In the age of digital revolution, how safe is your personal health data?

In today’s time, we are all but a piece of statistic – a number, a unique ID. Sometimes, because of our DNA, we might be a significant aberration that could be studied using tools called data analytics.

Health data analytics, the study of how our health information can be taken and analysed to give a direction to future medicine or build delivery mechanism might not raise red flags. Complete healthcare data management or health data analytics are a process of storing, protecting, and analysing data. Managing these data sets allows health systems to create holistic views of patients, personalise treatments, improve communication, and streamline services to save costs and predict better health outcomes.

Once healthcare providers have the data, they have a complete patient history that can be pulled with the unique patient ID number; that helps make informed decisions and predict models for treatment. In the long run, health trends and epidemiological data could lead to better treatment planning and disease managing protocols.

At the same time, because health care providers require big investments, they can also make informed decisions based on insights provided by these data sets.

But is my health data safe? Here is a look at the legal framework

Given the almost daily disclosures about how individual data available online are vulnerable, you should know that your personal health-related data, which hospitals, pathology labs, and now even insurance companies providing health covers gather, are not protected under any specific health-related ruling.

Since all of us are now signficant statistics, data, including those related to healthcare are protected under the Data Protection Bill, 2011. As of now, there is no specific legislation on privacy and health data protection in India. However, the Information Technology Act, 2000 (the ‘Act’) contains specific provisions intended to protect electronic data (including non-electronic records or information that have been, are currently, or are intended to be, processed electronically).

Of course, there is the HIPAA (Health insurance portability and accountability Act) compliance, the best practices to ensure privacy for patients. But that is a US-based ruling, so it is not enforceable in India. The goal of this rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect public's health and well-being. The rule tries to strike a balance – permitting important use of information and at the same time protecting the privacy of patients. Whenever some data are used, there needs to be an informed patient consent, in a language that the patient understands.

Big bucks in Health analytics

Health analytics, the basis of using healthcare-related data to understand a variety of things, including patient health records and how hospitals can function better, is in a nascent stage in India. Globally speaking, it was a $2-billion opportunity in the US and slated to grow to $54 billion worldwide by 2025, according to a Grand View research. The opportunity is growing with a wide adoption of electronic health records (EHRs) and the urgency to contain rising costs.

While there are many companies in India that are doing health data analytics, most of the work is for the US and European markets. Hospital chains do have data analytics departments to do specific work for ensuring a better experience for patients.

Max Healthcare, with its 14 hospitals, was among the earliest adopters of EHRs at all its hospitals. Almost 15 years on, the system is well established with all patients having a unique ID system. All records of patients who visit Max Healthcare are online. Every trip and every disease is mapped. So, when a physician looks at the reports online, he can view the patient’s complete history, red flags, allergies, etc. That gives the patient the confidence in the physician, and the physician can make the best and most informed decision based on the information that he has on his dashboard. This physician's portal gives him access to records, helps him forge a long-term relationship, and also makes him make informed choices for the course of treatment. The patient, meanwhile, does not have to lug around physical reports.

These data, while they might have been generated in the hospital, belong to the patient. “Patient data are owned by the patient himself; it is only accessed by the doctor for disease management,” says Sumit Puri, chief information officer & director of information technology, Max Healthcare. “Patients can access their data with the unique ID, move across hospitals and take a second opinion. It is the hospital’s policy that patients take charge of their own health,” he adds.

According to Puri, the hospital group does data analytics to manage a better customer experience, both in terms of ease of comfort and clinical outcomes. Patient data are analysed to predict how a disease might move and how best to manage it. “If at all we use patient data for studies, it is done while keeping anonymous the patient’s personal information, including name.” Recently, Max Healthcare undertook an 18-month study with Deekins University, Australia, to study outcomes of patients with stroke. Every patient whose data were used was given an anonymous ID.

Max Healthcare plans to use its EHR to encourage patients to take charge and ownership of their own health records on the patient portal. At some point, Max's EHR could be aligned to the government EHR portal as well.

