This article is the first of a two-part series on the National Digital Health Mission, and the best practices required to scale digital health in a democratic, inclusive manner. Click here to read part two.
As the BBC reported in June, despite approaching journalists, the mayor of Ahmedabad, and even the Gujarat Health Minister, Shefali’s 44-year-old husband, Umesh, lost the battle to COVID-19 within five days of experiencing breathing difficulties. A dearth of isolation rooms, hospital beds, ventilators, and even doctors who could treat infected patients culminated in a family tragedy for Shefali and her two young daughters.
In light of the COVID-19 outbreak, the need for access to better, affordable healthcare infrastructure and services has been magnified in an unprecedented manner. Despite the free medical facilities offered at public health centres, the quality of care varies across urban and rural areas, as well as across different Indian states. Based on indicators including mortality rates, immunization coverage, and districts with cardiac care units, the NITI Aayog ranks Kerala as the best-performing state when it comes to healthcare, while Uttar Pradesh is at the bottom of the list. Such glaring disparities reflect how vulnerable the Indian healthcare system is, especially as it struggles to contain a pandemic that has killed over 1,00,000 Indians.
These limitations have catalysed the development of new technological solutions to address the pressures COVID-19 is exerting on the healthcare system. As people are adapting to the virtual “new normal”, so is the health industry—online delivery of medicines, teleconsultations by doctors, and e-prescriptions have all seen a significant surge in numbers since March, owing to the lockdown measures and contact restrictions imposed by the government.
The availability of and access to patient medical histories, directories of healthcare workers, and insurance records have become even more crucial to hospitals and doctors attending to patients requiring critical care within pressing timelines. Such data, if potentially available at the click of a button at all times, could be used for faster prognosis, personalized treatment, and clinical development.
Keeping in mind these benefits, as well as the overall technological development India aims to achieve through its Digital India campaign, Prime Minister Narendra Modi launched the National Digital Health Mission (NDHM) on India’s 74th Independence Day earlier this year. The National Health Authority under the Ministry of Health and Family Welfare (MoHFW) will overlook the roll-out of the NDHM and digitize all health records to help more Indians access affordable healthcare in a timely manner.
As part of the NDHM, the MoHFW recently sought public comments on the Health Data Management Policy (HDMP), released last month. Similar to the National Health Stack, earlier envisaged by the NITI Aayog, the HDMP provides guidelines to protect the privacy of individuals, as the NDHM issues unique health IDs and creates a database of the personal health data of individuals. This data includes, among other data points, biometrics, transgender status, caste, religious beliefs, and political affiliations.
The government is now proposing to dispense the potential COVID-19 vaccine through a digitized system that will require the Indian population to furnish their IDs—that is, digital health IDs, Aadhaar cards, or any other identification documents—to receive such a vaccine.
Though this may be useful in tracking immunisation, there should be adequate safety nets in place, to account for the complex realities of digitizing health data. This is a task that involves not just the mere collection of health data of individuals, but reliable internet connectivity, interoperability (or, the ability of computer systems and networks to exchange information), data protection laws, and adherence to international standards governing management of health data.
So, how will the government achieve the digitization of health data without invading our privacy?
As per the HDMP, governments at all levels—Central, State, and local—will create a decentralized database, accessible to not just the government and its various departments, but also to primary health care centres, clinics, diagnostic labs, insurers, hospitals, and research institutions. Once you are assigned a unique health ID, which will be your health account, all your health data collected by the HDMP will be stored in the database, which can be accessed and retrieved by your doctor or even pharmacist whenever required. This data will be de-identified, which means that any information that may reveal your actual identity, will be stripped away.
And the most important stakeholders pic.twitter.com/TwmrGf4rwH
— robos of Tech Law & Policy (@rTechLawPolicy) August 30, 2020
Given this ubiquitous access to health data across the board, building trust between the patient and the caregivers in such a large-scale digital ID project is of paramount importance.
Similar to attorney-client privilege or doctor-patient confidentiality, a ‘fiduciary’ relationship based on the exchange of information or data must ensure that the organization collecting such information or data (known as a data fiduciary) protects the privacy of the individual and takes reasonable care to prevent any potential risks or harm to them. Any such relationship should be based on trust, transparency, accountability, and most importantly, ‘informed’ consent from the user to share their information.
However, poor internet connectivity and digital illiteracy may pose implementation challenges when it comes to building trust or developing an understanding of informed consent. Despite over 500 million Indians using social media, internet penetration still stands at 50% across the country. Translating the terms and conditions of data management into regional languages, educating patients about the collection of their health data, and informing them about how such data will be used, will be the collective responsibility of all the data fiduciaries participating in this digital ecosystem. Yet, with such a networked system of highly sensitive data, existing laws in India do very little to impose a duty of care on data fiduciaries and ensure patient privacy. Simply put: our data laws may not incentivise fiduciaries enough to protect user privacy.
