National Digital Health Blueprint 2020 needs a review?

With an aim to fix the ailing healthcare facility of the country, Indian government (like other sectors – Finance, Public Distribution System etc.) has opted for digitization as a solution. In January, 2020, the government released a National Digital Health Blueprint which sets out a comprehensive framework for “Federated National Health Information System”. In March, soon enough the COVID-19 pandemic struck the country and underlined the importance of having the National Digital Health Blueprint in action. However, the pandemic situation has also highlighted the many areas of improvement for the Blueprint and the need for urgent action on such improvements. This blog post will put forth the author’s views on the need of studying the Blueprint again and including the concepts like digital therapeutics, digital diagnostics and telemedicine in its scope. The blogpost will also aim to present a picture of the diverse elements of a futuristic digital health ecosystem for India and the role that science, scientists and technology can play in establishing such an ecosystem.

Introduction

It seems like that Indian government has developed a formidable belief that technology is solution for all the deep-seated problems which are haunting the country’s socio-economic growth since independence. In 2015, the ambitious Modi government launched the “Digital India” programme with an aim to transform India into a knowledge economy, empowered with on-the-go access to information, governance and essential services. This ambition quickly received a reinforcement in the form of JIO’s success, which resulted in increasing the smartphone penetration rate and making India the second-fastest digital adopter in the world. Around the same time, the image of India’s healthcare remained pitiful and harrowing. In the Healthcare Access and Quality (HAQ) Index, India ranked below what can be considered as dismal position – 145th out of 195 countries.

India significantly lacks in implementing most of the World Health Organisation’s (WHO) recommendations regarding the adequacy in terms of doctors, nurses, medical technicians and healthcare facilities as required to cater the population. Owing to such inefficiencies, the country’s healthcare policy has been inconsistent such that India is overburdened with the task of eradicating infectious tuberculosis disease. It is only in this decade that India was able to get the polio-free status for itself. Our country is also facing exponential rise in cases of lifestyle disorders ensuing the endemic of diseases like diabetes and clinical depression. Simply put, these statistics are omen for India as a contender to be in the league of top three fastest growing economies of the world. The government of India itself has noted that in order to realize the real growth potential, the country has to fix the health systems on priority basis by investing adequate finance and manpower. Presently, Indian labor workforce is performing far below its optimum productivity due to many ill-health issues.

Therefore, the government, considering the nation’s emerging forte in digital space, has decided to go digital in healthcare reforms as well in order to analyse the consumption of health services by the population. As per the GoI, the future is technology, and India cannot accomplish its goal of ‘Health for All’ in the absence of digitization of health infrastructure and delivery. India is seeing Artificial Intelligence or Machine Learning as the foundation of accessible, affordable and quality health solutions at the intersection of technologies like biotechnology, robotics and computer science. The digital approaches for upgrading the conventional healthcare infrastructure could definitely be an antidote for the frail healthcare infrastructure given the nation’s population  is increasingly on-boarding various digital platforms. It can also be a great overall strategic direction for India to shape its influence in terms of policy-making in the context of global health. It is indeed a possibility given India’s competitive position in technology innovations and the fact that health-tech market is in a nascent stage, with all the countries almost on level playing field.   

The National Digital Health Blueprint 2020 (NDHB)

The ruling government is envisioning the digital health infrastructure as a system that will fit well or accurately with its larger aim to modernize (specifically ‘digitize’) the public health welfare system. In this line, the missions that have been already initiated by government are Ayushman Bharat, Swachh Bharat, Digital India, and Make in India.

The Ministry of Health and Family Welfare of India (MoHFW), pursuant to its afore-mentioned digital health policy initiatives, released NDHB in January 2020. This is the only detailed official explanation of PM Modi’s proposed National Digital Health Mission. It provides a picture of the entire framework of a “Federated National Health Information System”. It elaborates that the envisioned framework will inter-link systems of private and public health provider organisations serving across primary-, secondary- and tertiary-healthcare services. As the blueprint specifies, this is clearly in alignment with one of the objectives envisaged under the National Health Policy of 2017 i.e., to create an integrated health information system for all stakeholders in the health system, to improve efficiency, transparency and citizen experience.

The NDHB is indeed a well drafted document as it comprehensively shows the way the reformers have to tread in order to carry out the colossal task of developing an extensive database of electronic health records, which will be available as single source repository of health data per unique patient within India. Beyond this, state-wise datasets containing information of health-workers (doctors, nurses, paramedics) and health facilities, disease registries, inventories, and insurance claim records will also form the essential element in federated system. The blueprint provides that the database hub and key facilities will be hosted by the Health-Cloud (H-Cloud). Similar to the Aarogya Setu’s API release, the federated system will also be interoperable to allow seamless data exchange.

