In his Independence Day speech on August 15, Prime Minister Narendra Modi announced that every Indian would get a health ID under the National Digital Health Mission. He said this would revolutionise healthcare in the country.

“Your every test, every illness, what doctors prescribed and when, your reports will be on a single health ID,” Modi said.

How exactly will digital health records help Indians access affordable healthcare? And how can the government ensure the privacy of citizens’ health data?

Advertisement

While the government has not offered any clear answers to the first question, it has released a draft Health Data Management Policy, which it claims would protect citizens’ health data by regulating its collection and storage.

The draft policy was announced on August 26 in a press statement by the National Health Authority, an agency that functions under the health ministry. It invited public comments on the draft till September 3. Facing criticism for providing a narrow window for public comments, the National Health Authority extended the deadline till September 10.

But a doctor and disability rights activist in the Delhi High Court filed a petition pointing out that the time period was inadequate: “healthcare workers are fully engrossed in management of the Covid-19 pandemic, and it is unreasonable to expect them to analyse and evaluate such a complex policy document within 15 days during such an extraordinary crisis.” Besides, India’s pre-legislative consultation policy mandates at least a 30-day window for public feedback, stated the petition, drafted by lawyers associated with the non-profit group, Internet Freedom Foundation.

Advertisement

The court on September 3 directed the Centre to deal with the grievances raised in the petition according to the law, rules and government policy applicable to the case. The next day, the National Health Authority extended the deadline for public comments till September 21, Dr Indu Bhushan, chief executive officer of the National Health Authority said in an email response to queries sent by Scroll.in.

The petition stated that the draft policy raises “complex issues which require expertise in multiple disciplines of computer science, law, public health and medical ethics.” What are some of these complex issues?

Here is what we know, based on conversations with privacy lawyers and health experts.

Advertisement

What is the National Digital Health Mission?

First, a quick recap.

In July 2018, the Niti Aayog released a proposal for what it called the National Health Stack – a digital system which allowed both public and private entities to access personal health records of citizens with their consent. To digitise the personal health records of Indians, it suggested the creation of individual health IDs, using the biometrics-based Aadhaar as one of the foundational IDs.

A committee formed by the health ministry followed up with the National Digital Health Blueprint in October 2019, outlining plans to create “a system of Electronic Health Records, based on international standards, which are easily accessible to the citizens and service providers based on citizen‐consent.”

Advertisement

It spoke of creating a “digital health ecosystem” which would allow the “seamless exchange” of these records.

It recommended that a special organisation be set up to implement these plans. This organisation is the National Digital Health Mission. It comes under the supervision of the National Health Authority, which was established to implement the Ayushman Bharat programme of the Modi government.

What is the Health Data Management Policy?

On August 26, the National Health Authority released a press statement to announce that it had drafted the Health Data Management Policy.

Advertisement

The objectives of the draft policy have been laid down as creating a system of digital personal and medical health records, which is voluntary and based on the consent of individuals, and which allows for the secure exchange of health data with enough privacy safeguards.

The document identifies individuals as “data principals” who would voluntarily acquire unique health IDs, which would be used to electronically store their personal health records.

The records would be generated by “health information providers” – hospitals, diagnostic centres, public health programs.

Advertisement

“Health information users” – for instance, insurance companies – will have to place requests to access these records.

Access would require the consent of individuals through “consent managers”.

The draft policy outlines a framework for obtaining individuals’ consent – both for the collection of personal health records, as well as for accessing them.

A doctor examines a baby at a mobile clinic in Ahmedabad. Credit: Amit Dave/Reuters

What is the need for a health data policy?

India does not yet have a data protection law. A bill is still pending in Parliament.

But privacy lawyers say leapfrogging over a law is a bad idea. The health data policy would create a parallel mechanism even before the data protection bill was enacted. “Not only is it bad for health data but the danger of this approach is that it will make the data protection bill and its overarching rules on general privacy, including health data, stillborn,” said Raman Chima, senior international counsel at Access Now, a digital rights non-profit, and chair of the Internet Freedom Foundation.

