After making Aadhaar necessary to access a number of services, the government is now ready to start linking health records to the biometrics-based identity number system. In October 2016, Scroll. in reported that officials from the Ministry of Health and Family Affairs had started collecting Aadhaar numbers of those seeking treatment at government hospitals and medical colleges.

“Patients’ Aadhaar numbers will be linked to a second health ID and these will be used in electronic health records,” said Sunil Sharma, joint secretary with the health ministry. “Government facilities in Haryana, Telangana are already collecting Aadhaar numbers from patients. This will allow continuity of care when patients go to a facility and the records can be shared electronically. This will avoid duplication.”

The health records will contain all the information related to the patient including name, address, and the health records produced during his or her visit to the hospital such as X-ray reports, blood test reports among others.

As health records contain sensitive information, the health ministry awarded a contract to the National Law School of India University in February 2016 to draft a law guaranteeing privacy and confidentiality of health data in electronic health records. The legal sub-group within the health ministry discussed the initial draft with the legal experts from the university in June 2016, and the draft legislation was submitted to the ministry in July 2016.

The National Law School of India University faculty experts have since then submitted two revised drafts of the proposed law, including one which was discussed with the health ministry’s legal subgroup last month.

Ministry officials and legal experts say a fundamental question that remains unresolved is that of who will own the data – the individual or the government. Ownership of the data implies control over the data.

“The NLSIU shared a draft a few weeks back and we sent it back as the draft is very focused on individuals’ privacy,” said Sharma. “Yes, patients will have the right to access their records and give consent for sharing. But after the records have been anonymised, they will also be used for big data analytics. The right to use the data has to be there with the government.”

The use of data could include epidemiological analysis related to disease outbreaks, for instance.

The current draft of the law provides civil and criminal remedies to individuals for breach of data. It provides for correcting data, but does not provide a right to individuals to get any data deleted from their records.

The final draft of the law is expected to be made public for public comments in the coming weeks, said Sharma.

Collecting health data

The Aadhaar Act says demographic information collected under Aadhaar Act will not include “medical history”.

demographic information includes information relating to the name, date of birth, address and other relevant information of an individual, as may be specified by regulations for the purpose of issuing an Aadhaar number, but shall not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

— Section 2(k), Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act 2016.

The Unique Identity Authority of India, the agency that enrolls residents in Aadhaar and manages the database, is not empowered to collect information on residents’ medical history. However, the new law on health privacy that is tentatively titled “Electronic Health Data Privacy, Confidentiality and Privacy in India” will provide for collecting Aadhaar numbers linked to medical records.

The National Health Policy published earlier in March had also states that the government will be “exploring the use of “Aadhaar” (Unique ID) for identification” and “creation of registries (i.e. patients, provider, service, diseases, document and event) for enhanced public health/big data analytics, creation of health information exchange platform.”

Some government websites instruct patients to link Aadhaar numbers to their medical data.

National Aids Control Organisation website asks HIV patients registered at treatment centers to share their Aadhaar numbers.

Safeguarding personal data

The health ministry’s legal sub-group has representatives from the health ministry, the National Health Portal, the Ministry of Electronics and Information Technology, the Centre for Development of Advanced Computing, the Maulana Azad Medical College, Apollo Hospitals, the Federation of Indian Chambers of Commerce and Industry. This group met with the National Law School of India University’s expert committee members in the last week of March. The committee does not have representatives of civil society working on public health.

A person at the meeting pointed out differences arising within the group over two major questions in the process of finalising of the policy.

One is who will own and control the data.

“If the data is legally owned by the person to whom it belongs, one concern is that data once ‘de-identified’ should also be available to the government and researchers,” said an expert committee member who did not wish to be identified. “For example, for policy-making on HIV treatment, I as a policy-maker need to know how many individuals are HIV positive.”

De-identification is temporarily de-linking data from information that might be used to identify a patient. Such de-identification is different from anonymisation of data.

“Since the owner of the data may not be in favour of sharing any personal information, the legislation draft provides for anonymisation, which will destroy the identifiable pieces of information permanently at source,” said the expert committee member.

