The launch of National Digital Health Mission (NDHM) was announced by the Prime Minister Sh. Narendra Modi in his Independence Day address to the nation from the ramparts of the Red Fort.
In the absence of legislation on data protection, the government has used existing and proposed laws as well as court judgments to carve out a policy to safeguard patient data recorded in the unique digital health ID under the newly launched National Digital Health Mission.
Two policies — one to manage and share patient data based on their consent, and another to ensure its security — are currently in the process of approvals, according to Dr Indu Bhushan, CEO of the National Health Authority (NHA) which will implement the NDHM.
In 2018, Niti Aayog proposed a Digital Health ID to “greatly reduce the risk of preventable medical errors and significantly increase quality of care”. This, in addition to the system enabling users “to obtain a longitudinal view of their healthcare records”. This proposal was then further taken up by the Central government with the Ministry of Health and Family Welfare, the NHA, and the Ministry of Electronics and IT preparing a strategy overview document last month for “Making India a Digital Health Nation Enabling Digital Healthcare for all”. As envisaged, various healthcare providers — such as hospitals, laboratories, insurance companies, online pharmacies, telemedicine firms — will be expected to participate in the health ID system. The strategy overview document points out that while option of digital Health ID will be there, in case a person does not want Health ID, then also treatment should be allowed.
“While we may not have the (data protection) law, we have a draft Personal Data Protection (Bill), and we also have various Supreme Court judgments on data privacy and data security. Some of them came in the context of Aadhaar,, which are also like laws, and then we also have the IT Act, which also has many other provisions about how data should be obtained, stored and used,” Dr. Bhushan said.
“The kind of standards we are following here are of the highest nature. We are following what we call privacy by design — it’s not that we build a system and then look for privacy, because we are thinking of… how we can ensure privacy and build our system based on that,” he said.
“This is a new field, and we are doing the best, based on whatever the latest technology is, and the latest thinking in data privacy. I am quite confident that our norms and protocols will measure up to the best and latest standards in the world,” Bhushan said.
The health data management policy will ensure that privacy, confidentiality and consent are upheld right from the process of creation of the health IDs, which will follow a “free and informed consent” process. Aadhaar numbers of patients will only be requested once the patient consents to creating the ID.
In order to ensure that this is adhered to, the security policy, Bhushan said, will have in place “strict” norms with “more than 100 checks and balances” related to the kind of firewalls that should be in place and the protocols that should be followed to ensure data protection.
“In our system… (while) seeking consent for sharing data, we give them (patients) the option of sharing only part of the data or full data and also the option of for how much time you want to share it. You can also revoke the consent after giving it. All those features are there,” he said.
“Hospitals are also not allowed to share any of the data that they keep without the consent of the patient, and any data that is shared for policy purposes has to be macro data and has to be anonymised. No personally identifiable information can be shared by any of the hospitals who keep the data,” he said.
While private sector resources will be used to create the infrastructure, the architecture and the way the platforms are to be developed are defined by the government, preventing issues of conflict of interest, he said. The core infrastructure will be owned and controlled by the government.
“All these things are evolving issues. When we say that we’re creating a national digital health ecosystem, data security and privacy are a part of that ecosystem. As the technology will evolve, so will the policy and the approach that we take for protecting people’s privacy,” he said.