Ayushman Bharat Digital Mission: Privacy and security of healthcare data
The Ayushman Bharat Digital Mission (ABDM) has been launched with the objective of digitising healthcare and bringing care delivery to the last mile. With the second level integration of DigiLocker services, ABDM has revitalised the conversation around the data security obligations of ABDM participants, as well as the state. Simply put, ABDM intends to create an interoperable ecosystem of healthcare facilities, government facilities, to facilitate processing, transfer, storage of a patient’s digitised healthcare records, to ensure continuity of care and last mile delivery of healthcare services. Naturally, with an increased incidence of cybercrimes targeted at healthcare institutions, in India and overseas, patients are suspect about the level of preparedness of such institutions, against an ever-changing landscape of security threats.
The absence of a comprehensive privacy and data protection framework in India necessitates ultimate reliance upon sectoral regulations, to regulate the data collection, storage practices of healthcare institutions. To that end, several policy documents have been issued by the National Health Authority (NHA) to guide stakeholders, on best practices for data protection, and to assist on the implementation of operational, infrastructural, and technical measures, as they enroll with ABDM. These policies are based on the principles of a consent-based framework, limitation on data collection, accountability, privacy by design, all hallmarks of a robust data privacy framework.
The ABDM scheme allows for a unique account to be created and be ascribed to respective individuals as Ayushman Bharat Health Account (ABHA). The integration of DigiLocker services with ABHA will allow DigiLocker’s robust security framework to provide a secure document exchange platform between health information processors and healthcare institutions to share health records, on the basis of clear and affirmative consent of the users. As reliance is placed on AADHAAR for the purposes of availing DigiLocker services too, the level of security that is warranted under the scheme is higher.
While the government has made available guidelines for implementation, and supplementary handholding measures for stakeholders in the healthcare industry, users must also be cognizant of their rights in respect of their healthcare data. Patients must recognise that their affirmative consent will form the basis for processing of their data by entities; and such consent can be revoked at any time and user can seek deletion of their data, when it no longer has a pre-defined purpose. The user continues to control and choose between which document may be made accessible to another ABDM registered service provider.
Transparency measures, on part of the entities, can empower users to understand the extent of data collection, and allow them to make well-informed decisions concerning their information’s security. With interoperable solutions, movement of records would be swift – however, it will be important that the private entities which are registering with ABDM follow the protocols mandated for a closely knit ecosystem and allow for same levels of security to be applied to their data sets. Stakeholders are required to inform users of such rights, and implement user-friendly frameworks, interfaces within their ecosystem, to enable users to make and action such requests. This goes beyond the requirements of ABDM, but accounts for the extant privacy laws which apply across sectors. Similarly, the government is also duty bound to ensure that the information which is accessed by the central repository continues to remain secure and as the apex court has now ensured that right to privacy is a fundamental right, the end users will have recourse against the government at state and the center.
A Data Protection Officer must be mandatorily appointed by such entity, who shall act as the point of contact for users to make any request, complaint, regarding their information’s processing activities. In the event that such complaint is left unresolved by the healthcare provider, users can reach out to the ABDM-Grievance Redressal Officer (ABDM-GRO) under the grievance portal of ABDM website. As entities are required to appoint Grievance Officers, they can be reached out to by the end users, and will also be allowed to reach out to the appellate authority, as prescribed under the DigiLocker rules.
The current law allows for breaches to be reported by an user under the Information Technology Act, and shall be entitled to compensation; however enforcement around the same does not yield in a high sum, and there are not enough precedents that can be relied upon by an end user to build their case. However, recently the CERT-In Directions, 2022, have brought in changes which requires every entity managing digital systems, connected network architecture to report security incidents and breaches with CERT-In. This has got the companies to ensure that their affairs in relation to collection and management of data, and related infrastructure continue to be kosher. One task that remains to be done is building awareness amongst all the stakeholders, which can only happen through higher participation, more conversations.