India: National Digital Health Blueprint and the first steps towards digital healthcare
In 2017, the Ministry of Health & Family Welfare ('the Ministry of Health') released the National Health Policy, which identifies the gradual attainment of universal healthcare as a long-term goal and recommends establishing a federated health information architecture, health information exchanges, and a national health information network by 2025. In pursuance of this, the National Digital Health Blueprint ('the Blueprint') was drafted to lay down the basic framework for future health systems, including information health exchanges. Shreya Shenolikar, Darren Punnen, and Dr. Milind Antani, from Nishith Desai Associates, discuss the evolution of digital healthcare and the concerns associated with implementing a national digital healthcare framework.
With the sheer size and population of the country, access to healthcare, let alone quality healthcare, has been a challenge that the Government has been trying to tackle for years. With private healthcare and out of pocket expenditure still dominating the healthcare scene, India has started looking into innovative models to bridge the gap. In this pursuit, digitisation of healthcare has been identified as one of the primary means to reach the length and breadth of the country in a manner that even the most remote citizen may finally have the opportunity to access quality healthcare. This has further been bolstered by the unprecedented digital rise that India has been witnessing, thanks to increasingly affordable devices and access to the internet. As a result, the groundwork for the implementation of digital healthcare at the national level has already been laid, and it is only a matter of time before med-tech innovations take the forefront.
The Government has taken various steps over the last couple of years to encourage the adoption of digital health platforms in the health sector. The Blueprint aims to create a framework for the evolution of a national digital health eco-system and establish a specialised organisation called the National Digital Health Mission, to implement the Blueprint.
At its core, the Blueprint contains a set of principles for digital health systems, which provide guidance on the architecture of any proposed system dealing with health information. The Blueprint also specifies key principles of Privacy by Design, confidentiality, and the right to be forgotten, that health systems should incorporate into their architecture. The Blueprint, if properly executed, should allow for the interoperability of health systems at the patient, hospital, and ancillary healthcare provider level (such as ambulance and emergency response services). Effectively, this would lead to the creation of a uniform healthcare system with an electronic medical record of every Indian citizen. Various healthcare providers have already forayed into digitising healthcare within their organisation. With the Blueprint, it is likely that these systems would be integrated in a manner that allows for citizens to access their health data across the board, regardless of the provider.
The Blueprint broadly envisions a health system composed of over 35 building blocks as part of a federated architecture. The health system will store data at the national, state, and local (facility) level. More detailed records, such as electronic medical record, will be stored at a local level, while a repository of standards and data dictionaries will be maintained at a national level. Each level will be composed of building blocks appropriate for that level. For instance, the building block of 'common application,' publishing the code of a few most commonly used applications, would be at the national level. On the other hand, the building blocks of 'anonymisation' and 'consent manager' would be at the point of care, and the building blocks of 'anoymiser-as-a-service' and 'consent-management-as-a-service' would be at the state level to facilitate inter-facility transfers. The entire system would be supported by call centres, a health portal, social media (for emergency management, health awareness, and community-based services), and a range of apps.
Overall, the Blueprint makes a concerted effort to lay down the basis of a future healthcare system by focusing on key infrastructural building blocks, in order to maintain one source of record, prioritise consent, focus on interoperability, and put in place an open source system. However, the path to digitising health records for an entire nation is predicated on two things:
- firstly, each healthcare provider, including clinics of individual doctors in both urban and rural areas, primary healthcare centres, mobile healthcare providers, and emergency response services, would be required to have internet connectivity; and
- secondly, it would require patients to be able to use smartphones to effectively access these services digitally.
As of March 2019, internet usage in India was at a meagre 36%, where the number of users were equally distributed between rural and urban India. The next few years, though, are expected to witness exponential growth in internet use and the number of smartphone users, and India is expected reach 700 million smartphone users and 800 million internet users by 2023. This is a clear indication that India is well placed to operationalise a digital health system, provided some steps are taken to increase internet connectivity across the country.
Limits of the Blueprint
The Blueprint does not address the infrastructural concerns with respect to implementing a digital health system in India. The Blueprint limits itself, perhaps intentionally, to specifying the components of the proposed health system, while not addressing the mechanism for implementation. For instance, the principle of Privacy by Design is incorporated into the Blueprint and the health facility has been made responsible for ensuring the data is kept secure and confidential. The Blueprint also recommends that healthcare providers adopt the International Standard Organisation's ('ISO') 22600:2014 Health Informatics - Privilege Management and Access Control as a best practice. However, implementing ISO standards may be difficult for most healthcare providers in India and monitoring data protection compliance at the healthcare provider level may also prove to be a challenge. Instead, storing data with independent bodies who would be responsible for administering the health system may lead to better outcomes for data security. This approach was explored by the Government in 2018 and they had even published a draft law titled the Digital Information Security in Healthcare Act ('the Act'). The Act, if enacted, would establish a health information exchange which would be administered by authorities established under the Act. The authorities would primarily be responsible for overseeing the exchange of health information across healthcare providers. A health system along the lines of the Act reduces compliance obligations required to be undertaken by healthcare providers, and therefore the cost incurred by them in enrolling themselves in the proposed digital health system.