As a hospital group, patient privacy is a big issue and the hospital group follows strict government guidelines on sharing of data. Max Healthcare also undertook a security audit with a major firm with a strict security protocol followed on the hardware as well as for accessing data to ensure no misuse of data/data theft takes place.

Of course, it also is HIPAA-compliant.

Diagnostics: The source of all health information

“We do extremely high-end diagnostics tests, data analytics helps us make accurate evaluation and give a direction to a course of treatment,” says Zoya Brar, CEO, Core Diagnostics. A pathology laboratory based in Gurgaon, it focuses on the full bouquet of oncology, genetic disorders and is getting into pharmacogenetics (use of targeted medicine based on genetic response to medicine) for 27 diseases. Based on analysis of patient data, the test can give an indication on the course of treatment so that there are fewer adverse drug reactions (ADR).

“Pathology labs are privy to a vast amount of health-related data which once analysed can actually give a direction to physicians to emerging disease patterns.” says Arunima Patel, managing director of Mumbai-based IGenetics Diagnostics. Increasingly, artificial intelligence is being used to predict better outcomes based on patient data.

Health Insurance and acturial calculations

However, in the insurance sector, such strict standards might not be followed. Health-related insurance data might not share the same fate. The data that are gathered by insurance companies are used to determine the rate of premium and exclusions in offering coverage (actuarial calculations). These data are owned by the insurer. However, to provide a service, these data are shared with the third-party administrator (TPA). If an intermediary like an agent or broker is involved, that intermediary becomes privy to that data. “Data are vulnerable to sharing and, therefore, wrong use,” says K Ramachandran, an insurance industry expert associated with the revision of reinsurance guidelines.

Data Analytics is a big boon to the delivery side. It can make predictive modeling of diseases. Based on insights on patterns and correlations found in healthcare data, healthcare marketers can make predictions about which groups of people are the most likely candidates for certain conditions. They can also predict how those people will behave during their interactions with the healthcare organisation, based on past data. Creating predictive models based on analytical data can save healthcare marketers time and money, since they can target their campaign efforts to the most likely prospects.

For insurance companies, claims data help healthcare organisations discover actionable insights and know how to effectively execute on those insights. Gathering, managing, and analysing physician data provides a view into physician behaviour; healthcare organisations can analyse claims data to discover physician loyalties, engage in meaningful dialogue, identify and resolve issues, and build relationships based on respect and trust. These initiatives help organisations achieve a successful physician alignment, increase volumes and referral rates, and realise incremental revenues. Internationally, many insurance companies are using analytics for patients’ disease management, especially in case of chronic diseases. It remind patients to keep a healthy lifestyle, and keeps track of where a patient stands with regard to their lifestyle choices. Patients might be rewarded if they meet the prescribed health parameters.

“There is nothing called a secure environment,” says Ritesh Gandotra, director, GDO sales, Xerox. The company is not just a hardware supplier but also offers secure solutions to store, move and manage data to a number of companies, including hospital chains. Companies need to be constantly vigilant if they have to ensure no leakage happens at any level. Data breach and misuse are part of the game of management, according to Gandotra. So, information, data and samples are vulnerable to the ethics of the people handling them.

Henrietta Lacks an African-American woman whose cancer cells are the source of the HeLa cell line, the first immortalised and important cell line in medical research. The sample, taken from a biopsy of a tumour for cervical cancer in 1951, was used without consent, as was the practice then; and it is still being used for research. In an ethical world, that would be unthinkable. Isn't it?

Data privacy in India

India’s IT ministry adopted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, or The Privacy Rules, which took effect in 2011. These require corporate entities collecting, processing and storing personal data, including sensitive personal information, to comply with certain procedures. These also include pathology labs that we routinely use.

In August 2011, the ministry issued a clarification on the Privacy Rules, providing that any Indian outsourcing service provider/organisation providing services related to collection, storage, dealing or handling of sensitive personal information or personal information under contractual obligation with any legal entity located within or outside India is not subject to collection and disclosure of information requirements, including the consent requirements, provided that they do not have direct contact with the data subjects (providers of information) when providing their services.