On August 26, 2020, the Ministry of Health & Family Welfare (MoHFW) published the draft Health Data Management Policy (Policy). MoHFW has been advocating digitisation of health records, creation of registries, and adoption of a federated health data management structure to ensure interoperability and transferability of health data within the healthcare ecosystem. A federated structure, simply put, allows collection, processing and storage of data at every level instead of in a single centralised repository. The bigger picture is the creation of a “national digital health ecosystem” (NDHE), in which health records can be collected, processed and transferred inter se stakeholders with patient consent, for universal and continued healthcare. Consequently, it is essential that a detailed data management framework is put in place to maintain confidentiality of health data and patient privacy.
The Personal Data Protection Bill, 2019 (PDP Bill) is still being debated by Parliament and is unlikely to be notified before 2021. In the absence of a comprehensive data protection framework, the only binding rules are the minimal ones prescribed under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules), which govern personal data (PD) and sensitive personal data (SPD). The Policy aims at bridging the gap, and pilots are currently being implemented in union territories. This post provides an overview of the Policy and compares it with the PDP Bill, with the aim of evaluating the efficacy and necessity of a specialised health data management guideline.
1. Nature and objectives: The Policy aims to achieve the following:
- establish national portability of health records across stakeholders;
- set out framework for secure data processing in NDHE;
- stipulate adequate technical and organizational measures within NDHE;
- create and promote a “voluntary” system of digital health records processing and transferability based on consent;
- follow international standards such as ISO/TS 17975:2015 and other interoperability and data sharing standards as may be notified;
- increase awareness of privacy to create a privacy mindset amongst NDHE players; and
- establish institutional mechanisms for audits, checks and balances.
The Policy is non-binding and provides guidelines that are to be read in conjunction with applicable laws, whether existing or notified in future. In the strict sense, the Policy is not law; it is an attempt at laying out best practices. Until such time as the PDP Bill is notified, stakeholders dealing with health data have to comply with the IT Rules, and to that extent the Policy may not change anything in how health data is processed or managed. The lacuna in the current legal regime is bound to defeat the Policy’s objectives. Owing to the high sensitivity of health data and the potential harm that can ensue when it is misused, it is imperative that the government focuses on prescribing binding rules instead of self-regulatory structures like the Policy.
2. Application: The Policy states that the guidelines apply to all participants in NDHE, i.e., the data principal (the patient), data fiduciaries and data processors. A data fiduciary is the person who decides the means and purposes of processing, while a processor is one who carries out the processing on the fiduciary’s behalf. Participants will include (i) the government and its agencies, including MoHFW, ICMR and MCI, (ii) healthcare professionals such as doctors, nurses and lab technicians, (iii) health information providers such as hospitals, diagnostic centres, public health programmes or other such entities registered with the National Health Infrastructure Registry (to be created), which act as information providers in NDHE, (iv) health facilities such as hospitals, clinics, diagnostic centres, health and wellness centres, mobile units, ambulances and pharmacies, and (v) health information users, i.e., those permitted to access health data in NDHE with the consent of the concerned individual, such as pharmaceutical companies and supply chain players, research bodies and charitable organisations. Further, the Policy applies to all methods of health data collection, whether in person, written or oral. Thus, the Policy applies to every player in the data lifecycle and is agnostic to the collection method.
3. Fundamental blocks of NDHE: Several concepts defined in the Policy, such as anonymisation, biometric data, processing, harm and significant harm, mirror the PDP Bill. The principles of accountability, transparency, data minimisation, purpose and storage limitation, lawful processing, privacy by design, implementation of reasonable security practices and the data principal’s rights have likewise been carried over from the PDP Bill into the Policy. In essence, the Policy is aligned with the PDP Bill and, to that extent, serves no additional purpose.
Nonetheless, the Policy brings in three fundamental components that are essential for NDHE: electronic health records (EHR), a system of unique identifiers, and health lockers.
4. EHR: EHR refers to a repository of digital data relating to the wellness, health and healthcare of an individual that is (i) capable of being stored, (ii) communicated securely, for example over an end-to-end encrypted channel, (iii) accessible by multiple authorised users, and (iv) represented in a standardised or commonly agreed logical information model. An EHR is thus a collection of the medical records generated during clinical encounters or events. The ambit is wide and includes conventional health services (such as in-person consultations), wellness programmes, telemedicine, telehealth and derivative records, whether in identifiable or de-identified form.
EHR is not an entirely new concept; it is borrowed from the EHR Guidelines, 2016, issued in December 2016, which continue to remain on the sidelines owing to their self-regulatory nature. In any event, if NDHE is to work, it is essential that EHRs are kept in a standardised machine-readable format, failing which interoperability, secure transmission and multi-party access are difficult to achieve. Further, secure transmission and multiple access points will require a re-evaluation of the government’s stance on encryption technologies. As it stands today, the end-to-end encryption deployed by intermediary platforms prevents the platforms themselves from reading the PD and SPD exchanged through them, thereby preserving the individual’s privacy. The government, however, views encryption as a threat to public order and national security. The draft Intermediary Guidelines, 2018 propose to require intermediaries to trace the originator of information on their platforms, a requirement widely read as incompatible with end-to-end encryption; should this become law, it is hard to see how the government can ensure secure transmission of health data within NDHE.
5. Policy IDs: The second key block of NDHE is a system of unique identifiers for patients, healthcare practitioners and health facilities. This is the only additional feature in an otherwise repetitive Policy that is largely pari materia with the PDP Bill. Unique identifiers aim at verifying the identity and authenticity of the stakeholders creating and processing health data. Any patient, health facility or health professional who wishes to participate in NDHE and avail of its benefits must have a Health ID, Health Professional ID (HPID) or Health Facility ID (HFID), respectively. The manner in which these are created, the data required to generate them, the processing techniques and the verification process (using Aadhaar or other credentials) will be prescribed by the National Health Authority (NHA). NHA can contract this role out to a private party. Nonetheless, the Policy states that in creating Policy IDs the fiduciary must comply with the guidelines, and it is only to this limited extent that the Policy can be considered binding. The key points:
- Health ID is the identification number allocated to a data principal. All health data, and the individual’s consent for processing EHRs within NDHE, must be linked to the Health ID. The principal can choose to withdraw or modify consent, restrict data sharing, or require removal of PD linked to the Health ID. A Health ID will not, however, be a prerequisite for benefiting under any government scheme such as PM-JAY or state insurance.
- HPID is the unique ID allocated to practitioners and professionals. It is essential for authenticating the identity of a practitioner who seeks to access a patient’s PD. HPID can also be used for signing e-prescriptions, reports and e-claims. As with the Health ID, a practitioner can opt out, cancel or require removal of the HPID.
- HFID is the unique ID allocated to a health facility and is similar to HPID. Owners or managers of health facilities are responsible for keeping the facility’s details up to date. Further, participating health facilities can be subjected to audits.
As of now, Policy IDs are optional. But, remembering the Aadhaar narrative, there is mounting scepticism that the government may move to make them a mandatory condition for participating in government-funded and public health projects. Critics also view the Health ID in particular as a potential surveillance tool to track and trace sexual minorities and persons with disabilities. Objectively, for NDHE interoperability to work in practice, unique identifiers of the kind suggested in the Policy are necessary. Equally naturally, a single lifelong identifier to which every record is linked is also a universal correlation key: a breach, misuse or unauthorised access to the IDs or the linked PD can result in significant personal harm and may also affect the person’s fundamental rights. Hence, it is essential that adequate legal principles, and not just a Policy framework, are put in place before NDHE is made a reality.
6. Health lockers: The third component of NDHE is health lockers, the services through which records are stored and exchanged so that NDHE works seamlessly. These services are most likely to be provided by data processors. They will allow the principal to access and create records, and allow EHRs to be accessed and transferred inter se fiduciaries or processors with consent. For example, telemedicine and telehealth platforms can provide health locker services that allow creation, access and further processing of health data. However, the Policy is silent on how health lockers are proposed to be regulated.
7. Patient consent: The principal is at the centre of NDHE, and her interests are supposed to be of paramount importance. Valid consent is the only basis for collection and processing of PD, i.e., consent must be (i) free, within the meaning of the Indian Contract Act, 1872, (ii) informed, having regard to the information that must be provided in a notice, so that the principal understands the scope of consent and the purpose of processing, (iii) specific, so that the principal can consent to a particular purpose, (iv) clearly given, and (v) capable of being withdrawn at any time with ease comparable to that with which it was obtained. For SPD, consent will be obtained only after informing the principal of the processing steps that can cause significant harm. Determining significant harm takes into account the impact, continuity, and persistence or irreversibility of the consequences. For instance, drug abuse testing information, if provided to employers, can cause significant harm in the form of job loss, prosecution and even social harm.
Thus, the consent mechanism provided under the PDP Bill appears to have been incorporated in the Policy. But what about the situations in which the PDP Bill allows processing of PD without consent, such as a public health crisis, disaster management, a pandemic, or emergency use authorisation for vaccines? Since the Policy is recommendatory in nature, the government or its authorised entity can access health registries, EHRs and health locker facilities to process the principal’s data in any manner, without prior notice. Hence, the Policy’s emphasis on consent is without real consequence.
8. Interoperability: Additionally, the Policy states that the technical design of the consent management framework should ensure interoperability across all players and must be agnostic to applications, programming languages and platforms, so as to ease sharing or disclosure. Interoperability means the ability of a system to exchange electronic records with other systems. It not only helps leverage the real value of health data, but can actually give impetus to universal and continual access to healthcare services. Understood in this context, it is not enough simply to obtain the individual’s consent to interoperability and data sharing. It requires technology and standardised protocols deployed across NDHE, which in turn necessitates that the technology standards are made binding on stakeholders; they cannot merely be clothed as recommended practices. It is contemplated that NHA will issue standards under the Policy, but since the Policy is non-binding, the standards cannot be enforced as law. To draw a parallel, consider the interoperability standards prescribed by the US Office of the National Coordinator for Health Information Technology (ONC). These standards are recognised under specific legislation, the HITECH Act, which aims at ensuring interoperability without compromising privacy. That law provides financial incentives for EHR adoption and strengthens the penalties under HIPAA for breaches. In essence, the Policy does not live up to its lofty objectives, and interoperability issues can only be addressed through enforceable standards.
Conclusion: The Policy is a replica of the PDP Bill in many ways and does not add value to the existing legal regime. Despite the elaborate objectives stated in the Policy, its actual impact and purpose remain unclear. Health data deserves the highest privacy safeguards. This can be ensured through a detailed data protection regime that is binding on stakeholders and permits only limited exceptions. The way forward for the government is to focus on finalising and notifying the PDP Bill, instead of coming up with piecemeal guidelines. Until then, implementation of the Policy and NDHE will proceed without mandatory checks and balances for data protection, which is bound to leave the principal’s health data vulnerable and exposed.
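The consent properties in section 7 (specific, withdrawable), the principal’s ability under section 5 to restrict sharing of data linked to a Health ID, and the DS4P-style segmentation mentioned in the notes all describe behaviour that a consent management layer has to enforce in code. The following is an added illustration, not code from the Policy, NHA or any NDHE pilot: a Python gate that evaluates an access request against a consent record shaped like the HL7 FHIR R4 Consent resource. The sample consent, the Patient and Organization references standing in for a Health ID and an HFID, and the requesting parties are all constructed for the example; treating a nested deny provision as an unconditional carve-out is a simplification of full FHIR provision semantics.

```python
"""Consent gate over a FHIR R4-style Consent resource (illustrative, not NDHE code)."""
from copy import deepcopy
from dataclasses import dataclass
from datetime import date

# Constructed sample consent, not taken from the Policy or any NDHE pilot.
# Shape follows the HL7 FHIR R4 Consent resource. The root provision permits
# sharing for treatment (purpose code TREAT) with one named facility for a
# fixed period; a nested deny provision carves out records labelled ETH
# (the HL7 v3 sensitivity code for substance-abuse information), which is
# the DS4P-style segmentation the patient asked for. The Patient and
# Organization references stand in for a Health ID and an HFID and are
# hypothetical.
SAMPLE_CONSENT = {
    "resourceType": "Consent",
    "status": "active",
    "patient": {"reference": "Patient/health-id-example"},
    "provision": {
        "type": "permit",
        "period": {"start": "2020-09-01", "end": "2021-08-31"},
        "actor": [{"role": {"coding": [{"code": "PRCP"}]},
                   "reference": {"reference": "Organization/hfid-example"}}],
        "purpose": [{"code": "TREAT"}],
        "provision": [
            {"type": "deny", "securityLabel": [{"code": "ETH"}]},
        ],
    },
}


@dataclass(frozen=True)
class AccessRequest:
    actor: str                  # FHIR reference of the requesting party
    purpose: str                # HL7 v3 PurposeOfUse code, e.g. TREAT, HRESCH
    record_labels: frozenset    # sensitivity labels carried by the requested record
    on: str                     # ISO date of the access, e.g. "2020-10-01"


def _in_period(period: dict, on: str) -> bool:
    """True if `on` lies inside the provision's period (open ends allowed)."""
    when = date.fromisoformat(on)
    start, end = period.get("start"), period.get("end")
    if start and when < date.fromisoformat(start):
        return False
    if end and when > date.fromisoformat(end):
        return False
    return True


def _codes(codings: list) -> set:
    return {c["code"] for c in codings}


def _denied_labels(provision: dict) -> set:
    """Collect security labels from every nested deny provision.

    Simplification: a nested deny is treated as an unconditional carve-out,
    ignoring the actor/purpose qualifiers that full FHIR provisions allow.
    """
    labels = set()
    for sub in provision.get("provision", []):
        if sub.get("type") == "deny":
            labels |= _codes(sub.get("securityLabel", []))
        labels |= _denied_labels(sub)
    return labels


def evaluate(consent: dict, req: AccessRequest) -> tuple:
    """Return ("permit"|"deny", reason). Anything not explicitly covered is denied."""
    if consent.get("resourceType") != "Consent":
        return ("deny", "not a Consent resource")
    # Withdrawal is modelled as a status change, so a withdrawn consent fails here.
    if consent.get("status") != "active":
        return ("deny", "consent status is %s" % consent.get("status"))
    root = consent.get("provision", {})
    if root.get("type") != "permit":
        return ("deny", "root provision does not permit sharing")
    if not _in_period(root.get("period", {}), req.on):
        return ("deny", "access date outside consent period")
    actors = {a["reference"]["reference"] for a in root.get("actor", [])}
    if actors and req.actor not in actors:
        return ("deny", "requesting actor not named in consent")
    purposes = _codes(root.get("purpose", []))
    if purposes and req.purpose not in purposes:
        return ("deny", "purpose %s not covered by consent" % req.purpose)
    blocked = req.record_labels & _denied_labels(root)
    if blocked:
        return ("deny", "record carries segmented label(s): " + ", ".join(sorted(blocked)))
    return ("permit", "access covered by an active, specific consent")


def withdraw(consent: dict) -> dict:
    """Withdrawal: return a copy with status set to inactive; the original is untouched."""
    revoked = deepcopy(consent)
    revoked["status"] = "inactive"
    return revoked


if __name__ == "__main__":
    hospital = "Organization/hfid-example"
    for req in (
        AccessRequest(hospital, "TREAT", frozenset(), "2020-10-01"),
        AccessRequest(hospital, "TREAT", frozenset({"ETH"}), "2020-10-01"),
        AccessRequest(hospital, "HRESCH", frozenset(), "2020-10-01"),
        AccessRequest(hospital, "TREAT", frozenset(), "2021-09-01"),
    ):
        print(req.purpose, req.on, sorted(req.record_labels), "->", evaluate(SAMPLE_CONSENT, req))
    print("after withdrawal ->", evaluate(withdraw(SAMPLE_CONSENT), AccessRequest(hospital, "TREAT", frozenset(), "2020-10-01")))
```

The gate is deny-by-default: a request is permitted only when the consent is active, the date falls inside its period, the requesting actor and purpose are the ones the principal consented to, and the record carries none of the labels the principal segmented off. Withdrawal is a state change on the consent record rather than deletion, so every later request fails the status check while the audit history of what was once consented to survives.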
Notes:
ISO/TS 17975:2015, Health Informatics – Principles and data requirements for consent in the Collection, Use or Disclosure of Personal Health Information.
Encounter is defined under the EHR Guidelines as an instance of direct provider/practitioner to patient interaction, regardless of the medium, such as ambulatory, inpatient, emergency, telemedicine, etc.
Health lockers are comparable to health information exchanges in the USA. Common forms are directed exchange (sending and receiving data between care providers), query-based exchange (finding or requesting information on patients from other providers) and consumer-mediated exchange (patients aggregating and controlling use of their data); see https://www.healthit.gov/topic/health-it-and-health-information-exchange-basics/health-information-exchange (last accessed on September 26, 2020).
Some interoperability standards in use include (i) HL7 FHIR (Fast Healthcare Interoperability Resources), which enables interoperability across phone apps and cloud or server communications, and (ii) DS4P (Data Segmentation for Privacy), which allows segmented data sharing in line with patient consent. Several other interoperability pilot projects are being spearheaded by the US Office of the National Coordinator for Health Information Technology.