ITForChange (ITfC), a Bangalore-based think tank, said, “The use of retained data anonymization for indiscriminate and / or improper data sharing should not be permitted. The National Health Authority’s Health Data Retention. Answers to the Policy (HDRP) Consulting Paper. According to ITfC, such policies bring more data retention and changes to medical institutions that may not have previously maintained records.
HDRP proposes conditions regarding how to process citizen health data for entities registered with the government’s ABDM and, in some cases, beyond. ABDM is a government project aimed at digitizing citizens’ health records and developing analytical systems based on anonymized and aggregated health data for research, epidemiology and other purposes.
Abuse of such data can lead to discrimination, for example, against communities of patients with rare diseases and ethnic groups with sensitive, unique genetic and other health-related data. However, ITfC has revealed that a rigorous implementation of HDRP can be a compliance burden for small medical institutions.
How is ABDM implemented?
NHA: If a policy becomes applicable to an ecosystem beyond ABDM, how should the policy be implemented?
One of the key questions about HDRP was whether the policy should be applied to all entities in the Indian medical sector. This should include the entity that opts out of ABDM (option 1) or only apply to the entity that opts out of ABDM.
Limit the application of HDRP. ITfC has proposed to roll out the policy in stages.
- Initially, only facilities participating in ABDM should be subject to the policy.
- “Applying this policy to the” medical facilities “that were first registered with ABDM could be an incentive for” medical facilities “nationwide to undertake appropriate digitization in a variety of ways,” said a think tank. Says.
- Capability and awareness programs through the Indian Medical Research Council and the National Medical Commission have the potential to drive small medical facilities to digitization.
According to ITfC, this policy should also clearly state which medical institutions are covered. This can be an excuse for companies to perform non-consensual processing or data storage. If over time it becomes necessary to include other entities underneath, ITfC has suggested that they can be included after consultation. He added that such entities would also have to comply with other existing laws and regulations targeting “traditional” medical entities.
NHA: How can small public and private clinics and centers build features in a timely and cost-effective manner to take responsibility for long-term data retention?
NHA needs to support small clinics in acquiring resources. NHA will initially need to supplement the budget for public health facilities to help procure data storage facilities. In addition, you need to build skills among the smaller facilities under negotiation and create an empowered list of service providers related to data security and access issues.
The Internet Freedom Foundation has proposed as well. NHA provides financial support to small or public health facilities.
How do I need to specify a retention period in my policy?
NHA: What is the ideal duration for these different health data types? Do I need to adopt a comprehensive retention period for all health records in India, or do I need to define a different schedule for each category? Which is a better approach to retention?
When classifying data, you need to keep in mind its purpose and nature. The ITfC should keep in mind the principle of minimization, stating that data granularity captures the key attributes, outputs, and trends associated with such data, and called for increased data classification granularity. rice field. This prevents over-retention of data that is less important to retain and prevents under-retention of more important data.
“For example, data that may be used for research purposes (such as diagnostic images of cancer) should have a longer shelf life with appropriate protection against misuse.” — ITfC
The policy needs to be very clear about what data is included, but ITfC states that as a result of discussions, more types of data can be added.
Concerns about sharing non-personal data
Provisioning to opt out of non-personal data sharing: Through the opt-out clause proposed by ITfC, citizens should be given the option to opt out of sharing data in an anonymous or aggregated format for research or other purposes. In response to HDRP’s provisions that allow health data to be blocked if it cannot be removed due to legal requirements, ITfC has cited examples from the United Kingdom and Canada.
“for example, United Kingdom National Health Service (NHS) In 2018, we launched a national opt-out program. The program creates a single opt-out point that applies system-wide for patients who do not want to share data outside the NHS for research planning purposes and allows people to register their choices. Provided the mechanism. .. ”
“for example, In Ontario, Canada According to the Lockbox Regulations, medical facilities should place patient data in a sealed envelope for the duration of the retention period if the patient wishes to delete the data or if it cannot be disclosed if required by law. I can. “
In contrast, the Federation of Indian Chambers of Commerce (FICCI) called for the sharing of anonymized data for reference and analysis in epidemiology, clinical data analysis, machine learning, and more. This can be done by removing all PHIs (Personal Health Identifiers). It will then store them permanently on a cloud-based server, FICCI said.
Prohibition of discriminatory use of such non-personal data: ITfC proposes to introduce rules, rules and regulations to protect the medical sector from tightly regulated data-related harm and to share the benefits of (non-personal) data use. did. Sharing non-personal health-related data can be detrimental, and ITfC further inferred:
- Non-personal anonymous data is not regulated by any law
- The second draft of the Expert Committee on the Non-Personal Data Governance Framework is a law on both the prevention of collective harm and the activation of community members by imposing a duty of care on non-personal data collectors. Recommended provisions. A group involved in bringing complaints of collective harm to court.
- This report also provides the legal basis and means for sharing interests related to the use of non-personal data related to groups or communities.
Questions that ITfC does not answer
-
- Since ABDM has opt-out provisions, what are the possible implications in terms of maintaining health data in such scenarios?
- Should there be provisions for extension or retention of health data under the proposed policy? What considerations should be taken when defining the guidelines to enable such extensions?
- Who needs to have the vertex authority to monitor and implement the retention of health data? Which entity needs to deploy this policy at the macro level as part of the ecosystem?
- How can you ensure business continuity if your business, platform, or service provider goes bankrupt?
- Is a governance model that follows health data management policies sufficient for retention policies?
- How should policy regulation be enforced and what should be the overall structure of the relevant entity responsible for maintaining health data?
- Is there an alternative model or policy approach to consider?
This post is released under the CC-BY-SA4.0 license. Feel free to republish on the site with attribution and links. Adaptation and rewriting are allowed, but must be true to the original.
What is the future of digital health in India?
Want to track the digitization of health in India, don’t you have the time? Relying on content scattered throughout the web can make you feel more difficult than it needs to be.
Sign up for MediaNama to get the latest information on technological policy developments in India and around the world in a timely manner.
Read again:
Do you have anything to add? Subscribe to MediaNama here Please post a comment.
