Recently, the National Health Authority (NHA) published a consultation paper[1] seeking suggestions for developing a Healthcare Professionals Registry (HPR) as a part of the National Digital Health Mission (NDHM). The HPR is a master database of healthcare professionals that will allow users to search and identify healthcare professionals across the country. Currently, the National Medical Commission maintains an India Medical Registry Search[2] similar to the HPR. The Dentist Council of India also has a portal[3] serving similar needs. Some portals also provide registries of homeopathy and other allied healthcare professionals.
The Healthcare Professionals Registry is developed to bring all these registries together under a single platform. The aim is to include various stakeholders, including all the health care professionals that serve patients directly, such as doctors, dentists, and nurses, and other healthcare professionals that do not serve patients directly, including health service managers, support staff of hospitals, etc. Although it seems to be a robust plan, some legal considerations must be considered before implementing it. In the light of recent data leaks during the pandemic, the privacy risks that will be discussed are even more dangerous. This article analyses legal challenges that could impact stakeholders’ privacy, including the treatment given to the data collected and the data governance issues and further explores the possible sociological issues.
Classification of types of data
The consultation proposes two models of the Healthcare Professionals Registry – one is a patient-centric model where the concerned authorities will collect the data of the healthcare professionals who are in direct contact with the patients. The other model is an ecosystem-centric model where the authorities will collect details of healthcare professionals such as health service managers. Irrespective of the model chosen, data fields such as demographic information, language spoken, registration information, educational information, place of practice, and other information will be collected to develop the registry. It is crucial to classify the data fields into different definitions of data types to understand the governance treatment that will be adopted. The law that will apply for the protection of data, in this case, is quite ambiguous. India does not have specific legislation to govern data protection. However, some provisions of the Information Technology (Reasonable Security Practices Procedures and Sensitive Personal Data or Information) Rules, 2011[4]govern data protection by providing for reasonable security practices. These rules are not relevant in this scenario as the scope of the rules only covers private entities that collect and process data.
The Health Data Management Policy[5] approved in December 2020 for National Digital Health Mission provides for minimum requirements to be followed for data protection. This policy defines[6] Personal data the same way as is defined in the draft Personal Data Protection Bill, 2019[7]. Most of the data fields collected for the Healthcare Professionals Registry would fall under both definitions. The Policy has taken a step ahead and has included Unique Health ID and Personal Health Identifier under the definition of personal data. There are, however, noticeable differences between the governance framework prescribed under each of them. While the Policy includes anonymisation of data as one of the steps involved in processing the data collected, the Personal Data Protection Bill does not provide for anonymisation within its definition of processing. Other differences include an absence of discussion about re-identification of data which is imperative with respect to health data.
The draft of the Digital Information Security in Healthcare Act, 2018[8] should also be considered at this point as it was a health data-centric sectoral draft. Under Digital Information Security in Healthcare, Act some of the above data fields fall under Sec 3(k), which defines[9] personally identifiable information. Again, there are notable differences between the Digital Information Security in Healthcare Act draft and the policy. It foremost includes the differences in the definitions of personal data. There is also no harmonisation between the requirements of consent. While it is required at every stage in the Digital Information Security in Healthcare, Act draft, the Personal Data Protection Bill, and the Digital Health Policy only provide for a single consent requirement. All these differences are bound to affect the levels of governance.
Yet another issue with the governance framework is that few data fields such as language spoken or educational information would fall under the ambit of non-personal data. There is a separate framework[10] in the pipeline for the same. It could become strenuous for health professionals to keep track of how their data is being processed, given that there are so many differences between the policies and draft bills. This requires harmonisation of the policies with the draft bills and the consultation paper on Healthcare Professionals has to be revised accordingly.
Challenges with Data Governance
For the models of data governance, the consultation paper provides two options. One is the centralised model where the authorities under health mission will manage the master database and will address any issues, and the other is a decentralised set-up where such an authority will only act as an aggregator of various databases and will not be responsible for addressing any issues concerning the data. Based on the recent UHI Consultation paper[11], it is most likely that the decentralised model will be followed for all the components of the National Digital Health Mission. It is quite clear from the Healthcare Professionals Registry paper that the National Digital Health Mission, in this case, will only be an aggregator of data and will not be responsible for the veracity of the information. This is to be taken care of by those government agencies with a legal mandate to maintaining the same. This is counterproductive because the whole objective of the National Digital Health Mission is not just developing a model but also making it trustworthy.
Issues with anonymised data: Re-Identification of data
Another neglected aspect of the Healthcare Professionals Registry that is connected to the issues in the National Digital Health Mission is anonymisation and re-identification. Though there is no discussion about the same in the consultation paper, the Personal Data Protection bill lends help wherein it defines anonymised data and de-identified data by classifying the former as an irreversible process. Nonetheless, studies[12] have shown that anonymised data can also be re-identified using specific techniques.
