New

Health data retention

(Mains GS 2 : Government Policies and Interventions for Development in various sectors and Issues arising out of their Design and Implementation.)

Context:

  • Recently , the body responsible for administering the Ayushman Bharat Digital Mission (ABDM) i.e. The National Health Authority (NHA) has initiated a consultation process on the retention of health data by health-care providers in India.
  • The consultation paper provides a detailed discussion on the need for the policy, its scope, key elements under it, and proposed approach for its governance structure under the ambit of Ayushman Bharat Digital Mission (ABDM).

Classify data wisely:

  • Consultation paper suggested that a simple classification system exposes individuals to harms arising from over-collection and retention of unnecessary data.
  • At the same time, this kind of one-size-fits-all system can also lead to under-retention of data that is genuinely required for research or public policy needs.
  • Instead, we should seek to classify data based on its use and health data not required for an identified purpose would be anonymised, or deleted.

Remain choicefull:

  • Currently, service providers can compete on how they handle the data of individuals or health records; in theory, each of us can choose a provider whose data policies we are comfortable with.
  •  Given the landscape of health-care access in India, including through informal providers, many patients may not think about this factor in practice.
  • Nonetheless, the decision to take choice out of the individual’s hands should not be taken lightly.

Right to privacy:

  • The Supreme Court of India has clarified that privacy is a fundamental right, and any interference into the right must pass a four-part test: legality; legitimate aim; proportionality, and appropriate safeguards. 
  • The mandatory retention of health data is one such form of interference with the right to privacy.
  • In this context, the question of legality becomes a question about the legal standing and authority of the NHA.
  • Since the NHA is not a sector-wide regulator, it has no legal basis for formulating guidelines for health-care providers in general.

Hold till need:

  • The aim of data retention is described in terms of benefits to the individual and the public at large.
  • Individuals benefit through greater convenience and choice, created through portability of health records and broader public benefits through research and innovation, driven by the availability of more and better data to analyse.
  • Globally, legal systems consider health data particularly sensitive, and recognise that improper disclosure of this data can expose a person to a range of significant harms.
  • These could include harms that would be very difficult to make whole, so it is not enough to have penalties for such breaches; every effort must be made to minimise the extent of data collected, and to hold it only for the amount of time needed so as to reduce the likelihood of any breach in the first place.

Adequate anonymisation:

  • Privacy risks should make us very hesitant about retaining an individual’s entire health or medical record on the grounds that they might be useful for research someday.
  • As per Indian law, if an individual’s rights are to be curtailed due to anticipated benefits, such benefits cannot be potential or speculatory: they must be clearly defined and identifiable.
  • In a world of big data, the research community is still to arrive at consensus on what constitutes adequate anonymisation, or what might be considered best practices or methods for achieving it.
  • We are not yet able to rule out the possibility that even anonymisation may not be the least intrusive solution to safeguarding patients’ rights in all scenarios.

Way forward:

  • Ultimately, the test for retaining data should be that a clear and specific case has been identified for such retention, following a rigorous process run by suitable authorities.
  • Another safeguard would be to anonymise data that is being retained for research purposes.
  • An alternate basis for retaining data can be the express and informed consent of the individual in question.
  • Health-care service providers will have to comply with the data protection law, once it is adopted by Parliament.

Conclusion: 

  • Since the premise of ABDM is based on federated architecture, it becomes paramount that there are specific guidelines on data retention so that health data can be stored and shared securely among different ecosystem partners, post consent of the patient.
Have any Query?

Our support team will be happy to assist you!

OR