The Centre for Internet and Society
http://editors.cis-india.org
Health Data Management Policies - Differences Between the EU and India
http://editors.cis-india.org/internet-governance/blog/health-data-management-policies
<b>Through this issue brief we would like to highlight the differences in approaches to health data management taken by the EU and India, and look at possible recommendations for India, in creating a privacy preserving health data management policy. </b>
<p>This issue brief was reviewed and edited by Pallavi Bedi</p>
<hr />
<h2>Introduction</h2>
<p style="text-align: justify; ">Health data has seen increased interest the world over, on account of the amount of information and inferences that can be drawn not just about a person but also about the population in general. The Covid-19 pandemic also brought an increased focus on health data, and required players that earlier did not collect health data, including offices and public spaces, to collect such data. This increased interest has led to further thought on how health data is regulated and a greater understanding of the sensitivity of such data, because of which countries are at varying stages of regulating health data over and above their existing data protection regulations. The regulations not only look at ensuring the privacy of the individual but also look at ways in which this data can be shared with companies, researchers and public bodies to foster innovation and to monetise this valuable data. However, for a number of countries the effort is still on the digitisation of health data. India has been in the process of implementing a nationwide health ID that can be used by a person to get all their medical records in one place. The National Health Authority (NHA) has also since 2017 been publishing policies that look at the framework and ecosystem of health data, as well as the management and sharing of health data. However, these policies and a scattered implementation of the health ID are being carried out without a data protection legislation in place. In comparison, Europe, which already has an established health ID system and a data protection legislation (GDPR), is looking at the next stage of health data management through the EU Health Data Space (EUHDS). Through this issue brief we would like to highlight the differences in approaches to health data management taken by the EU and India, and look at possible recommendations for India, in creating a privacy preserving health data management policy.</p>
<h2 style="text-align: justify; ">Background</h2>
<h3>EU Health Data Space</h3>
<p style="text-align: justify; "><span>The EU Health Data Space (<b>EUHDS</b>) was proposed by the EU Council as a way to create an ecosystem which combines rules, standards, practices and infrastructure around health data under a common governance framework. The EUHDS is set to rely on two pillars, namely MyHealth@EU and HealthData@EU: MyHealth@EU facilitates easy flow of health data between patients and healthcare professionals within member states, while HealthData@EU facilitates secondary use of data, which allows policy makers and researchers access to health data to foster research and innovation.<a href="#_ftn1" name="_ftnref1"><sup><sup><span>[1]</span></sup></sup></a> The EUHDS aims to provide a trustworthy system to access and process health data and builds on the General Data Protection Regulation (GDPR) and the proposed Data Governance Act.<a href="#_ftn2" name="_ftnref2"><sup><sup><span>[2]</span></sup></sup></a></span></p>
<h3><span>India’s health data policies: </span></h3>
<p style="text-align: justify; "><span>The last few years have seen a flurry of health policies and documents being published and the creation of a framework for the evolution of a National Digital Health Ecosystem (NDHE). The components for this ecosystem were the National Digital Health Blueprint published in 2019 (NDHB) and the National Digital Health Mission (NDHM). The Blueprint was created to implement the National Health Stack (published in 2018), which facilitated the creation of Health IDs.<a href="#_ftn3" name="_ftnref3"><sup><sup><span>[3]</span></sup></sup></a> The NDHM, in turn, was drafted to drive the implementation of the Blueprint, and to promote and facilitate the evolution of the NDHE.<a href="#_ftn4" name="_ftnref4"><sup><sup><span>[4]</span></sup></sup></a> </span></p>
<p style="text-align: justify; "><span>The National Health Authority (<b>NHA</b>) established in 2018 has been given the responsibility of implementing the National Digital Health Mission. 2018 also saw the Digital Information Security in Healthcare Act (<b>DISHA</b>) which was to be a legislation that laid down provisions that regulate the generation, collection, access, storage, transmission and use of Digital Health Data ("DHD") and associated personal data.<a href="#_ftn5" name="_ftnref5"><sup><sup><span>[5]</span></sup></sup></a> However since its call for public consultation no progress has been made on this front.</span></p>
