“I had gone to an ENT clinic in Chennai for a routine checkup. At the reception, they collected my personal details in a ledger. I was not told that it would be uploaded to a cloud application. When I returned home after the check-up, I got a text message saying that my details had been uploaded to a private platform and added to its database,” said Chennai-based Ramraj, a 28-year-old employee at a private company.
Ramraj’s account is part of an increasingly concerning trend of private online medical platforms, in this case Bengaluru-based DocOn Technologies, uploading sensitive details such as health records to their platforms and creating a common health ID, allegedly without taking the patients’ consent. This is happening irrespective of whether the patient had any interaction with the platform before, during or after the consultation.
The message that Ramraj received from DocOn
This health ID creation is all the more significant because the privacy policies of these platforms state that the collected sensitive personal data can be sold or transferred to third parties and affiliates in an “aggregated and non-personally identifiable form”. Coupled with India’s archaic laws that have failed to keep up with technology, and in the absence of a robust data protection law, there is a lack of accountability for such platforms when it comes to addressing such alleged violations.
Not a one-off incident
A while back, Hasgeek co-founder Kiran Jonnalagadda faced a similar situation when he visited a physiotherapist in Bengaluru. Two to three days after the consultation, Jonnalagadda received a text message from Bengaluru-based Portea Medical welcoming him to its platform and informing him that a customer ID had been created through which he could access his physiotherapy records.
Like Ramraj, Jonnalagadda had neither interacted with the online medical platform nor given his consent for the creation of the health ID. He took up the matter with the doctor and was told that Portea Medical was being used in the clinic for record keeping.
What the doctor keeps for record keeping is not my problem, but when Portea (Medical) provides a customer ID, that is not record keeping; that is Portea linking records across doctors with a common ID, which they should not be doing. So, firstly, they did not have my consent to give me an ID, and they also did not have my consent to link my records across doctors — Kiran Jonnalagadda, HasGeek
We will be deleting the data: Portea Medical CTO
Ramasubramani Ganesan, Portea Medical’s Chief Technical Officer (CTO), said that the company has taken cognisance of Jonnalagadda’s request to delete his data from the platform. “Our team is working on it. Given the patient is particular that he does not want to share the data with us, we will be removing the data from the system,” Ganesan said.
However, Ganesan justified the creation of the health ID by saying that physiotherapy in the clinic was a service provided by Portea Medical. “So by taking the services, we were just informing how we can reach back to us in case he wants any additional support,” he said.
When asked if there were visible signages at the clinic denoting that the service was being offered by Portea Medical, Ganesan said, “Normally we have Portea banners, and names. But for the past year, due to Covid-19, those banners had been removed, which might have caused the confusion. In regards to this particular case, we need to figure out the details — whether there was a communication issue. But in general, we get consent forms signed, so that patients know that Portea Medical is involved.”
Mishi Choudhary, founder of Software Freedom Law Center (SFLC.in), while criticising such private players, said, “It is clear that consent was not given at all let alone freely given. In any other country, such businesses will be heavily fined but if the party responsible for laying down a framework and enforcing it i.e. the government itself is facilitating health data leakages, citizens are left with no avenue to take their claims to.”
It is quintessential for a platform or the concerned practitioner who is providing these details to such a platform, to obtain an informed consent from the patient whose private information is to be appropriated. Uploading of information would not only be an infringement of the patient’s right to privacy but would also be against the Indian Medical Council’s (Professional Conduct, Etiquette and Ethics) Regulations — Kritika Seth, founding partner of Victoriam Legalis
Not just health IDs, issues pertaining to medicine deliveries and telemedicine too
A few weeks ago, Mumbai resident Chitra Mathur, who works at an NGO, went on Tata 1MG to order a few medicines for herself. The medicine required a prescription, which she had from a doctor. She uploaded it to the platform and placed the order.
However, her order was flagged and she received a call from someone who introduced himself as a doctor. This alleged doctor enquired about her prescription, her ailments, the prescription’s veracity, and asked several other questions which she found invasive. She pointed out that she had neither consented to being called nor been made aware that her prescription (sensitive health details) could be shared with others.
Question for @1mgOfficial: Do you think it is ok to call any customer at any time and start asking them invasive personal questions about their medical history, when they have only ordered medicine? @tandon_prashant @agarwal_gaurav @vikaskjs @TataCompanies
— Three Girl Family (@threegirlfamily) September 6, 2021
1. I never consented to receiving unsolicited calls from 'doctors' through @1mgOfficial. I trust my own doctor. If I need another prescription, I'll go to them. The last thing I want is a random unknown doctor asking me intrusive questions. Why do you do this @1mgOfficial? (5/n)
— Three Girl Family (@threegirlfamily) September 6, 2021
We reached out to Tata 1MG, its co-founder Prashant Tandon and its public relations team with specific queries in this regard. However, we had not received any response at the time of publication of this report.
Sarvesh Mathi, a journalist with MediaNama, also faced a similar situation when he ordered a few prescription drugs on NetMeds for his grandmother. Like Mathur, he too received a call from 1MG questioning the veracity of the prescription and confirming the medicines needed. It was only after providing an explanation that the order was processed.
First of all, orders are “flagged” for a number of reasons which range from legibility, to expiration date, to “product mismatch” where the customer has ordered an item other than the prescribed item, such as a generic version of the molecule rather than a named brand, to name a few. In any such case, the customer is notified that there is an issue with the prescription and that one of our network doctors will be calling them to get any of these, or other points clarified — NetMeds Escalation Team
Since the prescriptions that Mathi and Mathur uploaded to their respective platforms can (according to those platforms’ privacy policies) be shared with third parties, we asked NetMeds and Tata 1MG about their data sharing practices. While we did not receive any response from Tata 1MG, this is what NetMeds said.
Big void when it comes to regulation of online medical platforms: Experts
Mahendra Kumar Bajpai, a Supreme Court advocate and Honorary Director at the Institute of Medicine Law, explained that India lacks a legal framework for regulating online medical platforms that provide telemedicine facilities. The current laws exist only to regulate healthcare providers, and they are not enough for online medical platforms.
When it comes to telemedicine, we have a set of laws for doctors and three guidelines which have come out for regulating allopathic, homeopathic, ayurvedic doctors. And these guidelines are only for regulating doctors. The regulation goes to the extent of saying that they are not concerned about telemedicine. Although certain provisions of the IT Act are applicable, they are not enough. This gap is being exploited — Mahendra Kumar Bajpai, a Supreme Court advocate
What Bajpai is essentially saying is that the consultation side of telemedicine, including aspects such as the doctor-patient relationship, is regulated under the Code of Medical Ethics. However, when it comes to platform-related processes such as the collection and sharing of data, there is a huge gap.
Bajpai also pointed to the lack of a robust data protection law in the country. In that regard, most privacy policies and terms and conditions pages of platforms such as Tata 1MG, NetMeds and Portea Medical mention that they share the collected sensitive personal data with third parties after “anonymising” it. However, Mishi Choudhary, SFLC.in founder, was not convinced.
If these companies claim that they are sharing anonymised data, one must ask what categories of data are being shared and how are actual identifiable persons getting intimation or calls. Perhaps what they mean is pseudonymous data and not anonymous. Pseudonymous means data which could be attributed to a natural person by the use of additional information — Mishi Choudhary, SFLC.in founder
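To make Choudhary’s distinction concrete, here is an added illustration of the difference between a pseudonymous record and an anonymous one. It is not code from this article or from any of the platforms named in it; the platform secret, phone numbers, ailments and clinic names are constructed sample values, and the function names are our own.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample values (hypothetical): not real patients, numbers or secrets.
PLATFORM_SECRET = b"hypothetical-platform-secret"
RECORDS = [
    {"phone": "+91-90000-00001", "ailment": "sinusitis", "clinic": "ENT, Chennai"},
    {"phone": "+91-90000-00002", "ailment": "back pain", "clinic": "Physio, Bengaluru"},
    {"phone": "+91-90000-00001", "ailment": "back pain", "clinic": "Physio, Chennai"},
]


def patient_token(phone, secret):
    """Stable keyed pseudonym for a phone number (HMAC-SHA256, truncated).
    Whoever holds `secret` can recompute it; without the secret it is opaque."""
    return hmac.new(secret, phone.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record, secret):
    """'Anonymise' the way a platform might: drop the phone, keep a per-person token.
    Because the token is stable, visits by the same person stay linked across clinics."""
    out = {k: v for k, v in record.items() if k != "phone"}
    out["patient_token"] = patient_token(record["phone"], secret)
    return out


def attributable(pseudo_record, secret, contact_list):
    """Return the phone number a pseudonymised record belongs to, if the holder of
    the 'additional information' (the secret plus a contact list) can work it out.
    A positive answer is precisely what makes the data pseudonymous, not anonymous."""
    for phone in contact_list:
        if hmac.compare_digest(patient_token(phone, secret), pseudo_record["patient_token"]):
            return phone
    return None


def anonymise_aggregate(records):
    """Anonymous form: counts per ailment; no per-person handle survives."""
    return dict(Counter(r["ailment"] for r in records))


def classify_release(records_out, secret, contact_list):
    """Label a data release by asking the question Choudhary raises:
    'pseudonymous' if any record can still be attributed to a natural person,
    'anonymous' if no record carries a per-person handle."""
    for rec in records_out:
        if "patient_token" in rec and attributable(rec, secret, contact_list):
            return "pseudonymous"
    return "anonymous"


if __name__ == "__main__":
    pseudo = [pseudonymise(r, PLATFORM_SECRET) for r in RECORDS]
    contacts = [r["phone"] for r in RECORDS]
    # The first and third visits belong to one person and remain linked by the token.
    print(pseudo[0]["patient_token"] == pseudo[2]["patient_token"])
    print(classify_release(pseudo, PLATFORM_SECRET, contacts))
    print(classify_release([anonymise_aggregate(RECORDS)], PLATFORM_SECRET, contacts))
```

The point of the check is the one Choudhary makes: a party that can still reach a specific person (to send a welcome SMS or a verification call) is by definition holding the additional information that attributes the record, so the release is pseudonymous however it is described in a privacy policy; only the aggregate form, with no per-person handle, is anonymous.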
What can/should be done, according to experts
Make online medical platforms encrypted: Cybersecurity expert V Anand said that medical data is leaked on dark markets quite a lot. He dismissed the privacy policies of online medical platforms as “shams” and instead stressed “owning your encryption” (wherein the data is encrypted and is accessible by a key held by the individual).
Compliance with IT Rules 2021 necessary: Utsav Trivedi, partner at TAS Law, said that these platforms should comply with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. According to the rules —
Patients’ rights: According to SFLC, these are some of the rights that patients must have and which should be built into the functioning of online medical platforms:
- Right to be informed: companies must tell individuals what data of theirs is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
- Right to restrict processing: individuals can request that a company limit the way it uses their personal data.
- Right to object: individuals should have the right to challenge certain types of processing, such as direct marketing.