data Protection Regulation, or GDPR, gives EU citizens enhanced control over their personal data. It streamlines the regulatory environment for business so both citizens and industries in the European Union can fully benefit from the digital economy. From a health data perspective, it provides for Breach Notifications in events of data breaches and hacks. In essence, if the name, address, date of birth, health records, bank details, or any personal data about customers is breached, the breached organization is obliged to inform the compromised as well as the relevant regulatory body so action can be taken to mitigate the damage. Breach notifications are often public, putting the reputation of the company on the line. Such laws put down stringent measures to place privacy first.
DISHA IN INDIA AND ITS FEATURES
DISHA, while still tabled, provides a new turn for how healthcare data can be secured. The Draft Bill defines Digital Health Data (DHD) as ‘an electronic record of health-related information about an individual’. Its provisions deal with physical and mental health information of an individual, health services provided and collected while providing said services to an individual, donation, testing, and information obtained from the act, and details about the clinical establishment accessed by the individual.
Provisions to regulate the generation, collection, access, storage, transmission, and usage of DHD and associated Personally Identifiable Information (PII) are provided. The latter is information that can uniquely identify, contact, or locate an individual specifically, using sources like name, address, date of birth, financial information, etc. The Draft Bill states that health data such as physical, physiological, mental health conditions, sexual orientation, medical records, medical history, and biometric data qualify as information that can only be the property of the person it belongs to.
DISHA hails from the Ministry of Health and Welfare’s attempt, in 2015, to establish the National Electronic Health Authority (NeHA) to regulate the usage of electronic mediums in healthcare and maintaining e-Health records and digital health information across India. Prior legislation such as the Clinical Establishments (Registration and Regulation) Act 2010 mandated the maintenance and provision of EMR (Electronic Medical Records). Similarly, EHR (Electronic Health Records) were covered under a uniform standard-based system for the creation and maintenance by the healthcare providers, rules courtesy of MoHFW. At a point when data was increasingly stored in the electronic format, there was a need to protect said data as well. It is the bridge that DISHA seeks to build.
A few features of DISHA are as follows –
- The legislation calls for creating a central regulator – NeHA, accompanied by various State Electronic Health Authorities (SeHA) to execute the provisions of DISHA. These authorities will be responsible for defining protocols to safeguard data from possible breaches and provide data security measures, establish protocols for digital health data transmission, to and receiving it from other countries, and more.
- It establishes Digital Health Exchanges for the secure transmission, access, and communication of digital health information across doctors, nurses, pharmacists, and other healthcare providers and patients. It can enhance the speed, quality, safety, and cost of patient care. Standardization of digital health information through eHealth record standards will be followed. Indian data centers are required to facilitate this. DHIEs will be monitored and controlled by their respective Chief Health Information Executive, and they’ll be responsible for appropriate storage of data breach notification, etc.
The Need for DISHA and What it Should Aim For
DISHA needs to be complemented by an overarching personal data protection bill, protecting SPDI (such as financial information, biometric information, physical, physiological, and mental health conditions). In April of 2020, the Kerala High Court, in the interim order in the case of Balu Gopalakrishnan v State of Kerala (Kerala High Court, WP (C) Temp No. 84 (2020), 24 April 2020), warned against a ‘Data Epidemic’. From such cases, it is evident that anecdotal-based cases can pave the way for better data protection measures, but there is a need for a comprehensive law.
DISHA’s emphasis on anonymization and de-identification rules, actions on obtained data being subject to explicit consent, and the right to correct inaccurate digital health data are steps in the right direction but are subject to proper enforcement on the ground level. A point that needs special attention is the absolute prohibition of access to digital health data (whether anonymized or otherwise) to insurance companies, employers, human resource consultants and pharmaceutical companies, or any other entity as may be specified by the Central Government. It directly covers up one of the flaws that the NDHM-HDMP suffers from.
One possible flaw that emerges out of DISHA is that it permits NeHA to use the information for certain limited purposes such as public health research, as long as the confidentiality of the data owner is not compromised. In theory, this seems suitable, but precautions need to be taken as national databases of sensitive information have been breached in the past. Additionally, internal security measures should be taken to ensure that data is only under the purview of relevant figureheads. Minimization of data access can go a long way in preventing insider leaks.
THE PATH FORWARD
Healthcare data management policies are important as we are increasingly becoming the sum of our interconnected data and digital identities. At this juncture, a breach of one kind of data can lead to another being compromised. Password leaks can be very alarming, but what happens when your test reports, health status, and UHID linked to services you avail through your Aadhar are exposed? It is for this very reason that discussions around minimization need to be had. Past experiences with Aadhar leaks serve as sufficient evidence for limiting its usage and integration with health IDs and mandating it equally.
While solutions such as 256-bit encryption for protecting data or blockchain for decentralized data can be utilized, what matters is bringing about a culture of enforcing a process rather than an outcome. Rather than giving a ready-to-go checklist that entities can use for privacy and security, it may be beneficial to create a system where accountability and privacy are ingrained with everything the entities do. At the policy design level, it is important to have privacy principles, or ‘security and privacy by design’ in place. While this is a principle HDMP claims it abides by, there are still concerns related to large-scale data processing and the lack of a data protection bill.
As for the policies mentioned here, it is beneficial to teach people digital literacy, informing them more about how consent works and what their digital rights and choices are. For example, hospital administration employees can explain the terms and conditions to privacy and consent to patients, taking away the fear of long, complex forms. It can be a part of the National Digital Health Mission as an outreach campaign.
The White Paper on Data Protection Framework for India lists certain key principles that all Indian tech policies can utilize in order to keep user’s privacy front and center, all the while providing top-notch coverage. One such principle is that of data minimization. The essential idea is that while data protection is important, data privacy must be valued first as data that isn’t required to be collected and thus never collected doesn’t stand the risk of being breached. To this end, mandates regarding linking Aadhar to UHID and other eHealth documents, whether arbitrary or lawful, must be re-examined.
Medical data doesn’t exist in isolation, and relevant data such as financial information should also be covered under the ambit of personal information. HIPAA covers healthcare clearinghouses (middleman between healthcare providers insurance payers/providers). It is something Indian healthcare data protection policies can also take into consideration. Compliance measures and risk assessments need to account for industry-standard methods, as is the case in HIPAA regulations as well.
As has been mentioned above, a Health ID can be concerning, especially its linkage to Aadhar. While voluntary, institutional mandates could make it compulsory. As the scheme gets ready for implementation, the government should note that despite various positives, there are certain loopholes that should be accounted for in order to make digital healthcare a comprehensive, inclusive revolution.
Also read: Sweet Revolution or Mithi Kranthi