Advertisement

Besides, he pointed out a policy cannot create civil or criminal liabilities for those who violate it. “When it comes to health information, you want to be able to send a signalling effect because it is serious,” said Chima. “A policy document does not do that.”

In an email response to Scroll.in’s queries, Bhushan said it was incorrect to state that the policy did not have enough safeguards. “Numerous laws and relevant rules, and judgments of Hon’ble Supreme Court provide an adequate legal framework to ensure security and privacy and take action as per civil and/or criminal law,” he said. “Adequate safeguards have also been provided by way of the draft Health Data Management Policy. The provisions in the Personal Data Protection Bill, 2019 are also being implemented.”

What kind of data does the policy cover?

The draft policy defines electronic health records as “data in digital form, relevant to the wellness, health and healthcare of an individual...a collection of various medical records that get generated during any clinical encounter or events”.

Advertisement

The draft policy also extends to “sensitive personal data” which is defined as sex life, sexual orientation, transgender status, intersex status, caste, mental health, genetic and biometric data, religion and political affiliation, among others.

In a statement, the National Health Authority clarified: “The definition of term ‘sensitive personal data’ in the draft policy draws from Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 and Personal Data Protection (PDP) bill... However, nowhere in the operative section of the draft policy it is laid down that the said information will be called for.”

But privacy lawyers say the draft policy itself does not make this clear. “It doesn’t say there are going to be any prohibitions at all,” said Prasanna S, a lawyer who was among those who challenged the use of Aadhaar.

Advertisement

However, Bhushan claimed that the issue was being “misunderstood” and “misrepresented”. “Only limited information like name, year of birth, state, district is being asked for [generating health IDs],” he said. “No sensitive personal information, as has been portrayed in some media reports, is being asked for this purpose.”

Since the sharing of health data between patients and doctors is a regular feature of the health ecosystem, the definition of sensitive personal data has been incorporated so that the highest level of protection applicable to sensitive personal data is provided to such data/information,” he said. “The same should not be construed as an intent to collect any such data on the part of the NHA. It is for doctors to decide what information is to be sought and recorded.”

What is the role of Aadhaar in the policy?

The chief executive officer of the National Health Authority said in a recent interview that Aadhaar could not have served as a health ID since the Supreme Court’s judgement has limited its use.

Advertisement

But as the draft policy states, “Aadhaar number or any other document of identification as may be specified by the NHA” would be required to authenticate an individual’s identity at the time of creation of their health ID. Even though the draft clarifies that lack of an Aadhaar number would not prevent an individual from acquiring a health ID, Aadhaar is likely to be the primary document used by most people.

This means the health ID would be linked to an individual’s Aadhaar number, which creates a roundabout way for health records to be linked to Aadhaar, experts said.

“The idea behind the Supreme Court’s orders to clip Aadhaar’s wings was to ensure there is no scope creep,” said Prasanna. “That Aadhaar should not be used for random purposes that don’t even have an enabling legislation and was limited only to those benefits and subsidies strictly flowing from the consolidated fund of India. When you now use it for linking this new health system, it is by definition scope creep and that is exactly what the SC judgment militates against.”

Advertisement

In response to queries about the role of Aadhaar, Bhushan said that it was voluntary to use Aadhaar to enrol for a health ID and that this was permissible under Section 4 of the Aadhaar Act. “Therefore, it is not against the Supreme Court’s mandate or existing legal provisions regarding the use of Aadhaar,” he said.

Section 4 of the Act states that every Aadhaar number holder may voluntarily use it in a physical or online form for the purpose of authentication or offline verification if the entity performing the authentication is compliant with privacy and security standards, is permitted to offer authentication services and seeks authentication for a purpose prescribed by the Centre and in interest of the state.

A doctor takes samples for coronavirus immunoglobulin blood test at Government Medical College in Srinagar. Credit: PTI

Is participation in the digital health system voluntary as claimed?

