Second time’s not the charm: Health Data Management Policy misses the mark again

tl;dr

IFF wrote to the National Health Authority (NHA) as part of the consultation conducted for the Ayushman Bharat Digital Mission’s Draft Health Data Management Policy (“Draft policy”). Through our inputs, we have tried to highlight the existence of a weak legal foundation and inadequate preparatory groundwork; excessive delegation; a constricted digital consent, confidentiality and privacy framework; over-reliance on an Aadhaar-based authentication system; and vague systems for anonymisation and de-identification, as well as the complete absence of strict access control requirements for personal health data.

Why should you care?

Increasing levels of digitisation across sectors come with opportunities as well as challenges. Digitisation can also carry significant risks when accompanied by insufficient safeguards and/or attention to privacy. These concerns are exacerbated in the health sector since healthcare data can also be sensitive personal data. Such data is also of great value to data brokers who may sell this data to private companies and researchers. As these records and databases transition to an online setting, users of healthcare services face an uphill challenge to protect this data.

Background

In September 2020, we sent comments on the National Digital Health Mission’s Health Data Management Policy (NDHM-HDMP) as a part of a consultation process. Subsequently, in June 2021, the Centre for Health Equity, Law, and Policy, and IFF drafted a working paper analysing the NDHM-HDMP. The earlier version of the Policy (NDHM-HDMP) was the subject of intense controversy. In a petition filed before the Delhi High Court by Dr. Satendra Singh, a noted disability rights activist, concerns were raised about the unreasonably short deadline for submission of feedback at the height of the COVID-19 pandemic. The petition also highlighted how the existing process excludes persons with disabilities, non-English speakers and people without internet access (Read more here). While the latest version of the Draft policy provided a reasonable deadline for inviting comments during the consultation process, it didn’t address many of the other concerns. The concerns and demands voiced in our earlier comments and working paper are echoed in our latest comments, since most concerns around the policy remain unaddressed. Through our comments, we have highlighted related legal, socio-economic and implementation issues, by analysing the Draft policy based on six criteria:

(a) Prerequisites to a digital health records system;

(b) Governance framework;

(c) Consent and confidentiality;

(d) Data privacy and security;

(e) Inclusion; and

(f) Access to health data by private entities.

For the purpose of this post and in the interest of not being repetitive, we will only point out the fresh changes in the draft policy and the concerns they raise.

What’s new (...and worse)

  • What’s in a name: Multiple names have changed under the National Digital Health Ecosystem, with the primary one being National Digital Health Mission (“NDHM”) changing to Ayushman Bharat Digital Mission (“ABDM”). Similarly, the Unique Health IDs (“UHIDs”) as conceived by the earlier version are now referred to as Ayushman Bharat Health Account (“ABHA”).
  • Out of sight, out of mind: The detailed standards that the policy would adhere to have been diluted. Where the earlier version explicitly mentioned “international standards and/or other relevant standards related to data interoperability and data sharing as may be notified for the implementation of NDHM from time to time”, the Draft policy restricts compliance to “relevant standards” and omits “international standards”. Furthermore, the shortened objective in the latest policy removes the obligation on the Ministry of Health and Family Welfare (MoHFW) to notify relevant standards related to data interoperability and data sharing to enable the implementation of ABDM.
  • Issued in public (dis)interest: Clause 13.5 of the draft HDMP adds new exceptions that allow the processing of data without consent in the following three situations: a) Medical emergency where there is a threat to the life or health of the data principal; or b) Interest of Public health; or c) Order of the competent court. The first condition was a feature of the NDHM-HDMP as well, while the third condition may be understandable. However, the second condition’s ambiguous framing implies a considerable amount of arbitrariness that may provide the discretion to extract significant amounts of personal data in the name of public health. Additionally, the NDHM-HDMP explicitly provided users with the Right to correction and erasure, something which is conspicuously absent in the draft HDMP. Another notable change is that while the previous version provided that “a data principal may request for the creation of a Health ID at no cost”, the latest version reads “ABHA (number) may be created at no cost”, essentially taking away the agency from the patient to decide whether or not to get an ABHA number (Clause 15.1).
  • My data, their rules: Clause 26.1 in the NDHM-HDMP, which states the obligations of the data fiduciaries while processing personal data, reads, “They will be accountable for complying with measures which give effect to the privacy principles while processing any personal data by it or on its behalf. However, the true ownership and control of the personal data will remain with data principals.” The draft policy, in the same Clause, has removed the term “ownership”, which is a huge blow to the idea and demand that data principals should be owners of their personal data.

