Ayushman Bharat Digital Mission: How safe, secure, and private is our health information?

Anand Trivedi | December 30, 2021


#Ayushman Bharat Digital Mission   #technology   #Healthcare  
Image courtesy: National Digital Health Blueprint

Adopting a ‘citizen-centric’ approach, the Ayushman Bharat Digital Mission (ABDM), launched last September, marked an important milestone in India’s evolving journey towards open digital platforms. ABDM strengthens the equity and accessibility of health services through a technology-driven, holistic healthcare programme approach.

By providing a unique ID to every Indian citizen and by creating registries of clinical establishments, healthcare professionals, and pharmacies, it establishes a single source of truth about all the participants in India’s digital healthcare ecosystem. Additionally, by integrating siloed data systems to foster health data exchange through open digital standards, it enables seamless access to personal health records across the National Digital Health Ecosystem (NDHE).

So, within the NDHE, every visit by a patient to a healthcare facility creates a digital transaction (e.g., a prescription or a diagnostic report, called an Electronic Medical Record – EMR) that can now be securely stored against the patient’s unique health ID. Threading these EMRs together over time produces the patient’s complete Electronic Health Record (EHR). Patients can then share these EMRs/EHR with different healthcare providers to improve the efficiency and effectiveness of health service delivery.

However, how safe, secure, and private will an individual’s health information be in the system? This article looks at some hits and misses in the data security and privacy design of ABDM.

How is the health information kept safe and secure?
Security-by-design is a key principle embedded in the National Digital Health Blueprint (NDHB), which forms the basis of ABDM’s design. ABDM implements it through a well-thought-out federated architecture: the patient’s transactional data (EMRs), instead of being pooled in a centralized system that would present a single high-value target, is held at or near the point of care, and all other IT systems reach it only through links. These links, organized chronologically to constitute the patient’s EHR, are stored at the state level. No health records are held at the national level. Since each data type is stored at only one level, uniqueness and consistency are maintained. Personal health information moves across the secure health networks only as reference links, and all such transactions are watched over by a 24x7 security surveillance operations centre. Federation reduces the blast radius of any single compromise rather than eliminating it: the state-level link index and the identity registries remain sensitive assets in their own right and need protection of the same order as the records they point to. Taken together, this federated data architecture, its infrastructure, and the related processes provide a high level of health information security.

How is my sensitive personal health information kept private and protected?
ABDM applies the privacy-by-design principle by placing the citizen in control of her/his health information through (a) built-in technological features such as a consent manager, an anonymizer, and a privacy operations centre, and (b) a dedicated Health Data Management Policy that sets out the rights of patients/citizens, i.e., ‘Data Principals’, and the obligations of Health Information Providers/Users, i.e., ‘Data Fiduciaries’.

Technological interventions
The creation of an EMR at the facility level, the assembly of the longitudinal EHR in the health locker from those EMRs, and the sharing of such EMRs/EHRs with Data Fiduciaries all happen only after the patient, as the Data Principal, consents to them.

Secondly, ABDM’s anonymizer strips personally identifiable information from EMRs/EHRs before they are shared, to protect privacy. Both consent collection and anonymization happen at the primary source of data capture, the health facility.

Thirdly, ABDM’s privacy operations centre will monitor all access to private data, review consent form templates, design customized templates for the most common purposes, audit privacy compliance, evangelize privacy principles, and enhance overall trust in the ecosystem.
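As an added illustration (not ABDM’s own code or API), the following Python sketches the three interventions above together with the federated storage described in the previous section: EMRs stay at the facility that created them, a state-level locker holds only chronological links, a consent artefact (patient, requester, purpose, record set, expiry, withdrawal flag) gates every fetch, and a de-identification step runs before a record is shared for anything other than care. The facility and patient names, record IDs, field names, the consent model and the fixed clock are all constructed assumptions for the example.

```python
"""Consent-gated, federated record access with de-identification for sharing.

Added illustration for this article; not ABDM's own code or API. Facility and
patient names, record IDs, field names and the consent model are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data: each facility (the point of care) keeps its own EMRs.
FACILITY_RECORDS = {
    "clinic-A": {"rx-1001": {
        "health_id": "patient-007", "name": "A. Patient", "dob": "1984-03-12",
        "phone": "9999999999", "type": "prescription", "date": "2021-11-02",
        "content": "Metformin 500 mg BD"}},
    "lab-B": {"dx-2002": {
        "health_id": "patient-007", "name": "A. Patient", "dob": "1984-03-12",
        "phone": "9999999999", "type": "diagnostic_report", "date": "2021-11-05",
        "content": "HbA1c 7.1%"}},
}
# State-level locker: chronological (facility, record_id) links only; no record
# contents are held here, and nothing at all at the national level.
STATE_LOCKER = {"patient-007": [("clinic-A", "rx-1001"), ("lab-B", "dx-2002")]}
DIRECT_IDENTIFIERS = ("name", "phone")  # dropped outright on de-identification
SAMPLE_NOW = datetime(2021, 12, 30, tzinfo=timezone.utc)  # constructed clock


class ConsentError(PermissionError):
    """Access not covered by a live consent artefact."""


@dataclass
class Consent:
    """Consent artefact: who may see which records, for what purpose, until when."""
    patient: str
    requester: str
    purpose: str
    record_ids: frozenset
    expires_at: datetime
    revoked: bool = False  # the patient can withdraw consent at any time


def sample_consent(now=SAMPLE_NOW, requester="hospital-C", purpose="care", days=30):
    """Constructed consent from patient-007 covering both sample records."""
    return Consent("patient-007", requester, purpose,
                   frozenset({"rx-1001", "dx-2002"}), now + timedelta(days=days))


def check_consent(consent, patient, requester, purpose, now):
    """Checked at every use, so a withdrawn or expired consent stops further
    access even though the artefact was valid when it was issued."""
    if consent.patient != patient:
        raise ConsentError("consent belongs to a different patient")
    if consent.revoked:
        raise ConsentError("consent withdrawn by patient")
    if now >= consent.expires_at:
        raise ConsentError("consent expired")
    if consent.requester != requester:
        raise ConsentError("consent granted to a different requester")
    if consent.purpose != purpose:
        raise ConsentError("purpose not covered by consent")


def fetch_records(patient, consent, requester, purpose, now):
    """Resolve the patient's links at the state locker, then pull each EMR from
    the facility holding it. Only records named in the consent are fetched."""
    check_consent(consent, patient, requester, purpose, now)
    records = []
    for facility, record_id in STATE_LOCKER.get(patient, []):
        if record_id in consent.record_ids:
            records.append(dict(FACILITY_RECORDS[facility][record_id]))
    return records


def anonymize(record, secret):
    """De-identify a record before it is shared for anything other than care.

    Direct identifiers are dropped, the health ID becomes a keyed pseudonym
    (HMAC-SHA256) so one patient's records stay linkable for longitudinal
    analysis without exposing the ID, and the date of birth is reduced to a
    year. Caveat: birth year, dates and record type are quasi-identifiers and
    can still support re-identification, the gap the article raises later.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["health_id"] = hmac.new(secret, record["health_id"].encode(),
                                hashlib.sha256).hexdigest()[:16]
    out["dob"] = record["dob"][:4]
    return out


if __name__ == "__main__":
    consent = sample_consent()
    for emr in fetch_records("patient-007", consent, "hospital-C", "care", SAMPLE_NOW):
        print("for care:    ", emr["type"], "-", emr["content"])
        print("for research:", anonymize(emr, b"pseudonymisation-key"))
    consent.revoked = True  # patient withdraws consent
    try:
        fetch_records("patient-007", consent, "hospital-C", "care", SAMPLE_NOW)
    except ConsentError as err:
        print("after withdrawal:", err)
```

Two design points matter in practice. The consent is re-evaluated on every fetch rather than once at issue time, which is what makes withdrawal and expiry effective. And the pseudonymisation key must be held only by the anonymizing party: anyone holding it can reverse the pseudonym, and even without it the remaining quasi-identifiers (dates, record type, birth year) are exactly the material re-identification attacks use.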

Policy measures
ABDM’s Health Data Management Policy (HDMP) provides robust prescriptions for protecting rights of Data Principals and fulfilling obligations of Data Fiduciaries.

ABDM-HDMP requires data fiduciaries to obtain consent that is free, informed, specific, and capable of being withdrawn later. It mandates that they issue a privacy notice before data collection and whenever their privacy policies or intended purposes of data use change.

It also empowers Data Principals with rights such as obtaining confirmation from fiduciaries that their information has been collected, accessing that data, knowing with whom it was shared, requesting rectification and, most importantly, the ‘right to be forgotten’, with an option to opt out of the NDHE and have their Health IDs deleted.

It also puts the onus of implementing privacy-by-design on data fiduciaries by requiring them to honour all the Fair Information Practice Principles (FIPPs). The HDMP requires all data fiduciaries to appoint Data Protection Officers for grievance redressal and allows data principals to escalate unresolved issues to the Mission’s grievance redressal officer.

Hence, ABDM puts together a comprehensive set of technological and policy interventions to improve the security and privacy of patients’ health information.

Areas of improvements in ABDM’s data protection architecture
While the HDMP lists various possible contraventions, the penalties for them are limited to a ban on, suspension of, or cancellation of digital health IDs. Experts opine that this may leave minor violations either completely unpunished or disproportionately punished, which highlights the need for a graded penalty system ranging from warnings, corrective actions, and monetary penalties to suspension, cancellation, and the institution of criminal proceedings, depending on the cause. To enforce this, the importance of enacting the pending Personal Data Protection Bill, 2019, to establish overarching data protection legislation in the country cannot be overstated. The HDMP is at best a set of rules that needs legal strengthening to address privacy concerns, an issue that even UNAIDS has emphasized.

The HDMP also needs to address the recourse available in case of unlawful re-identification of anonymized data, now a widely recognized threat. Additionally, a data breach, given the sensitive nature of the information, entails risks of public embarrassment, humiliation, loss of reputation, and stigmatization, with the possibility of discrimination at the workplace and in access to insurance; this further underscores the need to strengthen the legal framework with sector-specific laws like the USA’s Health Insurance Portability and Accountability Act (HIPAA).

Secondly, given the inherently skewed power equation in the doctor-patient relationship, owing to informational inequality combined with low sensitization towards consent and its implications, the HDMP falls short of prescribing behavioural nudges that would simplify the consent-taking process and make consent informed in practice. The broad consent form should be accompanied by an information sheet, in easy-to-understand language, explaining the rights to confirmation and access, correction and erasure, restriction of or objection to disclosure, and data portability, as well as the process for grievance redressal. These aspects are well analyzed in the working paper by the Centre for Health, Equity, Law, & Policy and the Internet Freedom Foundation. It is also worth considering privacy ratings or visual colour codes for the various consent forms/artefacts to improve comprehensibility and to encourage data principals to read the detailed forms.

Overall, since consent is central to fully realizing the benefits of privacy-by-design, it is extremely important to accompany ABDM’s roll-out with a well-planned Information, Education and Communication (IEC) campaign to generate citizen awareness of their rights, the obligations of fiduciaries, and the importance of consent in the ecosystem.

In summary, ABDM does an excellent job of embedding security-and-privacy-by-design in its components, and with certain critical improvements it can truly empower citizens/patients to participate safely and securely in the NDHE.

Trivedi is Director at NITI Aayog, Government of India
