It is becoming increasingly evident that amidst the global pandemic, it is ‘technology’ that made the world go around. Offices moved online, social events moved online, education moved online, and it seems like, medicare, too, is moving online.
Welcome: ‘National Digital Health Mission’ (NDHM). This new scheme was launched as India celebrated its 74th Independence Day. It is pegged to revolutionise India’s health sector and increase access to healthcare through technology.
But, will this come at the cost of data privacy? Let’s find out!
What is the ‘National Digital Health Mission’?
Just how your Aadhaar number is linked to all government records, a similar number is now proposed to digitize all your health records. An Aadhaar-like number, called Health ID, will be assigned to every individual. This ID will store certain ‘sensitive personal data’. In the draft policy, sensitive personal data is defined as this: such personal data, which may reveal or be related to, but shall not be limited to,
- financial information such as bank account or credit card or debit card or other payment instrument details;
- physical, physiological and mental health data;
- sex life;
- sexual orientation;
- medical records and history;
- biometric data;
- genetic data;
- transgender status;
- intersex status;
- caste or tribe; and
- religious or political belief or affiliation (this point is sure to garner eyeballs and public comments)
As envisaged, various healthcare providers, such as hospitals, laboratories, insurance companies, online pharmacies, telemedicine firms, will also be synchronized in the health ID system.
According to the National Health Authority (NHA), every patient who wishes to have their health records available digitally must start by creating a 14-digitl unique Health ID. This Health ID will be linked to the person’s Aadhaar or mobile number. Each Health ID will be linked to a health data consent manager, which will be used to seek the patient’s consent and allow for seamless flow of health information from the Personal Health Records module.
It would work something like this:
let’s say you are running a temperature since 2 days now. You book an e-appointment with your doctor. Your doctor asks for your Health ID and digitally accesses your medical history. He understands your medical conditions, past treatments, allergies, etc., examines you digitally, and then prescribes some medication. You click on the name of the medicine and it gets delivered to your house. Your medical records get updated with the latest visit, prognosis, medicines recommended and recovery trajectory.
Can patients control data in their Health ID?
This Health ID, unlike Aadhaar number (which is a physical card), is envisaged in the form of a mobile application. Patients can create a Health ID, which will then allow them to share their data with hospitals and doctors digitally. When they create their Health ID, they will get access to a digital locker to store all their medical information. They can choose for how long and what specific documents they would like to share with whom. Once they choose to share any document, a copy will then be stored in the other person’s digital locker.
If anyone wants to benefit from government schemes, only then will such a person be required to connect their Health ID to their Aadhaar.
Digital records and data privacy
To jog our memories, our banks pushed us to link Aadhaar to our accounts, so did our telecom operators and so did payment wallets, and so did the stock exchanges, and so did various registrars, etc. After all of that, The World Economic Forum’s Global Risks Report 2019, said, “The largest (data breach) was in India, where the government ID database, Aadhaar, reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens. It was reported in January 2018 that criminals were selling access to the database at a rate of Rs. 500 for 10 minutes, while in March a leak at a state-owned utility company allowed anyone to download names and ID numbers.”
Additionally, during the Covid-19 lockdown, the Centre was under the spotlight after France-based ethical hacker Elliot Alderson made public allegations that the Aarogya Setu app had security issues. Later in May, the government released the source code for the Android version of the app, in a move to bring transparency to the app’s functioning.
With such precedence, fears of data breaches are not invalid. Learning from the experiences of lapses in the Aadhaar ecosystem, the NHDM has, this time, taken some preventive measures. The objective of NDHM reads as “creating a system of personal health records, based on international standards, and easily accessible to the citizens and to the service providers, based on citizen-consent.” The crucial word here being ‘citizen consent’.
Unlike Aadhaar that doesn’t have an option to let individuals exit the unique identification system except children below 18 years, digital health IDs will be available under a voluntary opt-in system. It has a door for opting out as well. While anonymous data collection will be beyond the control of citizens, personal data collection will require express consent from the citizens. The government also claims that it has built a consent-based access mechanism. Through this, citizens can hide certain information from healthcare bodies by enabling only partial consent.
Additionally, no treatment can be denied by any doctor or hospital on the grounds of non-provision of such consent. Also, any citizen can demand access to his / her personal data, and demand complete data deletion at any time. India’s draft data protection bill, too, centres around consent and the ‘right to delete’.
This initiative of creating a Health ID for all is a major stride towards achievement of the United Nations Sustainable Development Goal 3.8 of Universal Health Coverage, including financial risk protection. However, it is not free from unauthorized access, misuse or potential breaches (just like any other technology platform). But, here’s what you can do about it. Choose whether to opt-in, who to give access to, and most importantly, exercising the right to delete your data completely if ever push comes to shove.
Also read: Will World War 3 be fought online?