Identity Project

Who will own your data when your electronic health records are linked to Aadhaar?

The draft health privacy law will be made public to invite comments in the coming weeks, government officials say.

After making Aadhaar necessary to access a number of services, the government is now ready to start linking health records to the biometrics-based identity number system. In October 2016, Scroll. in reported that officials from the Ministry of Health and Family Affairs had started collecting Aadhaar numbers of those seeking treatment at government hospitals and medical colleges.

“Patients’ Aadhaar numbers will be linked to a second health ID and these will be used in electronic health records,” said Sunil Sharma, joint secretary with the health ministry. “Government facilities in Haryana, Telangana are already collecting Aadhaar numbers from patients. This will allow continuity of care when patients go to a facility and the records can be shared electronically. This will avoid duplication.”

The health records will contain all the information related to the patient including name, address, and the health records produced during his or her visit to the hospital such as X-ray reports, blood test reports among others.

As health records contain sensitive information, the health ministry awarded a contract to the National Law School of India University in February 2016 to draft a law guaranteeing privacy and confidentiality of health data in electronic health records. The legal sub-group within the health ministry discussed the initial draft with the legal experts from the university in June 2016, and the draft legislation was submitted to the ministry in July 2016.

The National Law School of India University faculty experts have since then submitted two revised drafts of the proposed law, including one which was discussed with the health ministry’s legal subgroup last month.

Ministry officials and legal experts say a fundamental question that remains unresolved is that of who will own the data – the individual or the government. Ownership of the data implies control over the data.

“The NLSIU shared a draft a few weeks back and we sent it back as the draft is very focused on individuals’ privacy,” said Sharma. “Yes, patients will have the right to access their records and give consent for sharing. But after the records have been anonymised, they will also be used for big data analytics. The right to use the data has to be there with the government.”

The use of data could include epidemiological analysis related to disease outbreaks, for instance.

The current draft of the law provides civil and criminal remedies to individuals for breach of data. It provides for correcting data, but does not provide a right to individuals to get any data deleted from their records.

The final draft of the law is expected to be made public for public comments in the coming weeks, said Sharma.

Collecting health data

The Aadhaar Act says demographic information collected under Aadhaar Act will not include “medical history”.

demographic information includes information relating to the name, date of birth, address and other relevant information of an individual, as may be specified by regulations for the purpose of issuing an Aadhaar number, but shall not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

— Section 2(k), Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act 2016.

The Unique Identity Authority of India, the agency that enrolls residents in Aadhaar and manages the database, is not empowered to collect information on residents’ medical history. However, the new law on health privacy that is tentatively titled “Electronic Health Data Privacy, Confidentiality and Privacy in India” will provide for collecting Aadhaar numbers linked to medical records.

The National Health Policy published earlier in March had also states that the government will be “exploring the use of “Aadhaar” (Unique ID) for identification” and “creation of registries (i.e. patients, provider, service, diseases, document and event) for enhanced public health/big data analytics, creation of health information exchange platform.”

Some government websites instruct patients to link Aadhaar numbers to their medical data.

National Aids Control Organisation website asks HIV patients registered at treatment centers to share their Aadhaar numbers.
National Aids Control Organisation website asks HIV patients registered at treatment centers to share their Aadhaar numbers.

Safeguarding personal data

The health ministry’s legal sub-group has representatives from the health ministry, the National Health Portal, the Ministry of Electronics and Information Technology, the Centre for Development of Advanced Computing, the Maulana Azad Medical College, Apollo Hospitals, the Federation of Indian Chambers of Commerce and Industry. This group met with the National Law School of India University’s expert committee members in the last week of March. The committee does not have representatives of civil society working on public health.

A person at the meeting pointed out differences arising within the group over two major questions in the process of finalising of the policy.

One is who will own and control the data.

“If the data is legally owned by the person to whom it belongs, one concern is that data once ‘de-identified’ should also be available to the government and researchers,” said an expert committee member who did not wish to be identified. “For example, for policy-making on HIV treatment, I as a policy-maker need to know how many individuals are HIV positive.”

De-identification is temporarily de-linking data from information that might be used to identify a patient. Such de-identification is different from anonymisation of data.

“Since the owner of the data may not be in favour of sharing any personal information, the legislation draft provides for anonymisation, which will destroy the identifiable pieces of information permanently at source,” said the expert committee member.

Thus, de-identifying patient data can be reversed. This is useful for doctors to access data when a patient returns to a hospital or visits another doctor or is incapacitated.

