
Health Data Management Policy (15th December 2020)


Context:

The Health Ministry on Monday approved a policy under the National Digital Health Mission (NDHM) to protect and manage the personal data of patients using the digital services of the scheme.

Background:

The policy that was approved by Union Health Minister Harsh Vardhan acts as a guidance document across the National Digital Health Ecosystem (NDHE).

The government said that this policy is to be read along with, and not in contradiction to, any applicable law.

Data collected across the National Digital Health Ecosystem (NDHE) will be stored at the central level, the state or Union Territory level, and the health facility level, adopting the principle of minimality at each point.

Panellists:

1. Shashidhar K.J., Associate Fellow ORF
2. Dr. Praveen Gedam, Additional CEO, National Health Authority

1. Features of Health Data Management Policy:

1.1 The Data Policy is a minimal document that comes before the National Digital Health Mission takes its full-fledged form.

1.2 The National Digital Health Mission is going to deal with health data, which is very sensitive and personal, and a lot of sensitivities are attached to it.

1.3 More than that, we need to have certain protocols in place before we move ahead, to decide the way data will be collected, stored, processed and exchanged, and the way consent will be given.

  • This policy was published by the Government of India in order to take care of these issues.

1.4 Even now, health data is stored with the respective healthcare providers in physical form or in a digital Park. What we are trying to do is only to connect all such healthcare providers through one platform; they will continue to hold the data at their own places, the way they are doing now, after complying with certain standards that we have prescribed.

1.5 Therefore, it is not correct that once a hospital joins the Digital Health Mission, all the data that the hospital may have in its electronic system is automatically made available to everybody.

1.6 This is just the creation of a network connecting each hospital, laboratory and doctor with every other person. Therefore, if I go to a particular hospital and do my blood test at a particular laboratory, the treating doctor can see my report after I give explicit informed consent, and that's it.

1.7 So, when we are talking about access to data, the most important reason is to provide good quality healthcare, and therefore a healthcare provider should be in a position to see the health records of that person from all over India with his consent.

  • It is also possible to give partial consent: I may say that I want to give consent to show my record X and not record Y.

1.8 Speaking about authorities, as of now, unless we have specific anonymization and aggregation protocols in place, that will not be done, and it will therefore take some time. This is just a connection between these individual digital health systems.

1.9 PENALTY: Punishment or penalty will depend on the level of mischief. It will be depending on the type of the person tries to do in that it has taken between Scooby-

  • Suspension, permanent cancellation from the ecosystem, and we can also consider prosecuting them in civil and criminal courts as per the various existing laws. But it will depend from case to case.
  • CONSENT: There will be an electronic system which we call the CONSENT MANAGER. Data will be channelised through this consent manager.
  • The consent manager will verify:
  1. The identity of the person seeking data
  2. The identity of the person providing data
  • And it will ensure that consent is provided; only after that will the electronic handshake be done.

1.10 PARTIAL CONSENT: It is possible that if one goes to a hospital for treatment of a hand fracture, he doesn't need to share his psychiatrist data. Further, he can withdraw any consent. Further, this consent is for a fixed period and not for an indefinite period.

2. Need/Advantage:

2.1 Protection: Data is of course important for everything right now. It is also important to make sure that the data given to different authorities and shared across different entities is protected.

2.2 Entire health ecosystem: And of course, for the entire health ecosystem as it is envisaged within the document, data will be shared across different bodies, say from the medical lab to the hospital to the doctor's clinic to whichever place, including the health insurance provider.

  • In that situation, access to information about your particular health status becomes very important.

2.3 Standardization and Uniformity:

  • Medical science or medical nomenclature is not actually used in a standardized pattern all over India.
  • The same disease or the same procedure can be known by more than one name, all of which may be correct.
  • Sometimes they are used in short form.
  • So we see that this is the start of the journey, but data will be accessed by the other doctor the way it is accessed right now.

2.4 Personal Data Protection Bill: The requirement of the PDP is under consideration and we are in tune with that. The PDP is a very broad and generalist data bill. So, even when it is passed, the Health Data Policy may not be subsumed, because the requirement for such specific provisions of a health data bill will still be there, and that is the reason it is as per the requirement of the society.

2.5 Dynamic Law: It is a requirement of society: as technology advances and social customs and values change, the law keeps changing. There are also certain principles which have been defined with respect to privacy by Supreme Court judgements.

2.6 Law backing: Judgements of the Supreme Court have the effect of law. We do have this in the form of various Supreme Court judgements like the Puttaswamy judgement. We do have general kinds of law which to some extent take care of privacy. We can definitely use these legal provisions till the PDP bill is passed by Parliament. Therefore, we do have adequate legal provisions for its safeguard.

