Along with the Centre for Health Equity, Law, and Policy, we have drafted a working paper analysing the National Digital Health Mission’s Health Data Management Policy. We will be explaining our analysis of the Policy in a two part series. This post provides an introduction to the issue, discusses the various prerequisites required for implementing a robust digital health records system, and looks at the governance structure underlying the Policy.
On August 20th last year, the National Health Authority had issued a press release announcing the public consultation for the Draft Health Data Management Policy (HDMP) for the National Digital Health Mission (NDHM). We had provided legal support to a petition that challenged the consultation process for the HDMP. After hearing the petition, the Delhi High Court directed the government to consider the consultation process in accordance with existing policies such as the Pre-legislative Consultation Policy, after which the government extended the deadline to September 21st, 2020. However, several issues remained, such as the inaccessibility for persons with visual impairments as well as the online-only and english-only mode of consultation. Thus, we wrote to the Ministry of Health and Family Welfare regarding these issues.
Subsequently, we also submitted our comments on the HDMP. Our comments centred on the following themes:
- Lack of data protection legislation: Ensuring health data privacy requires legislation at three levels- comprehensive laws, sectoral laws and informal rules. Since the Personal Data Protection Bill, 2019 is still pending in Parliament, the Draft Policy can at best be considered a set of informal rules which lack any statutory basis. UNAIDS has also emphasized that national level privacy legislation is necessary to address privacy concerns associated with national health IDs.
- De facto mandatory nature of Digital Health ID Programme: As reported by various media publications, registration for a health ID under the NDHM may be voluntary on paper but it is being made mandatory in practice by hospital administrators and heads of departments. The de facto mandatory nature of the digital health ID programme under NDHM can be addressed only if it supported by an underlying legislation which clearly places a bar on denial of healthcare services because of lack of a digital health ID, and prescribes strict penalties for erring government officials who make use of such health IDs mandatory.
- Linkage of Aadhaar with Digital Health ID: The use of Aadhaar for the purposes of authentication of identity at the time of registration raises serious privacy concerns about linkage of a person’s health data with other databases, and it increases the likelihood of the National Digital Health Ecosystem being connected with systems beyond the health sector. Additionally, the non-inclusion of official identifiers like Aadhaar number within the definition of sensitive personal data under the Draft Policy is inconsistent with the government’s own Personal Data Protection Bill and may lead to inadequate protection being provided to Aadhaar details shared by participants in NDHM.
- Risk of re-identification of anonymized data: The Draft Policy does not adequately address concerns about reidentification of de-identified or anonymized health data which is now widely understood to be a real threat. For instance, researchers have been able to re-identify 43% of known patients by matching de-identified data sets against news reports. Researchers have also found that 87% of the population in the United States can be uniquely identified based on only three characteristics - ZIP, gender, date of birth - and proven that any data set which includes these highly identifying characteristics cannot not be considered anonymized.
- Threat of data breaches: Executives in the healthcare sector have recognized the cybersecurity risks posed by the NDHM. Further, India has a past record of breaches of sensitive personal data like financial information. For instance, in 2016, 3.2 million debit cards were recalled by various banks due to a data breach. Any similar leak of sensitive health data collected as part of NDHM would cause severe and irreparable harm to millions of citizens which cannot be quantified or compensated in monetary terms. For this reason, it is essential that independent technical experts are provided more time to thoroughly scrutinize the National Digital Health Ecosystem’s technical design and there should be full disclosure of all information that is necessary to conduct such an independent evaluation.
Our Working Paper
On 14th December 2020, the government approved the final version of the HDMP. Throughout the past year, we have engaged with the emerging health data paradigms, and so we set about analysing the HDMP. To this extent, given our lack of domain expertise, we collaborated with various key stakeholders such as public health groups and health policy experts. Our main collaborator in these endeavours was the Centre for Health Equity, Law, and Policy, with whom we jointly organised an internal stakeholder conference to discuss the various aspects of the HDMP.
We are now able to finally present to you the fruits of our joint labour on the HDMP; our working paper ‘Analysing the NDHM Health Data Management Policy’. In a two part series, we will be explaining our paper in detail. This post will discuss the essential prerequisites required for implementing a digital health records system, while also taking a look at the governance system proposed by the HDMP.
Prerequisites for a Digital Health Records System
To implement an digital health records system adequately, two fundamental prerequisites are required:
- A robust legal foundation: The NDHM-HDMP seeks to digitise health records and link these records with a digital health ID, entailing significant risks to confidentiality and privacy. A study on identity management systems in Europe describes UHIDs as ‘one of the most privacy-invasive tools of eHealth’, especially because of the potential of linking health data with other data sources. For example, the use of Aadhaar to create a UHID can be linked with other personal information, creating the potential for state surveillance and profiling for commercial purposes. A recent RTI query revealed that the chief medical officer of the Kulgam district in Jammu and Kashmir was sharing Aarogya Setu users’ data (without the users’ knowledge and consent) with local police authorities. Apart from this, identity fraud, data theft and reidentification are some other risks posed by a digital health ID. In January 2021, a technology portal reported leaking of COVID-19 test results and personal information of thousands of patients, from the websites of multiple Indian government departments. Such breaches can cause embarrassment, humiliation, loss of reputation and stigmatization of individuals, especially vulnerable populations; and unregulated access by third parties can lead to discrimination against individuals, such as denial of insurance and discrimination at workplace. Furthermore, without any statutory foundation and an independent regulatory authority, establishing and implementing a digital health records system; and sharing data with government bodies and private entities across different digital technology products, services and applications, risks fundamental rights to informed consent, confidentiality and privacy. Such an action may be contrary to the Constitution of India.
