Data Privacy and Empowerment in Healthcare

Technology has been a boon to healthcare. Minimally-invasive procedures have significantly increased safety and recovery time of surgeries. Global collaboration between doctors has improved diagnosis and treatment. Rise in awareness of patients has increased the demand for good quality healthcare services. These improvements, coupled with the growing penetration of IT infrastructure, are generating huge volumes of digital health data in the country.

However, healthcare in India is diverse and fragmented. During an entire life cycle, an individual is served by numerous healthcare providers, of different sizes, geographies, and constitutions. The IT systems of different providers are often developed independently of each other, without adherence to common standards. This fragmentation has the undesirable consequence of the systems communicating poorly, fostering redundant data collection across systems, inadequate patient identification, and, in many cases, privacy violations.

We believe that this can be addressed through two major steps. Firstly, open standards have to be established for health data collection, storage, sharing and aggregation in a safe and standardised manner to keep the privacy of patients intact. Secondly, patients should be given complete control over their data. This places them at the centre of their healthcare and empowers them to use their data for value-based services of their choice. As the next wave of services is built atop digital health data, data protection and empowerment will be key to transforming healthcare.

Numerous primary health care services are already shifting to smartphones and other electronic devices. There are apps and websites for diagnosing various common illnesses. This not only increases coverage but also takes the burden away from existing infrastructures which can then cater to secondary and tertiary services. Data shared from devices that track steps, measure heartbeats, count calories or analyse sleeping patterns can be used to monitor behavioural and lifestyle changes – a key enabler for digital therapeutic services. Moreover, this data can not only be used for monitoring but also for predicting the onset of diseases! For example, an irregular heartbeat pattern can be flagged by such a device, prompting immediate corrective measures. Thus, we see that as more and more people generate digital health data, control it and utilise it for their own care, we will gradually transition to a better, broader and preventive healthcare delivery system.

In this context, we welcome the proposed DISHA Act that seeks to Protect and Empower individuals in regards to their electronic health data. We have provided our feedback on the DISHA Act and have also proposed technological approaches in our response. This blog post lays out a broad overview of our response.

As our previous blog post articulates the principles underlying our Data Empowerment and Protection Architecture, we have framed our response keeping these core principles in mind. We believe that individuals should have complete control of their data and should be able to use it for their empowerment. This requires laying out clear definitions for use of data, strict laws to ensure accountability and agile regulators; thus, enabling a framework that addresses privacy, security and confidentiality while simultaneously improving transparency and interoperability.

While the proposed DISHA Act aligns broadly with our core principles, we have offered recommendations to expand certain aspects of the proposal. These include a comprehensive definition of consent (open standards, revocable, granular, auditable, notifiable, secure), distinction between different forms of health data (anonymization, deidentification, pseudonymous), commercial use of data (allowed for benefit but restricted for harm) and types and penalties in cases of breach (evaluation based on extent of compliance).

Additionally, we have outlined the technological aspects for implementation of the Act. We have used learnings from the Digital Locker Framework and Electronic Consent Framework (adopted by RBI’s Account Aggregator), previously published by MeitY. This involves the role of Data Fiduciaries – entities that not only manage consent but also ensure that it aligns with the interests of the user (and not with those of the data consumer or data provider). Data Fiduciaries only act as messengers of encrypted data without having access to the data – thus their prime task remains managing the Electronic Data Consent. Furthermore, we have highlighted the need to use open and set standards for accessing and maintaining health records (open APIs), consented sharing (consent framework) and maintaining accountability and traceability through digitally verified documents. We have also underscored the need for standardisation of data through health data dictionaries, which will open up the data for further use cases. Lastly, we have alluded to the need to create aggregated anonymised datasets to enable advanced analytics which would drive data-driven policy making.

We look forward to the announcement and implementation of the DISHA Act. As we move towards a future with an exponential rise in digital health data, it is critical that we build the right set of protections and empowerments for users, thus enabling them to become engaged participants and better managers of their health care.

We have submitted our response. You can find the detailed document of our response to DISHA Act below

SBI and iSPIRT discuss future of banking in India

iSPIRT and SBI had a 4-hour meeting on the future of banking. 30+ seniormost officers of SBI – including all the MDs, DMDs, CGMs, and GMs – participated. Two SBI Board members were also present. Nandan Nilekani chaired the session from iSPIRT side.
DSC_2148The first session was about understanding the technology trends that are shaping banking. There was special focus on understanding implications of eKYC, Aadhaar, new payment infrastructure and GST Network. There was also a good discussion how point-solutions by startups are changing banking.
The second session showcased 7 Fintech software product companies (NovopayHappay,Vote4CashCapitalFloatCustomerXPSProbeEquity, Enstage) and 2 non-FinTech product companies(InMobi, TeamIndus). The third session session was about SBI strategy. This was a very productive discussion. We can’t share the details as it was confidential.
This meeting brought together two threads within iSPIRT. One thread was related to its Policy work related to Open APIs (that is shaping the technology infrastructure of banking and finance in India) and the push for Cashless India. The other thread was InTech50, which is a market catalyst that helps big companies leverage software products startups to drive innovation throughout their business.
DSC_2150iSPIRT is fostering many such dialogs with not just banking giants like SBI, but with Regulatory institutions like SEBI, RBI and others, to fashion a new India.

Era of Open APIs

APIs are important public goods that must be done right. They must not be held captive to commercial interests. This is why iSPIRT is helping Government in this area. iSPIRT’s work is inspired by Open Source movement and IETF methods. It fits with our charter of creating public goods without public money.
GSTN teamOur Open API effort is based on some core principles:
– Like IETF, iSPIRT is not a member organization. Participation is “People, not companies”.
– “Design is a team sport”. Focus is on building a modern architecture for country-scale technology systems.
– iSPIRT API Teams have people who are “Competent experts that are completely free of conflicts”.
– Technical decisions emerge from intense discussion. They are informed by prototypes, not theory. Motto is: “Code walks, bullshit talks”.
Today Economic Times carries an article about this Open API effort.  The article conveys the progress that we are making. More is on its way.
Source: Economic Times

We will soon be launching a micro-site to build engagement with your community. Watch this space.