The Niti Aayog released a consultation document on July 6 that could change the way the health data of Indians is stored and shared. It has proposed the creation of a National Health Stack to make both personal health records and service provider records available on cloud-based services using the internet. It has been designed along the lines of India Stack – a set of cloud-based cashless services like digital payments that use application programme interfaces or APIs to transfer information through the system.

This has raised alarm among digital rights activists. “Digital health records are a great thing,” said Raman Chima, policy director at the digital rights non-profit Access Now. “But having them pullable via APIs is not necessarily a good thing. Having them accessible via open APIs is a very dangerous thing.”

The National Health Stack would require the creation of Health IDs for beneficiaries “with a link to a strong foundational ID such as the beneficiary’s Aadhaar number”. It also mandates the creation of uniform digital personal health records. Personal health records will be a collection of all data about an individual across various health providers – comprising of medical history, medication and allergies, immunisation status, laboratory test results, radiology images, vital signs, personal stats such as age and weight, demographics and billing information, and multiple health apps.

Using the argument that “every citizen has a right to not just her/his health data but also right to access to structured data”, the consultation document says that all service provider electronic health records and stand-alone personal health records – including wearables, health devices and health apps –should have APIs compatible to the National Health Stack personal health records.

This sensitive health data, the document says, will be maintained in a secure and private environment, with the individual determining rights of access. “Health data fiduciaries” will facilitate consent-driven interaction between entities that generate the health data and entities that want to consume the data for delivering better services to the individual. However, it does not elaborate on what kind of entities these health data fiduciaries will be, whether they will be government or private bodies.

Already questions have been raised about India Stack allowing private companies to use the information on its system, much of which is based on Aadhaar, to create their technology services.

Having a health stack, the base of which is personal health data, throws up more questions about who owns, who can access and who can control such digital data. emailed questions to Alok Kumar, advisor to the Niti Aayog, but he did not respond. The story will be updated in case he responds.

Aims of the National Health Stack

The aim of the National Health Stack, according to the Niti Aayog document, is to improve access and affordability of healthcare, facilitate national health programmes, monitor insurance policies and claims, and boost medical research and health analysis. The stack is being designed to support existing and future health initiatives, both public and private.

The proposed India Health Stack will have four key components – electronic health registries of health service provides and beneficiaries, a coverage and claims platform, a federated personal health records framework and a national health analytics platform. It will also have other components like digital health IDs, health data dictionaries, supply chain management for drugs, payment gateways and more.

The coverage and claims platform in particular will be the digital structure for the Pradhan Mantri-Rashtriya Swasthya Suraksha Mission or PM-RSSM, which is the health insurance component of the Ayushman Bharat programme through which the government intends to provide Rs 5 lakh health insurance cover each to more than 10 lakh families.

Prime Minister Narendra Modi reviews the preparations for launch of Health Assurance programme under Ayushman Bharat in New Delhi on May 7, 2018. (Photo: IANS/PIB)

Through these platforms, the National Health Stack is supposed to facilitate collection of comprehensive healthcare data across the country. Analysis of this data can help policy makers design health policy and help detect fraud in health insurance, the document states.

But health activists are not convinced. “People doing medical research or public health research are craving good data to enable proper health planning,” said Prasanna Saligram, public health researcher with the People’s Health Movement. “We don’t have authentic data anywhere. Depending on the season or the person recording data or political motives, malaria data might be recorded as malnutrition and malnutrition recorded as malaria. People keep fudging data and that is not going to change with a new digital technology architecture.”

The document also says that the data can help “engage market players (NGOs, researchers, watchdog organizations) to innovate and build relevant services on top of the platform and fill the gaps”, which is like the design of India Stack that allows market players to build services based on Aadhaar and other data collected by the government.

Who runs the stack?

Health data is just about the most sensitive kind of data. If health data is mishandled or revealed, a person with a chronic medical condition can be discriminated against by potential employers or at the workplace and thereby face significant financial harm. Disclosure of a medical condition like HIV or tuberculosis can also result in social harm since people with these diseases face immense stigma. Insurance companies deny claims or raise premiums based on health data.

Chima says that India Stack, which is the model for the National Health Stack, appears to be an entire ecosystem of operations and services, products and institutional design but nobody knows who exactly deploys it. The India Stack website claims that the API team at iSPIRT has been a pro-bono partner in the development, evolution, and evangelisation of its systems. iSPIRT is a technology lobby group. In fact, in this video published on June 7 on the YouTube channel Bharat Inclusion, Pramod Varma – whose LinkedIn profile identifies him as “chief architect Aadhaar, architect India Stack, chief technology officer at EkStep, volunteer at iSPIRT, technology advisor and mentor” – describes the form and function of the National Health Stack among other platforms being built for information sharing.