2.7 The Policy is definitely an improvement on the draft document. Definitions were clearly mentioned. For example, they clarified what the consent manager will look like.

2.8 Federated architecture: In the case of the Vahan Sarthi programme, the concerned transport department server has the data about all the driving licence plate and all vehicles.

  • This is not the case here: what we are trying to do is store the data in a federated architecture. The hospital's system will have the hospital's data; it is not going to go anywhere. We are only connecting these things.
  • A better example may be the UPI platform: the data of various public sector and private sector banks stays with the banks themselves, and UPI just connects them.

2.9 Audit logs: Yes, we are going to have a log of each and every entry.

2.10 Coming to telemedicine: The biggest challenge with telemedicine at present is whether the person we are getting connected to is actually a doctor or not; the KYC of a doctor is still a problem. This will be resolved in NDHM.

3. Challenge:

3.1 In this Framework, we need to take care of who is actually accessing the data and make sure only the appropriate authorities are accessing the data.

3.2 We don’t have a Personal Data Protection bill. So, the health policy says that it will be read with applicable law. Ideally this policy should have come with the PDP, which is still pending in Parliament.

3.3 What happens if data is breached by authority? What Penalty will be applied to them?

3.4 Laws are not adequate or equipped to safeguard data and privacy in this age of cyber crime and IT.

3.5 However, the policy gives some hope. So once the data policy is passed, I hope this bill will be subsumed in that.

3.6 Another issue is how to get actual, proper informed consent, because the policy says that it will be done under the Indian Contract Act. But we are mostly following a tick button where we accept the conditions of websites. How would we know where the loophole is?

3.7 Will this entire system be considered digital public good and can it be auditable?

3.8 Can people actually have access to the source code provided to actually verify the system and see if everything is going exactly the way it's supposed to go?

3.9 Data from the Vahan Sarthi programme was leaked outside and people were targeted using this data.

 

Important Points made by Guests:

Q. Salient features of this policy:

Ans-

  • The Data Policy is a minimal document that comes before the National Digital Health Mission takes its full-fledged form.
  • The National Digital Health Mission is going to deal with health data, which is very sensitive and personal, and a lot of sensitivities are attached to it.
  • More than that, we need to have certain protocols in place before we move ahead, to decide the way data will be collected, stored, processed and exchanged, and the way consent will be given. This policy was published by the Government of India in order to take care of these issues.

Q. As far as data, and specifically medical data, is concerned, how important is it, whom is it going to help, and how is it going to help the health ecosystem as a whole?

Ans-

Data is of course important for everything right now. It is also important to make sure that the data given to different authorities and shared across different entities is protected.

And of course, for the entire health ecosystem as it is envisaged within the document, data will be shared across different bodies, say from the medical lab to the hospital to the doctor's clinic to whichever place, including the health insurance provider.

In that situation, access to information about your particular health status becomes very important.

But in this framework, we need to take care of who is actually accessing the data and make sure only the appropriate authorities are accessing the data.

Q. As far as privacy concerns are concerned, people have raised several issues. How have the privacy concerns been addressed, and how do you see them being addressed?

Ans-

Even now, health data is stored with the respective healthcare providers in physical form or in a digital Park. What we are trying to do is only to connect all such healthcare providers through one platform; they will continue to hold the data at their own places, the way they are doing now, after complying with certain standards that we have prescribed.

Therefore, it is not the case that once a hospital joins the Digital Health Mission, all the data that the hospital may have in its electronic system is automatically made available to everybody; that is not correct.

This is just the creation of a network connecting each hospital, laboratory and doctor with every other person. Therefore, if I go to a particular hospital and do my blood test at a particular laboratory, the treating doctor can see my report after I give explicit informed consent, and that's it.

So, when we are talking about access to data, the most important reason is to provide good quality healthcare, and therefore a healthcare provider should be in a position to see the health records of that person from all over India with his consent.

It is also possible to give partial consent: I may say that I want to give consent to show my record X and not record Y.

Speaking about authorities, as of now, unless we have specific anonymization and aggregation protocols in place, that will not be done, and it will therefore take some time. This is just a connection between these individual digital health systems.

Q. For getting consent, and partial consent as well, is there a protocol that needs to be followed?

Is there some kind of uniformity and standardization across the board as well, because we are talking about the entire country and the entire population?

Ans-

CONSENT:

There will be an electronic system which we call the CONSENT MANAGER. Data will be channelised through this consent manager.

The consent manager will verify:

  1. The identity of the person seeking data
  2. The identity of the person providing data
  • And it will ensure that consent is provided; only after that will the electronic handshake be done.