<p style="text-align: justify; "><span>Along with these three strategy documents, the NHA has also released policy documents, more particularly the Health Data Management Policy (which was revised three times; the latest version released in April 2022), the Health Data Retention Policy (released April 2021), and the Consultation Paper on Unified Health Interface (UHI) (released March 2021). Along with this, in 2022 the NHA released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY), India’s state health insurance policy. </span></p>
<p style="text-align: justify; "><span>However these draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; the PM-JAY’s Data Sharing Guidelines published in August 2022 did not even refer to the draft National Digital Health Data Management Policy (published in April 2022). As stated through the examples above these documents do not cross-refer or mention preceding health data documents, creating a lack of clarity of which documents are being used as guidelines by health care providers. </span></p>
<p style="text-align: justify; "><span>In addition to this the Personal Data Protection Bill has been revised three times since its release in 2018. The latest version was published for public comments on November 18, 2022; the Bill has removed the distinction between sensitive personal data and personal data and clubbed all personal data under one umbrella heading of personal data. Health and health data definition has also been deleted; creating further uncertainty with respect to health data as the different policies mentioned above rely on the data protection legislation to define health data. <br /></span></p>
<h3><b><span>Comparison of the Health Data Management Approaches </span></b><span><br /> </span><span>Interoperability with Data Protection Legislations </span></h3>
<p style="text-align: justify; "><b><span><br /></span></b><span>At the outset the key difference between the EU and India’s health data management policies has been the legal backing of GDPR which the EUHDS has. EUHDS has a strong base in terms of rules for privacy and data protection as it follows, draws inference and works in tandem with the General Data Protection Regulation (GDPR). The provisions also build upon legislation such as Medical Devices Regulation and the In Vitro Diagnostics Regulation. With particular respect to GDPR the EUHDS draws from the rights set out for protection of personal data including that of electronic health data.<br /></span></p>
<p style="text-align: justify; "><span>The Indian health data policies, however, currently exist in the vacuum created by the multiple versions of the Data Protection Bill that are published and repealed or replaced. The current version, called the Digital Personal Data Protection Bill 2022, seems to take a step backward in terms of health data. The current version does away with sensitive personal data (which health data was a part of) and keeps only one category of data - personal data. It can be construed that the Bill currently considers all personal data as needing the same level of protection, but it is not so in practice. The Bill does not at the moment mandate more responsibilities on data fiduciaries<a href="#_ftn6" name="_ftnref6"><sup><sup><span>[6]</span></sup></sup></a> that deal with health data (something that was present in all the earlier versions of the Bill and in other data protection legislation across different jurisdictions) and leaves the creation of Significant Data Fiduciaries (who have more responsibilities) to rules, based on the sensitivity of data decided by the government at a later date.<a href="#_ftn7" name="_ftnref7"><sup><sup><span>[7]</span></sup></sup></a> In addition to this, the Bill does not define “health data”. This is a cause for worry because the existing health data policies also do not define health data, often relying on the definition mentioned in the versions of the Data Protection Bill. </span></p>
<h3><span>Definitions and Scope</span></h3>
<p><span>The EUHDS defines ‘personal electronic health data’ as data concerning health and genetic data as defined in Regulation (EU) 2016/679<a href="#_ftn8" name="_ftnref8"><sup><sup><span>[8]</span></sup></sup></a>, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services, processed in an electronic form. Health data by these parameters would then include not just data about the status of health of a person which includes reports and diagnosis, but also data from medical devices. <br /></span></p>
<p style="text-align: justify; "><span>In India, the Health Data Management Policy 2022 defines “Personal Health Records” (<b>PHR</b>) as a health record that is initiated and maintained by an individual. The policy also states that a PHR would be able to reveal a complete and accurate summary of the health and medical history of an individual by gathering data from multiple sources and making this accessible online. However, there is no definition of health data which can be used by companies or users to know what comes under health data. The 2018, 2019 and 2021 versions of the Data Protection Legislation had definitions of the term health data; however, the 2022 version of the Bill does away with the definition.<br /></span></p>
