“Generation of Health IDs should be mandatory, a priori step prior to the planned rollout of HDRP,” the Telemedicine Society of India (TSI) and Post Graduate Institute of Medical Education Research (PGIMER) Chandigarh said in their response to the National Health Authority’s Health Data Retention Policy (HDRP) consultation paper. TSI comprises doctors from different parts of the country, looking to raise awareness about telemedicine.
Curiously, the Delhi NCR and Tamil Nadu chapters of TSI sent in their comments separately from the central body. While the TSI-PGIMER submission sought to link Aadhaar with health IDs, mandatory Health ID generation, etc., the two regional chapters demanded longer data retention periods, new types of data classifications, and more. Provision for a “relational database of family members or kin” should be created as the Unique Health IDs would be linked to Aadhaar, TSI-PGIMER said.
The HDRP lays down conditions on how to handle citizens’ health data for entities enrolled in the government’s Ayushman Bharat Digital Mission (ABDM) and, potentially, those beyond it as well. The ABDM is the government’s project that looks to digitise the health records of citizens, develop a teleconsultation platform called the Unified Health Interface (UHI), and more.
The ABDM looks to facilitate teleconsultations across the country in response to India’s understaffed healthcare sector. However, telemedicine has been a touchy subject for doctors and other stakeholders after the Bombay High Court ruled against two doctors for offering teleconsultations in 2018. In 2020, the Health Ministry notified the telemedicine guidelines.
Dear reader, we urgently need to build capacity to cover the fast-moving tech policy space. For that, our independent newsroom is counting on you. Subscribe to MediaNama today, and help us report on the policies that govern the internet.
How would the HDRP be implemented?
NHA: How should the implementation of the policy be done in case the policy is made applicable for the ecosystem beyond ABDM?
TSI Delhi and TN: Start with applying the policy to ABDM-enrolled entities and then move to players outside of it, the submission recommended. The enrollment should not be mandatory except for cases where the government is both the payor (in case of insurance schemes) and provider; for instance, at government hospitals.
TSI-PGIMER: The ABDM should be made mandatory if the HDRP is to be applied universally as it would be difficult to ensure compliance otherwise, the submission said. However, it did not mention what approach should be taken.
NHA: How can smaller clinics or centres, both public and private, build capability in a timely and cost- efficient manner to take responsibility of data retention for long time periods?
TSI Delhi and TN: A gestation period for adoption could be provided, especially for hospitals with less than 25 beds. But retention measures are slowly already being adopted by smaller healthcare entities due to insurance requirements, the submission said. Holding regular seminars, educating stakeholders, and making the policy’s conditions a requirement in smart city policies and for accreditation with the National Accreditation Board of Hospitals (NABH), National Accreditation Board for Testing and Calibration Laboratories (NABL), etc., was also suggested.
TSI-PGIMER: Carry out a pilot for the suggested approaches so that infrastructural groundwork is laid down therein, otherwise “the project has a propensity to fail as something ‘too ambitious’ in the current scheme of things,” the submission read. It also recommended that the policy should be applied with no state-level changes, despite health being a state subject.
How should retention periods be specified in the policy?
NHA: What should be the ideal duration for these different health data types? Should a blanket retention duration be adopted for all health records in India or different schedules be defined as per a classification? Which is a better approach of retention?
There was a slight difference of opinion here. TSI-PGIMER said that data should be retained for the lifetime of the patient while TSI Delhi and TN batted for retention periods between 20 years to a patient’s lifetime.
“We need to look ahead and serve the new generation borne in the digital age. For a child born today, 10 years of data retention would be meaningless. For someone with chronic care one can’t delete data that goes beyond 10 years.” — TSI Delhi and TSI Tamil Nadu
How should data be classified under the policy?
NHA: How in your view will a detailed granular data classification enable a better health data retention?
The policy establishes two data classifications – inpatient and outpatient data. While TSI-PGIMER asked for a third classification of data for teleconsultations, TSI Delhi and TN asked for a shift in approach.
“Most health data are interlinked from point of patient care and really subclassifying again applies better when there is a physical need of storage of such data…a new paradigm of data classification will emerge in the digital world. It may be defined as a health condition being cured or not cured. Being acute and cured or acute and not cured or chronic and cured or chronic and not cured.” – TSI Delhi and TSI Tamil Nadu
How should the HDRP be governed?
NHA: Will the governance model as per Health Data Management Policy (HDMP) be sufficient for the retention policy?
In the paper, the NHA proposes that the HDRP has the same governance structure as the HDMP. A data protection officer (DPO) appointed by the ABDM, will manage grievance redressal and supervise compliance with the retention policy. The DPO will have the additional responsibility of creating an audit mechanism and in cases where a Health Information User (HIU) or Health Information Provider (HIP) no longer exists, they will ensure that the data is not orphaned by appointing a data custodian.
TSI Delhi and TN: An independent body with key stakeholders from government and non-government organisations should be formed to be in charge of implementing the HDRP. This should also include representatives from ‘leading countries’ and be revised every five years, the submission said.
TSI-PGIMER: A single nodal point such as an ICMR or NITI Aayog could prove insufficient to govern over the data that the policy would manage. The medical data gathered here would be crucial for clinical research and thus, needs multiple nodal bodies to define ownership, the submission said.
- It further sought clarity on the mechanism that would be adopted to deal with non-compliant entities as there are ‘fallacious’ complaints filed by vested interests as well.
- TSI-PGIMER also requested that the government’s EHR (Electronic Health Record) guidelines and telemedicine guidelines should be updated concurrently.
Should the HDRP cover physical formats of health records as well?
NHA: While ABDM proposes that all entities opting to join NDHE must be able to retain health data in electronic format, and other entities of the healthcare ecosystem may consider physical or original formats, what options should be made allowable as part of the policy being proposed?
Both advocated for promoting digital health records, but only TSI Delhi and TN asked to make retention in electronic formats compulsory.
Concerns with regards to sharing and storage of data
Both submissions filed raise concerns about how health data will be stored, shared, and collected.
TSI Delhi and TN: The regulatory structure for entities responsible for retaining health data should be set up after the Data Protection Bill is passed in Parliament.
TSI-PGIMER: Provide clarity on the minimum health data that needs to be retained and develop quality control mechanisms for retaining health data.
The submission further posed the following questions regarding the security of health data under the ABDM:
- Since the health data will ultimately be linked to the UID/Aadhaar, how will misuse by big pharmaceutical lobbies and/or insurance companies be avoided?
- How will the security and non-redundancy of the Application Programming Interfaces (APIs) used by the Data Protection Officer, Data Fiduciary, or other users be ensured? If XYZ has access to the API details of the stakeholder, will he/she be easily able to access sensitive patient data? What are the planned levels of security to avoid such data breaches?
- How will misuse of data by healthcare professionals, especially for scientific research and publications, be avoided?
- Since the digital illiteracy and digital divide is still quite significant at the stratum of the end-user, measures to reduce potential data breaches at the uninformed/less informed citizen/patient level need to be in place.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
- FICCI cautions against violating consent of citizens on Health Data policy
- Summary: Health Data Retention Policy proposed under ABDM
- Who benefits from the value of people’s health data? It’s insurance companies
- Key Aspects: National Digital Health Mission’s Data Management Policy
Have something to add? Subscribe to MediaNama here and post your comment.