But the government wants to anonymise patient data, which will no longer allows the data to be traced back to the individual, which is a more permanent de-linking.

The expert committee member added: “At the meeting, the National Informatics Centre officials were of the opinion that such a model of completely anonymising the data is not possible, and that at present they do not use such models because of technological reasons. We pointed out that this is a common practice and is being done by governments of other countries.”

The government and legal experts are also divided over whether an authority need to be created to regulate the process of collecting and storing data, regulating exchanges where the information will be stored and assigning licenses to private medical establishments.

The draft law advocates for the creation of a National e-Health Authority or NeHA for regulating public and private health information exchanges and for enforcing laws and regulations related to privacy and security of health records.

“But the government is now saying they want to create a National Digital Health Authority (NDHA) under a separate statute,” said another committee member who declined to be identified.

Joint secretary Sharma who is also a member of the legal sub group, however, said this was not a significant point of difference. “Whether it is NeHA or NDHA, it is a just a matter of name,” he said.

Sharma added that besides unique numbers for individuals seeking treatment, identifiers called National Identification Numbers will also be assigned to all health facilities starting with public facilities. “We have assigned verified unique IDs to 2 lakh medical establishments already,” said Sharma.

Concerns about privacy

Legal and medical experts are closely watching how the final legislation resolves questions over data confidentiality, privacy, and patients’ rights.

Many countries that already have such legislation focus not just on “who owns the data” but “what patients’ rights will be”.

“The General Data Protection Regulation of the European Commission, for instance, does not provide that patients ‘own’ their medical data, but that everyone has a right to the protection of personal data,” said lawyer Vrinda Bhandari. “The Regulation provides that no health data can be processed except in few specific conditions, such as if required in course of a law, putting the onus on the government to adhere to these conditions.”

The United States has the Health Insurance Portability and Accountability Act, 1996 – a privacy law that gives individuals right to their health information and sets rules and limits on who can access health information. As per the law, in the course of conducting research, the researchers are permitted to use health data only with individual authorisation and under limited circumstances without authorisation.

RS Nilakantan who works as data scientist in Chennai has worked with the United States government on the electronic medical records said that to access these records, he was required to travel to the United States. “They did not allow the data to leave their network,” he said.

Meanwhile, in a blatant violation of patient rights, some patients have been turned away from government medical facilities and denied treatment for failing to produce their Aadhaar numbers, public health activists have pointed out.

A news report that appeared in Hindi newspaper Dainik Bhaskar, Raipur edition, on March 24 on the denial of medical treatment for lack of Aadhaar cards.
A news report that appeared in Hindi newspaper Dainik Bhaskar, Raipur edition, on March 24 on the denial of medical treatment for lack of Aadhaar cards.

“If a health privacy law is still being drafted, why is data already being collected?” asked Bhandari. “Even under the Information Technology Act, 2000, medical records and history is categorised as sensitive personal data and should not be collected without informed consent of individuals, on what their rights of data protection, data access will be.”

Notice to patients at Bhimrao Ambedkar Hospital at Raipur in Chhattisgarh requiring patients to submit Aadhaar numbers for treatment under Rashtra Swasth Bima Yojana. (Photo credit: Jan Swastha Abhiyan)
Notice to patients at Bhimrao Ambedkar Hospital at Raipur in Chhattisgarh requiring patients to submit Aadhaar numbers for treatment under Rashtra Swasth Bima Yojana. (Photo credit: Jan Swastha Abhiyan)

Anant Bhan, an expert in bioethics, said that Indian health systems are informed by very poor evidence and need better data but at the same time the government needs to be transparent and accountable in data collection.

“If we are handing over of data, then at least we have a right to know what is being done with it,” said Bhan. “If by default, using a healthcare facility and creating an electronic health record involves your data being used for analysis, then the government is responsible to make people aware about it. They should display public notices outside hospitals talking about it.”

However, Dr Amar Jesani who edits Indian Journal of Medical Ethics said that linking electronic records with Aadhaar will invade privacy and violate autonomy by forcing patients to provide blanket consent for use of their medical data. Since these records require patients to produce Aadhaar or proof or enrolment or undergo biometric authentication when they visit hospitals there may be cases of exclusion, The scientific basis for collecting such data might also be unsound, he pointed out. “It is scientifically problematic because epidemiological estimates based only on the data which are in electronic records, could be misleading in the estimation of disease burden of the community,” he said. “A priority setting in the health policy using such data could therefore be erroneous.”