<h3><span>Health data and wearable devices</span></h3>
<p style="text-align: justify; "><span>One of the forward looking provisions in the EUHDS is the inclusion of devices that record health data in this legislation. This also includes the requirement that they be added to registries to provide easy access and scrutiny. The document also requires voluntary labeling of wellness applications and registration of EHR systems and wellness applications. This is not just from the regulation point of view but also for data portability, in order for people to control the data they share. In addition to this, where manufacturers of medical devices and high-risk AI systems declare interoperability with the EHR systems, they will need to comply with the essential requirements on interoperability under the EHDS. </span></p>
<p style="text-align: justify; "><span>In India, the Health Data Management Policy 2022, while stating the applicable entities and individuals who are part of the ABDM ecosystem<a href="#_ftn9" name="_ftnref9"><sup><sup><span>[9]</span></sup></sup></a>, mentions medical device manufacturers but does not mention device sellers or use terms such as wellness applications or wearable devices. Currently the regulation of medical devices falls under the purview of the Drugs and Cosmetics Act, 1940 (DCA) read along with the Medical Device Rules, 2017 (MDR). However, in 2020, possibly due to the pandemic, the Indian Government along with the Drugs Technical Advisory Board (DTAB) issued two notifications: the first one expanded the scope of medical devices, which earlier was limited to only 37 categories excluding medical apps, and the second one notified the Medical Device (Amendment) Rules, 2020. These two changes together brought all medical devices under the DCA as well as expanded the categories of medical devices. However, it is still unclear whether fitness tracker apps that come with devices are regulated, as the rules and the DCA still rely on the manufacturer to self-identify as a medical device.<a href="#_ftn10" name="_ftnref10"><sup><sup><span>[10]</span></sup></sup></a> However, this regulatory uncertainty has not brought about any change in how this data is being used, and insurance companies at times encourage people to sync their fitness tracker data.<a href="#_ftn11" name="_ftnref11"><sup><sup><span>[11]</span></sup></sup></a></span></p>
<h3><span>Multiple use of health data </span></h3>
<p style="text-align: justify; "><span>The EUHDS states two types of uses of data: primary and secondary use of data. In the document the EU states that while there are a number of organisations collecting data, this data is not made available for purposes other than that for which it was collected. In order to ensure that researchers, innovators and policy makers can use this data, the EU encourages the data holders to contribute to this effort by making different categories of electronic health data they are holding available for secondary use. The data that can be used for secondary use would also include user generated data such as from devices, applications or other wearables and digital health applications. However, the regulation cautions against using this data for measures and decisions that are detrimental to the individual, such as increasing insurance premiums. The EUHDS also states that as the data is sensitive personal data, care should be taken by the data access bodies to ensure that, while data is being shared, it will be processed in a privacy preserving manner. This could include pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data.</span></p>
<p style="text-align: justify; "><span>While the document states how important it is to have secondary use of the data for public health, research and innovation it also requires that the data is not provided without adequate checks. The EUHDS requires the organisation seeking access to provide several pieces of information and be evaluated by the data access body. The information should include legitimate interest, the necessity and the process the data will go through. In the case where the organisation is seeking pseudonymised data, there is a need to explain why anonymous data would not be sufficient. In order to ensure a comprehensive approach between health data access bodies, the EUHDS states that the European Commission should support the harmonisation of data application, as well as data request. <br /></span></p>