The Blueprint also falls short of ensuring that patients provide informed consent with respect to the manner in which their health data would be used. Under the Blueprint, data would be collected as per a consent framework established for the collection and processing of health data. The ISO standard of ISO/TS 17975:2015 Health Informatics - Principles and data requirements for consent in the collection, use or disclosure of personal health information, for consent management, and the Electronic Consent Framework (Technology Specifications) published by the Ministry of Electronics and Information Technology, have been recommended in the Blueprint. The Blueprint also stipulates that the data principal should be the owner of the data and have complete control over what data is collected, how/with whom it is shared and for what purpose, as well as how it is processed. Anonymised data may be accessed by the Government for studying disease prevalence and for framing policy accordingly, however, the Blueprint is silent on what the consent framework would be like at the ground level. A common problem with obtaining user consent for processing their digital data is the difficulty in explaining to the user in simple terms what data is being collected, how it is being processed, and who it may be shared with. This problem is compounded in India due to low levels of digital literacy. Therefore, in addition to obtaining user consent for collecting and processing data, a robust regulatory framework governing health records generally should be put in place.
Existing regulatory framework
Currently, electronic health records in India are regulated under the Information Technology Amendment Act 2008 ('IT Act') and the Information Technology (Intermediaries Guidelines) Rules, 2011 ('the IT Rules'). Under the IT Rules, health data is among the forms of data classified as personal data and entities processing such data are only permitted to do so on the basis of and in accordance with a consent obtained from the provider of the data. Additionally, the Ministry of Health has also prescribed the Electronic Health Records Standards, 2016 ('EHR Standards'). The EHR Standards are a set of non-binding standards for hospitals to implement when collecting health information of patients. The EHR Standards deal with system architectural requirements, data points to be captured in health records, and the format for capturing such information, amongst other requirements. For instance, patient identification should be captured as per the standard prescribed under ISO/TS 22220:200 Health Informatics – Identification of Subjects of Health Care, clinical terminology should be captured as per the SNOMED Clinical Terms, and data encryption should be a minimum of 256-bits key length. The EHR Standards also designate the provider of the data as the owner of the health data and specifies how the data may be used, both with and without the patient's consent.
However, the current regulatory framework is not entirely sufficient for governing health data at a large-scale level. The IT Act and the IT Rules are not specific to healthcare data protection, and provide only a basic level of data protection by ensuring that the person providing the data is informed about the manner in which the data will be used. To strengthen the data protection regime in India, the Government is in the process of enacting the Personal Data Protection Bill, 2019 ('the Bill') which grants data principals certain explicit rights, such as the right to correction and erasure, the right to data portability, and the right to be forgotten. Nonetheless, the Bill, if enacted, will only serve as supporting regulation to protect the rights of patients whose data is present in any health system. The EHR Standards, while providing some guidance to ensure interoperability for health records across systems, are intended to be applied only at the hospital level and are not comprehensive enough to be the basis of a nationwide healthcare system.
The Blueprint, therefore, intends to fill the void on what a national level healthcare system should look like. The Government has already begun utilising digital health tools in Government-sponsored healthcare systems.
The move towards digital health is inevitable, making it all the more essential for India to ensure that this transition happens in a systematic way that accounts for the best interests of patients. The Blueprint may be viewed as more of a long-term goal, which can be operationalised once some of the foundational building blocks have been laid. Currently, India is yet to complete the first step of putting in place a digital health system, which is digitising paper records and developing a uniform way of capturing patient data in electronic health records. Once all records have been digitised in a manner that can be accessed across systems, a health information system can be put in place, which would act as a repository for the medical records of every patient. The Government has taken certain steps towards prescribing standards for health records and setting up a national health information exchange. However, the EHR Standards are not widely adopted in India and the Act continues to remain in the draft stages.
If leveraged correctly, the EHR Standards and the Act can help accelerate the adoption of digital health records and act as the foundation for all healthcare service providers in India. Once these first steps are taken, India can finally move towards the long-term goal of adopting a digital health system envisaged in the Blueprint. That being said, the Blueprint has aptly crystallised the vision of the future of healthcare in India, and it is safe to say that the future looks bright.