In in-person doctor-patient consultation scenarios, the fact that the patient initiated the consult can be construed as consent. This applies especially for out-patient consultations: one does not need a separate mechanism to seek consent from the patient. At MediaNama’s discussion on the impact of the PDP Bill on the healthcare sector held on June 19, both Dr Sunil Shroff, President (TN), Telemedicine Society of India, and Abhishek Malhotra, managing partner at TMT Law agreed with this characterisation. This discussion was supported by Microsoft, Google, TMT Law Practice and the Telemedicine Society of India. Comments have been edited for brevity and clarity.
However, in the digital scenario, where the consult is taking place either via telemedicine or other such methods, “there should be a requirement of explicit consent even if it is as simple as opt-in consent,” Malhotra said, explaining that this should be enshrined (in-laws and guidelines) because otherwise, especially in India, it is difficult to have control over what exactly could be used and misused. “That’s why I think that regardless of the time limitation or otherwise, explicit consent should necessarily be required,” he added.
How consent works in digital health and teleconsults
Even in digital consults, there is also a distinction between the consent that is given for the consultation itself and the consent that is given for the processing of the information, said Malhotra. “This distinction has been brought about in the Telemedicine Practice Guidelines 2020 as well where, because the patient is initiating the consultation, they are giving consent for the consultation. However, for the processing itself, the terms that are set out in the provisions of the Personal Data Protection Bill, 2019, bill itself, under Section 7 and aspects thereof, necessarily need to be followed for processing,” he said. Malhotra was referring to the provision in the bill that requires the data fiduciary, such as a hospital, to give notice to their customers/patients about how their data would be processed, how their personal data will be collected, how long it will be stored for, among other things (under Section 7).
The Personal Data Protection Bill, 2019, places the burden of proof for consent on the data fiduciary. However, the recently notified Telemedicine Practice Guidlines do not require that the consultation be necessarily recorded and preserved. “What you [the doctor] needs to do is log the details of the time the person called, what conversation took place, and the [medical] advice that was given,” according to Dr. Shroff. Explicit consent need to be preserved when the doctor is carrying out WhatsApp/text messaging, he added.
“The Telemedicine Practice Guidelines have essentially captured that physical OPD consultation scenario into the telemedicine piece,” Dr. Varun Gupta, vice-president of medical affairs and public policy at 1mg said. “It is equivalent to when a person goes and consults a doctor in a physical world, the final output is a prescription or a document, but the doctor-patient consultation is not being recorded anywhere,” he said. 1mg provides online medical consultations, medicine delivery, and diagnostic tests, among other things. It is also a part of the Swasth Alliance, a grouping of 100 players in healthcare, VCs, and technology, which is working on scaling telemedicine. “In the telemedicine setup, there is a platform or technology interface where the doctor-patient interaction takes place. But the relevant final output comes out on the medical history page or prescription,” he said.
Consent for follow-ups, after a patient’s death
“Healthcare settings involve a lot of follow-ups, said Dr Varun Gupta. For instance, an epilepsy patient already taking medicine but needs to just talk to the doctor and consult. For such as a patient with a chronic disease patient, there is a longitudinal treatment, so follow up for them should be included without consent,” Dr Varun Gupta said.
The Personal Data Protection Bill, 2019, does not lay down a procedure for the patient’s consent when the data principal/patient passes away. How would a data fiduciary take a data principal’s consent or explicit consent in such a scenario? According to Dr. Shroff, a governance framework for this can be borrowed from the Mental Healthcare Act, 2017.
- The Mental Healthcare Act, 2017, stipulates that every person (except for minors) has the right to nominate a representative for taking treatment decisions during periods of incompetence. The law dedicates an entire chapter to the nominated representative. “There are many, many points wherein the nominated representative could step in, in case the patient is incapacitated. It could be an immediate family member, a friend, or somebody like the director of an organization or tribunal,” Dr Shroff explained.
- In fact, the act also provides for an ‘advanced directive’, which are documents written by any competent person in “advance” of an anticipated period of incompetence. Such directives can include treatment choices and the patient’s objections, values, and principles can be laid down in such documents. A person/patient who knows that they may lose capacity can give an advanced directive to their nominated representative. “Looking at the Mental Health Act, 2017, and incorporating certain things within data protection, can help to give clarity with regard to explicit consent,” Dr. Shroff said.
More and more health data will become available in the future and we will not know what to do with that data, Dr. Shroff warned. “We must remember that health data is going to become a commodity. We could see trading of health data just like we trade commodities today. In India, there is also a high risk of fraud by impersonation, which would be especially easy to carry out in the home healthcare market.