<p style="text-align: justify; "><span>In India, while multiple health data documents state the need to share data for public interest, research and innovation, not much thought has been given to ensuring that the data is not misused and that there is harmonisation between bodies that provide the data. Most recently, the PM-JAY document states that the NHA shall make aggregated and anonymised data available through a public dashboard for the purpose of facilitating health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions and such other purposes as may be specified by the NHA. Such data can be accessed through a request to the Data Sharing Committee<a href="#_ftn12" name="_ftnref12"><sup><sup><span>[12]</span></sup></sup></a> for the sharing of such information through secure modes, including clean rooms and other such secure modes specified by NHA. However, the document does not mention what clean rooms are in this context. </span></p>
<p style="text-align: justify; "><span>The Health Data Management Policy 2022 states that data fiduciaries (data controllers/processors according to the data protection legislation) can themselves make anonymised or de-identified data in an aggregated form available based on technical processes and anonymisation protocols which may be specified by the NDHM in consultation with the MeitY. The purposes mentioned in this policy included health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions and such other purposes as may be specified by the NDHMP. The policy states that in order to access the anonymised or de-identified data, the entity requesting the data would have to provide relevant information such as name, purpose of use and nodal person of contact details. While the policy does not go into details about the scrutiny of the organisations seeking this data, it does state that the data will be provided based on the term as may be stipulated. <br /></span></p>
<p style="text-align: justify; "><span>However, an issue arises because the two documents published by the NHA do not have a similar process for getting the data. For example, the NDHMP requires the data fiduciary to share the data directly, while the PM-JAY guidelines require the data to be shared by the Data Sharing Committee, creating duplicate datasets as well as affecting the quality of the data being shared. </span></p>
<h3><b><span>Recommendations for India </span></b><span><br /> </span><span>Need for a data protection legislation:</span></h3>
<p style="text-align: justify; "><span>While the EUHDS is still a draft document and the end result could be different based on the consultations and deliberations, the document has a strong base with respect to privacy and data protection, built on the earlier regulations and the GDPR. The definitions of what counts as health data, and the parameters for managing the data, create a more streamlined process for all stakeholders. More importantly, the GDPR and other regulations provide a way of recourse for people. In India, the health data related policies and strategy documents have been published and enforced before the data protection legislation is passed. In addition to this, India, unlike the EU, has just begun looking at a universal health ID and digitisation of the healthcare system; ideally it would be better to take each step at a time, and at first look at the issues that may arise due to the universal health ID. Moreover, multiple policies, without a strong data protection legislation providing parameters and definitions, could mean that the health data management policies only benefit certain people. This also creates uncertainty in terms of where an individual will go in case of harms caused by the processing of their data, and who would be the authority to govern questions around health data. The division of health data management between different documents also creates multiple silos of data management, which creates data duplication and issues with data quality. </span></p>
<h3><span>Secondary use of data</span></h3>
<p style="text-align: justify; "><span>While both the EUHDS and India's Health Data Management Policy look at the sharing of health data with researchers and private organisations in order to foster innovation, the division of sharing of data based on who uses the data is a good way to ensure that only interested parties have access to the data. With respect to the health data policies in India, a number of policies talk about the sharing of anonymised data with researchers; however, the documents being scattered could cause the same data to be shared by multiple health data entities, making it possible to identify people. For example, the health data management policy could share anonymised data of health services used by a person, whereas the PM-JAY policy could share data about insurance covers, and the researcher could probably match the data and be closer to identifying people. It has also been revealed in multiple studies that anonymisation of data is not permanent and that the anonymisation can be broken. This is more concerning since the policies do not put limits or checks on who the researchers are and what the end goal of the data sought by them is; the policies seem to rely on the anonymisation of the data as the only check for privacy. This data could be used to de-anonymise people, or could be used by companies working with the researchers to get large amounts of data to train their systems, training data that could lead to greater surveillance, increased insurance scrutiny, etc. The NHA and Indian health policy makers could look at the restrictions and checks that the EUHDS creates for the secondary use of data and create systems of checks and categories of researchers and organisations seeking data to ensure minimal risks to an individual’s data. </span></p>