We welcome your comments at letters@scroll.in.
Sponsored Content  BY 

How technology is changing the way Indians work

An extensive survey reveals the forces that are shaping our new workforce 

Shreya Srivastav, 28, a sales professional, logs in from a cafe. After catching up on email, she connects with her colleagues to discuss, exchange notes and crunch numbers coming in from across India and the world. Shreya who works out of the café most of the time, is employed with an MNC and is a ‘remote worker’. At her company headquarters, there are many who defy the stereotype of a big company workforce - the marketing professional who by necessity is a ‘meeting-hopper’ on the office campus or those who have no fixed desks and are often found hobnobbing with their colleagues in the corridors for work. There are also the typical deskbound knowledge workers.

These represent a new breed of professionals in India. Gone are the days when an employee was bound to a desk and the timings of the workplace – the new set of professionals thrive on flexibility which leads to better creativity and productivity as well as work-life balance. There is one common thread to all of them – technology, tailored to their work styles, which delivers on speed and ease of interactions. Several influential industry studies and economists have predicted that digital technologies have been as impactful as the Industrial Revolution in shaping the way people work. India is at the forefront of this change because of the lack of legacy barriers, a fast-growing economy and young workers. Five factors are enabling the birth of this new workforce:

Smart is the way forward

According to the Future Workforce Study conducted by Dell, three in five working Indians surveyed said that they were likely to quit their job if their work technology did not meet their standards. Everyone knows the frustration caused by slow or broken technology – in fact 41% of the working Indians surveyed identified this as the biggest waste of time at work. A ‘Smart workplace’ translates into fast, efficient and anytime-anywhere access to data, applications and other resources. Technology adoption is thus a major factor in an employee’s choice of place of work.

Openness to new technologies

While young professionals want their companies to get the basics right, they are also open to new technologies like Augmented Reality, Virtual Reality and Artificial Intelligence. The Dell study clearly reflects this trend — 93% of Indians surveyed are willing to use Augmented/Virtual Reality at work and 90% say Artificial Intelligence would make their jobs easier. The use of these technologies is no longer just a novelty project at firms. For example, ThysenKrupp, the elevator manufacturer uses VR to help its maintenance technician visualize an elevator repair job before he reaches the site. In India, startups such as vPhrase and Fluid AI are evolving AI solutions in the field of data processing and predictive analysis.

Desire for flexibility 

A majority of Indians surveyed rate freedom to bring their own devices (laptops, tablets, smartphones etc.) to work very highly. This should not be surprising, personal devices are usually highly customized to an individual’s requirements and help increase their productivity. For example, some may prefer a high-performance system while others may prioritize portability over anything else. Half the working Indians surveyed also feel that the flexibility of work location enhances productivity and enables better work-life balance. Work-life balance is fast emerging as one of the top drivers of workplace happiness for employees and initiatives aimed at it are finding their way to the priority list of business leaders.

Maintaining close collaboration 

While flexible working is here to stay, there is great value in collaborating in person in the office. When people work face to face, they can pick up verbal and body language cues, respond to each other better and build connections. Thus, companies are trying to implement technology that boosts seamless collaboration, even when teams are working remotely. Work place collaboration tools like Slack and Trello help employees keep in touch and manage projects from different locations. The usage of Skype has also become common. Companies like Dell are also working on hi-tech tools such as devices which boost connectivity in the most remote locations and responsive videos screens which make people across geographies feel like they are interacting face to face.

Rise of Data Security 

All these trends involve a massive amount of data being stored and exchanged online. With this comes the inevitable anxiety around data security. Apart from more data being online, security threats have also evolved to become sophisticated cyber-attacks which traditional security systems cannot handle. The Dell study shows that about 74% of those surveyed ranked data security measures as their number one priority. This level of concern about data security has made the new Indian workforce very willing to consider new solutions such as biometric authentication and advanced encryption in work systems.

Technology is at the core of change, whether in the context of an enterprise as a whole, the workforce or the individual employee. Dell, in their study of working professionals, identified five distinct personas — the Remote Workers, the On-The-Go Workers, the Desk-centric Workers, the Corridor Warriors and the Specialized Workers.

Dell has developed a range of laptops in the Dell Latitude series to suit each of these personas and match their requirements in terms of ease, speed and power. To know more about the ‘types of professionals’ and how the Dell Latitude laptops serve each, see here.

This article was produced by the Scroll marketing team on behalf of Dell and not by the Scroll editorial team.