The blueprint obviously lists the standards for maintaining the privacy and security of the digitized health data (The next blogpost on the National Digital Health Mission will exhaustively deal with privacy and security related aspects – we also have interesting classified updates for you in that post). Project implementation will not be gradual or stage-wise, but it will follow the scheme of technology sandbox to test and roll-out the massive data-management infrastructure. The infrastructure will be further used for tracing the real-time stats related to population-wide health status. The customized and timely interventions will be made if the predictive analytics of the stats forecast community outbreaks or disease spread propensity by region. The running algorithms will be deployed to optimize data analysis and allocate scarce resources at district and state level, and more.

It has to be kept in mind, and can be inferred from the blueprint, that there are three prerequisites for successfully initiating the exercise that the NDHB proposes:

Uniform internet and telecommunications availability across the country;

An extensive network of primary healthcare centres for service delivery; and

Trained health workforce.

Presently, all these three are work in progress in India wherein Second and Third points really require a special focus.  Internet penetration in India has picked up a good rate but healthcare on field is definitely lacking. The government has to create a solid foundation through uninterrupted support, spirit and funding.

The envisioned integrated national-health data hub will be a vital asset to run process and analyze all the complex health data, which can be leveraged for creating accurate policy-designs and well-gripped implementation control. For example, through algorithms, timely automated intervention within the health system will increase cooperation. As soon as certain stat will touch a determined threshold, the notifications will trigger the appropriate health-crisis management authorities. The entire process will include relaying of targeted messages within the population, automated stock and inventory management warnings, and virtual medical training and research, to create a strong foundation for affordable and efficient healthcare. Once operational, the database is expected to connect and expedite India’s slow-moving fragmented health system. While this will not immediately fix the system entirely, it is surely a step towards making it efficient and future-ready.

Is everything right with the Blueprint?

The Blueprint definitely mentions about the great plan of futuristic healthcare infrastructure. However, it is still far from being an “all-encompassing vision document” which is needed to provide solution to two-fold issues: (a) A launch pad for India’s digital health ambition, and (b) Need of resolving the deeply entrenched issues with healthcare that persist for years now. Therefore, it is needed to trace specific to context use cases recognizing the problems that are unique to India.

Even the WHO’s guidance has made the point that digital-health interventions must be treated as supplements, not substitutes, for functioning health systems. The Blueprint requires major upgrades to its dimensions- which means priority push for digital policy on therapeutics, diagnostics and medicine.

Policy action needed to reform therapeutics and diagnostics in India must be aligned with the broader AI policy of India. The current version of India’s AI policy provides “healthcare” as one of the most promising areas but admits the obstacles it will face in creating a new path. India is not alone in this predicament. Recognizing best practices around the world and picking out unique use-cases, the following points must be considered to strengthen the policy in terms of therapeutics and diagnostics:

1. Promoting indigenous innovation in health-tech while maintaining technological sovereignty;

2. The use-cases with respect to healthcare must be selected keeping in mind the inherent infrastructure limitations and resource shortages;

3. While going digital, it is important to keep patient safety as priority through adopting regulatory frameworks that mandate scientific and clinical validation of products/services;

4. One thing that is essential to the traditional doctor-patient relationship is trust. The approach must invest in creating a reliable infrastructure.

5. Real-world transparency, data confidentiality, cyber security and ethics should be the foundational principles when an innovator envisages a health-tech innovation. Proper guidelines for medical software developers and policy on transparent data-sharing agreements wherein, rights of patients are protected must be rolled out at the earliest.

Conclusion

Therefore, it is important to say it again, the Digital Health is not the immediate relief given the limitations of the India’s healthcare, i.e. inadequate infrastructure and resource shortages. However, one thing we have learnt for sure is that a better-connected and digitized nation is better-prepared to achieve sustainable development goals if policy’s approach is inclusive in real sense, and to face unprecedented black swans of magnitude like Covid-19 pandemic. Digital health adoption will bring many changes in the functioning of the current system across the value chain. The benefits of public goods, products and services under this category must be maximized, with minimum disruption to the society. If all goes well i.e. policy implemented properly and limitations checked promptly, the NDHB could be a chance for India to get rid of its ailing healthcare infrastructure.