<h2><b><span>Conclusion</span></b></h2>
<p style="text-align: justify; "><span>While the EU Health Data Space has been criticised for facilitating vast amounts of data with private companies and the collecting of data by governments, the codification of the legislation does in some way provide a means to regulate the flow of health data. While India does not have to emulate the EU and have a similar document, it could look at the best practices and issues that are being highlighted with the EUHDS. Indian lawmakers have looked at the GDPR for guidance for the draft data protection legislation; similarly, they could do so with regard to health data and health data management. One possible way to ensure both the free flow of health data and the safeguards of a regulation could be to re-introduce the DISHA Act, which much like the EUHDS could act as a legislation that provides an anchor to the multiple health data policies, including a standard definition of health data, grievance redressal bodies, and adjudicating authorities and their functions. In addition, a legislation dedicated to health data would also remove the existing burden on the to-be-formed data protection authority. </span></p>
<hr />
<div><br />
<div id="ftn1">
<p><a href="#_ftnref1" name="_ftn1"><sup><sup><span>[1]</span></sup></sup></a><span> “</span><span>European Health Data Space</span><span>”, European Commission, 03 May 2022, https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space_en </span></p>
</div>
<div id="ftn2">
<p><a href="#_ftnref2" name="_ftn2"><sup><sup><span>[2]</span></sup></sup></a><span>“</span><span>European Health Data Space</span><span>”</span></p>
</div>
<div id="ftn3">
<p><a href="#_ftnref3" name="_ftn3"><sup><sup><span>[3]</span></sup></sup></a><span> “National Digital Health Blueprint”, Ministry of Health and Family Welfare Government of India, https://abdm.gov.in:8081/uploads/ndhb_1_56ec695bc8.pdf</span></p>
</div>
<div id="ftn4">
<p><a href="#_ftnref4" name="_ftn4"><sup><sup><span>[4]</span></sup></sup></a><span> “National Digital Health Blueprint”</span></p>
</div>
<div id="ftn5">
<p><a href="#_ftnref5" name="_ftn5"><sup><sup><span>[5]</span></sup></sup></a><span> “Mondaq”, “DISHA – India's Probable Response To The Law On Protection Of Digital Health Data”, accessed 13 June 2023, https://www.mondaq.com/india/healthcare/1059266/disha-india39s-probable-response-to-the-law-on-protection-of-digital-health-data</span></p>
</div>
<div id="ftn6">
<p><a href="#_ftnref6" name="_ftn6"><sup><sup><span>[6]</span></sup></sup></a><span> “The Digital Personal Data Protection Bill 2022”, accessed 13 June 2023, https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf</span></p>
</div>
<div id="ftn7">
<p><a href="#_ftnref7" name="_ftn7"><sup><sup><span>[7]</span></sup></sup></a><span>The Digital Personal Data Protection Bill 2022</span></p>
</div>
<div id="ftn8">
<p style="text-align: justify; "><a href="#_ftnref8" name="_ftn8"><sup><sup><span>[8]</span></sup></sup></a><span> Regulation (EU) 2016/679 defines health data as “Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council (1) to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.” </span></p>
</div>
<div id="ftn9">
<p style="text-align: justify; "><a href="#_ftnref9" name="_ftn9"><sup><sup><span>[9]</span></sup></sup></a><span> For creating an integrated, uniform and interoperable ecosystem in a patient or individual centric manner, all the government healthcare facilities and programs, in a gradual/phased manner, should start assigning the same number for providing any benefit to individuals.</span></p>
</div>
<div id="ftn10">
<p style="text-align: justify; "><a href="#_ftnref10" name="_ftn10"><sup><sup><span>[10]</span></sup></sup></a><span> For example a manufacturer of a fitness tracker which is capable of monitoring heart rate could state that the intended purpose of the device was fitness or wellness as opposed to early detection of heart disease thereby not falling under the purview of the regulation.</span></p>
</div>
<div id="ftn11">
<p style="text-align: justify; "><a href="#_ftnref11" name="_ftn11"><sup><sup><span>[11]</span></sup></sup></a><span> “</span><span>Healthcare Executive”, “GOQii Launches GOQii Smart Vital 2.0, an ECG-Enabled Smart Watch with Integrated Outcome based Health Insurance & Life Insurance”, accessed 13 June 2023<br /> </span><a href="https://www.healthcareexecutive.in/blog/ecg-enabled-smart-watch"><span>https://www.healthcareexecutive.in/blog/ecg-enabled-smart-watch</span></a><span> </span></p>
</div>