- State capacity: Apart from a robust legal foundation, successful implementation of a digital health records system entails health system preparedness, i.e. an assessment of existing capacities for medical record documentation and health information exchange. The WHO recommends governments to do the groundwork on evaluating the state of healthcare documentation for data standardisation and accuracy, technical infrastructure capabilities, availability of skilled human resources and training for data entry and analysis, protocols for ensuring privacy, security and adequate quality of data, and other environmental issues like electricity and internet speed. Pushing the implementation of digital health without adequately taking into account and planning for these requirements will cause more harm than any stated benefit of digitization. Some studies, evaluating existing health information systems in India in India, find several deficiencies particularly in relation to the quality of data being recorded. Poor internet connectivity, long power outages and lack of technical support led to delays in recording data, as well as many cases going unrecorded altogether. A digital health records system has the potential to significantly enhance the effectiveness, efficiency and quality of healthcare. The success of such a system is contingent upon its widespread acceptability and reusability. However, implementing the system at a national level is a complex process, and requires strategic planning and stakeholder engagement. Hasty implementation without adequate safeguards not only risks the privacy and security of medical data, as well as exclusion and inequities; but it may also undermine general trust in the system leading to low uptake.
The key features of the governance framework envisaged under the NDHM-HDMP, are enumerated below:
- The governance structure will be the same as that for the National Digital Health Ecosystem (NDHE), and will be specified by NDHM. The National Digital Health Blueprint envisages that the NDHM will facilitate the evolution of NDHE, including establishing and implementing the National Health Electronic Registries and the Electronic Health Records Framework.
- The NDHB provides that the NDHM will be a government owned body comprising two separate arms: (a) governing council and board of directors responsible for policy formulation and regulation; and (b) CEO and operations team responsible for implementation of the policies. In addition to this, the NDHM-HDMP provides that the governance structure will consist of committees, authorities and officers at different levels. Specifically, it will consist of a data protection officer (NDHM-DPO) and a grievance redressal officer (NDHM-GRO).
- The Ministry of Health and Family Welfare and the Ministry of Electronics and Information Technology will provide overall guidance.
- Specific details in relation to the governance structure will be stipulated from time to time.
Although there is some clarity on the structure of NDHM, the NDHM-HDMP is silent on the size, composition, selection process, tenure, powers, functions, terms of removal, financing and the accountability framework governing NDHM. In effect, the governance structure of NDHM will be laid out by NDHM itself. This may lead to problems associated with excessive delegation, especially lack of transparency and a weak accountability framework. The appointment of government officers as the NDHM CEO and NDHM-DPO is also not desirable. The two members are responsible for implementing the UHID and EHR system, including the collection, management and sharing of health data. Government officers holding these key positions may expose the NDHM to pressures from the government and compromise its independence.
Next, the HDMP also lays out the grievance redress and enforcement framework. Ideally, a grievance redress mechanism should entail clear processes embedded in the rule of law, through which aggrieved parties can seek redress or challenge regulatory actions. Unfortunately, the grievance redress process contained in the NDHM-HDMP falls short on this count. As the HDMP provides data fiduciaries (entities that collect and store data) with significant amounts of discretion with respect to handling complaints, data principals face the risk of arbitrary rejection of complaints. As an example, one of the most common complaints against Indian health insurance companies, who are free to lay down their own procedure for settlement of insurance claims, is the rejection of claims without any reasoning. In order to avoid a similar problem, the NDHM-HDMP should lay down the procedure for the receipt and redress of complaints at all levels.
Data fiduciaries are also obligated to formulate and implement a personal data breach management procedure, for monitoring instances of non-compliance or unauthorised use. The provision can be strengthened in the following ways:
- Data fiduciaries should be obligated to disclose all information and any material change to the information on the personal data breach management procedure, directly to the user.
- This information should be presented in a legible and reasonably plain language to the user.
- Any instances of breach should not only be notified to NDHM, but also the user affected by such breach.
Finally, the NDHM-HDMP prescribes penalties for non-compliance. These include a ban from participating in the NDHE, and suspension or cancellation of digital IDs of health professionals and health facilities. While the NDHM-HDMP envisages various degrees of possible contraventions, the penalties are limited to a ban, suspension or cancellation of the digital health ID. This may lead to situations where either minor violations go completely unpunished or a large number of penalties are disproportionate to the violation. Both scenarios will undermine implementation of the NDHM-HDMP. Hence, there is a need for rationalisation of the penalty system. This may be achieved through the incorporation of a graded system of penalties for violations based on the cause of the violation, with penalties ranging from warnings, corrective actions and monetary penalties to suspension, cancellation and instituting criminal proceedings. This would ensure that the enforcement mechanism is embedded in the rule of law and in line with the principle of proportionality.
In the next post, we will look at other issues related to consent and confidentiality, data privacy and security, inclusion, and private sector access to health data.
- The National Digital Health Mission’s Health Data Management Policy (link)
- IFF and C-HELP Working Paper: ‘Analysing the NDHM Health Data Management Policy’ (link)
We would like to once again thank the Centre for Health Equity, Law, and Policy for all their help and support on this paper. In particular, we would like to mention Shefali Malhotra, who is a Research Consultant with the Centre for Health Equity, Law and Policy, and Shivangi Rai, who is Deputy Coordinator with the Centre for Health Equity, Law and Policy.