The COVID-19 pandemic has shocked healthcare systems across the globe, exposing and heightening the flaws in the existing systems. It has disproportionately impacted countries with improper and unequal access to health services, who were faced with compounded problems in fragmented healthcare systems. It is important now more than ever to set up a more integrated and well-functioning healthcare system.
India, a developing country, is not only the second most populous country, but also comprises of a rural population that struggles with information gaps, inadequate access to affordable, inclusive, efficient and quality healthcare services. These issues are compounded when dealing with a global pandemic. With this, issues around improving the state of healthcare systems has come to the forefront. improving the healthcare system will have a direct impact on the welfare of the population by reducing social inequities and poverty. While universal healthcare may be a distant dream, ensuring adequate access to quality and affordable healthcare services to citizens without the risk of financial hardship is critical.
India’s first attempt towards this is through its ambitious National Digital Health Mission (NDHM) which was announced on its 74th Independence Day, in an attempt to improve medical infrastructure by digitising and integrating the medical records of individuals.
The NDMH traces back to National Health Policy, 2017. The vision for the policy was cemented with the release of the National Digital Health blueprint which aims to create a citizen-centric, universal healthcare system to improve accessibility and inclusivity leveraging the power of technology. The blueprint recommended the establishment of the NDHM, a governmental authority with functional autonomy, which ill implement the scheme under the supervision of the National Health Authority, a body initially set up to implement the Ayushman Bharat program. The NDHM aims to create a digital ecosystem for healthcare data through the creation of personal digital health IDs, unique identifiers for doctors and health facilities and seamless exchange of personal health records with the consent of the individual.
On August 26th 2020, The draft Health Data Management Policy was released. The Policy seeks to create a voluntary-based system of digital personal and medical health records centred around the consent of individuals. The key feature of this scheme is to integrate fragmented personal data using digital technology to create a health ecosystem. The draft policy introduces the Health ID, a unique 14-digit number that can be generated on the NDHM website, that will act as a digital storehouse for an individual’s health records. The digitally stored health records include, but are not limited to treatment history, doctor’s visits, diseases and medicine prescribed.
The policy is envisaged to benefit India’s fragmented health system by integrating health data and allowing for greater ease and convenience. Regrettably, the draft policy has received widespread criticism centred around potential breach of privacy, concerns about large scale data breaches, and health surveillance.
The first point of concern is that the draft policy is vague on the limitations or prohibitions of personal data that the Health ID would store. It states that “data” not only includes “data relevant to the wellness, health and healthcare of an individual.” but also extends to “sensitive personal data”, derived from the definition in the Data Protection Bill, 2019, which includes sex life, sexual orientation, transgender status, intersex status, caste, mental health, genetic and biometric data, religion and political affiliation, among others. Sensitive personal information in the wrong hands could potentially expose vulnerable sections of our society to various forms of exploitation. Information, if leaked, that could potentially harm sexual minorities, people with disabilities, women and other minorities. Without clarity on the limitations of the data that can be stored, the policy could be more detrimental than beneficial.
The draft policy even allows sharing of anonymised health data with third parties for research and policymaking. Sharing anonymised healthcare data is also disconcerting because of the likelihood that the data could be traced back to the individuals. Consequently, allowing sharing of anonymised data runs the risk of commercialisation or commoditisation of health data.
Technology enabling the collection and use of data have allowed data-centric business models to emerge that offer significant consumer benefit. The trade-off for innovation, convenience and consumer benefit is privacy and data. Which brings us to the second point of concern – the high-risk, low-return trade off of privacy. Despite the rise of data-centric business models across the globe, alarmingly, only 66% of the nations in the world safeguard people’s data and privacy. India is part of the 34% that does not safeguard people’s data and privacy because it still does not have data protection laws. Building the largest centralised health ID and data storage in the world in the absence of adequate protection is precarious.
Officials have released clarifications reinforcing that the scheme would go hand-in-hand with provisions of the yet-to-be-passed Data Protection Bill, however, addressing serious privacy concerns with connections to a data protection bill that is yet to be passed is dangerous. The safeguards provided in the draft bill are inadequate to deal with the nuances of personal health information. And based on past patterns, privacy breaches have been a problem for other government programs like Aadhaar wherein multiple security lapses and data breaches have exposed millions of citizens’ sensitive personal information. For instance, in 2018, the Aadhaar database reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens. This data was exposed and sold on various dark web lists. Between August 2017 and January 2018, Aadhaar numbers, names, physical and e-mail addresses, phone numbers and photos of almost 1.1 billion registered citizens were found susceptible to data breaches. Not only are these breaches incredibly concerning, but the government inaction to reinforce safeguards and add additional security measures following these incidents are all the more concerning. The high risk of exposing the health data of millions of citizens in exchange for convenience or ease is not worth the trade-off. Therefore, until these previous issues are ironed out completely and a robust data protection policy is in place, the NDHM should be a secondary priority for the government. Access to quality and affordable healthcare is the need of the hour, and that should also be the primary priority of the government.
Another significant challenge that the draft policy poses is that is lacks consideration – of internet accessibility across non-urban areas and of digital illiteracy. At present, India does not have the necessary telecom, or medical infrastructure to be able to execute this policy effectively. Almost 50% of India does not have access to the internet. While the internet penetration rate has increased steadily since 2015, an internet penetration rate of 50% means that this policy ignores the needs of half the population.
Digital illiteracy is set to pose a critical challenge since consent is the foundation of this policy. An individual’s consent is a prerequisite to access their health data. However, people’s vulnerabilities while seeking health services could be misused to get consent. Vulnerable sections of society would be disproportionately affected since consent could be obtained in desperation or through ignorance, which is why informed consent must be a prerequisite to ensure adequate protection of a vulnerable individual’s privacy. Considering that a large proportion of India’s population will be unable to gain the benefits of the policy, it reinforces the need to delay the policy until the necessary legislative, institutional and infrastructural requirements are accomplished.
While the policy has potential to benefit individuals, the trade-off is too high a price to pay, especially in the absence of established data protection laws. Curiously, once the draft policy was released to the public, only one week was initially given for comments and feedback. After public criticism, the deadline was extended by a mere 11 days. Customarily, the public is given 1-3 months to give comments and feedback. The time given to comment on complex data storing infrastructure with far-reaching implications for individual privacy: one week. Which brings us to question, why is the government attempting to effectuate this policy in haste?
A policy of this nature necessitates in-depth consultations and deliberations with legal professionals, computer science experts and health experts, more public discourse and effective governance strategies to execute it effectively. At a period in time when there are more pressing and serious concerns that demand government attention and investment, focus must be diverted towards developing the necessary legislative, institutional and infrastructural requirements that necessitate change. While a digital health policy may be an aim for the government, the policy demands deliberate and thoughtful execution for successful implementation. Improper implementation of the policy is likely to have detrimental effects. Without adequate safeguards, individuals as well as the government must tread with caution.