Identity Project

Who will own your data when your electronic health records are linked to Aadhaar?

The draft health privacy law will be made public to invite comments in the coming weeks, government officials say.

After making Aadhaar necessary to access a number of services, the government is now ready to start linking health records to the biometrics-based identity number system. In October 2016, Scroll. in reported that officials from the Ministry of Health and Family Affairs had started collecting Aadhaar numbers of those seeking treatment at government hospitals and medical colleges.

“Patients’ Aadhaar numbers will be linked to a second health ID and these will be used in electronic health records,” said Sunil Sharma, joint secretary with the health ministry. “Government facilities in Haryana, Telangana are already collecting Aadhaar numbers from patients. This will allow continuity of care when patients go to a facility and the records can be shared electronically. This will avoid duplication.”

The health records will contain all the information related to the patient including name, address, and the health records produced during his or her visit to the hospital such as X-ray reports, blood test reports among others.

As health records contain sensitive information, the health ministry awarded a contract to the National Law School of India University in February 2016 to draft a law guaranteeing privacy and confidentiality of health data in electronic health records. The legal sub-group within the health ministry discussed the initial draft with the legal experts from the university in June 2016, and the draft legislation was submitted to the ministry in July 2016.

The National Law School of India University faculty experts have since then submitted two revised drafts of the proposed law, including one which was discussed with the health ministry’s legal subgroup last month.

Ministry officials and legal experts say a fundamental question that remains unresolved is that of who will own the data – the individual or the government. Ownership of the data implies control over the data.

“The NLSIU shared a draft a few weeks back and we sent it back as the draft is very focused on individuals’ privacy,” said Sharma. “Yes, patients will have the right to access their records and give consent for sharing. But after the records have been anonymised, they will also be used for big data analytics. The right to use the data has to be there with the government.”

The use of data could include epidemiological analysis related to disease outbreaks, for instance.

The current draft of the law provides civil and criminal remedies to individuals for breach of data. It provides for correcting data, but does not provide a right to individuals to get any data deleted from their records.

The final draft of the law is expected to be made public for public comments in the coming weeks, said Sharma.

Collecting health data

The Aadhaar Act says demographic information collected under Aadhaar Act will not include “medical history”.

demographic information includes information relating to the name, date of birth, address and other relevant information of an individual, as may be specified by regulations for the purpose of issuing an Aadhaar number, but shall not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

— Section 2(k), Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act 2016.

The Unique Identity Authority of India, the agency that enrolls residents in Aadhaar and manages the database, is not empowered to collect information on residents’ medical history. However, the new law on health privacy that is tentatively titled “Electronic Health Data Privacy, Confidentiality and Privacy in India” will provide for collecting Aadhaar numbers linked to medical records.

The National Health Policy published earlier in March had also states that the government will be “exploring the use of “Aadhaar” (Unique ID) for identification” and “creation of registries (i.e. patients, provider, service, diseases, document and event) for enhanced public health/big data analytics, creation of health information exchange platform.”

Some government websites instruct patients to link Aadhaar numbers to their medical data.

National Aids Control Organisation website asks HIV patients registered at treatment centers to share their Aadhaar numbers.
National Aids Control Organisation website asks HIV patients registered at treatment centers to share their Aadhaar numbers.

Safeguarding personal data

The health ministry’s legal sub-group has representatives from the health ministry, the National Health Portal, the Ministry of Electronics and Information Technology, the Centre for Development of Advanced Computing, the Maulana Azad Medical College, Apollo Hospitals, the Federation of Indian Chambers of Commerce and Industry. This group met with the National Law School of India University’s expert committee members in the last week of March. The committee does not have representatives of civil society working on public health.

A person at the meeting pointed out differences arising within the group over two major questions in the process of finalising of the policy.

One is who will own and control the data.

“If the data is legally owned by the person to whom it belongs, one concern is that data once ‘de-identified’ should also be available to the government and researchers,” said an expert committee member who did not wish to be identified. “For example, for policy-making on HIV treatment, I as a policy-maker need to know how many individuals are HIV positive.”