The nature of informed consent in India
India is an extremely large, multilingual country, with different demographics, financial ability, and ability to understand, Dr. Shubnum Singh, advisor at the Confederation of Indian Industry (CII), said. Regulations India laid down in 2002 said that the confidentiality of patient information lies with the doctor. “Even if a doctor gets consent signed by the patient, the patient has to be fully informed about what consent they are giving. When it comes to consent for wearables, we must remember that most people in India don’t even have a mobile phone,” she said. In India, it is second nature for doctors, nurses, and hospital staff, to fill in forms and documents for patients. In such a scenario, it difficult to ascertain, record, and ensure consent.
Shweta Mohandas, policy officer at the Center for Internet & Society agreed, stating that while the Personal Data Protection Bill, 2019 improves readability and accessibility by specifying that consent should be in multiple languages, “it also puts the onus of the multilingual requirement on the data fiduciary to decide whether it can actually provide notices in different languages”.
Under the bill, informed consent is when a data principal totally understands it, something which is difficult to ascertain, Mohandas said. The bill lays down that consent has to be clear, accessible, and easy to understand; it needs to be understood by different types of people, with different technical and language abilities that are using these apps, she added.
The role of a patient’s family: Dr Shroff pointed out a perhaps unique scenario typical in India, that presents an ethical dilemma to doctors and health workers. A patient’s family can play an active role when it comes to the amount of knowledge the patient has about their own health. In India, it’s very often that a patient is likely to die, and you want to share that information, but their relatives will ask you not to tell the patient because they will be devastated. “But I’m answerable to my patient, not to their relatives. If the patient is not informed, how is he going to take care of all his affairs?” he asked.
Governance of consent managers
The PDP Bill, 2019, classifies consent managers as data fiduciaries and requires them to register with the future Data Protection Authority. Consent managers can play two distinct roles under the bill: they can enable a data principal to “manage” i.e. grant, revoke, modify, their consent for their data; consent managers can also be used by the data principal to exercise their rights under the bill, such as the right to be forgotten, and right to erasure, among others. Bangalore-based private thinktank iSpirt is working on building a health data consent manager with the Swasth Alliance.
1mg’s Dr Varun Gupta said that the concept of consent managers, and the requirement to register with the DPA seems to be very manual.
“It’s unclear how the consent managers would handle metadata, and what issues will emerge when they are practically implemented. From an industry side, I would not say I’m looking at whether the compliance [and protections] are they adequate or not. The whole concept of consent managers and movement [of data] through content managers may be impractical,” he said.
Need for standardisation to enable data portability
“We face a lot of challenges with data portability because there is no standardization of medical data across the hospitals, pharmacies, diagnostic labs. The Ministry of Health took a very good step in by founding CDAC Pune, which was made into a centre of excellence for data standardisation,” Dr Gupta said. “They did a lot of training, took a license from SNOMED CT which was being shared with all the institutions. There was a large amount of work being done on standardization of the data, so that data portability among institutions becomes easy.”
There is controversy even among the top two international standards — between ICD-10 and SNOMED CT. Some institutions follow no standards, some follow ICD-10 for reporting, but some follow SNOMED CT for specific incidences. If we don’t continue working on SNOMED CT or some other standard, 2-3 years later, it will be easier for some officer to come and impose standards on people. We have taken a step back by not including SNOMED CT as a constant.
Dr Shroff agreed stating that when we talk about the portability of any data or information, “you need to bring some standards, and the standards will have to be followed. In its absence, there would be chaos.” Healthcare records standards currently being used in Ayushman Bharat, the Karnataka government’s Yeshashwini scheme, are all different. “In ICD-10 you have 40,000 code, in Ayushman Bharat you have 3,498 codes, in Yeshashwini you have 4000 codes. Basically, the fundamentals have to be worked one. This is not something that can be rushed.” Dr Singh said.
Use of blockchain in healthcare data
When it comes to data deletion, the bill lays down a data retention framework. Data aggregation and data sharing on a mass level is already happening, explained Vatsal Gaur from HSA Advocates. “There are some people trying to solve this through the adoption of blockchain because that actually anonymizes it by virtue of the technology itself. My concern is there can be exemptions under the PDP bill for any company which is adopting DLT as a technology. Because you cannot have real-time transmission of data which is safe and secure, and take consent for the transfer of personal and sensitive personal data. We can’t do it practically if it’s a blockchain technology,” he said.
“Any technology which adopts distributed ledger cannot have a deletion mechanism. The only thing you can do in a blockchain is you can add blocks to it so that it gets erased with time. So practically in an advent of technology where DLT is becoming mainstream, and hyper ledger is now going to be adopted, there will have to be some caveats which will have to be drafted,” said
- #NAMA: GOQii founder Vishal Gondal on issues of bias, discrimination, and accuracy of health data [read]
- #NAMA: Personal Data Protection Bill needs to work on basic definitions to cater to the healthcare sector [read]