Chima said that India Stack “has been designed in a manner where it uses public resources and is designed by public agencies but it is not clear whether the government has designed and operated this or it has been subcontracted to someone else or whether it is a private sector product or a model where it has been acquired by government.” He added, “Basically, it has been designed to circumvent Right To Information disclosures and obligations, it circumvents public procurement and generally circumvents accountability.”

Having industry participation seems to be crucial to the Niti Aayog’s vision of the health stack. At a conference in Bengaluru in June, Alok Kumar, advisor to the Niti Aayog, made a presentation about a standardised digital health system saying that they will be owned and operated by the government but will have open data that can be accessed by people who want to build on the data using open API software. The conference was organised by the Public Health Foundation of India, but most of the panelists and audience members were from medical technology companies – medical devices makers, telemedicine service providers, professional care service providers, and digital healthcare systems providers.

Niti Aayog member (health) Vinod Paul and advisor Alok Kumar addressing a conference on Universal Health Coverage in Benagaluru in June.

The use of Aadhaar

Since 2016, the government has been planning to link Aadhaar to electronic health records, despite a provision in the Aadhaar Act that says demographic information collected under Aadhaar Act will not include “medical history”. Aadhaar seems to be central to the design of the National Health Stack as it is in India Stack. Identification will follow the method prescribed in the National Health Policy, 2017, which states that the Aadhaar number is preferred where available. In case the Aadhaar number is not available, beneficiaries can supply local identifiers or photo identity card number issued by any central or state government.

Aadhaar requirements for medical services has already created several problems. As reported in November last year, some HIV positive people undergoing antiretroviral therapy under the NACO programme dropped out of the programme for fear that once they submitted their Aadhaar details, their HIV status would become known to their families.

There have already been instances of people being denied medical services because they did not have Aadhaar. In October 2017, a woman was reportedly denied an abortion at a government hospital because she could not produce her Aadhaar or any other government identification. She later went to an unqualified medical practitioner to have the abortion and the procedure endangered her life. There have been several other instances of exclusion from health services because hospitals have asked for Aadhaar as identity proof.

Health activists argue that health systems should not require proof of identity from those seeking treatment.

“It is also dangerous if this health stack needs linking to a unique ID, whether Aadhaar or something else,” said Chima. “Linking to one unique health identifier is dangerous because if the data is compromised at one point, then it is compromised forever.”

Security and consent

The consultation document repeatedly says that access of data and flow of information will be based on consent by the owner of the data. To ensure this, the stack will have a “consent layer” that is separate from data flow. According to the document, “patients may opt to (consent to) archive their data in one or more types of meta-directories that will then allow (or restrict) automated access for clinical, research, quality improvement, or marketing purposes.”

“The consent layer here is a technical feature,” said Apar Gupta, lawyer and co-founder of the Internet Freedom Foundation. “In the absence of a law, the requirement for consent will be the decision of a company or government department, which will be discretionary, arbitrary and without adequate democratic legitimacy. The technical framework has to be within the bounds of the legal framework.”

Gupta also points out that data protection in line with human rights principles and the right to privacy go beyond consent. There must be regulatory interventions to prevent harmful use of a person’s personal data even if they have given consent.

Saligram said that this “system places the onus of control on the user with an assumption that they know how to control the flow of information through APIs, like a software engineer.” However, he pointed out, “In reality, the user is more likely to be an elderly lady with low levels of literacy who earns by selling coriander.”

To protect health information, he said, all data in the system should be masked but this will be counter-productive for parties wanting to build on such data.

Saligram also pointed out that in India, most people will only go to a hospital when they are very sick. At that point, they are only looking for treatment and will consent to almost anything.

Health data laws

In March this year, the government released a draft of the Digital Information Security in Healthcare Act or DISHA, which recognises that people have the right to privacy, confidentiality, and security of their digital health data. They also have the right to give or refuse consent for generation and collection of such data.The draft Act allows clinical establishments to generate, collect and store health data. Such establishments include hospitals, laboratories and medical professionals but not medical technology companies.

The draft Act specifies that “digital health data, whether identifiable or anonymised, shall not be accessed, used or disclosed to any person for a commercial purpose and in no circumstances be accessed, used or disclosed to insurance companies, employers, human resource consultants and pharmaceutical companies, or any other entity as may be specified by the Central Government”.

However, the Niti Aayog’s National Health Stack strategy involves a separate platform only for insurance claims and coverage. Will the National Health Stack be covered by a proposed DISHA law? The fate of the DISHA law itself hangs in the balance as the Justice BN Srikrishna Committee is in the final stages of preparing its report on the larger question of data protection and will give direction to drafting a privacy law for India.

“There seems to be government acknowledgment of privacy concerns that require an act of parliament to protect health data but the approach doesn’t seem to be coordinated,” said Gupta. “If you look at the Niti Aayog draft of digitisation of health data integrating it with services, there is mention of privacy and the necessity of legislation but in the form a technical architecture by itself.”