De-identification is temporarily de-linking data from information that might be used to identify a patient. Such de-identification is different from anonymisation of data.

“Since the owner of the data may not be in favour of sharing any personal information, the legislation draft provides for anonymisation, which will destroy the identifiable pieces of information permanently at source,” said the expert committee member.

Thus, de-identifying patient data can be reversed. This is useful for doctors to access data when a patient returns to a hospital or visits another doctor or is incapacitated.

But the government wants to anonymise patient data, which will no longer allows the data to be traced back to the individual, which is a more permanent de-linking.

The expert committee member added: “At the meeting, the National Informatics Centre officials were of the opinion that such a model of completely anonymising the data is not possible, and that at present they do not use such models because of technological reasons. We pointed out that this is a common practice and is being done by governments of other countries.”

The government and legal experts are also divided over whether an authority need to be created to regulate the process of collecting and storing data, regulating exchanges where the information will be stored and assigning licenses to private medical establishments.

The draft law advocates for the creation of a National e-Health Authority or NeHA for regulating public and private health information exchanges and for enforcing laws and regulations related to privacy and security of health records.

“But the government is now saying they want to create a National Digital Health Authority (NDHA) under a separate statute,” said another committee member who declined to be identified.

Joint secretary Sharma who is also a member of the legal sub group, however, said this was not a significant point of difference. “Whether it is NeHA or NDHA, it is a just a matter of name,” he said.

Sharma added that besides unique numbers for individuals seeking treatment, identifiers called National Identification Numbers will also be assigned to all health facilities starting with public facilities. “We have assigned verified unique IDs to 2 lakh medical establishments already,” said Sharma.

Concerns about privacy

Legal and medical experts are closely watching how the final legislation resolves questions over data confidentiality, privacy, and patients’ rights.

Many countries that already have such legislation focus not just on “who owns the data” but “what patients’ rights will be”.

“The General Data Protection Regulation of the European Commission, for instance, does not provide that patients ‘own’ their medical data, but that everyone has a right to the protection of personal data,” said lawyer Vrinda Bhandari. “The Regulation provides that no health data can be processed except in few specific conditions, such as if required in course of a law, putting the onus on the government to adhere to these conditions.”

The United States has the Health Insurance Portability and Accountability Act, 1996 – a privacy law that gives individuals right to their health information and sets rules and limits on who can access health information. As per the law, in the course of conducting research, the researchers are permitted to use health data only with individual authorisation and under limited circumstances without authorisation.

RS Nilakantan who works as data scientist in Chennai has worked with the United States government on the electronic medical records said that to access these records, he was required to travel to the United States. “They did not allow the data to leave their network,” he said.

Meanwhile, in a blatant violation of patient rights, some patients have been turned away from government medical facilities and denied treatment for failing to produce their Aadhaar numbers, public health activists have pointed out.

A news report that appeared in Hindi newspaper Dainik Bhaskar, Raipur edition, on March 24 on the denial of medical treatment for lack of Aadhaar cards.
A news report that appeared in Hindi newspaper Dainik Bhaskar, Raipur edition, on March 24 on the denial of medical treatment for lack of Aadhaar cards.

“If a health privacy law is still being drafted, why is data already being collected?” asked Bhandari. “Even under the Information Technology Act, 2000, medical records and history is categorised as sensitive personal data and should not be collected without informed consent of individuals, on what their rights of data protection, data access will be.”

Notice to patients at Bhimrao Ambedkar Hospital at Raipur in Chhattisgarh requiring patients to submit Aadhaar numbers for treatment under Rashtra Swasth Bima Yojana. (Photo credit: Jan Swastha Abhiyan)
Notice to patients at Bhimrao Ambedkar Hospital at Raipur in Chhattisgarh requiring patients to submit Aadhaar numbers for treatment under Rashtra Swasth Bima Yojana. (Photo credit: Jan Swastha Abhiyan)

Anant Bhan, an expert in bioethics, said that Indian health systems are informed by very poor evidence and need better data but at the same time the government needs to be transparent and accountable in data collection.

