All healthcare facilities should have to comply with the draft Health Data Retention Policy (HDRP), the Internet Freedom Foundation (IFF), a digital rights group, submitted in its comments on the National Health Authority’s (NHA) HDRP on January 6.
The HDRP could have implications not just on the NHA’s Ayushman Bharat Digital Mission – which proposes a nation-wide federated digital health architecture – but also the Indian health sector at large, with provisions for retention of health data, different types of classification for the retained data, and more.
Which organisations should come under the HDRP?
1. NHA: One of the key questions that NHA asked was whether the policy should apply only to entities opting into the ABDM or all entities in the healthcare sector in India, including those who opt-out of ABDM.
IFF’s suggestion: It should apply to all healthcare entities, including those not in the ABDM.
“As the pace of digitisation proceeds in modern India, it is likely that the healthcare sector too will increasingly ‘go digital’,” IFF said.
The policy would ensure that there are adequate safeguards on user consent, privacy, and a plan for digitising medical institutions at scale, IFF added while citing the growing trend of telemedicine and e-consultations in India.
What will be the impact of opting out of the ABDM?
2. NHA: In the scenario of an opt-out, what could be the possible impact on the Health Data Retention Policy?
IFF’s suggestion: “Allowing healthcare facilities to opt-out without any uniformity of retention guidelines will result in a fragmented health care regime for Indian citizens,” the IFF said, reiterating its demand that all healthcare facilities be covered by the policy. This would ensure that a citizen’s right to healthcare, access to benefits is not impacted by a healthcare provider opting out of the ABDM, IFF reasoned.
IFF also asked the NHA to give ample time to healthcare providers for digitisation. This would ensure that their opting-out of the ABDM does not mean substandard or denial of healthcare to patients.
How should the HDRP be governed?
3. NHA: Who shall be the authority overseeing the HDRP’s implementation, and who will be the authority to roll it out at a macro level?
IFF’s suggestion: The Data Protection Authority should be the apex authority overseeing the implementation of the HDRP and formulating and enforcing statutory guidelines for the storage and processing of health data. Meanwhile, the National Digital Health Mission should be responsible for macro-level roll-outs.
IFF referred to the Joint Parliamentary Committee’s report on the Data Protection Bill which says that the DPA will deal with disputes related to personal or non-personal data protection, prevent misuse of personal data, etc.
“Further, since ‘health’, ‘biometric’, ‘genetic’, and ‘intersex status’ has been defined to be sensitive personal data, therefore, it primarily becomes the duty of the Data Protection Authority (DPA) to regulate such data and protect the interests of the data principals,” IFF said.
Involvement of the DPA in the larger NDHM governance
4. NHA: Is the existing governance structure – as laid out in the health data management policy – sufficient for the HDRP?
IFF’s suggestion: The governance structure in the HDMP does not lay down details like size, composition, selection process, tenure, powers, functions, terms of removal, financing, and the accountability framework governing NDHM. The IFF objected to the structure, saying that the NDHM would essentially be creating its governance structure itself which can cuase issues of delegation, lack of transparency, and accountability.
The organisation also asked that having government officers as the Chief Executive Officer and the Data Protection Officer, under the governance structure, could compromise its independence and the DPA should be allowed to nominate members to the NDHM governance structure.
A need to base the policy on a data protection law
5. NHA: How should the policy be enforced and what structure should entities responsible for retaining the health data have?
IFF’s suggestion: It said that policies regulating the storing or processing of health data should be notified under Section 2 of the Epidemic Diseases Act, 1897. These policies should also stay in place until specific guidelines for health data are specified by the regulatory body envisioned by the legislation.
“Without any statutory foundation and an independent regulatory authority, establishing and implementing a digital health records system; and sharing data with government bodies and private entities across different digital technology products, services and applications, risks fundamental rights to informed consent, confidentiality and privacy and may be contrary to the Indian Constitution,” IFF said.
Changes proposed to health data retention periods
6. NHA: What should be the ideal retention periods for inpatient, outpatient, and medico-legal cases?
IFF’s suggestion: Retention periods already specified under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, have been recommended. These are:
- Indoor Records: Standard proforma for 3 years from commencement of treatment
- Outpatient Records: 3 years
- Medico legal cases: until the final disposal of the case
Annual extensions to this can be taken based on consent that is informed, free,specific to the purposes and capable of being withdrawn at any time.
Why informed consent in extensions is necessary
7. NHA: If a provision to propose the extensions of retention should be created and under what considerations, the NHA asked.
