Digital technologies have really helped us take healthcare to the next level. Today you don’t even have to travel to the doctor to consult him, you can get your prescriptions and medicines online and even order home collection for tests. Due to the advent of tele consultations, patients have easy access to doctors over their phones. Also, doctors have access to patient records due to cheaper storage and the widespread use of the internet. All this means that many of the transactions between healthcare providers, doctors and patients are happening almost completely over digital platforms. This also means that hospitals are now collecting a lot of what we would call as personal information about patients and this creates some unique challenges.
Earlier this year the Delhi Government accidentally released data of all citizens that had taken the Covid 19 test. The data seems to be from November 2020 to January 2021, but has some older records as well. The leak contained – PII or Personal Identifiable Information including Name, Age, gender, SRF ID and Hospital where the test was conducted. A similar incident happened in Bangalore when the Government tried to implement track-and-trace protocols. They accidentally published names of all patients who had tested positive for Covid 19. The implications of these kind of data leaks is why the National Digital Health Mission means to address and enhance the privacy posture of the Indian healthcare system. One of the key initiatives for that is the Draft Data Privacy Bill. While there is a lot of excitement around the provisions of the draft data privacy bill the question remains whether the bill will help us take a giant step towards protecting healthcare privacy? And are our hospitals ready for it?
Here are three key considerations for hospitals to evaluate their readiness for the bill and to prepare themselves better for the inevitable digital-first future.
Hospitals will have to spend a lot of time and effort in establishing the processes for data discovery. Today, the data is collected at various places like OPD, Pharmacy, Diagnosis, Healthcare Services, Patient Attenders among others. Most of these systems are decentralized and non-interoperable. The first step would be to integrate them – to discover and assimilate existing hospital-owned databases, seamlessly.
Though this would obviously involve technology, the key is to identify the right processes, put the right protocols in place, and organise the teams for this exercise, before selecting the technology.
Additionally, methods of data collection would have to be reassessed, as also, the actual requirement for data collection. Does the hospital really need that data if it is personally identifiable, what are the privacy implications? A good example is hospital attenders who work with patients to take care of them are required to wear badges or passes with their name and age on it. Do we really need to collect it and if yes then how are we going to handle that data?
Hospitals maintain records of patients for years. Even today, if you go to some of the older hospitals you will have rooms full of paper records that are kept there for various compliances, statutory and insurance requirements.
With the advent of the PDP bill, hospitals will need to put robust record management protocols in place. How the records will be stored, and for how long, and how is the hospital planning to retire older records are key considerations.
Also, if digital and AI programs must be used, the data storage would have to be defined against the requirements for machine learning. All record management and storage protocols must work in sync with data discovery processes. This is to ensure that data integrity is maintained in a seamless manner.
Sensitisation of Staff
While defining processes and protocols, getting the right talent, and implementing technology might take time, hospitals should embark on an immediate task for sensitising the staff around patient and personal data. Most analyst firms believe that most of the data loss and leakage incidents happen due to improper sensitisation and training.
Hospitals would need to devise training programs to educate the staff on the provisions of the draft bill, they would also have to run mock exercises to ensure that the training is being well-received by the staff and is actually effective.
While digital technology is really helping the patients and doctors to come together, it is important for hospitals to get the people, processes and technology in place to ensure that the data collected due to this process is handled properly.
In conclusion, while the draft data privacy bill is a key step in the development of a privacy mindset in India, which is essential in Healthcare it is only a beginning. Hospitals and facilities need to start preparing for this situation immediately and the above three steps indicate the three main areas to address right away.
The article has been written by Dr Vikram Venkateswaran, Member, Healthcare Working Group, IET Future Tech Panel