(These are personal views and opinions of the author and do not necessarily reflect views of any organisation)

Hopes and Doubts related to Telemedicine Guidelines in the context of Data Protection

Author is Vineet Gupta, Volunteer Researcher, LawforIT. He is actively involved in a research on privacy policies of different leading online medical consultation platforms. Policy paper will be soon available on the Blog.

Background

The Medical Council of India jointly with the NITI Aayog notified the Telemedicine guidelines in midst of the Coronavirus Pandemic. These guidelines can be seen as a first attempt in providing some amount of relief, in regards to legal gaps and anxieties around the practice of medicine by doctors via communication devices.

Although, historically (with the advent of technology) telemedicine has been widely performed in India, for long there has not been any type of legal mechanism for the same. From the introduction of the Communication channel by ISRO in 2001, linking Chennai’s Apollo Hospital with the Apollo Rural Hospital at Aragonda village in the Chittoor district of Andhra Pradesh[i] and to the hundreds of apps providing for online consultation today, we have come up a long way. With the technological up-gradation and boom in the telecommunication sector, it was quite common for a patient to seek recommendations from their family doctors on calls, WhatsApp messages, and even video conferencing. Realizing the potential around telemedicine and its outreach, the internet was flooded with many startups acting as intermediaries that provided a channel between patients and doctors for online medical consultation.

On one side telemedicine was gaining popularity and on the other side, there was also a certain amount of anxiety, backlash, and confusion around the practice of telemedicine. With no proper guidelines among the practice of telemedicine, the doctors were kind of hesitant in providing online/telephonic consultations. They were also pressurized by the medical associations (some of which even declared telecommunication as unethical and practice of which can lead to cancelation of license)[ii]. The patients were hesitant to get telemedicine and a little reluctant to provide their sensitive information online to unknown doctors. They were scared as for long there was no telemedicine and data protection law in place. Most importantly many people, especially the rural population were, and are unaware of the potential of telemedicine and its application in this Technological era. The introductory part of the guideline’s states that:

“In India, till now there was no legislation or guidelines on the practice of telemedicine, through video, phone, Internet-based platforms (web/chat/apps, etc). The existing provisions under the Indian Medical Council Act, 1956, the Indian Medical Council (Professional Conduct, Etiquette and Ethics Regulation 2002), Drugs & Cosmetics Act, 1940 and Rules 1945, Clinical Establishment (Registration and Regulation) Act, 2010, the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 primarily govern the practice of medicine and information technology. Gaps in legislation and the uncertainty of rules pose a risk for both the doctors and their patients.[iii]

https://www.mohfw.gov.in/pdf/Telemedicine.pdf

The case of Deep Sanjeev Pawaskar and Anr. v. The state of Maharashtra[iv] was by the high court of Bombay a doctor provided advice to ailing patient online due to lack of unavailability of routine doctor and unfortunately, the patient died. The high court held the doctor as negligent for using telemedicine to treat the emergency. This case led to widespread criticism as the patient would have died irrespective, and telemedicine had no role to play. The above case triggered the need for new legislation, and the need for remote doctors in coronavirus pandemic led to the expeditious introduction of these much-awaited guidelines. These guidelines have opened a door to the future of telemedicine in India. While a lot has been discussed upon the salient features of this act, I will be strictly adhering to the examination the guidelines concerning personal data protection concerns.

Locating privacy under Telemedicine Guidelines

In the course of doctor-patient interaction, a significant amount of data exchange takes place from the side of the patient and the guidelines also makes it compulsory for the RMP to store and keep a record of all this electronic health record[v]. A Registered Medical Practitioner (RMP) is free to choose the mode of communication for providing telemedicine[vi]. The guidelines provide for various types of information related to health conditions which are needed to be provided by the patient to the RMP over telemedicine[vii]. Further, the guidelines provide for the maintenance of privacy as well as medical ethics following the Indian Medical Council act and rules[viii]. The guidelines also state that the RMP would have to follow and abide by various data protection laws such as the Information Technology Act and other data protection laws and rules (present as well as notified in future) which provides for the protection of patient’s data[ix]. The guidelines also highlight the breach of confidentiality by the doctors would be declared misconduct and will be penalized by IMC act, ethics, and other laws[x]. The doctors are exempted from charges in cases where there is reasonable evidence to believe that the breach is due to some technological error with no involvement of the RMP[xi].