IFF’s suggestions: Extensions could be provided for certain cases, IFF says. It points to cases where an individual may not want to share their data with a health facility as they may be accompanied by family members and frequently infromaiton about conditions like HIV or drug addictions aren’t shared by patients with family members as well. Further, a family UHID also links health records of all members.
Thus, IFF says that in cases of extensions on retention of data pertaining to genetic relevance such as mental health disorders, oncological and neurological records explicit informed consent must be taken by the data principal (or their legal representatives in case of their incapacity or death).
Why a blanket retention period should not be chosen
8. NHA: A better approach for retention was asked to be commented on. It could be a blanked duration or by the definition of different ‘schedules’.
IFF’s suggestion: A graded approach to retention could help protect patient rights while allowing for innovation. Patients may want certain sensitive data to be deleted soon after while some other data could remain digitised. However, a short duration would defeat the purpose of electronic records, while a long duration would increase compliance or allow health information users (such as insurance providers, hospitals, etc.) to misuse data and impinge on citizens’ rights.
Suggestion related to anonymised data
9. NHA: Views on the benefit of granular classification of data on health retention and the proposed classification of data were invited.
IFF’s suggestion: Asking that the periods of retention be proportional to the purpose of data collection, IFF added that annonymised data should not be treated in a laissez faire (minimum government intervention) manner. It also said that the consent override proposed in the policy could be an overreach. Instead, it recommended mandating access controls along with anonymisation for such data like keeping a list of authorised individuals and limiting access to the extent necessary for fulfilling a purpose.
According to IFF, the policy’s provisions for anonymised data ignores several security risks.
Preference for electronic records
10. NHA: Under the policy, should considerations be made for entities keeping records in physical or original formats?
IFF’s suggestion: Shareable, electronic records are preferred, however, the policy should make considerations (such as time) for smaller healthcare facilities. IFF also expressed disappointment that the HDRP would not be applicable retrospectively.
Concerns with the state of Indian healthcare
11. NHA: How should the policy be implemented, given limitations in infrastructure, capacity, and health data understanding in the sector?
IFF’s suggestion: Capacity building measures should be undertaken along with a phased manner of the implementation of the HDRP. This should include providing grants to aid the digitisation of local rural and urban bodies, according to the IFF
Questions to which the IFF does not respond
The IFF does not provide responses to the following questions:
- How can smaller clinics or centres, both public and private, build capability in a timely and cost-efficient manner to take responsibility for data retention for long time periods?
- How granular should data classification be? Is more granularity required beyond that presented in the sections above? Addressing this aspect of the Health Data Retention Policy would help assess whether minimalist data classification – pertaining only to inpatients and outpatients – would suffice the purpose of health data retention. A minimalist data classification would have both advantages and disadvantages. Please suggest your view in this regard.
- How should the guiding principle of this policy be determined for the benefit of stakeholders and ease of adoption by varying sizes of entities deciding to opt-in for ABDM?
- How should the implementation of the policy be done in case the policy is made applicable for the ecosystem beyond ABDM?
- Is there an alternative model or policy approach which could be considered?
What is the ABDM and what has happened with it so far?
The ABDM, previously known as the National Digital Health Mission, rolled out nationwide in October after a pilot project in seven Union Territories for a year. In November, MediaNama reported that so far nearly 14 crore Unique Health IDs have been created under the mission, 96% of which are connected to Aadhaar cards with the NHA also recently enabling driving license-based authentication for UHIDs. Like the HDRP, the NHA has also said that it will be releasing a consultation paper on the ‘Drug Registry’ in the next month.
In the HDRP consultation paper, the NHA said that it has launched the following building blocks under it: Health ID, Personal Health Records (PHR) App, Healthcare Professionals Registry (HPR) starting with doctors, Health Facility Registry (HFR), and Health Information Exchange & Consent Manager (HIE-CM). While there hasn’t been any consultation or paper released on the HIE-CM, the NHA has released consultation papers on the Unified Health Interface (UHI), Health Professionals Registry, Health Facility Registry, NDHM draft implementation strategy, NDHM blueprint, data policy, sandbox framework guidelines, and other such papers.
- Summary: Health Data Retention Policy proposed under ABDM
- Who benefits from the value of people’s health data? It’s insurance companies
- Key Aspects: National Digital Health Mission’s Data Management Policy
Have something to add? Post your comment and gift someone a MediaNama subscription.