“If we are handing over of data, then at least we have a right to know what is being done with it,” said Bhan. “If by default, using a healthcare facility and creating an electronic health record involves your data being used for analysis, then the government is responsible to make people aware about it. They should display public notices outside hospitals talking about it.”

However, Dr Amar Jesani who edits Indian Journal of Medical Ethics said that linking electronic records with Aadhaar will invade privacy and violate autonomy by forcing patients to provide blanket consent for use of their medical data. Since these records require patients to produce Aadhaar or proof or enrolment or undergo biometric authentication when they visit hospitals there may be cases of exclusion, The scientific basis for collecting such data might also be unsound, he pointed out. “It is scientifically problematic because epidemiological estimates based only on the data which are in electronic records, could be misleading in the estimation of disease burden of the community,” he said. “A priority setting in the health policy using such data could therefore be erroneous.”

We welcome your comments at letters@scroll.in.
Sponsored Content BY 

The pioneering technologies that will govern the future of television

Home entertainment systems are set to get even more immersive.

Immersive experience is the core idea that ties together the next generation of cinematic technologies. Cutting edge technologies are now getting integrated into today’s home entertainment systems and challenging the limits of cinematic immersion previously achievable in a home setting. Here’s what you should know about the next generation of TVs that will grace your home.

OLED Technology – the new visual innovation in TVs

From the humble, grainy pictures of cathode ray tube TVs to the relatively clarity of LED and LCD displays, TVs have come a long way in improving picture quality over the years. The logical next step in this evolution is OLED displays, a technology that some of the best smartphones have adopted. While LED and LCD TVs make use of a backlight to illuminate their pixels, in OLED displays the pixels themselves emit light. To showcase darkest shades in a scene, the relevant OLED pixels simply don’t light up, creating a shade darker than has ever been possible on backlighted display. This pixel-by-pixel control of brightness across the screen produces an incomparable contrast, making each colour and shade stand out clearly. OLED displays show a contrast ratio considerably higher than that of LED and LCD displays. An OLED display would realise its full potential when supplemented with HDR, which is crucial for highlighting rich gradient and more visual details. The OLED-HDR combo is particularly advantageous as video content is increasingly being produced in the HDR format.

Dolby Atmos – the sound system for an immersive experience

A home entertainment system equipped with a great acoustic system can really augment your viewing experience far beyond what you’re used to. An exciting new development in acoustics is the Dolby Atmos technology, which can direct sound in 3D space. With dialogue, music and background score moving all around and even above you, you’ll feel like you’re inside the action! The clarity and depth of Dolby Atmos lends a sense of richness to even the quieter scenes.

The complete package

OLED technology provides an additional aesthetic benefit. As the backlight is done away with completely, the TV gets even more sleek, so you can immerse yourself even more completely in an intense scene.

LG OLED TV 4K is the perfect example of how the marriage of these technologies can catapult your cinematic experience to another level. It brings the latest visual innovations together to the screen – OLED, 4K and Active HDR with Dolby Vision. Be assured of intense highlights, vivid colours and deeper blacks. It also comes with Dolby Atmos and object-based sound for a smoother 360° surround sound experience.

The LG OLED TV’s smart webOS lets you fully personalise your TV by letting you save your most watched channels and content apps. Missed a detail? Use the Magic Zoom feature to zoom in on the tiniest details of your favourite programs. You can now watch TV shows and movies shot in 4K resolution (Narcos, Mad Max: Fury Road, House of cards and more!) as they were meant to be watched, in all their detailed, heart-thumping glory. And as 4K resolution and Dolby Atmos increasingly become the preferred standard in filmmaking, TVs like LG OLED TV that support these technologies are becoming the future cinephiles can look forward to. Watch the video below for a glimpse of the grandeur of LG OLED TV.

Play

To know more about what makes LG OLED TV the “King Of TV”, click here.

This article was produced by the Scroll marketing team on behalf of LG and not by the Scroll editorial team.