In the below article, which appeared in BMJ Global Health, authors Nivedita Saksena (Harvard TH Chan School of Public Health, FXB Center for Health and Human Rights and the inaugural IDHN Fellow at the Mittal Institute), Rahul Matthan (Takshashila Institution, Bengaluru, India), Anant Bhan (Centre for Ethics, Yenepoya (Deemed to be University), Mangalore, Karnataka, India), and Satchit Balsari (Department of Emergency Medicine, Harvard Medical School / Beth Israel Deaconess Medical Center and Mittal Institute Steering Committee member) explore India’s National Digital Health Mission’s goal of creating a system of electronic health records that capture data, with the patient’s consent. However, traditional mechanisms that seek to protect individual autonomy through patient consent are inadequate in a digitized ecosystem. Yet with this system, it is impossible to predict how the data may be recombined and used, making the use of such data potentially ineffective. The authors examine the opportunities and challenges of other alternatives like the fiduciary obligations that hold data processors accountable; privacy by design (PbD) principles that rely on technological safeguards against abuse; and regulatory frameworks.
In August 2020, India announced its vision for the National Digital Health Mission (NDHM), a federated national digital health exchange where digitised data generated by healthcare providers will be exported via application programme interfaces to the patient’s electronic personal health record. The NDHM architecture is initially expected to be a claims platform for the national health insurance programme ‘Ayushman Bharat’ that serves 500 million people. Such large-scale digitisation and mobility of health data will have significant ramifications on care delivery, population health planning, as well as on the rights and privacy of individuals. Traditional mechanisms that seek to protect individual autonomy through patient consent will be inadequate in a digitised ecosystem where processed data can travel near instantaneously across various nodes in the system and be combined, aggregated, or even re-identified.
In this paper, we explore the limitations of ‘informed’ consent that is sought either when data are collected or when they are ported across the system. We examine the merits and limitations of proposed alternatives like the fiduciary framework that imposes accountability on those that use the data; privacy by design principles that rely on technological safeguards against abuse; or regulations. Our recommendations combine complementary approaches in light of the evolving jurisprudence in India and provide a generalisable framework for health data exchange that balances individual rights with advances in data science.