Reading Telemedicine Guidelines with data privacy laws

Personal information and Data protection Rules 2011

It is quite clear that telemedicine guidelines would have to be read in conjuncture with data protection laws of the country to protect the privacy of the patients. After the judgment of K.S Putttuswamy v. Union of India[xii], privacy is well recognized as the part of the fundamental rights of the citizens. The data protection laws in India are governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 under the IT act. The judgment of Puttuswamy has led forth the Personal Data Protection Bill, 2019 which is in the process of getting passed by the parliament any time soon this year or the coming year[xiii]. The IT rules of 2011, as well as the new personal data protection bill, treats ‘Health Records’ as ‘sensitive personal data or information (SPDI)’. Under the IT acts data protection rules, when a corporate body deals with SPDI (collection, storage, transfer, or processing of SPDI) the data protection rules get activated. The data protection rule considers consent as an important requirement so a doctor or institution is required by law to obtain the consent of the patient in writing for use of any of his data[xiv]. There is also a restriction of sharing SPDI to the third party without the consent of the patient[xv]. The institution collecting such SPDI also has to put a policy in place and mention clearly on their websites[xvi]. A standard of procedure to store data has to be maintained as well as there should be a requirement of modification[xvii] and opt-out[xviii] their SPDI if the need arises.

Role of Intermediaries

There are many e-health apps which just act as a facilitator between the patient and the doctors and are not as such directly involved in the transaction[xix]. In these types of cases, such apps or companies will act as an intermediary and would be subjected guidelines of IT act specifically for the intermediaries. Such intermediaries have to initiate certain due diligence such as including terms of use, the appointment of grievance officer, and removal of offending/unlawful content within 36 hrs of request.

Telemedicine Guidelines: gaps are still needed to be filled to protect mass sensitive data

With the advent of Corona virus pandemic even a lot of state governments are actively involved in providing their own guidelines[xx] and facility of telemedicine[xxi] through their empaneled state government doctors or through Public private partnership Apps and facilities. Although telemedicine has opened a whole new legal world still there are various legal inadequacies in the Telemedicine sector which the present telemedicine guidelines, IT act, and rules do not properly address.

Firstly the telemedicine guidelines make no difference between ‘data fiduciary’ (person who stores, collect and process massive volume of important data) and ‘social media intermediary’ and also what if both are the same. For instance, many corporate hospitals (eg Apollo)[xxii] which have a wide range of medical business are also providing telemedicine. Some pharmaceutical companies (eg. Lybrate)[xxiii] are also in the business of telemedicine.

E-Pharmaceutical companies are already facing uncertainties in regards to online sale of drugs with central government coming out with Draft Rules 2018 to regulate e-pharma amending earlier Drug and cosmetic rules of 1945[xxiv]. These rules will also throw light on protecting data of patients seeking medicines online. But how will draft rules and telemedicine guidelines be able to regulate e-pharma companies who are even providing telemedicine is an area government needs to focus on since these types of companies have huge amount of sensitive data of patients and prone to misuse. Many of these apps even provide for their internal channels of communication for doctors and patients. While taking services from these sites there would be the transmission of the huge amount of electronic medical records to these companies. Since doctors belong to the same company or use a communication channel of the company who is acting as social media intermediary, then believing that data is not shared between them is being very optimistic.

Access to such a huge amount of ‘sensitive personal data’ to the hands of corporates without any supervision is troublesome. These data might be used to create an algorithm for targeted advertising, sharing with 3rd parties, and moving huge data outside the country. In such a scenario if there is any data breach who would be liable? is a question on which the guidelines are silent. And as the data protection law stands today, there is not much to offer.

So, we have to go through the pending data protection bill[xxv] to find some answers. In the Data protection bill two types of entities have a huge due diligence obligation in terms of dealing with personal data’s namely ‘significant data fiduciary’ and ‘social media intermediary’. Under the bill, the obligation which is associated with the significant data fiduciary (a person holding a huge amount of important data to be notified government) is extended to the social media intermediary(‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services[xxvi]’). These significant data fiduciaries and social media intermediaries will be notified by the government.

In addition to provisions provided for significant data fiduciaries like maintenance of records[xxvii], data protection impact assessments[xxviii], an audit of policies[xxix], and appointment of a data protection officer[xxx], Social media intermediaries are obligated to put forth an option to the users (registering from India or using the services in India) for voluntary verification of their accounts. The provisions for ‘significant data fiduciary’ and ‘social media intermediary’ seems promising for companies dealing with electronic medical health records but whether these hospitals providing telemedicine would be notified under ‘significant data fiduciary’ or the e-health apps storing huge amount of data as ‘social media intermediaries’ is a question of time as the bill is still pending.

