Med Tech

Privacy Concerns regarding the Digital Health ID

There have been several successful attempts in adopting information technology in various parts of the Indian Healthcare Sector. The Indian Government has implemented several policy initiatives, including the revised Electronic Health Record (EHR) Standards 2016, the National Health Policy 2017, the draft Digital Information Security in Healthcare Act, NITI Aayog’s National Health Stack 2018 and the National Digital Health Blueprint in 2019.

On 15th August, 2020 at Red Fort, Prime Minister Narendra Modi announced the launch of the National Digital Health Mission (NDHM), also known as Ayushman Bharat Digital Mission. A key aspect of the NDHM is the implementation of the Unique Health Identifier (UHID) or the Digital Health ID number which helps to identify and authenticate citizens, through e-Aadhaar or phone number, in a standardised manner. Currently, the project is being implemented in a pilot phase in six Union Territories.

The UHID aims to bring together medical records (personal health record) across various healthcare facilities and professionals, based on consented access. The UHID will contain details of tests, diagnosis, consultations and medicines, and can be linked to personal health data generated through fitness apps, etc. This will result in accessibility of health records generated over an individual’s lifetime in cloud-based health lockers, such as MeitY’s DigiLocker.

Related Articles

“Using a Health ID is the first step towards creating safer and efficient digital health records for you and your family” explains the government’s NDHM website. The site adds that a health ID enables a citizen’s interaction with participating healthcare providers, and “allows you to receive your digital lab reports, prescriptions and diagnosis seamlessly from verified healthcare professionals and health service providers”.

However, there are challenges such as interoperability of databases and privacy protection that must be addressed, according to the experts. Each state has its own database of Electronic Health Records and accessing these databases will require very good bandwidth. To have one integratable infrastructure across the country, the bandwidth of the connectivity from the government hospitals to the cloud infrastructure has to be increased considerably. 

Having the right bandwidth is required because health information can be quite large. The Electronics Health Records and Personal Health Records, an integral part of the electronic health systems India is aiming for, can include images from X-Rays, MRI scans and more–all of which have very large file sizes. Not having the right infrastructure in place could lead to common issues where links don’t work, data isn’t updated, etc.

NDHM harmonises with existing and proposed laws, such as the Information Technology (IT) Act, Aadhaar Act, along with applicable medico-legal regime and the proposed Non-Personal Data Framework. But it predominantly relies on the Personal Data Protection (PDP) Bill, 2019 for general privacy safeguards. The Personal Data Protection (PDP) bill has been under review by a Parliamentary committee since 2019 and is pending consultation before a joint parliamentary committee, leaving India without a generic or specific health data protection law. The NDHM depends significantly on principles under the PDP Bill (such as qualified consent and specific user rights) which do not have legal precedence in India. In the absence of the PDP, there will be arbitrary ad-hoc things around privacy rules around different sectors thus enforcing the need to get the PDP bill out at the earliest.

The NDHM website does explain that “NDHM does not store any of your health records. Your health records are stored with healthcare information providers as per their retention policies and are shared over the NDHM network with encryption mechanisms only after your express consent”. However the absence of a comprehensive personal data protection mechanism applicable to digital health records leaves open the need for an interim policy to address India’s privacy concerns.

The launch of UHID on a voluntary basis, without a robust legal framework to protect health data, has resulted in a regulatory vacuum and poses a challenge to the implementation of NDHM’s health data management, including data sharing, privacy and strategic control. 

Given that the NDHM is expected to improve access to healthcare and create data resources for policy-making and research, public participation in this initiative plays a huge role. Hence making it necessary to incorporate certain safeguards which could make the mission successful as it provides citizens with the controls required to protect their data while enjoying the benefits of integrated healthcare through UHID. 

Show More

Related Articles

Leave a Reply

Back to top button