Health Data Management Policy under the National Digital Health Mission — An Analysis

Aashir Sutar
Published in Moveo, Sep 12, 2020


The announcement launching the National Digital Health Mission by the Prime Minister in his speech on August 15, 2020, marked the first step towards actualising the potential of the digital ecosystem to provide systemic linkages between the various levels of care (viz., primary, secondary and tertiary) in order to ensure continuity of care, and the delivery of better health outcomes in terms of access, quality, affordability, lowering of disease burden and efficient monitoring of health entitlements to citizens. The journey began with the Centre introducing a draft Health Data Management Policy (HDMP) on August 26, 2020, which was released to the public for comments and feedback. This article aims to bring out some key insights and critical questions on the draft of the policy released by the government.

Health Data Management Policy Layout

One of the key highlights of this policy is the list of the stakeholders and entities to which this policy is applicable. It includes not just individuals, medical practitioners, healthcare providers, and regulatory bodies but also expands the applicability to charitable institutions, insurers, central and state governments, pharmaceutical companies, and public and private research bodies pertaining to healthcare. The inclusion of such a diverse set of stakeholders and entities brings about its own sets of challenges despite the visionary approach of an all-encompassing umbrella policy, especially in the regulatory aspects. Some of the points on these challenges are discussed further in this article.

Stakeholder Mapping for Health Data Management Policy

The Consent Framework forms a large and important part of the HDMP. This section defines the boundary conditions in relation to the collecting and processing of personal or sensitive personal data, the methodology to be implemented for permissions and notification of consent, and the rights of data principals. A recurring term in the consent framework is ‘Data Fiduciaries’.

As per the definition specified in the policy, “data fiduciary” means any person, including the State, a company, any juristic entity or any individual who alone, or in conjunction with others, determines the purpose and means of processing of personal data. For the purpose of this Policy, data fiduciaries include Health Information Providers and Health Information Users.

The term ‘data fiduciary’ first appears in a consultation document titled “National Health Stack — Strategy and Approach” drafted by the NITI Aayog. This document was one of the policy initiatives taken up by the NITI Aayog towards scaling up efforts towards achieving universal health coverage in India. The data fiduciaries are trustees that shall facilitate consent-driven interaction between entities that generate the health data and entities that want to consume the PHR for delivering better services to the individual. With the HDMP including Health Information Providers (Hospitals, Labs, Health Apps) and Health Information Users (Hospital, Doctor/Specialist, Insurance Provider, Personal Health Apps) into the foray, the task of defining and regulating the ‘consented’ collection and processing of personal health records.

Role of the Health Data Fiduciary is central to the success of the collection and processing of electronic health records and other data points. Image Source: NITI Aayog: National Health Stack — Strategy and Approach.

Information asymmetry is vital for sustained competitive advantage in a market ecosystem. Whilst a majority of personal health apps and health insurance providers are private players, it is essential to create mechanisms to safeguard electronic health records (EHR) data. It is imperative that regulatory bodies of companies (SEBI, Competition Commission of India) and other industry bodies come together and work with the National Health Authority to ensure that private entities including pharmaceutical companies, medical device manufacturers, healthcare app providers, diagnostic centres, and insurance providers do not take undue advantage of the new health data management system. An explosion of healthcare data has serious repercussions for a plethora of Indian businesses, with ramifications on international trade, mergers and acquisitions, foreign direct investment, and potential aggregation.

The assumption of the consent framework is that the current policy and legal frameworks on IT and data policy, along with all the other relevant laws, are applicable to the HDMP. The biggest push towards data privacy in the National Digital Health Ecosystem (NDHE) is the Personal Data Protection Bill, 2018. The Bill regulates the processing of personal data of individuals (data principals) by government and private entities (data fiduciaries) incorporated in India and abroad. However, this crucial piece of legislation is still in its draft form, and as of March 2020, the Bill is being analyzed by a Joint Parliamentary Committee (JPC) in consultation with experts and stakeholders. The final submission of the JPC report might be expected in the upcoming monsoon session of the Parliament. Meanwhile, the existing legal frameworks are inadequate in handling the scale and scope of the HDMP in its entirety, especially in matters pertaining to data breaches and risk management of data breaches, local storage of sensitive data (on servers within the boundaries of the country), and governance mechanisms for the collection, storage, and processing of sensitive data (EHRs). Not to mention, the existing draft of the Personal Data Protection Bill 2018 in its current form has seen its own share of responsible and accurate criticism from lawyers (Justice B. N. Srikrishna) and the civil society (Internet Freedom Foundation) alike. The need of the hour is to explore ways to go back to the fundamentals and rethink the core data integrity, security, and privacy structures and their governance across all entities and stakeholders in the national digital health ecosystem.