Health data is your most intimate information, yet draft Health Data Management Policy doesn’t notify you if data is breached, envisions use of caste and religious data (albeit as sensitive info), and doesn’t mandate security measures. @CCGNLUD‘s reaction- https://t.co/RONna4oTNx pic.twitter.com/URi3VnQbz6
— Subhashish Bhadra (@Subhashish30) September 28, 2020
India currently does not have a comprehensive data protection law. Though the Supreme Court has declared the right to privacy as a fundamental right, the Draft Personal Data Protection Bill, 2019, which will enforce the right to privacy and hold data fiduciaries accountable to legal standards, is yet to be passed by the Parliament. With no legal framework in place, individuals may not have adequate safeguards or redressal mechanisms serving their best interests in the event of a data breach, or if their data is misused by the government or private companies. The recent data leak at Dr. Lal Path Labs, where the identified personal data of patients was stored (without a password) on a cloud, is evidence enough to show how the exposure of critical data without adequate security measures may put thousands at risk.
Could the HDMP be used for surveillance too?
Since the outbreak of COVID-19, governments across the world have implemented various surveillance tools from drones to contact tracing apps to monitor the spread of the epidemic, and ensure that those infected take adequate precautions and follow quarantine measures.
India’s very own contact tracing app, ‘Aarogya Setu’, was also made mandatory for inter-state travel, entering offices, and even when accessing public health facilities. Aarogya Setu, which uses an individuals’ GPS location and Bluetooth to trace the people they have been in contact with, provides the government with unconditional power to retain and use such data for other ‘unintended’ purposes such as surveillance and interception. Collection of multiple data points through Aarogya Setu that have nothing to do with one’s health, for example, religion or caste, may further enable the government or even health facilities to discriminate against individuals. Upon receiving severe criticism from privacy advocates, the government withdrew its decision of making Aarogya Setu mandatory and made it voluntary instead.
A STAT investigation found that a common method of using analytics software to target medical services to patients who need them most is infusing racial bias into decision-making about who should receive stepped-up care. https://t.co/Yjx75GDtQb
— STAT (@statnews) October 15, 2020
Yet, while State-sponsored health surveillance has raised eyebrows in the past for being discriminatory against marginalized communities, private companies are also infamous for algorithmic bias and the commercial exploitation of data. There have been instances in the West where healthcare algorithms have perpetuated the bias against people based on their genetic make-up or color. In India, it is likely that decisions made by software may end up ostracizing economically and culturally weaker sections of society from the healthcare system.
Given these past experiences, with the HDMP collecting data such as caste and transgender status, the scope for similar instances of exclusion is wide, which may result in thousands being denied healthcare. The unauthorized or unintended disclosure of an individual’s HIV status or mental illness may result in them being denied access to crucial healthcare services owing to societal stigma. For example, a trans woman may be subject to discrimination by an insurer as they might have to reveal not just their gender but also prescription drugs taken or any treatments sought. Such linking up of data across health care providers may inadvertently exacerbate existing historical, cultural, and institutional biases.
Such scenarios can occur at scale, even though the HDMP aims to make healthcare more inclusive and accessible; India’s past experience with Aadhaar, its national digital identity system, has highlighted how the most vulnerable sections of society suffer the most due to arbitrary profiling.
we’ve released experimental evidence on the impacts of Aadhaar. we find it did reduce leakage, but at the cost of some exclusion and pain to genuine beneficiaries. w/ @karthik_econ and @sandipz https://t.co/b5iAJqGwWx pic.twitter.com/1GQTeuRLyX
— Paul Niehaus (@PaulFNiehaus) February 13, 2020
Aadhaar, which was launched with the objective to directly deliver subsidies and benefits to Indians and plug leakages due to corruption and inordinate delays to some success, has also been criticized for excluding labourers, the differently-abled, the elderly, and the transgender community, as many from these populations lack the requisite identity proofs needed to be issued an Aadhaar card. Those without the Aadhaar card, around 102 million Indians as of 2019, end up excluded from the welfare system as they’re unable to avail of its benefits and schemes. Failures in identity verification, the lack of secure technical infrastructure, and poor data protection practices have further resulted in exclusion from the State’s protections, in some cases, leading to death. Such drawbacks in healthcare under the HDMP may have devastating repercussions on people’s lives. So, how can the NDHM be made more robust so that it benefits as many as possible?
India’s new digital landscapes require new, flexible regulations—but, how do you develop laws for unchartered terrain? For some answers, click here to read more under ‘Regulating for a Digital Future’, curated by The Bastion and the Centre for Communication Governance, NLU Delhi.
The Bastion is happy to announce a new Technology vertical, where we’ll be covering how the future intersections of tech, policy, and society will affect India’s development journey. To read more of our technology coverage, click here. Interested in writing for us? Click here to read our submissions guidelines.