Indu Bhushan, CEO of the National Digital Health
Image: Anushree Fadnavis/ Reuters
The National Digital Health Mission (NDHM), announced by Prime Minister Narendra Modi on August 15, includes creating unique health identifiers (UHID) for people, along the lines of Aadhaar, providing access to individual health records and connecting various levels of health care institutions. Currently in the pilot phase in six Union Territories (Andaman and Nicobar Islands, Chandigarh, Dadra and Nagar Haveli, Daman and Diu, Lakshadweep and Puducherry), the mission to create a digital health care ecosystem is set to have a nationwide rollout early next year.
Indu Bhushan, CEO of the National Health Authority, which is implementing the NDHM (apart from the Pradhan Mantri Jan Arogya Yojana or Ayushman Bharat) within the framework created by the National Health Data Management Policy, speaks with Forbes India about how the government plans to phase the national rollouts, what kind of data will be collected, how it will be stored and shared, how data security will be ensured, and why private involvement in building a repository of sensitive health data is crucial. Edited excerpts:
Q: NDHM will be scaled up nationwide by early next year. How are you getting the infrastructure ready for this?
The NDHM has picked up good momentum since we started with pilots in six Union Territories. The first phase was to build three major registries—individual IDs for people, doctors and facilities. That infrastructure is ready and rollout is being tested for its effectiveness and scale to see if it is possible to be increased to millions of people. We have made more than 3 lakh IDs so far, and registered 2,000 doctors and 1,000 facilities. In that sense, the proof of concept has been done.
The government has the Health Data Management Policy, which very clearly defines what kind of information should be collected from patients, how much should be stored, how it should be shared and retrieved. We are also launching an app for personal health records in the next few days, which, at the pilot phase right now, will be available in the six Union Territories where NDHM is implemented. People can download it and use it for looking at electronic medical records, and share it with anyone for the period they define. For example, if you want to share your data with someone between 12.30 pm and 1.30 pm today, you can provide consent just for that time period.
In addition, we have worked with DigiLocker to provide digital health locker services, where you can use your own devices to store data and pull your data from hospitals, based on your ID and other checks and balances. We have done well in terms of building the basic architecture and IT backbone. Now, it is a question of taking it to scale and hopefully, by early 2021, we will be going to the national scale.
Q: Getting a digital health ID is voluntary. So for those who provide consent, what will data collection and storage entail?
There are four major types of medical records we are planning to pull into the system: One is prescription, second is diagnostic reports, third is OPD notes from doctors, and fourth is discharge summary that also provides details on precautions to be taken, follow-ups etc. In some hospitals, all these records are already in digital form, but in many others they are still in paper form. Prescriptions, for example, are rarely issued in electronic or digital form in India. But we now have the capacity to collate, scan and digitise them.
The Personal Health Record (PHR) app will be helpful because whenever a hospital that is part of NDHM creates a health record related to you, you will get an alert that the record has been created, and you will get to decide whether you want to store that information with you or keep it there. You can store records in a public digital health locker or a private drive. And whenever you go to another doctor or hospital, you can easily share these records with them. The doctors or hospitals will be able to see that only with your consent.
Q: Are there any specific challenges in the NDHM pilot that you need to tackle before scaling up nationwide?
In the Union Territories we observed that we need to design offline modules along with the digital infrastructure in places where the [internet] connectivity is not very good. We also need to create the capability of new tools to plug that gap. Our second learning is related to communication and chain management. These facilities and doctors have been working in a certain way for a long time and they always raise a question about why digitisation is needed and what value it will add. So we need to work towards education and chain management. I believe that will take some time.
Q: How are you planning to phase the national rollouts?
That hasn’t been specifically discussed so far. My personal sense is that we can first start with states that have the infrastructure and are willing to go right away. In fact, many states like Uttar Pradesh, Tamil Nadu, Tripura, Maharashtra and a few others have written to us asking NDHM to be started in their states at the earliest.
But, of course, we will have to look at the readiness and the capacity in different states to see how the rollouts have to happen. And this capacity involves many different things. We have to work closely with states to see what kind of IT equipment, staff training and data storage capacities their hospitals may need, and each state will have to establish a mission implementation body and assign personnel for the same.
So that is the next step. The how and when of it has to be decided by the mission steering group, chaired by the Union Minister of Health and Family Welfare [Dr Harsh Vardhan]. The ministry has already sent out information and directions to the states regarding this, so once a decision is taken for national rollouts, implementation should not take more than a couple of months.
Q: Security of sensitive health data has been a concern. What steps are you taking towards that?
We are following what we call security and privacy by design. It’s not that we create an infrastructure and then think about security and privacy. The Health Data Management Policy, for example, lists out clear steps about how health data will be stored and what criteria has to be met. For storage, we will only be using registries hosted in government community cloud that will be protected from any potential attack. So in terms of designing the building blocks of this infrastructure, we have taken security and privacy concerns very seriously.
In terms of using and sharing health data, the policy has rigorous steps, taking note of best practices and protocols that have been set across the world. In the US, for example, the health data technology is mostly hospital-centred. Their systems are based on exchange of data or health records between hospitals. In many cases, the data might not be interoperable because different institutions and hospitals follow different standards. So in this case, we have made sure that data is interoperable, by enforcing certain common standards across the country. We’ve also made the individual completely in control of her/his health data, because if you don’t do that, as per what we’ve seen globally, privacy limits may be compromised.
Q: The private sector is given a huge role in building this sensitive health data infrastructure for the NDHM. Is there a conflict of interest here?
Not at all. It’s actually a complimentary thing. To understand, let’s take the example of an existing physical infrastructure, say road transport. Roads are developed and owned by the government, and the government also defines the rules. But it’s mostly private sector vehicles that run on these roads, and most of the establishments that service these roads are also private. The same thing is going to be happening with NDHM, where the building blocks will be created and owned by the government. The government will also ensure that this infrastructure is robust and create rules to prevent misuse. But it will be used by private players.
We are hoping private sector players who use these building blocks to develop facilities and applications will foster creativity and innovation. We’ve created the concept of a sandbox, an experimental site for private players to use our platform to co-develop tech products. So far, more than 300 applications have been given access to the sandbox and they’ve been trying out their applications. If we believe that any of these can be integrated into the digital mission, they have to undergo security testing to make sure that these applications don’t have security breaches that could potentially impact the building blocks of the infrastructure. Once that’s done, we can give them the key to our production environment where they can integrate their products. So we are going to be actively encouraging the private sector to use NDHM building blocks.
Q: What are the additional security checks and balances you plan to have in place while enabling private intervention in health data?
We have to maintain a balance. If we have a large number of checks and balances, then that will discourage participation of the private sector. We are keeping checks and balances to the minimum to ensure only a few things: One, security and privacy of data; two, they should follow standards to make the system interoperable. Apart from that, we’ll let a thousand flowers bloom.