The API model proposed for the healthcare professionals registry will help link various details(anonymised) that could result in re-identification. The consultation paper of the healthcare professionals registry states that the healthcare professionals registered on the platform will be able to look up patients records through their Unique Health ID. The Unique Health ID is a unique identification number given to the patients for holding their electronic health records. This ID is linked to the Aadhaar card. Though linking is not compulsory, there is an increasing number of cases[13] where they are being linked without the consent of the data principal. This link in itself will cause issues, including an increased risk of data theft, identity fraud, and data exploitation for commercial purposes. There is an increased concern of re-identification when doctors can look up these health IDs on the system.
Apart from the Aadhaar link, the consultation paper also states that[14] the health professionals’ ID (Health ID) that will be given to doctors will be linked to their respective facilities ID, whereby it can be used to manage the personnel management system. This way, every ID in the system is connected throughout and could also lead to a situation where it is connected outside the health networks. This will not just lead to an increased risk of cyber-crime but also will lead to the explosion of dossier society. The term ‘Dossier Society’ was coined in the late 1980s to define a society where states maintained dossiers on individual data. Coupled with today’s powerful technology, States have found it easier to collect data, thereby increasing State surveillance. Hence, connecting data across networks without a proper study of the risks of re-identification can violate the privacy of billions of individuals.
Issues with commercial use of data
The consultation paper does not reflect the draft of the Personal Data Protection Bill and Digital Information Security in Healthcare, Act and this is quite clear with the number of discrepancies between the paper and the existing policies, documents, and draft bills. While the Digital Information Security in Healthcare Act draft is very much against[15] the use of digital health data for commercial purposes such as marketing, the consultation paper very clearly states[16] that pharmaceutical companies can use doctors’ information on the network for marketing purposes. This gives a potential for possible misuse of data to sell products. Reports[17] have shown that various doctors have been subjected to unethical marketing practices. Access to more data without any safeguards will allow pharma companies to poach more healthcare professionals.
Adopting the privacy by design policy
Each of the documents, consultation papers, and policies use the term privacy by design to imply that frameworks have been built considering centred around the policy, but the approach that is taken towards data governance and linking data across networks with no safeguards does not conform with this policy. The recently released Unified Health Interface consultation paper[18] suggests that Unified Health Interface will be the basic foundation of the National Digital Health Mission wherein patients can search for healthcare professionals and opt for facilities such as teleconsultation. Again, this paper does not substantiate how personal data will be processed beyond the basic framework. The documents do not have strong points to substantiate and establish that the policies are being drafted around privacy[19]. None of them have addressed the fact that India does not have a robust legal framework for privacy. World Health Organization’s document[20]on legal frameworks for e-health highlights that three elements have to be taken care of for introducing an e-health network; comprehensive laws, sectoral laws, and informal rules[21]. India lacks comprehensive and sectoral laws; the policies that are being introduced would amount to informal rules and will hence face implementation problems.
The sociological perspective
The pandemic has brought in serious data privacy issues. Data is being collected and processed with no proper mechanism.
The requirement of Aadhaar cards for creating Health IDs has caused exclusion problems during the pandemic. Though the National Digital Health Mission policy says that the Aadhaar card is not a requirement, several incidents have shown that the health officials have insisted on the requirement of Aadhaar even for providing basic health treatment. This causes problems of exclusion where people are deprived of availing basic services.
As already discussed, the consent and governance frameworks of each of these policies are distinct. It will be exhaustive for healthcare professionals to keep track of their data. While the digital mission aims to develop an effective digital health infrastructure, such variations will make it challenging to implement it without significant issues.
The way Forward
The Healthcare Professionals Registry is a much-needed solution to tackle the problem of identifying the right talent. However, specific issues have to be addressed for Healthcare Professionals Registry and National Digital Health Mission to stand the test of time. The following points can be taken into consideration: –
- The consultation paper has to be revised following the existing documents and policies of the government. The paper should reflect the objectives of the Personal Data Protection Bill, 2019 and the Digital Information Security in Healthcare Act draft. Though they have not become law, the provisions framed under them reflect the minimum level of privacy requirements required to manage this system;
- There is no clarity as to how State’s databases will be treated. Tamil Nadu is developing[22] a database similar to the National Digital Health Mission at a micro-level. IDs identical to the Health ID are said to be issued to the residents of Tamil Nadu;
- Provisions that encourage using data for marketing purposes have to be revised. With the number of already existing problems, encouraging commercial data utilisation can prove to be an issue;
- There is no clarity on how certain elements such as Digidoctor will be treated once the project is fully launched. The Digidoctor, which can be linked to the Aadhaar Card, is similar to the Health Professional IDs (HPID) given to the health professionals. The paper does not provide any information on Digidoctor. It also does not provide information on whether or not the health professionals ID requires Aadhaar. Though it seems like both these IDs will be merged, the position regarding the same has to be clarified;
- The Healthcare Professionals Registry project has already been implemented in a pilot form. This can be used to understand the legal issues that could arise out of full-scale implementation;
- Re-identification issues have not been discussed in the consultation paper and the National Digital Health Mission draft. This has to be addressed as the data on the central platform will be possibly linked outside the network. One of the most suitable methods in the Indian scenario is minimising data collection. The data fiduciaries should narrow down the collection only to the required data fields and define the use of each of them;
- Linking the IDs with the Aadhaar card has made the system more vulnerable; hence, different verification mechanisms should be preferred over the Aadhaar. Sufficient training has to be given to the administrators to ensure that Aadhaar is not a compulsory requirement;
- In the decentralised model, National Digital Health Mission will be aggregating already available information from the governing bodies. Though the National Digital Health Mission needs to take the onus to verify the veracity, it should ensure that the details are re-checked by the agencies to avoid any issues with the veracity of the data available; and
- Currently, India does not have a robust data protection law without which it could become challenging to handle the problems arising from the system. With a significant volume of interconnected data across the network, it throws up privacy issues that can be managed only with a robust legal framework. This requires the legislature’s initiative in passing the pending bill.
