India Pharma Outlook Team | Thursday, 13 October 2022
In the absence of sound data protection legislation in the country, health tech firms have strongly pitched for self-regulation to protect users' healthcare data. The Covid-19 pandemic has pushed rapid digitisation of the whole healthcare system and has accelerated the adoption of digital health solutions among patients and doctors alike.
Digital solutions like e-health, tele-consultation and tele-medicine were on the rise during the pandemic and will continue. The National Health Authority (NHA), the body in charge of the government’s Ayushman Bharat Digital Mission (ABDM), released a revised version of its Health Data Management Policy (HDMP) in April this year. It lays down conditions on how information can be shared, stored, and exchanged by defining security standards for companies, guidelines on privacy policies, the Health Information Exchange and Consent Manager, and so on.
Even though it is a personal data protection framework for health data and applies to everyone in the National Digital Health Ecosystem (NDHE), the policy allows a person's personal data to be processed without consent in a medical emergency where there is a threat to the life or health of the data principal; in the interest of public health; or by order of a competent court. The ambiguous framing of the second condition implies a considerable amount of arbitrariness that may provide the discretion to extract significant amounts of personal data in the name of public health, said the Internet Freedom Foundation (IFF), a digital rights advocacy group, in its blog on the policy.
“In addition to the broad consent taken in the beginning, specific consent must also be taken at each instance of data processing and sharing. Data processors must be required to put in place systems and processes for ‘masking’ of data. Personal Data Processing Model Consent Form must explicitly mention that the collection of data is voluntary and refusal will not lead to exclusion from services,” IFF said.
On the other hand, the Personal Data Protection Bill 2019 was withdrawn by the government in August this year as it was considering a comprehensive legal framework to regulate the online space, including introducing separate laws on data privacy, the overall Internet ecosystem, cybersecurity, telecom regulations, and harnessing non-personal data to boost innovation in the country. “The safety of users' data is very important in the wake of India’s push for digital health. Healthcare providers must ensure that they properly manage patient data to create a culture of trust and transparency with patients.
Today, as digitalisation spreads rapidly, data breaches and cyber-attacks have become much more common and patient information has become more at-risk than ever before. Healthcare data is extremely personal and can be used maliciously in the wrong hands. It's imperative that healthcare providers take it upon themselves to protect it, while regulation is pending,” said Amrit Singh, Co-founder and CRO of Loop Health, a health and insurtech startup. The startup has raised USD 40 million in total funding to date. It raised USD 25 million in a Series B round led by General Catalyst and Elevation Capital in April this year.
Studies show that trust in doctors is already at an all-time low. Health tech founders build companies on the promise of revolutionizing healthcare. To deliver on this promise, they must address the major problem in healthcare today: low trust in physicians, Singh said. Without building the necessary provisions to ensure data privacy, consumers are unlikely to trust new healthcare startups with their personal, private health information. Many founders (like Loop's team) are aware of this customer trust problem and have focused on privacy from Day 1, implementing strict rules around the storage and movement of patient data, he added. “We restrict access to data and certain applications to only those users who require access to perform their jobs. User authentication and authorization is what we rely on for ensuring data protection and safety,” he stated.