The Covid-19 pandemic has upended several datafication approaches to healthcare, whether it is digital dashboards at the state-level to track and trace Covid-19 hotspots or a myriad of contact tracing apps that allow citizens to determine their exposure levels to the virus in a geographic .
There have been manifold applications over the last few months, whether it is telemedicine practice by doctors or the Delhi government’s real-time information tracking application on hospital beds. In the context of the pandemic, AI-based techniques are being used on a myriad of datasets, right from cough patterns to lung X-rays, to aid in early detection.
While India is still in its nascent stages in the evolution of its health data ecosystem and does battle larger capacity constraints in healthcare, it is important to diagnose some of the early challenges in the health data systems design. This article outlines them here from a regulatory standpoint along with looking at a few fixes that can herald a sound federated health data protection architecture.
The current stasis of health data
Healthcare data in India is fairly fragmented and scattered, given that citizens’ interactions range across multiple diagnostic centres, hospitals, medical practitioners and pharmacies. There are also several distinct parts in the delivery chain, whether it’s insurance agents, third-party administrators (TPAs) or intermediaries such as ASHA workers. The issues of fragmentation are acknowledged by the Health Ministry in its electronic health record (EHR) standards document of 2016, which looks at the digitisation of workflows in healthcare systems. The development of IT systems without a modicum of interoperability (i.e., the ability of a hospital system X to communicate with system Y in a different location) has led to redundancies, with static silos of data repositories springing up.
Developing such enterprise architecture systems in healthcare has been a challenge, even in developed nations, as seen with the National Health Service (NHS) ‘Connecting for Health’ efforts in the UK that were abandoned after seven years of existence. The key reason for the failure of the British system was attributed to its highly top-down nature and lack of any ground-up apparatus.
The ‘open health’ data ecosystem
A digital public infrastructure-industry complex in India can be associated with the non-profit tech organisation iSPIRT, as it has been closely involved in the development of digital public platforms around ‘India Stack’ (a set of APIs that helped build a cashless economy) and the Bharat Health Stack, dubbed the ‘UPI of healthcare’, with a planned system incorporating open APIs for EHRs. Commendably, iSPIRT has been organising a series of virtual open house discussions over the last few weeks to provide a transparent account of the underpinnings behind this health stack.
There are several design features that we see in common between the Unified Payment Interface (UPI) and the early patchwork of the health stack. Open APIs, distinct consent and data layers (dubbed as a ‘data empowerment and protection architecture’) and sandbox testing environments are some features that can be seen in both the system designs. The National Health Stack strategy document put out by Niti Aayog draws references to the past successes of federated digital initiatives such as UPI and the GSTN as an inspiration to building a platform approach on health records. However, several NGOs do bat for ‘open source’ to co-exist along with open standards and open APIs as necessary design choices for the development of open digital ecosystems.
First principles for health data systems
What are some first principles that we must keep in mind for governing health systems that are linked to public welfare? Do patients have agency over the access and use of health records by third parties? Would an algorithmic basis for EHR see individuals’ credit scores integrated on it as well? These are fundamental questions to consider if we are to futureproof the development of the Digital Health policy blueprint.
While the health stack has stressed the importance of data ownership by patients, the absence of a rights-based framework governing healthcare data (as a class of sensitive personal data) does warrant us to interrogate the role of ownership. This is especially important given the context of prevalent data divides and digital literacy challenges. In this regard, a Digital Empowerment Foundation (DEF) study tells us that for about 90% of India’s population, digital literacy is almost non-existent.
Where such data awareness paradigms are scarcely socialised, data capture gets legitimised with the emergence of consent manager models, where fiduciaries manage consent on the data subject’s behalf. As EHR adoption in India is still at nascent levels, the implementation of an ethical datafication model is critical, especially amid underserved communities.
State of play in health data
Whilst we are still amidst a process to get a personal data protection law passed, there have been some initial efforts towards building a privacy framework for the healthcare sector. The Health Ministry had proposed a ‘Digital Information Security in Healthcare Act’ in 2018 that would enforce privacy and security standards for EHRs. This bill has now been subsumed into a more sector-agnostic framework driven by MeitY with the Personal Data Protection (PDP) Bill, which looks at what constitutes personal health records, decision-making powers on health data and penalties for breach of consent.
The Bill doesn’t speak of the “right to be forgotten” of a patient, or offer clarity on how a health stack built with a biometric authentication (Aadhaar) layer would solve for concerns around anonymity, especially as health data is categorised as sensitive personal data. Consent in healthcare is associated with a higher threshold level (especially on data sharing with third parties), as seen with how clinical trials are governed the world over.
Prescription for moving towards a sound health governance design paradigm
As the adoption of EHRs becomes imperative amid a glut of information challenges (both the ones linked to Covid-19 and those preceding it), there are three fundamental fixes we should prescribe for a “plan-centric” health governance design.
Firstly, improving interoperability by better data integration and harmonisation, such as the synthesis of twenty-odd ISO standards into a more context-laden open standard that incorporates local clinical terminologies. Data portability is critical as there are healthcare institutions split between using different standards (such as SNOMED CT and ICD-10) or, in some cases, no specific standards at all. While the Ministry of Health has veered towards adopting SNOMED CT in the National Digital Health Blueprint, it must ensure seamless data portability to allow interaction mechanisms with institutions that may still use ICD-10. The NHS ‘Connecting for Health’ experience also forebodes the need for India to de-risk by avoiding the development of a singular central registry and to focus rather on a multi-level hierarchy of EHRs.
Second, the building blocks of the digital ecosystem around the Bharat Health Stack must be inclusive in accommodating patient rights organisations such as the ‘Jan Swasthya Abhiyan.’ The need to involve patient rights groups is imperative at this juncture, as patient data is at the heart of digital health databases. Data rights should be defined bearing in mind the patient, not the hospital, as the key focus. Moreover, health data fiduciaries should bear greater responsibility in improving the readability and accessibility of consent forms by allowing for these mechanisms to be available in vernacular languages. The onus should lie squarely on these fiduciaries to provide notices in multiple languages and empower citizens to better understand what they consent to.
Finally, how we build lean datafication approaches in healthcare lies in our ability to find the right balance on privacy, transparency and development. As Justice B.N. Srikrishna, who chaired the data protection committee, rightly notes, each data collection exercise should provide a clear purpose description and lay out a methodology for procuring the data. The Personal Data Protection Bill of 2019 currently under consideration does place the burden of proof for consent on the data fiduciary. However, the recently notified Telemedicine Practice Guidelines 2020 don’t provide adequate clarity on preserving consent records. Anonymity is essential for data that is going to be classified as ‘sensitive personal data’, as are safeguards around strict purpose limitation and allowing data processing in a fair and transparent manner. Several of these principles are echoed in the Data Access and Sharing Protocol of the contact tracing app, Aarogya Setu, that came out in May 2020.
This balance between the protection of personal privacy and providing transparency and accountability for the institutions that govern this data (whether consent managers or data exchanges), whilst ensuring the empowerment of the individual, is at the heart of setting a prudent, appropriate, federated rights-based design for healthcare data protection.
The views expressed above belong to the author(s).