Technology could improve access to healthcare but stringent data protection measures must safeguard people’s health records
This piece is part of the series, Sustainable Development in the Indo-Pacific
The growth of digital health, or the integration of digital technologies to strengthen healthcare systems, has been highly uneven across the Indo-Pacific. This poses a challenge as the ageing population and demand for access to care increase in this region. Even as Information and Communications Technologies (ICTs) are increasingly being used to combat disease, promote telemedicine, and spur innovation in the med-tech industry, there is an urgent need to focus on first principles and ensure the in-country digitalisation of health records, the security and confidentiality of health data, and data interoperability within digital health ecosystems.
In this context, the present article briefly studies the experiences of India, Taiwan, and Australia—three Indo-Pacific countries that are at very different stages of implementing systems of unique health identifiers (IDs) for their citizens. Collectively, the three cases demonstrate the need to balance the idea of improved access to healthcare with stringent national data protection measures.
The Ayushman Bharat Digital Mission (ABDM), launched by Prime Minister Modi in September 2021, aims to build a robust digital health infrastructure for India that will increase equitable access to health services, improve health outcomes, and reduce costs. The centrepiece of the ABDM is the development of a unique 14-digit health ID for citizens that is expected to act as a health account to which their personal health records can be linked. Access to a patient’s retrospective medical history is expected to result in better diagnoses; and purportedly, a patient’s data will only be viewed by doctors and healthcare service providers with the patient’s express consent.
In the absence of a privacy and data protection law in India, however, the potential security of personal data linked to the new ID has become a matter of controversy. There are no clear guidelines yet on how health data will be collected, stored, and shared. The NITI Aayog’s draft Data Empowerment Protection Architecture (DEPA) proposes a mechanism for individuals to allow third parties to access their data via intermediary ‘consent managers’. But the DEPA is oriented chiefly towards the needs of the financial services space, and hasty attempts to apply it to the healthcare sector may fail to meet data protection norms.
Access to a patient’s retrospective medical history is expected to result in better diagnoses; and purportedly, a patient’s data will only be viewed by doctors and healthcare service providers with the patient’s express consent.
The lack of clarity about data management related to the new health ID has already had unsettling consequences. People registering for their COVID vaccination on the CoWin platform have been surprised to learn that their Aadhar details have been used without their informed consent to populate parts of the government’s incipient health ID database.
Since 2015, Taiwan’s strong Personal Data Protection Act (PDPA) has provided the governing framework for the security and management of personal data. For the PDPA, ‘personal data’ includes private information, ID card numbers, and medical records. In fact, medical records and health examinations are classified as ‘sensitive personal data’ and accorded special protection.
The importance Taiwan attaches to the issue is evident from the fact that in January 2021, its government withdrew from a US $171-million local trial of a new digital identity card, the eID, due to concerns over information security. The new eID had been designed to fuse Taiwan’s existing digital IDs—including health IDs, the National Health Insurance (NHI) card, and other forms of identification—with Citizen Digital Certificates, and was meant to allow online access to government services.
Halting the eID roll-out until stronger data protection measures are adopted is an extraordinarily progressive move for a country that already has a successful history of implementing health ID projects at scale, and has invested heavily over a period of 25 years to establish an advanced digital health ecosystem.
The Taiwanese government’s position has been that the distribution of the eID should remain suspended until a new legislation—or amendments to the PDPA—further enhances privacy and helps protect personal data from cyber attacks. It has also stated that the new legislation should cover the security of unique digital IDs and related processes in much greater detail. Halting the eID roll-out until stronger data protection measures are adopted is an extraordinarily progressive move for a country that already has a successful history of implementing health ID projects at scale, and has invested heavily over a period of 25 years to establish an advanced digital health ecosystem.
For over a decade now, Australia has had a robust health ID system, which is backed by a long-standing privacy and data protection law. According to the country’s Privacy Act of 1988, ‘sensitive information’ is defined to include information about an individual’s ‘health, genetics, and biometrics’, and is granted special protection.
Australia’s unique health ID for citizens—a 16-digit number called the Individual Healthcare Identifier (IHI)—was launched in 2010, and aims to ‘help healthcare providers accurately communicate information with each other and identify and access patient records in the ‘My Health Record’ system’. The link between the IHIs and ‘My Health Record’ data ensures that health records are matched with the right patient, and that the information referenced with the IHI is complete, accurate, and accessible with the patient’s explicit or implied consent at her point of service.
A striking feature of the IHI programme is its layered system of checks and balances for maximising data security. Apart from the foundational Privacy Act, the IHI system is supported by the Healthcare Identifiers (HI) Act of 2010 that provides a legal, national mechanism for assigning and administering unique health IDs. The Office of the Australian Information Commissioner (OAIC), in turn, acts as the independent regulator for the privacy aspects of the HI Act and the My Health Record e-database. Finally, the country’s National Digital Health Strategy looks upon the ‘secure exchange of health information’ as a strategic priority. It has ensured that most Australians have a My Health Record by 2018, and seeks to enable both inter-provider and patient–provider communications through secure digital channels by 2022.
Cooperation in the Indo-Pacific today tends to take the form of either issue-based coalitions, focused capacity-building efforts, or like-minded countries working in bilateral, minilateral, or plurilateral formats. As more countries in the region look to launch or upscale digital health initiatives, strategic collaborations that focus on the intersection of tech and data security could prove to be transformational.
The cases of India, Taiwan, and Australia represent three different stages of evolution in the deployment of unique health IDs. India has embarked upon an ambitious programme without the necessary data protection laws or safeguards in place. Taiwan has a mature legal and digital infrastructure, but has chosen to pause, take stock, and re-engineer its systems for the better, whereas Australia continues to build steadily on an advanced digital health ecosystem, supported by far-sighted data privacy laws.
It would be productive for an Indo-Pacific network consisting of these and other countries to share knowledge and good practices related to the management of health data. Ultimately, the members of such a network could jointly develop a standardised data-sharing framework to help countries strengthen their own data-sharing models and provide a template for others taking their first steps in the digital health space. Moreover, this would also contribute towards the achievement of Sustainable Development Goal 3—promoting good health and well-being—across the region.
The Indo-Pacific Centre for Health Security funded by the Australian government supports projects that seek to anticipate, avert and arrest infectious diseases. The Asia Pacific Medical Technology Association (APACMed) supports innovations and advances in the medical devices and in-vitro diagnostics industry.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.
Anirban Sarma is Deputy Director of ORF Kolkata and a Senior Fellow at ORF’s Centre for New Economic Diplomacy. He is also Chair of the ...
Read More +
PREV