Thus, de-identifying patient data can be reversed. This is useful for doctors to access data when a patient returns to a hospital or visits another doctor or is incapacitated.

But the government wants to anonymise patient data, which will no longer allows the data to be traced back to the individual, which is a more permanent de-linking.

The expert committee member added: “At the meeting, the National Informatics Centre officials were of the opinion that such a model of completely anonymising the data is not possible, and that at present they do not use such models because of technological reasons. We pointed out that this is a common practice and is being done by governments of other countries.”

The government and legal experts are also divided over whether an authority need to be created to regulate the process of collecting and storing data, regulating exchanges where the information will be stored and assigning licenses to private medical establishments.

The draft law advocates for the creation of a National e-Health Authority or NeHA for regulating public and private health information exchanges and for enforcing laws and regulations related to privacy and security of health records.

“But the government is now saying they want to create a National Digital Health Authority (NDHA) under a separate statute,” said another committee member who declined to be identified.

Joint secretary Sharma who is also a member of the legal sub group, however, said this was not a significant point of difference. “Whether it is NeHA or NDHA, it is a just a matter of name,” he said.

Sharma added that besides unique numbers for individuals seeking treatment, identifiers called National Identification Numbers will also be assigned to all health facilities starting with public facilities. “We have assigned verified unique IDs to 2 lakh medical establishments already,” said Sharma.

Concerns about privacy

Legal and medical experts are closely watching how the final legislation resolves questions over data confidentiality, privacy, and patients’ rights.

Many countries that already have such legislation focus not just on “who owns the data” but “what patients’ rights will be”.

“The General Data Protection Regulation of the European Commission, for instance, does not provide that patients ‘own’ their medical data, but that everyone has a right to the protection of personal data,” said lawyer Vrinda Bhandari. “The Regulation provides that no health data can be processed except in few specific conditions, such as if required in course of a law, putting the onus on the government to adhere to these conditions.”

The United States has the Health Insurance Portability and Accountability Act, 1996 – a privacy law that gives individuals right to their health information and sets rules and limits on who can access health information. As per the law, in the course of conducting research, the researchers are permitted to use health data only with individual authorisation and under limited circumstances without authorisation.

RS Nilakantan who works as data scientist in Chennai has worked with the United States government on the electronic medical records said that to access these records, he was required to travel to the United States. “They did not allow the data to leave their network,” he said.

Meanwhile, in a blatant violation of patient rights, some patients have been turned away from government medical facilities and denied treatment for failing to produce their Aadhaar numbers, public health activists have pointed out.

A news report that appeared in Hindi newspaper Dainik Bhaskar, Raipur edition, on March 24 on the denial of medical treatment for lack of Aadhaar cards.

“If a health privacy law is still being drafted, why is data already being collected?” asked Bhandari. “Even under the Information Technology Act, 2000, medical records and history is categorised as sensitive personal data and should not be collected without informed consent of individuals, on what their rights of data protection, data access will be.”

Notice to patients at Bhimrao Ambedkar Hospital at Raipur in Chhattisgarh requiring patients to submit Aadhaar numbers for treatment under Rashtra Swasth Bima Yojana. (Photo credit: Jan Swastha Abhiyan)

Anant Bhan, an expert in bioethics, said that Indian health systems are informed by very poor evidence and need better data but at the same time the government needs to be transparent and accountable in data collection.

“If we are handing over of data, then at least we have a right to know what is being done with it,” said Bhan. “If by default, using a healthcare facility and creating an electronic health record involves your data being used for analysis, then the government is responsible to make people aware about it. They should display public notices outside hospitals talking about it.”

However, Dr Amar Jesani who edits Indian Journal of Medical Ethics said that linking electronic records with Aadhaar will invade privacy and violate autonomy by forcing patients to provide blanket consent for use of their medical data. Since these records require patients to produce Aadhaar or proof or enrolment or undergo biometric authentication when they visit hospitals there may be cases of exclusion, The scientific basis for collecting such data might also be unsound, he pointed out. “It is scientifically problematic because epidemiological estimates based only on the data which are in electronic records, could be misleading in the estimation of disease burden of the community,” he said. “A priority setting in the health policy using such data could therefore be erroneous.”