“Legal rights of the parties who have not consented to participate in the Ayushman Bharat Digital Mission (ABDM) eco-system may have to be taken into consideration as any legal challenges in the court of law will only delay implementation of this flagship and landmark scheme,” the Federation of Indian Chambers of Commerce & Industry (FICCI) said in its response to the National Health Authority’s Health Data Retention Policy (HDRP) consultation paper.
From an insurance standpoint, patient consent should be mandated for sharing data with their insurance provider, especially when authorising a health service provider (hospital, clinic, lab,etc.) to collect insurance money for a treatment given, FICCI said. The HDRP lays down conditions on how to handle and retain citizens’ health data for entities enrolled in the ABDM and, potentially, those beyond it as well.
The HDRP was reportedly circulated among FICCI members such as Apollo Hospitals, Bharti Axa Life Insurance, etc., who provided comments, grievances, and recommendations in its filed response.
How should the ABDM be implemented?
NHA: How should the implementation of the policy be done in case the policy is made applicable for the ecosystem beyond ABDM?
Roll out HDRP for all in a phased manner: FICCI backed the implementation of the policy for all healthcare entities, starting with ABDM-empanelled agencies and then moving on to others in a phased manner:
- Phase 1 – All tertiary care hospitals (which provide specialised, long-term care) in tier 1 cities should be targeted.
- Phase 2 – Secondary care hospitals (less specialised than tertiary hospitals) should be covered.
- Phase 3 – All secondary care and tertiary care centres have to be covered.
- Phase 4 – Primary care centres (the first contact point for health issues, including general physicians, pharmacists, etc) and independent clinics should be covered. They should also start looking at minimising societal risks so the system could scale up, FICCI said.
NHA: How will the policy regulation be enforced and what should be the structure across relevant entities responsible for retaining the health data?
Three-tiered data maintenance framework: FICCI suggested that the responsibility of maintaining health data be split into the following:
- Level 1 – Storage responsibility
- Level 2 – Transactional-level responsibility
- Level 3 – Compliance and audit (State level from ABDM standpoint, internal auditors from individual hospital standpoint)
However, FICCI did not elaborate further on these points.
Use accreditation or contracts-based system for enrollment:
- An accreditation-based system should be used for enrollments in the ‘ecosystem’ (it is not clear if FICCI meant ABDM-enrolled entities or if it is pushing for the creation of a separate class of health data fiduciaries which would be subject to the policy). These accreditations would have to be renewed periodically, and could be withdrawn as well in case of a violation of an entity’s obligations, FICCI suggested.
- A contract-based system for enrollment should have strict penalties for any data breaches or violations of government policies, it said.
NHA: How can smaller clinics or centres, both public and private, build capability in a timely and cost- efficient manner to take responsibility of data retention for long time periods?
Include smaller clinics by creating common funds: In order to help smaller clinics comply with the HDRP, FICCI suggested:
- Set up a framework to allow smaller clinics to pool funds and create a common accredited facility or get third-party service providers to set up such a facility which the smaller clinics could then all use.
- Share best practices about health data governance, from across the world.
- Levy price caps by phase 2 of the rollout as government mandate for digitisation might lead to price increases by suppliers (FICCI did not say which suppliers exactly)
How should retention periods be specified in the policy?
NHA: What should be the ideal duration for these different health data types? Should a blanket retention duration be adopted for all health records in India or different schedules be defined as per a classification? Which is a better approach of retention?
Purpose-specific retention durations can be decided later: FICCI said that the duration needed for the health data could be blanket or purpose-specific but granularity could be built, once the platforms onboard more users and their comfort increases. However, FICCI said that ideally health data should be retained for as long as possible, adding that retention of health data in electronic forms helps improve treatments and takes away problems of storage and security.
Should extensions be given to retaining data?
NHA: Should there be a provision for extension of duration or retention of health data under the policy being proposed? What considerations should be made in defining the guidelines, allowing for such an extension?
Allow for extensions keeping in mind patient rights: FICCI asked that extensions be allowed, however, they should:
- Be for a pre-defined period
- Keep in mind the patients’ rights and consent
- Keep up with the international best practices by reviewing practices regularly
It said that data related to clinical trials, medico-legal cases, and IRDAI-specified insurance requirements should be exempted. FICCI did not elaborate further on what data comes under the IRDAI’s requirements.
Should the HDRP cover physical formats of health records as well?
NHA: While ABDM proposes that all entities opting to join NDHE must be able to retain health data in electronic format, and other entities of the healthcare ecosystem may consider physical or original formats, what options should be made allowable as part of the policy being proposed?
Policy should apply to electronic and physical health records: A single HDRP should be created with demarcations or identification of other formats of data, FICCI suggested. However, it added that the focus should be on creating a format for electronic health records in line with the objectives of the ABDM to allow smooth implementation and integration with other formats later if needed.
How should the HDRP be governed?
NHA: Will the governance model as per Health Data Management Policy (HDMP) be sufficient for the retention policy?
