Rebooting consent in the digital age: a governance framework for health data exchange.

In August 2020, India announced its vision for the National Digital Health Mission (NDHM), a federated national digital health exchange where digitised data generated by healthcare providers will be exported via application programme interfaces to the patient's electronic personal health record. The NDHM architecture is initially expected to be a claims platform for the national health insurance programme 'Ayushman Bharat' that serves 500 million people. Such large-scale digitisation and mobility of health data will have significant ramifications on care delivery, population health planning, as well as on the rights and privacy of individuals. Traditional mechanisms that seek to protect individual autonomy through patient consent will be inadequate in a digitised ecosystem where processed data can travel near instantaneously across various nodes in the system and be combined, aggregated, or even re-identified.In this paper we explore the limitations of 'informed' consent that is sought either when data are collected or when they are ported across the system. We examine the merits and limitations of proposed alternatives like the fiduciary framework that imposes accountability on those that use the data; privacy by design principles that rely on technological safeguards against abuse; or regulations. Our recommendations combine complementary approaches in light of the evolving jurisprudence in India and provide a generalisable framework for health data exchange that balances individual rights with advances in data science.

The Privacy Implications of Using Data Technologies in a Pandemic.

The COVID -19 pandemic has seen a rise in the deployment of digital health technologies. This includes those aimed at identifying the infected and making sure they did not spread the infection any further as well as other technologies providing data driven insights aimed at improving the effectiveness of decisions such as locking down certain areas and allowing others to re-open. This paper attempts to evaluate the socio-legal implications of the use of these technologies with a particular focus on privacy. It does that by examining a range of data technologies that were deployed during the pandemic with a view to assess the socio-legal implications of their use. It analyses the technologies themselves, the data collected, the manner in which it was intended to be used and the safeguards if any built into these technologies. Based on this analysis we will attempt to evaluate the privacy implications of these technologies. Never before have data technologies been used in this manner at the frontlines of our battle against a virulent disease. As a result there are no precedents that directly address what does or does not constitute a violation of personal privacy. Notwithstanding that, the paper attempts to arrive at a conclusion as to the legitimacy of the use of these technologies and the safeguards that would be appropriate under the circumstances.

Regulatory Sandboxes: A Cure for mHealth Pilotitis?

Mobile health (mHealth) and related digital health interventions in the past decade have not always scaled globally as anticipated earlier despite large investments by governments and philanthropic foundations. The implementation of digital health tools has suffered from 2 limitations: (1) the interventions commonly ignore the "law of amplification" that states that technology is most likely to succeed when it seeks to augment and not alter human behavior; and (2) end-user needs and clinical gaps are often poorly understood while designing solutions, contributing to a substantial decrease in usage, referred to as the "law of attrition" in eHealth. The COVID-19 pandemic has addressed the first of the 2 problems-technology solutions, such as telemedicine, that were struggling to find traction are now closely aligned with health-seeking behavior. The second problem (poorly designed solutions) persists, as demonstrated by a plethora of poorly designed epidemic prediction tools and digital contact-tracing apps, which were deployed at scale, around the world, with little validation. The pandemic has accelerated the Indian state's desire to build the nation's digital health ecosystem. We call for the inclusion of regulatory sandboxes, as successfully done in the fintech sector, to provide a real-world testing environment for mHealth solutions before deploying them at scale.

Reimagining Health Data Exchange: An Application Programming Interface-Enabled Roadmap for India.

In February 2018, the Government of India announced a massive public health insurance scheme extending coverage to 500 million citizens, in effect making it the world's largest insurance program. To meet this target, the government will rely on technology to effectively scale services, monitor quality, and ensure accountability. While India has seen great strides in informational technology development and outsourcing, cellular phone penetration, cloud computing, and financial technology, the digital health ecosystem is in its nascent stages and has been waiting for a catalyst to seed the system. This National Health Protection Scheme is expected to provide just this impetus for widespread adoption. However, health data in India are mostly not digitized. In the few instances that they are, the data are not standardized, not interoperable, and not readily accessible to clinicians, researchers, or policymakers. While such barriers to easy health information exchange are hardly unique to India, the greenfield nature of India's digital health infrastructure presents an excellent opportunity to avoid the pitfalls of complex, restrictive, digital health systems that have evolved elsewhere. We propose here a federated, patient-centric, application programming interface (API)-enabled health information ecosystem that leverages India's near-universal mobile phone penetration, universal availability of unique ID systems, and evolving privacy and data protection laws. It builds on global best practices and promotes the adoption of human-centered design principles, data minimization, and open standard APIs. The recommendations are the result of 18 months of deliberations with multiple stakeholders in India and the United States, including from academia, industry, and government.