The National Health Authority has already begun the pilot project of enrolling and issuing health IDs to citizens across six Union Territories in the country. Nearly 3,000 health IDs have been made, said Dr Indu Bhushan, chief executive officer of National Health Authority, in an interview to Indian Express on August 23. “I want to put this out in public that it’s voluntary,” Bhushan was quoted as saying in the interview.

Advertisement

However, in one such pilot project, doctors and their family members at the Postgraduate Institute of Medical Education and Research in Chandigarh were directed to enrol for health IDs mandatorily, according to a circular signed by the institute’s director on August 28.

“The registration for generating health IDs is mandatory for all the citizens of our country and Chandigarh Administration has also initiated the registration process…” the circular states.

In an email response to Scroll.in, Bhushan said that authorities were advised to not issue such orders or withdraw or amend such orders if they were already issued. He said that the institute in Chandigarh had modified the circular.

Advertisement

The modified circular dated September 4 states that registration for a health ID was a “purely voluntary exercise”.

What are the other concerns?

The petition filed in the Delhi High Court points out that the policy allows health service providers to share anonymised data in aggregated form for the purpose of research and policy formulation.

“The privacy implications of such data sharing require in-depth examination because there is growing consensus amongst technical experts that anonymised data can be reidentified if combined with other data sets,” states the petition. “For instance, researchers have found that 87% of the US population can be identified using only three data points: Zip code, birth date and gender.”

Advertisement

Chima also questioned the lack of clarity in the draft policy on “consent managers” who will be instrumental in obtaining the consent of individuals to access their personal data. “It is not clear who these entities will be,” he said. “Will they be private sector entities? What is their relationship to health data? How would it work?”

Responding to these questions, Bhushan said that the consent manager would be an “electronic system” and that the software service for this would be provided by the National Health Authority. But the authority was undecided on the role of private entities for this.

“The decision regarding the participation of private entities for the purposes of said services will be taken at the appropriate stage,” he said, adding that the Reserve Bank of India had created similar such “electronic consent managers” called account aggregators.

Advertisement

“Digital consent managers will only act as intermediaries for obtaining and transmitting consent between individuals and healthcare providers, they will not have access to any individual’s health records in this process,” Bhushan said.

What is the need for a digital health system?

Beyond the specific concerns around the draft policy, some experts are raising a more fundamental question: what is the need for the government to create a system of electronic health records?

In the interview to the Indian Express, Bhushan said the health records would ensure “patients will have greater information about the kind of treatment given”.

Advertisement

“Right now, if you look at any hospital, you would find people carrying their records in some file or some plastic bag … in tattered forms. Sometimes, these records are not fully there. The doctor doesn’t have the benefit of having the full picture of their medical history, so the treatment or the kind of test and diagnostics (they) recommend may not be most optimal,” he said.

However, health experts are not convinced. In an article in The Hindu, P Joy Oommen, a former chief secretary of Chhattisgarh and Dr KR Antony who headed the State Health Resource Centre in the state, pointed out the government already had health cards created under the Ayushman Bharat insurance scheme. “Currently, for pan-India portability or for determining insurance cover, these cards were good enough without the need for the entire medical history at any centralised platform,” they write.

Dr T Sundararaman, former director of the National Health Systems Resource Centre, an advisory body to the Union health ministry, said the digital health mission is designed for the benefit of the private sector. It would lead to the commercialisation of medical data, without expanding actual health services on the ground. He called the plan “wasteful”. “When you are not able to maintain a [medical] case sheet and to leap to this…it is a mismatch of priorities and it is not feasible,” he said.

Advertisement

Prasanna pointed out that there was “a near complete absence” of explanation by the government about the need for collecting health data.

“The most important data protection principle is minimal collection,” he said. “But because the draft puts the [need for] data collection beyond the realm of contestation, we are left to just argue on the smaller fruits of what happens to the collected data.”