National Digital Health Mission and Data Protection Concerns

With the launch of National Digital Health Mission (NDHM) under the Ayushman Bharat Pradhan Mantri Jan Arogya Yojana on the 74th Indian Independence Day, the new scheme under this mission will enable every Indian citizen with a health ID card. This ID card will have confidential medical data containing prescriptions, diagnostic reports and discharge summaries, stored in digital format.

The various digital systems involved in this mission are as follows: –

• HealthID- A unique Aadhaar-like health ID will be given to every individual to access their medical records.
• DigiDoctor- It will contain all the details of the doctors registered in the country including their professional experience and specialization details along with registration number.
• Health Facility Registry (HFR)- It will include all the health facilities such as hospitals would be registered into the system with all details such as services offered, specialties, etc.
• Personal Health Records (PHR)- The health records which will be in control of the individuals will be stored in this system. This is specifically for the individuals themselves to enable them to manage the critical information about their health.
• Electronic Medical Records (EMR)- This is like the digital chart of a patient’s medical history, treatment records, etc.
• e-Pharmacy- It will take orders online and deliver the medicines to the patients. This is yet to be launched.
• Telemedicine- It will provide medical care to the patients remotely including diagnosis and treatment with the help of telecommunications technology. This is yet to be launched.

Since the health-related data will be stored in federated architecture on the individual servers of hospitals, it becomes critical to ensure the data protection for maintaining its confidentiality and avoiding any possible breach. However, India has still not brought into force any specific Data Protection law like Health Insurance Portability and Accountability Act (HIPAA) of USA to develop regulations protecting the privacy and security of certain health information.

There are two draft legislations: one, the Personal Data Protection Bill 2019 (PDPB) which is pending in the Parliament of India and is sector agnostic and, second, draft Digital Information Security in Healthcare Act (DISHA) which is draft put out by Health Ministry and is especially for sharing of healthcare data.

Patient-related data will also have implications in terms of personally identifiable information (PII) as it will invoke various laws such as General Data Protection Regulation (GDPR) but its territorial scope is also limited to European Union (EU).

India has also not yet enacted specific and full-fledged legislation on data protection. Of course, the Parliament of India had amended the Information Technology Act (2000) (“IT Act”) to include specific section 43A, but it only includes corporates and not individuals regarding compensation for failure to protect data.

With the unavailability of information security laws related to healthcare in India, the following could be the repercussions or could lead to violation to the mandatory requirements: –

1. High Probability of Data Breach– The data breach occurs when any person or corporate generates, collects, stores, transmits or discloses digital health information in contravention to the provisions or standards laid down.
2. Data Integrity Issues- Data integrity will ensure accuracy of data but the issues arising due to unavailability of defined procedures and laws could lead to intentional or unintentional errors, including unintended data alterations and compromise during transfer from one system to another.
3. Data Ownership and Standardization Issues- An owner shall have the right to give, refuse or withdraw consent for the storage and transmission of digital health data. In terms of standardization, it is very important to transform the data before loading it to the target system.
4. Data Normalization Issues- Data Normalization is done to reduce data redundancy and improve data integrity. In view of unavailability of such laws, it could bring redundancy as data could exist in multiple forms. Data normalization issues could lead to security failures and the design flaws may increase the risk of data evasion.
5. Data Collection, Storage and Transmission Challenges- The purpose of data generation, collection, storage and transmission is to facilitate health and clinical research and health care quality. But the unavailability of data protection and information security laws (for maintaining CIA- confidentiality, Integrity and Availability) could lead to collection of data without informing the owner, lack of privacy controls while storing in cloud and transmitting the data without the consent of the owner.
6. Illegal Data selling and Theft- Unavailability of appropriate laws could lead to incidents where digital health data is acquired or accessed without proper authorization. For example, monetizing the patient data for the purpose of research and innovation may also be misused by its illegal selling without the knowledge of the patient, thereby, leaking his sensitive data amounting to the violation of data privacy.
7. Data Quality Issues- There could be the following data quality issues that can be encountered without the proper laws in place:

• Duplicated data– Repeated data making it difficult to uniquely identify the record;
• Inconsistent data formats– Storing same data in multiple tables from different data sources;
• Inaccurate data– Either the data is obsolete or has errors in it;
• Excessive data– Unusable or unrequired data could be waste of storage and cost;
• Poorly Defined data– Causes misunderstanding around the proper methodology for data management.

Summary:

There is no doubt that NDHM launched will significantly improve the efficiency, effectiveness, and transparency of health services delivery including building a paperless system and will facilitate online consultation with the doctors. But data protection and privacy are the keys to the success of this mission. It is imperative to enforce the Digital Information Security in Healthcare Act (DISHA) and Personal Data Protection Bill 2019 (PDPB) immediately so that the above repercussions can be controlled for revolutionizing the health sector in India with the help of technology.

Acknowledgments and References:

• https://government.economictimes.indiatimes.com/news/healthcare/national-digital-health-mission-heres-all-you-need-to-know/77564961
• https://www.livemint.com/news/india/pm-modi-launches-national-digital-health-mission-11597467562654.html
• https://timesofindia.indiatimes.com/blogs/voices/data-privacy-aarogya-setu-covid-19-app/
• https://www.nhp.gov.in/NHPfiles/R_4179_1521627488625_0.pdf
• https://indiankanoon.org/doc/76191164/

Views expressed in this article are my own