Our suggestions

Our recommendations to remedy the aforementioned issues remain consistent. There still exists a necessity to identify the need, purpose, and safeguards for healthcare data. The digitisation of health records and creation of digital health IDs must be reassessed by comprehensively studying the same in the context of efficacy and privacy concerns. An underlying legal foundation and a data protection framework along with a thorough evaluation of health system preparedness and government capacity must form prerequisites to a digital health records system. Doing so would shift the focus onto the protection of citizens’ digital rights and ensure robust regulatory mechanisms. For specific recommendations, please see the table below.

Summary of our recommendations

S. No / Area(s) of concern / IFF Recommendations

1. Area of concern: Prerequisites to a digital health records system

   IFF Recommendations:

  • A robust legal foundation underpinning the system, that protects against loss of privacy and security of individual data.
  • A thorough evaluation of health system preparedness and government capacity to implement the system and resolve grievances.

2. Area of concern: Undesirable governance framework

   IFF Recommendations:

  • Due consideration must be given while determining the composition of the framework governing ABDM, which needs to include expertise across fields.
  • Ensure independence of ABDM CEO and DPO.
  • Greater clarity needed in the grievance redressal process.
  • A graded system of penalties for violations or non-compliance must be prescribed instead of the current one-size-fits-all system.

3. Area of concern: Consent and confidentiality

   IFF Recommendations:

  • Explicitly extend the requirement of taking informed consent to the creation of a Universal health ID (UHID).
  • In addition to the broad consent taken in the beginning, specific consent must also be taken at each instance of data processing and sharing.
  • Data processors must be required to put in place systems and processes for ‘masking’ of data.
  • All exceptions to processing data with consent (such as in the “interest of public health”) must be narrowly tailored and must contain explicit definitions of the data allowed to be processed under such exceptions.
  • Personal Data Processing Model Consent Form must explicitly mention that the collection of data is voluntary and refusal will not lead to exclusion from services.
  • The draft HDMP must directly provide users with the right to correction and erasure.

4. Area of concern: Diluted provisions for data privacy and security

   IFF Recommendations:

  • The stated objectives must also include compliance with international standards, which has been deleted in the latest version.
  • Strict conditions for processing and usage of anonymised personal data must be implemented that limit access to the extent necessary for the fulfilment of a defined purpose or objective.

5. Area of concern: Exclusion errors and ‘coercion-based inclusion’

   IFF Recommendations:

  • Situations such as exclusion from availing medical services due to compulsory use of Aadhaar must be avoided under the ABHA and EHRs project.
  • Aadhaar-based verification should be removed so as to ensure that issues related to privacy are at the very least partially addressed.

6. Area of concern: Access to health data by private entities

   IFF Recommendations:

  • The Draft Policy should limit the sharing of health data for medical and public health research purposes, as well as expressly prohibit sharing of such data for insurance and other commercial purposes.

Important Documents

  1. IFF’s comment on the Draft Health Data Management Policy (link)
  2. Ayushman Bharat Digital Mission’s Health Data Management Policy (link)
  3. National Digital Health Mission’s Health Data Management Policy (link)
  4. IFF and C-HELP Working Paper: ‘Analysing the NDHM Health Data Management Policy’ (link)
  5. IFF’s comments on the National Digital Health Mission’s Health Data Management Policy (link)

This post was primarily drafted by Tejasi Panjiar, Associate Policy Counsel, and reviewed by Prateek Waghre, Policy Director.