What does the draft ‘National Health Data Management Policy’ contain?
Sai Krishna Muthyanolla
September 3, 2020
The Government released the draft ‘National Health Data Management Policy’ for public feedback & comments. What are the major provisions of the policy? What kind of concerns have been raised about the policy? What has been the experience of other countries with similar projects?
The National Health Authority (NHA) released the Draft National Health Data Management Policy on 26 August 2020 for comments and feedback from the public. It is available for comments till 03 September 2020. The Chief Executive Officer of NHA, which is the implementing authority of the Centre’s Ayushman Bharat- Pradhan Mantri Jan Arogya Yojana (AB PM-JAY) and the National Digital Health Mission (NDHM)  stated, ‘The Draft Health Data Management Policy is the maiden step in realizing NDHM’s guiding principle of Security and Privacy by Design for the protection of individuals’ data privacy. It encompasses various aspects pertaining to health data like data privacy, consent management, data sharing & protection etc.’
National Digital Health Mission launched by Narendra Modi on 15 August 2020
While addressing the nation on the 74 Independence Day of India from the ramparts of Red Fort, Prime Minister Narendra Modi launched the National Digital Health Mission (NDHM) under which a digital health ID would be created for all Indians. As per the stated objective, the health ID would work like a health account, containing details of every test, every disease, doctors visited, medicines taken, and diagnosis, he said. The ID card would be linked to the Aadhar or mobile number.
All health records of an individual would be stacked at one place
NDHM is a project of the Government of India which emanates from the National Health Policy of 2017 that proposed to digitize the entire healthcare system of India to overcome inefficiencies. Under this mission, the government also intends to put all health-related information of an individual at one place in addition to other objectives. As per the stated objectives,  instead of restricting the health records of a person to just the health facility where they undergo treatment, electronic health records of individuals can now be accessed from anywhere in the country digitally. Additionally, a repository for doctors and health facilities will also be available in the scheme of things.
The draft policy talks about collection, processing, and management of health information under NDHM
To achieve the stated objectives, confidential health data will be collected from individuals across the country and stored at multiple levels- Central, State/Union Territory, and at the health facility level. To ensure that the data is protected, and privacy is maintained, the government has formulated the draft health data management policy which lays down guidelines on how to collect, maintain, process, and utilize the information of patients collected under NDHM for the health IDs. The policy has come at a time when India’s personal data protection law is yet to see the light of the day.
Religious belief & political affiliation among personal sensitive data that could be collected
The policy permits hospitals, diagnostic centres, and other entities, known as data fiduciaries, to collect personal or sensitive personal data as specified in the policy. Sensitive personal data, among others, include a person’s physical, physiological, and mental health data, financial information such as bank account or card details, sex life, sexual orientation, medical records and history, biometric data, and genetic data. Other information which can be collected under this head include transgender status, intersex status, caste or tribe, and religious or political belief or affiliation.
Enrolment in the mission is voluntary and consent is must
According to the draft policy, those who opt to avail the health ID card, also referred to as data principals in the document, are given the complete control and decision-making power over how their personal data is collected and processed. Any personal data or sensitive personal data can be collected only after the consent of the individual. Individuals also have the right to revoke the consent or restrict sharing of any personal data at any time.
However, for the creation of Health ID, Health Practitioner ID or Health Facility ID, only such data should be collected which is essential for identification and authentication of data principal (individual), health practitioner, or health facility. Any personal or sensitive data which is not essential for this purpose shall not be processed for creating the ID, the policy states.
Privacy note should be shared with individuals not only while enrolment, but also when it is modified
Individuals must be given a clear and conspicuous privacy note by the data fiduciaries before collecting the information, at the time when privacy policies or procedures are changed, and also before further processing for any previously unidentified purpose.
Before engaging with any data processor, fiduciary must conduct appropriate due diligence covering data privacy and security and shall engage with them only after entering into a contract. The data fiduciary will also have confidentiality agreements and non-disclosure agreements. Regular audits by independent auditors approved by the Central Government should be carried out at least once every year to ensure compliance.
Any data processed under this policy should not be made public. In case it is being used for clinical or academical research, statistical analysis, policy formulation, etc., the data must be anonymized or de-identified in an aggregated form.
Data Protection Officer should be appointed for individuals to get in touch with
Those institutions with access to the data under NDHM must have a designated Data Protection Officer (DPO) whose details should be put up on the website. Individuals who have queries must be able to approach the DPO.
The data fiduciaries are expected to formulate and implement a ‘personal data breach management mechanism’ to make sure that any instances of violation or non-compliance, including unauthorized or accidental disclosure, sharing, alteration, destruction or use of personal data get promptly reported to the NHA and other relevant entities. NHA should formulate and implement procedures to ‘identify, track, review and investigate’ such incidents and maintain a record of these instances along with the action taken.
In case of any incident of data breach, the person responsible for it will be liable in accordance with the provisions of applicable law. Failure to comply with the policy, will also result in action such as termination of service of employees, or dismissal of volunteers/interns of such entities, termination of contracts with data processor entered into by such entities.
The draft policy raises multiple issues
The draft policy has been criticized by multiple sections. While some feel that the policy is about more about data than about health, others feel that this could be a step towards greater privatization of health care.  The time given for submitting comments & feedback is also too short (just seven days) and this has also been highlighted by some. The Internet Freedom Foundation has also filed a petition in the Delhi High Court on the draft policy.
On the other hand, the Union Health Minister Dr. Harsh Vardhan in his article in The New Indian Express, expressed hope that this has the potential to radically change the country’s health landscape. He went onto say that this could be an important step towards achieving United Nations’ Sustainable Development Goal of Universal Health Coverage by covering financial risk protection, increasing access to quality essential healthcare services, medicines, and vaccines for all.
However, in the absence of a strong data protection & privacy legislation, the policy raises more concerns about the implementation & data privacy aspects.
A similar initiative in Australia was criticized widely
‘My Health Record’ is a similar initiative launched in Australia in 2012, that provides an online summary of an individual’s key health information which the doctors can be given access to. Currently, there are over 22.81 million records in the portal. The system was criticized for multiple reasons such as parameters of access were not clear, concerns about data privacy, a coercive model etc. The Australian National Audit Office also audited the scheme and raised certain concerns about the management of cyber security & privacy risks. Civil Society organizations have also raised concerns around transparency in the usage of this data. Another  major concern was about automatic enrolment in the scheme. It led to a situation where only those who knew how to opt out could do so. The Australian government maintains that more than 90% of the eligible population participated in the scheme while only around 10% opted out.
Data breach and misuse warned in US
In the US, Health Insurance Portability and Accountability Act (HIPAA) became a legislation in 1996 to protect health information. In 2009, The Health Information Technology for Economic and Clinical Health Act (HITECH) came into effect to convince healthcare providers to use Electronic Health Records (EHR) which would make sharing patient’s health information simpler. The Breach Notification Rule which also came in 2009 mandates that information about any breach affecting more than 500 persons should be reported to individuals affected, prominent media outlets and also to the federal government. As an attempt to fill the gaps in these rules, in 2013, the first Omnibus rule came into effect which specified encryption standards for EHRs and new policies for healthcare workers using tablets and phones to use and access protected health information. However, in 2018, scientists showed that they could take a large dataset of health, remove the protected health information and use machine learning to re-identify 95% of adults and 80% of children, indicating that the information was vulnerable to attach and misuse.
What this means is, even in technologically countries with digital health record projects, there have been multiple issues in the implementation.
Featured Image: National Health Data Management Policy