PARTIAL CONSENT:

It is possible that if one goes to a hospital for treatment of a hand fracture, he doesn't need to share his psychiatrist data. Further, he can withdraw any consent. Further, this consent is for a fixed period and not for an indefinite period.

STANDARDIZATION AND UNIFORMITY:

Medical science or medical nomenclature is not actually used in a standardized pattern all over India.

The same disease or the same procedure can be known by more than one name, all of which may be correct.

Sometimes they are used in short form.

So we see that this is the start of the journey, but data will be accessed by the other doctor the way it is accessed right now.

Q. Challenges?

Ans:

We don’t have a PDP bill. So, the health policy says that it will be read with applicable law. Ideally this policy should have come with the PDP, which is still pending in Parliament.

Laws are not adequate or equipped to safeguard data and privacy in this age of cyber crime and IT.

However, the policy gives some hope. So once the data policy is passed, I hope this bill will be subsumed in that.

What happens if data is breached by an authority? What penalty will be applied to them?

Q. As far as the penalty is concerned, for any breach, or if someone doesn't comply with the policy or with the rules and guidelines, what kind of action can we expect to be taken?

Ans-  

Personal Data Protection Bill: The requirement of the PDP is under consideration and we are in tune with that. The PDP is a very broad and generalist data bill. So, even when it is passed, the Health Data Policy may not be subsumed, because the requirement for such specific provisions of a health data bill will still be there, and that is the reason it is as per the requirement of the society.

Dynamic Law: It is a requirement of society: as technology advances and social customs and values change, the law keeps changing. There are also certain principles which have been defined with respect to privacy by Supreme Court judgements.

Law backing: Judgements of the Supreme Court have the effect of law. It is not 100% correct to say that we don't have any legal framework dealing with privacy. We do have this in the form of various Supreme Court judgements like the Puttaswamy judgement. We do have general kinds of law which to some extent take care of privacy. We can definitely use these legal provisions till the PDP bill is passed by Parliament. Therefore, we do have adequate legal provisions for its safeguard.

PENALTY:

Punishment or penalty will depend on the level of mischief. It will be depending on the type of the person tries to do in that it has taken between Scooby-

Suspension, permanent cancellation from the ecosystem, and we can also consider prosecuting them in civil and criminal courts as per the various existing laws. But it will depend from case to case.

Q. The draft policy was kept in the public domain for some time, and now we have the final policy, so what changes were made in it?

Ans:

Dynamic policy: One very important change is that it is explicitly declared that it will be a dynamic document as and when we get to.

Certain concerns were raised about the definition of extremely sensitive data, which we have tried to address by specifically making clear that all the health data will be extra sensitive.

Q. Would you say that this is a step in the right direction as far as a digital health ecosystem is concerned?

ANS:

The Policy is definitely an improvement on the draft document. Definitions were clearly mentioned. For example, they clarified what the consent manager will look like.

It mentions that the consent manager will help you navigate your privacy concerns. Not sure how that will translate into an electronic consent manager.

Another issue is how to get actual, proper informed consent, because the policy says that it will be done under the Indian Contract Act. But we are mostly following a tick button where we accept the conditions of websites. How would we know where the loophole is?

Q. What does this policy mean for the digital health ecosystem? What is the status of digital health in our country? How do we move forward?

Ans:

  • India and the top hospitals have their own digital health systems; this policy enables all these separate players to come together and form an ecosystem, a system of systems.
  • This will also lead in the long run to some kind of standardization across various hospitals, which in future will enable the generation of big data.
  • The emphasis will always be on privacy and the individual concerned, and probably then anonymized and aggregated data can be used to make better decisions for the public and public policy and in medical science.
  • We also have to take care that it is a genuine public cause for which we will be using it, and not commercial exploitation by some xyz entity.
  • Will this entire system be considered a digital public good, and can it be auditable?
  • Can people actually have access to the source code provided to actually verify the system and see if everything is going exactly the way it's supposed to go?
  • Data from the Vahan Sarthi programme was leaked outside and people were targeted using this data.

In the case of the Vahan Sarthi programme, the concerned transport department server has the data about all the driving licence plate and all vehicles.

This is not the case here: what we are trying to do is store the data in a federated architecture. The hospital's system will have the hospital's data; it is not going to go anywhere. We are only connecting these things.

A better example may be the UPI platform: the data of various public sector and private sector banks stays with the banks themselves, and UPI just connects them.

Yes, audit logs: we are going to have a log of each and every entry, including entries that are sometimes made incorrectly by mistake and then corrected; those corrections will be logged as well, so that we know when an entry was corrected.

Coming to telemedicine: The biggest challenge with telemedicine at present is whether the person we are getting connected to is actually a doctor or not; the KYC of a doctor is still a problem. This will be resolved in NDHM.