In the paper, the NHA proposes that the HDRP has the same governance structure as the HDMP. A data protection officer (DPO) appointed by the ABDM, which as per the HDMP manages grievance redressal, will look after compliance with the retention policy. The paper also says that the DPO will have the additional responsibility of creating an audit mechanism and in cases where a Health Information User (HIU) or Health Information Provider (HIP) no longer exists, they will ensure data is not orphaned, through data custodian.
Have an apex body with regional offices: FICCI provided four recommendations for the governance structure:
- These should be an apex body for the entire country for the enforcement of the policy, with representation from each state, the public, and relevant industries for holistic decision making and having regional offices.
- It should also be made ‘statutorily relevant’ for better enforceability.
- Should identify risks and maximizes benefits in areas such as the legal framework, accreditation process, data security cycle. etc.
- Should be modified to identify violators ‘automatically’, at an early stage, and prevent damage from happening. FICCI does not elaborate further on what this could mean.
What will be the impact of opting out of the ABDM?
NHA: As ABDM has a provision for opt-out, in such a scenario what may be the possible implications from the perspective of health data retention?
Mandate digitisation for those who opt-out and levy penalties: FICCI suggested that there be a higher penalty to deter entities from opting out of the ABDM. However, if they do, they would need to comply with the rules for at least 1o years after the opt-out and mandatorily convert their health data to digital, it said.
Concerns with regards to sharing and storage of data
How will existing laws comply with sharing, retention of different data? In the submission, members bat for sharing anonymised data for reference and analysis in epidemiology, clinical data analytics, machine learning, etc. This should be done by removing all PHI (personal health identifiers) and then storing them in cloud-based servers permanently.
Thus, FICCI’s members asked if there were any restrictions on sharing of anonymised data under the ABDM and whether these would be in compliance with the incoming data protection bill.
Members also asked for clarification on how existing laws would interact with the HDRP even beyond the scope of handling anonymised data. They outlined four such laws of concern:
- Digital Information Security in Healthcare Act (DISHA)
- The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002,
- The Clinical Establishments (Registration and Regulation) Draft Rules 2010
- EHR Standards 2016
Put in place a licensing system to ensure compliance with security policies: To ensure the security of data and limit liabilities, FICCI suggested that the government put in place a licensing system for Health Information Management System providers which ensures that their software is compliant with the government’s data policies. Otherwise, they could be de-licensed. However, it added that this provision must be diluted for smaller clinics so that it doesn’t become too restrictive.
How should business continuity be ensured?
NHA: How can business continuity be ensured in case of fall of the establishment, platform or service providers?
FICCI recommended that continuity could be ensured by:
- Allowing a healthcare entity to take over the data of another healthcare entity that is going out of business, or opting out of the ABDM based on the consent of the data principal
- Allowing only accredited entities, platforms, or service providers to participate.
- Creating a central archival model, to which healthcare entities can transfer their data when they go out of business.
- Regularly updating the digital platform, maintaining it, and having efficient processes on the health service and insurance providers’ to avoid any problems with business continuity, data standards, etc.
Dependence on human intervention for entering and codifying health data: Artificial intelligence can help a medical professional enter data onto a digital system in compliance with any health data standards they may be using; however, FICCI said, the process still needs human intervention to be perfect.
Compatibility between old and new data standard systems: Most hospitals today have electronic systems compatible with old standards, only able to do a few tasks with newer ones like HL7 which is an internationally-recognised set of terminologies for electronic health data storage and sharing, FICCI said.
No two-way communication between EHR systems and patients: Currently, electronic health record systems allow one-way communication by allowing a person read-only access to their health records but not control or change their data through them. “Many industry experts argue that the lack of two-way communication between medical apps and EHR systems is the next biggest challenge for healthcare,” the submission said.
What has been happening with the ABDM?
The ABDM was rolled out nationwide in October 2021 and 20 crore Unique Health IDs have been issued under it. Shortly after its launch, the ABDM ran into controversy when citizens, who turned up to get vaccinated, were issued health IDs without their full informed consent. [Read more]
The NHA has also launched other components of the ABDM like the Unified Health Interface, Healthcare Professionals Registry (HPR), Health Facility Registry (HFR), Health Information Exchange & Consent Manager (HIE-CM), etc. Barring the HIE-CM, the NHA has invited feedback on other ABDM components. But another ABDM building block called the ‘Drug Registry’ is yet to see light.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
What will be the future of digital health in India?
Do you want to keep track of the digitisation of health in India but don’t have the time? Relying on scattered content from across the web makes it feel harder than it needs to be.
Subscribe to MediaNama and get crisp, timely updates on tech policy developments in India and across the world.
Also Read:
- Summary: Health Data Retention Policy proposed under ABDM
- Who benefits from the value of people’s health data? It’s insurance companies
- Key Aspects: National Digital Health Mission’s Data Management Policy
Have something to add? Subscribe to MediaNama here and post your comment.
