NATIONAL DIGITAL HEALTH MISSION: PRIVACY ANALYSIS

Posted byAarif NabiPosted inLAW, Privacy LawTags:, , , , , , , , ,
http://www.twitter.com

Privacy on the internet? That’s an oxymoron.

Catherine Butler

Introduction

National Digital Health Mission (NDHM), a part of Ayushman Bharat Pradhan Mantri Jan Arogya Yojana (AB PM-JAY), was launched by the Prime Minister Narendra Modi on India’s 74th Independence day in August, 2019. The initiative is completely technology based intended to improve the health services in India. Under the scheme, a Health ID will be provided to the patient which will contain his/her medical information such as the name of the health problem, diagnosis, name of the medical practitioner, medicines prescribed, medical history or a complete health analysis of the patient, etc. The scheme is supposed to bring about efficiency and transparency in the medical sector. Each time a patient goes to the doctor or to a pharmacy, he/she will have to provide his Health ID which will have all the concerned information. For the sake of confidentiality, a one-time access will be given to a doctor or a pharmacy while medical check-up is done or medicines are bought respectively. But however, some privacy concerns have been raised against the policy. Although the consent mechanism is there, but the question is still there. Is our medical data safe when we consent for digitising and storing our medical data or giving its access to doctors and pharmacy holders?

The Structure of the Scheme

As of now, the scheme has four digital health systems to store and access electronic medical records (EMR). The first one is Health Id. It will be given to the patients containing all their relevant medical information. It is the primary source to access such information or to prescribe or buy medicines. The second one is Digi Doctor. It is a kind of database which contains the details of the doctors enrolled in India. It will include their names, qualifications, specialization, years of experience, medical institution they are concerned with, registration number etc. The third one is Health Facility Registry (HFR). All medical health facilities will be registered in it and will contain all the other details like specialties, services provided, technology used etc. the fourth system is Personal Health Records (PHR). This system contains the medical information of the patients including their medical problem, diagnosis, medicines prescribed, medical history etc.

How Does it Work?

The National Health Policy of 2017 proposed National Digital Health Authority which in turn came with National Digital Health Blueprint in 2019. The later lead to National Digital Health Mission. Under the Mission, a Health Id will be given to the patients (data principals). It will be an app storing all their relevant health information. It will be linked to Digi Doctor and Health Facility Registry (HFR). The Consent Manager will take the consent from the data principal or patient to allow the flow of this information between systems. The Health Id will be in the form of mobile application created on the basis of person’s basic details, mobile and Aadhaar Number. The data principals have been given the access and decision-making powers over their data. They can register it, change it or delete it.

On entering hospital, the patient will scan the Health ID QR Code at the desk from his mobile app and hospital will immediately get all his medical details. The hospital will send a consent request to patient and till what time, such consent be given. The patient will choose what data to share and for how long should hospital have the access to such data. The doctors registered on the Digi Doctor will get the required details for the patient check-up. And patient will be accordingly referred to the said doctor who will require access to relevant medical data from the patient there as well. The medicines will be prescribed online and the details will be updated. The patient will have to again scan the Health ID QR Code at pharmacy to buy the prescribes medicines. The Health Facility Registry (HFR) will provide the names of the hospitals, dispensaries, clinics, labs and other health facilities across country for the convenience of citizens.

The NDHM is intended to digitize and improve the efficiency and transparency of health system in India to make it more accessible, convenient and citizen-centric. The patients will have remote access to their medical information, the private and public health facilities, consult medical professionals and receive better healthcare. Various concerns have been raised in relation to the Scheme such as privacy concerns, illiteracy, unavailability of mobile phones and that the Scheme will mostly benefit the urban population.

Privacy Concerns

The Scheme has raised various issues such as privacy and logistical concerns, portability concerns, concerns of medical and local communities etc. Among all of these, privacy concerns are the one to be primarily looked at. The Mission seeks to build a collaboration between govt. and private sector hospitals and other health facilities; hence the health data is vulnerable to commercial misuse and hacking. Although, the NDHM Data Management Policy contains provision for the anonymization of data. But the reports have shown that even after such anonymization of personal data, there has been results of targeted ads and insurance calls. In December (2017), the Maharashtra govt. reported the leakage of electronic medical records of some 35,000 patients from a lab because of unavailability of adequate protection measures. Sections 43 and 72 of the Information Technology Act provides for the protection of sensitive personal information. The section provides various procedures and standards to be followed. But §43 apply to only corporate bodies. While in NDHM, the data fiduciaries and data processors of medical data can also be public bodies. They can hence dispense with such provisions.

India doesn’t have any concrete law on privacy protection. Electronic Health Record Standards of Union Health Ministry are currently governing the electronic medical information. But the standards are flawed posing high risk of leakage of such information. The NDHM Data Management Policy doesn’t specify the exact procedure as to how they will own, store and process the medical information. The timelines to hold such information aren’t clearly defined. There is no mention of whether the patient can later made them to delete his/her medical data. There is a possibility of commercialization and selling of such data if proper safeguards are not followed. There are also chances of profiteering and foreign surveillance. When a huge amount of medical information is stored digitally in a central database, there are chances of leakage and data theft as we saw in Aadhaar. The leakage of such medical data can have serious socio-economic consequences such as social boycott of HIV patients etc. Two-third of the Indian population lives in rural areas. To avail the benefits of this Scheme, they don’t possess the necessary requirements such as smartphones, proper internet and mobile network, technology equipped health facilities, proper education to access digital information etc. The Scheme will hence only benefit the urban population. There is also a possibility of making the scheme mandatory which will hence exclude the major population having no access to aforesaid facilities. Although the medical data received will be deidentified and anonymized, but it can easily be reversed by comparing the data with voter Id and other details by the commercial agencies. Like Arogya Setu App, the data stored in NDHM App will be unsafe and vulnerable to hacking and misuse which will result into spam insurance and marketing calls, targeted aids etc.

The NDHM Health Data Management Policy stated that Aadhaar or any other document has to be used at the time of Health ID registration. But the Supreme Court has already limited the usage of Aadhaar and people are likely to use Aadhaar as their primary identity to be linked with Health ID. This makes the exercise very arbitrary. The Draft Policy is silent about the Consent Managers. Whether they will be private agencies or public ones; or digital systems, the policy doesn’t mention.

Conclusion

Although the Mission is very helpful and would make the medical system more efficient and transparent. But at the same time, its threats can’t be ignored. The Policy has raised various questions. With no concrete personal data protection legislation, the policy doesn’t talk about owning, storage and processing of data. It doesn’t talk about misuse, data theft, data leakage, penalties and remedies, etc. The Scheme works well on the paper. But it has unimaginable repercussions in reality.

References

Published by Aarif Nabi

Law Student and Judicial Aspirant

One thought on “NATIONAL DIGITAL HEALTH MISSION: PRIVACY ANALYSIS

Leave a comment

Design a site like this with WordPress.com
Get started