Data Protection Bill Rooted in User Rights & Privacy Will Ensure Success of Digital Health Mission
Health data, which is considered ‘Sensitive Personal Information’, is prone to cyber threats. Once a data protection law is in place, an adequate security framework can enhance user trust in the system.

Digital healthcare is a promising prospect. It allows for more efficiency in delivering healthcare if evolved with user welfare in mind. As with any digitisation effort, the data trail that such an effort leaves behind is substantial. From individual rights and a community benefit perspective, it is helpful to have the processes laid out when implementing Ayushman Bharat Digital Mission (ABDM).

In due consideration of this, the National Health Authority (NHA) has put out the National Health Data Management Policy, which aims to govern how the data will be handled in the ecosystem that ABDM aims to establish. The starting point for any protection of health data is the much-celebrated Puttaswamy Judgment. The judgment held informational privacy as a fundamental right, which includes health data. The proposed Personal Data Protection Bill categorises health data as sensitive personal data, which would mean that there are enhanced protections in place that would grant more rights to the data principals and place more obligations on the data fiduciaries.

The ABDM’s Health Data Management Policy distinguishes between EHRs (electronic health records), EMRs (electronic medical records), personal data, and sensitive personal data. The policy framework needs to provide adequate information about the metadata that will be collected, or about the use of such data in policymaking or governance. As time progresses, greater transparency will help in enhancing trust in the system.

In the past, there was an attempt to bring in legislation to regulate the flow of digital health data. The DISHA Act (Digital Information Security in Healthcare Act), as it was called, was never enacted. As of now, it remains to be seen how the monitoring of health data flows would be implemented. The proposed Data Protection Authority (DPA) under the Data Protection Bill would be de facto in charge of privacy monitoring and ensuring compliance; however, the size of the ecosystem and the swift changes that are happening in the sector make one wonder how the capacity of a centralised DPA would add up to meet the mandate.

The current regulations around data protection are inadequate, and we have not finalised a data protection law yet. Health data, which is considered “Sensitive Personal Information”, is prone to cyber threats, and we need to evolve a more holistic approach to cyber security. Once the data protection law is in place, adequate security frameworks can evolve the system’s effectiveness in harmony with the enacted law. To ensure user grievances are addressed, a tiered structure of grievance redressal can be evolved. This will enhance user trust in the system and improve feedback loops, which can help in implementing future changes.

The ABDM seeks to establish a unique health ID to identify health records and ensure continuity of care. There are two aspects to consider here. First, linking multiple databases raises privacy concerns. Research has shown time and again that linking personal databases can heighten the privacy risks upon breach. Second, it is crucial to ensure that the creation of digital IDs does not cause exclusion. While continuity of care is an ideal worth chasing, primacy must be given to health IDs so that exclusion does not take place due to the mandatory linking with other foundational IDs. If the patient is not interested in maintaining a single health ID, temporary IDs must also be provided, and the user agency must be protected.

Health data is sensitive personal data, and sharing requires protections such as pseudonymisation or anonymisation. This would mean that there needs to be a clear indication of the anonymisation standards to be followed for social and healthcare data. Similarly in India, we must evolve these standards for sharing healthcare data. While the report of the Committee of Experts on Non-Personal Data Governance Framework has suggested some possible anonymisation standards, we need greater consensus on what can be implemented at scale.

This becomes especially crucial when data sharing is to occur within the ecosystem. The manner in which data is shared and the protections/precautions that the persons sharing such data take before sharing are important to note. As is the basis of any data collection and processing, the purposes for which consent is sought for the processing of data must dictate the extent to which the data can be used by the persons processing it. Any other use must attract a fresh consent, where the fresh consent will specify the purposes for which it is being collected again. Moreover, if there are secondary uses for which the data will be used, it is crucial to have it in the form of a policy/legislation that would govern such secondary uses. For example, when data in anonymised format is used for statistical, research and allied purposes, the red lines must be drawn in advance.

With the first comprehensive data protection framework close to finalisation, the time is ripe for shifting to a digital health infrastructure, as the progress will be rooted in ensuring user rights. To realise the true goal of universal healthcare, increased uptake stemming from increased user trust is crucial. Privacy is one of the many strategies that India must use to build trust.

Kazim Rizvi is a public policy entrepreneur and Founder of The Dialogue, a tech policy think-tank based out of New Delhi. The views expressed in this article are those of the author and do not represent the stand of this publication.
