Just imagine, if at the beginning of the ongoing pandemic, India had the entire health history of its citizens digitised—every visit to a doctor, along with every prescription, every vaccination, every allergy. Now just imagine if all this data could be fed into an artificial intelligence software, which would then narrow down on the health factors common to those people who contracted the virus or to those who succumbed to it.
Did they all have certain common health conditions in the past? What about the prevalence, as well as severity, among people who were vaccinated against other illnesses, the BCG vaccine, for instance? This data analytics, then, in turn could be used by policymakers to proactively protect citizens—give advance care to those in vulnerable categories, for instance. Or just as likely (assuming stone-hearted economists were in charge of policy), deny the limited medical resources to those from categories with low rates of recovery.
Much can be said in favour of centralised digitisation of all health records and bringing all citizens on to a common digital platform. Yet, the Central government’s most recent plan to create a Health ID for each citizen has raised several concerns: Are we ready as a country for such a system? Is it secure enough? Will it end up widening inequalities? To dismiss these as Luddite objections to progress through technology is foolhardy.
The scheme in a nutshell: The Health Data Management Policy (HDMP) proposes to create Health IDs for patients as well as for health practitioners and facilities, a repository to store health data digitally, in addition to a mechanism to access and use such data by different participants. To be sure, the policy also proposes salutary privacy measures—the Health ID can be cancelled by the patient at any time, and the data attached to their ID removed.
The policy is explicit that the system cannot be exclusionary—you cannot be denied healthcare, or the ability to practice, for want of a Health ID. Data intermediaries must obtain consent, which must be informed, and records of the consent must be maintained. The policy also provides additional protection for the processing of sensitive personal information—such as religion and sexual orientation. (An early controversy was that the policy made it mandatory for patients to share such data. It certainly does not!). So what are the objections?
Privacy concerns: One of the prime criticisms is that this widespread data collection and processing is happening without a privacy law in place. Let us for the purpose of this article assume that the government will pass the required legislation. But even then, health information can be such that many data principals will be embarrassed, were it to become known—through a leak or even through routine processing. An abortion, a failed suicide attempt, treatment for sexual assault or mental illness—all of these might be captured in the repository.
Even if the data were protected as it is intended, it could still result in harm. Imagine a data intermediary who employs analytics to predict consumer behaviour and offers its services to banks. So a borrower with a history of mental illness could find bank loans denied on that very count, or their insurance premiums very high.
The government’s answer to this is to assure us that one can choose not to be a part of the ecosystem and that the policy clearly spells out its non-exclusionary ethos. This argument is illusory on two counts. Firstly, the experience of Aadhaar is cautionary. Even as Aadhaar continues to be branded as voluntary, several examples have emerged over the last year showing it to be mandatory for availing services (for instance, the Delhi HC recently mandated Aadhaar to be furnished to avail Covid testing in the capital). Another disincentive against opting out could come in the form of private pressures.
Suppose your insurance provider charges you a higher premium for not having a Health ID (the insurer’s risks are lesser if it knows your health history better), resistance will wear thin. The risk of exclusion can have unintended effects. There are those who might choose to not avail treatment if it means becoming a permanent record, as has already been seen among patients suffering from stigmatised diseases such as HIV or even tuberculosis. And these are still middle-class concerns. The risk of exclusion it poses to the poorest Indians, who need healthcare coverage the most, is a topic of its own.So who stands to gain?
Any analysis of policy must focus on who the actual beneficiaries would be. What the HDMP does is create a framework for the collection, sharing and processing of data—mostly by private players. Any benefit that might accrue to the patient is derivative. Imagine Facebook’s business model: A free service, where your data which you willingly share with/on the website is spliced and diced and sold to advertisers so that they can target you specifically.
The real benefits from the HDMP would be to enable private players, including tech-powered start-ups, to provide services around healthcare. But just like in the case of Facebook, you, the user, are the product. The product (information about your ability to repay, your risk profile, etc.) is sold to companies that you deal with (banks, etc). In all likelihood, this will only contribute to greater exclusion of those who fall outside the ideal customer profile for these companies. Tech evangelists would like us all to believe that technology will make life better for all of us. And it does, undoubtedly. But any benefit to the Indian consumer will be if the government uses technology to proactively provide services and infrastructure support. The proposed policy does nothing of that sort.
Abraham C Mathews
A Delhi-based advocate