Beyond the consent framework part of the HDMP, the following points and analysis are worth thoughtful consideration:

  1. Perversion of Health ID: The HDMP mentions the provision of a health ID on a purely voluntary basis by the data principal. However, the reach of the health ID expanding into every aspect of the medical and healthcare value chain makes it next to impossible to avoid it. The health ID will surely then become an all-pervasive transaction tool in the healthcare value chain, with no option of backing out from it.
  2. The case for Interoperability: One of the underlying objectives of the health data management policy is to ensure interoperability across multiple partners associated with healthcare delivery to individuals in India. The effort towards the National Health Stack by the NITI Aayog in 2018 was a step towards achieving a similar objective, modelled on the widely successful India Stack used in the financial inclusion domain. The cases for interoperability in the two domains are poles apart in terms of their rationale. The financial inclusion ecosystem using the India Stack is highly structured, with robust tech and non-tech methods which can work across multiple stakeholders in the value chain. However, the healthcare ecosystem is not uniform in its structure, with a large non-tech approach, fragmented data points, heavily regulated medical procedures and heavy liability of the stakeholders under the law. Also, the sheer volume of potential opportunities (number and not financial value) of both B2B and B2C products, services, and platforms in the healthcare and medical value chain surpasses that of the financial inclusion sector and requires sharp regulation and constant monitoring. There is a case to be made in ensuring interoperability and keeping data points siloed.
  3. Ownership of Health Facility ID: The HDMP is not specific on the demarcation between the management of the healthcare facility vis-a-vis the owner of the healthcare facility pertaining to the requirement of a health facility ID. This is important from a corporate governance and legal standpoint.
  4. Privacy by Design on Stakeholders: One of the key pillars of the HDMP is its federated decentralised structure of collecting, storing, and processing healthcare data. Even if systemised, API calls will be made across the various players of the National Digital Health Ecosystem, and the onus of maintaining data integrity, security, and privacy systems falls on the healthcare providers, who do not have an excellent track record in keeping secure systems for data management and network capabilities.
  5. The case for sharing of de-identified data or anonymised data: The HDMP makes a strong provision for sharing de-identified data or anonymised data pertaining to various health data parameters for facilitating health and clinical research, academic research, archiving, statistical analysis, and policy formulation. The guidelines will be laid down by the National Health Authority. The provision extends to any entity in the National Digital Health Ecosystem, which includes health apps, insurers, pharmaceutical, and medical device manufacturing companies. This might indirectly provide valuable business intelligence which might affect consumers in terms of health insurance premiums, higher cost of pharma drugs, etc. There should be a strong and robust mechanism to check the sharing of such de-identified data or anonymised data, with heavy regulations pertaining to its use even in medical/clinical and academic research.

The health data management policy introduced by the government of India has vast potential in redefining and restructuring the very fabric of the healthcare ecosystem in India. The introduction of this policy also brings about its own set of challenges and unanswered questions especially on the topics of data integrity, security and privacy, and suitable regulatory authority. The recent article on the National Health Stack and iSPIRT’s Attempt To Replicate India Stack by inc42 provides an in-depth understanding of the similarities between the India Stack and the National Health Stack, and its potential pitfalls, along with a tangential commentary on vested interests and the potential windfall for companies closely associated with shepherding such initiatives. There is an urgent need for a larger debate on the multiple issues raised across the value chain, a more collaborative approach towards designing the structures and frameworks enumerated in the policy, as well as extremely robust and stringent regulatory mechanisms to maintain the requisite checks and balances for the various systems and processes across the multitude of stakeholders in the healthcare ecosystem.