<div id="ftn12">
<p style="text-align: justify; "><a href="#_ftnref12" name="_ftn12"><sup><sup><span>[12]</span></sup></sup></a><span> The guidelines only state that the Committee will be responsible for ensuring the compliance of the guidelines in relation to the personal data under its control, and do not go into details of defining the Committee.</span></p>
</div>
</div>
No publisher; shweta; Health Management; Privacy; Internet Governance; Covid19; Digitisation; 2023-07-10T16:36:25Z; Blog Entry

Civil Society’s second opinion on a UHI prescription
http://editors.cis-india.org/internet-governance/blog/civil-society-second-opinion-on-uhi-prescription
<b>On January 13, Pallavi Bedi and Shweta Mohandas from CIS participated in an online collaboration organised by Internet Freedom Foundation for a joint submission to the Consultation Paper on Operationalising Unified Health Interface (UHI) in India released by the National Health Authority.</b>
<p>The article originally published by Internet Freedom Foundation can be <a class="external-link" href="https://internetfreedom.in/civil-societys-second-opinion-on-a-uhi-prescription/">accessed here</a>.</p>
<hr />
<p style="text-align: justify; ">The National Health Authority (NHA) released the Consultation Paper on Operationalising Unified Health Interface (UHI) in India on December 14, 2022. The deadline for submission of comments was January 13, 2023. We collaborated with the Centre for Health Equity, Law & Policy, the Centre for Internet & Society, & the Forum for Medical Ethics Society to submit comments on the paper.</p>
<h3 id="background">Background</h3>
<p style="text-align: justify; ">The UHI is proposed to be a “foundational layer of the Ayushman Bharat Digital Health Mission (ABDM)” and is “envisioned to enable interoperability of health services in India through open protocols”. The ABDM, previously known as the National Digital Health Mission, was announced by the Prime Minister on the 74th Independence Day, and it envisages the creation of a National Digital Health Ecosystem with six key features: Health ID, Digi Doctor, Health Facility Registry, Personal Health Records, Telemedicine, and e-Pharmacy. After launching the programme in six Union Territories, the National Health Authority issued a press release on August 26, 2020 announcing the public consultation for the Draft Health Data Management Policy for NDHM. While the government has repeatedly claimed that creation of a health ID is purely voluntary, contrary <a href="https://caravanmagazine.in/health/doctors-in-chandigarh-compelled-to-register-for-the-voluntary-national-health-id">reports</a> have emerged. In our <a href="https://drive.google.com/file/d/1H5zWsIPj92Vp_gxloBcBzjTwOFif47xY/view">comments</a> as part of the public consultation, our primary recommendation was that deployment of any digital health ID programme must be preceded by the enactment of general and sectoral data protection laws by the Parliament of India; and meaningful public consultation which reaches out to vulnerable groups which face the greatest privacy risks.</p>
<p style="text-align: justify; ">As per the synopsis document which accompanies the consultation paper, it aims to “seek feedback on how different elements of UHI should function. Inviting public feedback will allow for early course correction, which will in-turn engender trust in the network and enhance market adoption. The feedback received through this consultation will be used to refine the functionalities of UHI so as to limit any operational issues going forward.” The consultation paper contains a set of close-ended questions at the end of each section through which specific feedback has been invited from interested stakeholders. We have collaborated with the Centre for Health Equity, Law & Policy, the Centre for Internet & Society, & the Forum for Medical Ethics Society to draft the comments on this consultation paper.</p>
<p style="text-align: justify; ">Our main concern relates to the approach the Government of India and concerned Ministries adopt in drafting a consultation paper without explicitly outlining how the proposed UHI fits into the broader healthcare ecosystem and quantifying how it improves it, rendering the consultation paper and public engagement efforts inadequate. Additionally, it doesn’t allow the public at large, and other stakeholders, to understand how it may contribute to people’s access to quality care towards ensuring realisation of their constitutional right to health and health care. The close-ended nature of the consultation process, wherein specific questions have been posed, restricts stakeholders from questioning the structure of the ABDM itself and forces us to engage with its parts, thereby incorrectly assuming that there is support for the direction in which the ABDM is being developed.</p>
<h3 id="our-submissions">Our submissions</h3>
<p>A. <b>General comments</b></p>
<p>a. <b>Absence of underlying legal framework</b></p>