With so many issues, it is less likely that the National Digital Health Mission will succeed from a long-term perspective. The issues aforementioned have to be addressed by consulting with the stakeholders who can provide detailed insights to make the system suitable for the Indian legal and technical environment.
Citation:
Harinie Seenivasan, Moving forward with the Healthcare Professionals Registry, Metacept-Communicating the Law, accessible at https://metacept.com/moving-forward-with-the-healthcare-professionals-registry
References:
[1] Consultation Paper on Healthcare Professionals Registry, National Health Authority, retrievable from https://National Digital Health Mission.gov.in/assets/uploads/consultation_papersDocs/Consultation-Paper-on-Healthcare-Professionals-Registry.pdf
[2] Indian Medical Registry Search, National Medical Commission, retrievable from https://www.nmc.org.in/information-desk/indian-medical-register/
[3] Indian Dentist Registry, Dental Council of India, retrievable from https://dciindia.gov.in/StateDentalCouncilList.aspx
[4] Information Technology Rules, Ministry of Communications and Information Technology, retrievable from https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf
[5] National Digital Health Mission: Health Data Management Policy, National Health Authority, retrievable from https://National Digital Health Mission.gov.in/health_management_policy
[6] Defined under Sec.4(y) ““personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information. For the purpose of this Policy, personal data would include Personal Health Identifier;”
[7] The Personal Data Protection, Bill 2019, PRS India, https://prsindia.org/files/bills_acts/bills_parliament/2019/Personal%20Data%20Protection%20Bill,%202019.pdf
[8] Digital Information Security in Healthcare, Act, Ministry of Health & Family Welfare, retrievable from https://www.nhp.gov.in/NHPfiles/R_4179_1521627488625_0.pdf
[9] Defined under Sec.3(k) “‘Personally Identifiable Information’ means any information that can be used to uniquely identify, contact or locate an individual, or can be used with other sources to uniquely identify a person, and includes the information stated in Schedule I.”
[10] Report by Committee of Experts on Non-Personal Data Governance Framework, Ministry of Electronics and Information Technology, retrievable from https://static.mygov.in/rest/s3fs-public/mygov_160922880751553221.pdf
[11] Consultation Paper on Unified Health Interface, National Health Authority, retrievable from https://National Digital Health Mission.gov.in/assets/uploads/consultation_papersDocs/UHI_Consultation_Paper.pdf
[12] Natasha Lomas, Researchers spotlight the lie of ‘anonymous’ data, Tech Crunch, accessible at https://techcrunch.com/2019/07/24/researchers-spotlight-the-lie-of-anonymous-data/
[13] Sarthak Dogra, Took Covid vaccine using Aadhaar? Your National Health ID has been created without your permission, India Today, accessible at https://www.indiatoday.in/technology/features/story/took-covid-vaccine-using-aadhaar-your-national-health-id-has-been-created-without-your-permission-1806470-2021-05-24
[14] Supra note 1 at 20.
[15] Supra note 8 at 20.
[16] Supra note 1 at20.
[17] Banjot Kaur, There’s an unhealthy alliance between doctors and pharma firms, DownTo Earth, accessible at, https://www.downtoearth.org.in/news/health/there-s-an-unhealthy-alliance-between-doctors-and-pharma-firms-64230)
[18]Consultation Paper on Unified Health Interface, National Health Authority, retrievable from, https://ndhm.gov.in/assets/uploads/consultation_papersDocs/UHI_Consultation_Paper.pdf
[19] Anita Gurumurthy,et.al, Responses to NHA Consultation Paper on the Unified Health Interface, IT for Change accessible at https://itforchange.net/sites/default/files/add/IT-for-Change-Response-to-the-consultation-on-UHI-Aug-2021.pdf.
[20] Legal frameworks for e-health, World Health Organization, retrievable from https://www.who.int/goe/publications/legal_framework_web.pdf
[21] Ibid at 21.
[22] Aihkir Suri, Tamil Nadu Government’s Plan To Roll Out Its Own Health ID Raises Eyebrows, Medianama, accessible at https://www.medianama.com/2021/09/223-tamil-nadu-health-id/
