“It is suggested that the Insurance Companies may be provided access to the DATA (sic) of data principal on similar lines as Banks have access to login and check CIBIL scores,” ICICI Lombard General Insurance said in its submission to the National Health Authority (NHA) on the Health Data Management Policy (HDMP). ICICI Lombard is a life insurance company and the NHA is the body in charge of the ABDM which released a revised version of its Health Data Management Policy (HDMP) for public consultation in April.
According to ICICI, this will allow insurance companies to have greater access to the data of the data principal (person whose data has been collected), help in quickly processing claims and conducting risk evaluation before issuing a policy (this is called underwriting). Such access could be received by taking consent at the time of underwriting of policies or registering of claims by way of proposal form or claim form, respectively, the submission says.
Earlier this year, the NHA had released the revised HDMP- a data protection framework for health data under the government’s Ayushman Bharat Digital Mission- citing feedback and learnings from the pilot and nationwide roll-out of the ABDM since December 2020. This contains clauses related to storing sensitive personal data of users in India only, taking informed consent before processing someone’s health data, informing users about whom their data is shared with, and so on. An earlier version of it, released in August 2020, was criticised for linking Unique Health IDs with Aadhaar, providing private players access to health data, not being backed by a data protection law, and so on.
Why it matters: ICICI’s submissions would mark one of the first times that insurance providers’ views on the ABDM are becoming known. The relationship between the ABDM or digitisation of health in general with insurance providers and companies is controversial. For instance, in her paper titled ‘Health Data as Wealth: Understanding Patient Rights in India within a Digital Ecosystem through a Feminist Approach’, researcher Radhika Radhakrishnan said that health insurance providers could use digitised health data to refuse to issue policies or increase premiums for people who may not seem satisfactorily healthy from those digitised records, notwithstanding their real needs, and without considering that such data itself may be of poor quality.
ICICI’s submissions: Health ID’s for newborns, allowing data retention
The insurance company also gave the following recommendations in its submission:
i) Automatically generating Health IDs for newborn children
ICICI has suggested that Health IDs (now renamed to Ayushman Bharat Health Account or ABHA) should be generated for newborn children automatically. “This is intended to contribute towards automation/digitization,” the company said.
Whereas under the proposed policy, the ABHA can be created for a child upon the request of a parent.
ii) Adding health claims to electronic health records (EHRs)
ICICI’s submission suggests that citizens enrolled in the ABDM, also be allowed to upload their health claims and insurance policies to their electronic health records linked to their ABHA. According to ICICI, such a facility will help in quicker claims processing and curb frauds that take place with insurance services.
Under the proposed policy, there is no facility for principals to link health claims and policies to their ABHA. An ABHA is essentially an identification given to any individual enrolled in the ABDM, which helps create electronic health records (comprising longitudinal records of their medical interactions on the ABDM or offline), avail services like teleconsultations through the ABDM and more.
iii) Impractical to list all fiduciaries health data may be shared with
Due to the fact that sometimes data can be shared with multiple partners such as laboratories, printing partners, etc. for servicing customers, sharing a list of all entities with whom data has been shared will be impractical, ICICI said.
The proposed HDMP says that a principal should be able to get information on what data of theirs has been shared and with whom.
iv) Denial of services due to the terms and conditions is not a ‘harm’
In its submission ICICI has said that any withdrawal or denial of service occurring as a result of the terms and conditions of a policy itself, should not be considered a harm as well.
In the policy, NHA lays out multiple actions that could constitute as ‘harm’ under the policy which include denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal, or discrimination. Any actions that result in such harms can make a fiduciary (any entity which processes health data under the ABDM) susceptible to being penalised by the ABDM.
v) Allow retention of data per the statutory and regulatory body directives.
ICICI has suggested that companies be allowed to retain data as per any directions given by the regulatory and statutory bodies in a domain.
It said this in response to HDMP’s provision that fiduciaries would have to notify, in their privacy policy, ‘the period of time for which the personal data shall be retained, or where the period of retention is not known, then the criteria for determining such period’.
vi) Mechanism of sharing details under outlined rights of data principals.
ICICI has asked for clarity from the NHA on the channels or systems through which data requests can be raised by principals. It also says that such a channel should be ‘traceable’ and ‘auditable’.
Under the HDMP, data principals are given the right to ask for certain information from fiduciaries such as,
- Individuals with whom data is shared and of what categories
- A summary of all processing activities done on a certain data
- The personal data that has been processed, and so on.
vii) Data to be provided for transparency can be shared electronically
ICICI suggests that information should be allowed to be shared in an electronic format with the NHA, the document shows.
This is with regards to the provision in the draft policy that requires fiduciaries to disclose certain information about the processing of personal data to the NHA for transparency. This includes information about categories of personal data collected, categories of personal data processed, purposes for which they were processed, information about a fiduciary’s grievance redressal mechanism and so on.
Quick recap: Progress on the ABDM so far
The ABDM- the government’s mutli-tiered, federated, digital health initiative- was rolled out nationwide in October 2021 and has since had some core components launch, some put out for public consultation, and yet some that are still in the works:
- Consultations ongoing to create the Drug Registry which is proposed to be a comprehensive database of all drugs sold in India as well as drug demand, supply, and other characteristics.
- 40 third-party entities completed integration with ABDM’s UHI to provide services on it. The Unified Health Interface (UHI) proposed under the ABDM will offer various services such as teleconsultations, booking lab tests, etc., to citizens.
- Decisions made on Health Facility Registry and Healthcare Professionals Registry which included modifications in functions, prioritisation of stakeholders groups, etc. The HFR and HPR were opened for public consultation in June 2021 and envisage creating registries of the information about all healthcare professionals and facilities enrolled in the ABDM.
- The Health Data Retention Policy (HDRP) has been in the consultation phase since November 2021. The HDRP proposes conditions on how to handle citizens’ health data for entities enrolled in the government’s ABDM and, potentially, those beyond it as well.
Also read:
- NHA releases new and revised Health Data Management Policy
- Summary: Swasth Alliance proposes health insurance claims data exchange
- Who benefits from the value of people’s health data? It’s insurance companies