<p style="text-align: justify; ">Ensuring health data privacy requires legislation at three levels: comprehensive laws, sectoral laws and informal rules. Here, the existing proposal for the data protection legislation, i.e., the draft Digital Personal Data Protection Bill, 2022 (DPDPB, 2022), which could act as the comprehensive legal framework, is inadequate to sufficiently protect health data. This inadequacy arises from the failure of the DPDPB, 2022 to give a higher degree of protection to sensitive personal data and from its allowing non-consensual processing of health data in certain situations under Clause 8, which relates to “deemed consent”. Here, it may also be noted that the DPDPB, 2022 fails to specifically define either health or health data. Further, the proposed Digital Information Security in Healthcare Act, 2017, which may have acted as a sectoral law, is presently before the Parliament and has not been enacted. Here, the absence of safeguards allows for data capture by health insurance firms and subsequent exclusion/higher costs for vulnerable groups of people. Similarly, such data capture by other third parties potentially leads to commercial interests creeping in at the cost of users of health care services and breach of their privacy and dignity.</p>
<p>b. <b>Issues pertaining to scope</b></p>
<p style="text-align: justify; ">Clarity is needed on whether UHI will be only providing healthcare services through private entities, or will also include the public health care system and various health care schemes and programs of the government, such as eSanjeevani.</p>
<p>c. <b>Pre-existing concerns</b></p>
<ol>
<li style="text-align: justify; "><b>Exclusion</b>: Access to health services through the Unified Health Interface should not be made contingent upon possessing an ABHA ID, as alluded to in the section on ‘UHI protocols in action: An example’ under Chapter 2(b). Such an approach is contrary to the Health Data Management Policy that is based on individual autonomy and voluntary participation. Clause 16.4 of the Policy clearly states that nobody will “be denied access to any health facility or service or any other right in any manner by any government or private entity, merely by reason of not creating a Health ID or disclosing their Health ID…or for not being in possession of a Health ID.” Moreover, the National Medical Commission Guidelines for Telemedicine in India also does not create any obligation for the patient to possess an ABHA ID in order to access any telehealth service. The UHI should explicitly state that a patient can log in on the network using any identification and not just ABHA.</li>
<li style="text-align: justify; "><b>Consent</b>: As per media <a href="https://caravanmagazine.in/health/chandigarh-administratio-aggressively-pushes-national-health-id-registrations-among-residents">reports</a>, registration for a UHID under the NDHM, which is an earlier version of the ABHA number under the ABDM, may have been voluntary on paper but it was being made mandatory in practice by hospital administrators and heads of departments. Similarly, <a href="https://www.thequint.com/tech-and-auto/govt-created-uhid-without-consent-say-vaccinated-indians">reports</a> suggest that people who received vaccination against COVID-19 were assigned a UHID number without their consent or knowledge.</li>
<li style="text-align: justify; "><b>Function creep</b>: In the absence of an underlying legal framework, concerns also arise that the health data under the NDHM scheme may suffer from function creep, i.e., the collected data being used for purposes other than those for which consent has been obtained. These concerns arise due to similar function creep taking place in the context of data collected by the Aarogya Setu application, which has now pivoted from being a contact-tracing application to “<a href="https://indianexpress.com/article/technology/tech-news-technology/aarogya-setus-journey-from-a-quick-fix-for-contract-tracing-to-health-app-of-the-nation-8006372/">health app of the nation</a>”. Here, it must be noted that as per an RTI response dated June 8, 2022 from NIC, the Aarogya Setu Data Access And Knowledge Sharing Protocol “<a href="https://drive.google.com/file/d/1eSUoZtFqrIcqJH2Q2zK-LJmTDKF49l66/view">has been discontinued</a>”.</li>
<li style="text-align: justify; "><b>Issues with the United Payments Interface may be replicated by the UHI</b>: The consultation paper cites the United Payments Interface (UPI) as “strong public digital infrastructure” which the UHI aims to leverage. However, a trend towards market concentration can be witnessed in UPI: the two largest entities, GooglePay and PhonePe, have seen their market share hover around 35% and 47% (by volume) for some time now (their share by value transacted is even higher). Meanwhile, the share of the NPCI’s own app (BHIM) has fallen from 40% in August 2017 to 0.74% in September 2021. Thus, if such a model is to be adopted, it is important to study the UPI model to understand such threats and ensure that a similar trend towards oligopoly or monopoly formation in UHI is addressed. This is all the more important in a country in which the decreasing share of the public health sector has led to skyrocketing healthcare costs for citizens.</li>
