The Centre for Internet & Society has made its submission to the National Digital Health Blueprint 2019 public, it addresses challenges and caveats in implementing an EHR system in India, wherein digital literacy and literacy levels are low. It explains that PHR benefits have been useful to those who are technically competent. It also flags issues with Digilocker and eSign, both of which are building blocks in the Blueprint. It also recommends that consent frameworks be designed around consent as a product.

Comments for the Blueprint closed on August 4, and haven’t yet been made public. The Ministry of Health held a public consultation on the Blueprint; our report of the day here. A summary of the Blueprint document is here.

Here are detailed notes from CIS’ submission (embedded below):

Anonymisation: DPA should create standards, only authorized bodies should access anonymised data

The Srikrishna Committee report has talked about the failure of anonymisation/de-identification, which can become redundant if quasi-identifiers are used. The EU and South Africa, among others, have put anonymised data outside the scope of data protection law. India has similar provisions in the PDP Bill, and additionally, also criminalises de-identification of anonymised data, without the consent of the data fiduciary.

  • The Data Protection Authority, as envisioned in the PDP Bill, should “create​ these standards that the health data under NDHB should follow​, to ensure the privacy of individuals”, as the Srikrishna Committee report has also recommended.
  • To address the possible failure of anonymisation, CIS recommends that the NDHB include an exhaustive list of bodies/individuals that can access the anonymised data and a list of cases cases for which they can access the data; this is to ensure that anonymised data is access by authorized agencies identified by the government. It also points out a provision in the DISHA Bill:

This should consider the recommendations made in the MoHFW’s Draft Digital Information Security in Health Act (DISHA) bill, which includes ​“​Digital health data, whether identifiable or anonymized, shall not be accessed, used or disclosed to any person for a commercial purpose and in no circumstances be accessed, used or disclosed to insurance companies, employers, human resource consultants and pharmaceutical companies, or any other entity as may be specified by the Central Government​.”

PHRs just won’t work in India, given current illiteracy and digital illiteracy rates and workload of health workers

PHR system described in blueprint will increase workload

Earlier health data management systems like HMIS and RCH have suffered because health works are overburdened and data entry operators cannot devote enough time to it. Capacity limitations have also led to gaps between a health episode and its digitisation, this could be a concern in the NDHB as data may not be digitised at source. The PHR prescribed in the NDHB will lead to more workload.

Assumes widespread digital literacy

The NDHB says service delivery under it will be facilitated by ‘near universal coverage’ of smart phones across India, but this premise assumed widespread digital literacy, a Digital Empowerment Foundation report revealed that nearly 90% of the population are not digitally literate.

PHRs benefit technically competent users, adoption needs high digital and heath literacy

CIS also argues that evidence suggests that the touted benefits of PHR – such as self-management of health – only accrue to technically competent users, and one need health literacy and digital literacy for effective use of PHRs, which in India is low. Again, adoption and benefits from PHRs depends on frequency of use. Phew.  “Those that stand to lose out on the use of PHRs then stand to be communities that are already underserved in the delivery of health services.” These communities already faced risk of exclusion from care delivery.

Also, PHRs’ benefits are also dependent on use of EHR systems by health care providers. “Importing the success of these electronic health programs from other high-income contexts does not factor in the endemic reasons for clinicians’ inertia in the adoption of EHRs.”….”As a result, doctors in India tend to be more problem-oriented, time-strapped, and pay less attention to the elaborate documentation of clinical notes.”

Demarcate levels at which data will be stored

The blueprint talks about creating a federated architecture for collecting and storing health information, but does not demarcate categories which is be stored in regional centres or with the care providers, versus data which will stored in the NDHB’s central repository, says CIS.

Its unclear how the Consent management frameworks will ensure that data principals are in control of their PHR while being stored at the central or regional site, or “or enforce the use of the recommended standard ISO/TS 17975:2015.”

While the focus on open standards and interoperability is commendable, it is far more difficult to operationalise the interoperability given the array of open standards to choose from. Often, in the case of decentralised personal data stores, interoperability then gets reduced to the use of open standards.

Consent frameworks should consider digital and general illiteracy; should be treated consent like a product, subject to liability

CIS reminds everyone that 90% of the population is not digitally literate and 30% is illiterate. There’s also widespread boilerplate contracts in the online world, something also acknowledge by the Srikrishna Committee report. Most people who consent to these may not read or understand them; which is why a revised consent framework is needed.

CIS recommended that the above-mentioned illiteracy numbers should be accounted for while implementing consent management frameworks; consent forms should be treated like a product, subject to product liability, to ensure that people provide informed and specific consent with respect to their digital health data. “The data fiduciaries are then obligated to design consent contracts/frameworks such that there are no pre-checked boxes or boilerplate contracts. They are required to design them in a manner such that they are read and understood by the data principals, thus allowing the latter to provide informed, affirmative consent.”

Digilocker has security issues, consent should be taken for Healthlocker

The Digilocker  on which the Healthlocker would be modeled  has inadequate security measures, raising concerns about the biometric data stored in it. Sensitive health data will become vulnerable if this model is followed. “Additionally, there is no method to take explicit consent from the users of DigiLocker  the consent is assumed when individuals sign up for the service.” Consent should be taken for Healthlocker.

eSign has security issues too; third-parties for Blueprint should be vetted

The eSign framework for Aadhaar also has security concerns since third-parties are involved; CIS recommends that “a transparent and rigorous vetting process for third parties involved, as well as strict access limitations for all third parties.”

Use of GI Cloud

The Blueprint recommends building the H-Cloud on MeitY’s Government Community Cloud and that says that key data hub management services must be deployed on it. MeitY’s consultation paper on the Cloud lists one of risks with it as risk of compromise of confidential information and intellectual property, CIS pointed out. “If healthcare systems are standardised across India, high costs will be involved. Costs should be laid out in significant detail before any steps are taken to implement it.,” said CIS.

The blueprint should have Right to be Forgotten

The NDHB includes a provision on immutability, which states that a record cannot be deleted without following due process. Such due process should consider the right of the data principal to delete specific entries or the entire set of records containing their personal information – aka Right to be Forgotten.

What do to in case of privacy breach?

The NDHB doesn’t mention any procedure to be followed in case of a data breach. Although it does mention creation of a Security Operations Centre (SOC) and a NDHB Security Policy, it doesn’t present the procedures they should follow in case of a privacy breach. CIS recommends creating a clear SOP for this.