Parting note

The telemedicine guidelines are a huge breakthrough in the field of medical sciences. The guidelines have tried to address a huge amount of anxieties and uncertainties about the practice of telemedicine but in the context of data protection, the guidelines sadly have not much to offer. The guidelines have to be read along with data protection laws of the country and as the data protection laws of the country currently stand there is not enough impact to ensure the protection of sensitive patient data from the hands of big hospitals doing telemedicine themselves and e-health apps acting as an intermediary for telemedicine. The new data protection bill, 2019 if passed as it is, it would address a lot of these gaps provided the government notifies these hospitals and e-health apps as significant data fiduciary and social media intermediaries respectively. Another pending bill such as Digital Information Security in Healthcare Act (DISHA), a regulatory platform for sharing digital records among hospitals and will be based on setting digital health records in the country[xxxi].  DISHA  will be clubbed with Personal data protection bill along with telemedicine guidelines would be something to look forward.


[i] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6618173/

[ii] https://medicaldialogues.in/indian-medical-association-seeks-clear-cut-guidelines-on-telemedication-from-medical-council-of-india

[iii] https://www.mohfw.gov.in/pdf/Telemedicine.pdf

[iv] Criminal Anticipatory Bail Application No. 513 OF 2018

[v] Telemedicine guidelines 2020, section 3.7.2

[vi] Telemedicine guidelines 2020, section 1.4.1

[vii] Telemedicine guidelines 2020, section 3.5

[viii] Telemedicine guidelines 2020, section 3.7.1

[ix] Id

[x] Id

[xi] id

[xii] 2017 10 SCC 1

[xiii] https://prsindia.org/billtrack/personal-data-protection-bill-2019

[xiv] Rule 5(1) of the Data Protection Rules

[xv] Rule 7 of the Data Protection Rules

[xvi] Rule 4(1) of the Data Protection Rules

[xvii] Rule 5(7) of the Data Protection Rules

[xviii] Id

[xix] https://www.dr-hempel-network.com/digital-health-startups/doctor-patient-platforms-in-india-success/

[xx] See Maharastra: https://www.maharashtramedicalcouncil.in/Files/Notifications_26032020_MCI%20Notification%20Regarding%20TELEMEDICINE.pdf, See Karnataka: https://www.mondaq.com/india/healthcare/905172/karnataka-government-notificationregulations-on-covid-19

[xxi] See kerela: https://economictimes.indiatimes.com/industry/healthcare/biotech/healthcare/kerala-govt to-use-telemedicine-service-e-sanjeevani-for-non-covid-patient-care/articleshow/76370573.cms?from=mdr,

See Westbengal : https://www.newindianexpress.com/nation/2020/jun/30/west-bengal-sets-up-covid-warrior-club-to-help-contain-pandemic-2163150.html, See Tamil Nadu: https://tsitn.org/telemedicine-facilities-in-tamil-nadu/, See Karnatka: https://economictimes.indiatimes.com/news/politics-and-nation/karnataka-govt-launches-apthamitra-helpline-and-app-to-fight-covid 19/articleshow/75293952.cms?from=mdr, See Delhi: https://www.newindianexpress.com/cities/delhi/2020/jul/04/aap-launches-district-surveillance-telemedicine-hub-to-help-with-covid-19-requirements-2165260.html, See Rajasthan: https://timesofindia.indiatimes.com/city/jaipur/rajasthan-government-starts-free-medical-tele-consultation-service/articleshow/75540116.cms

[xxii] id

[xxiii] id

[xxiv] https://www.mondaq.com/india/food-and-drugs-law/865476/regulations-for-online-sale-of-medicines and-drugs-in india#:~:text=India%3A%20Regulations%20For%20Online%20Sale%20Of%20Medicines%20And%20Drugs%20In%20India&text=The%20draft%20rules%20prescribe%20that,registered%20with%20the%20applicable%20authority.

[xxv] Supra

[xxvi] Section 26 (4) Private Data protection bill, 2019

[xxvii] Section 28 Private Data protection bill, 2019

[xxviii] Section 27 Private Data protection bill, 2019

[xxix] Section 29 Private Data protection bill, 2019

[xxx] Section 30 Private Data protection bill, 2019

[xxxi] https://pib.gov.in/Pressreleaseshare.aspx?PRID=1578929