</ol>
<p style="text-align: justify; ">B. Our response also addressed specific questions about search and discovery, service booking, grievance redressal, and fake reviews and scores. Our responses on these questions can be found in our comments <a href="https://drive.google.com/file/d/1j9wUafZM10kmS_MOzk-D8LYIPMm_9JOa/view?usp=share_link">here</a>.</p>
<h3 id="our-previous-submissions-on-health-data">Our previous submissions on health data</h3>
<p style="text-align: justify; ">We have consistently engaged with the government since the announcement of the NDHM in 2020. Some of our submissions and other outputs are linked below:</p>
<ol>
<li>IFF’s comment on the Draft Health Data Management Policy dated May 21, 2022 (<a href="https://drive.google.com/file/d/1I4ZAVLNa00v_MeTDYoAv63Ueq6ICTwWT/view?usp=sharing">link</a>)</li>
<li>IFF’s comments on the consultation Paper on Healthcare Professionals Registry dated July 20, 2021 (<a href="https://drive.google.com/drive/folders/10x0IirdQTZCC9S_w83nTVp1GRsxArDt7">link</a>)</li>
<li>IFF and C-HELP Working Paper: ‘Analysing the NDHM Health Data Management Policy’ dated June 11, 2021 (<a href="https://drive.google.com/file/d/1sEBg-syzsbe159x4PGkAHzcZilct0cQq/view">link</a>)</li>
<li>IFF’s Consultation Response to Draft Health Data Retention Policy dated January 6, 2021 (<a href="https://drive.google.com/file/d/124iqcboTxkrPLMPX6erLXjhH1SDk_L0B/view?usp=sharing">link</a>)</li>
<li>IFF’s comments on the National Digital Health Mission’s Health Data Management Policy dated September 21, 2020 (<a href="https://drive.google.com/file/d/1H5zWsIPj92Vp_gxloBcBzjTwOFif47xY/view?usp=sharing">link</a>)</li>
</ol>
<h3 id="important-documents">Important documents</h3>
<ol>
<li style="text-align: justify; ">Response on the Consultation Paper on Operationalising Unified Health Interface (UHI) in India by Centre for Health Equity, Law & Policy, the Centre for Internet & Society, the Forum for Medical Ethics Society, & IFF dated January 13, 2023 (<a href="https://drive.google.com/file/d/1j9wUafZM10kmS_MOzk-D8LYIPMm_9JOa/view?usp=share_link">link</a>)</li>
<li>NHA’s Consultation Paper on Operationalising Unified Health Interface (UHI) in India dated December 14, 2022 (<a href="https://abdm.gov.in:8081/uploads/Consultation_Paper_on_Operationalising_Unified_Health_Interface_UHI_in_India_9b3a517a22.pdf">link</a>)</li>
<li>Synopsis of NHA’s Consultation Paper on Operationalising Unified Health Interface (UHI) in India dated December 14, 2022 (<a href="https://abdm.gov.in:8081/uploads/Synopsis_Operationalising_Unified_Health_Interface_UHI_in_India_308cd449fb.pdf">link</a>)</li>
</ol>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/civil-society-second-opinion-on-uhi-prescription'>http://editors.cis-india.org/internet-governance/blog/civil-society-second-opinion-on-uhi-prescription</a>
</p>
No publisher | Pallavi Bedi and Shweta Mohandas | Health Tech, Health Management, Internet Governance, Healthcare | 2023-02-15T08:20:15Z | Blog Entry
Comments to the Draft National Health Data Management Policy 2.0
http://editors.cis-india.org/internet-governance/blog/comments-to-the-draft-national-health-data-management-policy-2.0
<b>Anamika Kundu, Shweta Mohandas and Pallavi Bedi along with 9 other organizations / individuals drafted comments to the Draft National Health Data Management Policy 2.0. </b>
<p style="text-align: justify; ">This is a joint submission on behalf of (i) Access Now, (ii) Article 21, (iii) Centre for New Economic Studies, (iv) Center for Internet and Society, (v) Internet Freedom Foundation, (vi) Centre for Justice, Law and Society at Jindal Global Law School, (vii) Priyam Lizmary Cherian, Advocate, High Court of Delhi, (ix) Swasti-Health Catalyst, (x) Population Fund of India.</p>
<p style="text-align: justify; ">At the outset, we would like to thank the National Health Authority (NHA) for inviting public comments on the draft version of the National Health Data Management Policy 2.0 (NDHM Policy 2.0) (Policy). We have not provided comments on each section/clause, but have instead highlighted specific broad concerns which we believe are essential to address prior to the launch of NDHM Policy 2.0.</p>
<hr />
<p style="text-align: justify; ">Read on to <a href="http://editors.cis-india.org/internet-governance/draft-national-health-management-policy" class="internal-link">view the full submission here</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/comments-to-the-draft-national-health-data-management-policy-2.0'>http://editors.cis-india.org/internet-governance/blog/comments-to-the-draft-national-health-data-management-policy-2.0</a>
</p>
No publisher | Anamika Kundu, Shweta Mohandas and Pallavi Bedi | Health Tech, Health Management, Internet Governance, Healthcare | 2022-05-24T16:06:15Z | Blog Entry