Insurance companies seek health data recorded under Ayushman Bharat


“It is suggested that insurance companies may have access to DATA (sic) of the data principal on similar lines, as banks have access to log in and check CIBIL scores,” ICICI Lombard General Insurance said in its Submission to National Health Authority (NHA) on Health Data Management Policy (HDMP). ICICI Lombard is a life insurance company and the NHA is the agency in charge of ABDM which released a revised version of its Health Data Management Policy (HDMP) for public comment in April.

According to ICICI, this will allow insurance companies to have better access to the data of the data principal (person whose data has been collected), to help quickly process claims and to carry out a risk assessment before issue a policy (this is called underwriting). Such access could be obtained by taking consent at the time of underwriting policies or registering claims through an application form or a claims form, respectively, the submission states.

Earlier this year, the NHA released the revised HDMP – a data protection framework for health data under the government’s Ayushman Bharat digital mission – citing feedback and learnings from the pilot project and national rollout of the ABDM since December 2020. It contains related clauses to store sensitive personal data of users in India only, obtain informed consent before processing a person’s health data, inform users about the persons with whom their data are shared, etc. An earlier version of it, released in August 2020, was criticized for linking unique health identifiers to Aadhaar, allowing private actors to access health data, not being backed by privacy law. data, etc

Why is this important: ICICI’s comments would mark one of the first times that insurers’ views on ABDM are known. The relationship between ABDM or the digitization of health in general with insurers and companies is controversial. For example, in his article entitled “Health Data as Wealth: Understanding Patient Rights in India in a Digital Ecosystem through a Feminist Approach”researcher Radhika Radhakrishnan said health insurance providers could use scanned health data to refuse to issue policies or increase premiums for people who do not appear healthy from these scanned records, notwithstanding their real needs, and without considering that these data themselves may be of poor quality.

ICICI submissions: health identifiers for newborns, enabling data retention

The insurance company also made the following recommendations in its brief:

Advertising. Scroll to continue reading.

i) Automatic generation of health identifiers for newborns
ICICI suggested that health IDs (now renamed to Ayushman Bharat Health Account or ABHA) be automatically generated for newborns. “This is intended to help with automation/digitization,” the company said.
While under the proposed policy, the ABHA can be created for a child at the request of a parent.

ii) Adding Health Claims to Electronic Health Records (EHRs)

The ICICI submission suggests that ABDM-registered citizens also be allowed to upload their health claims and insurance policies to their electronic health records linked to their ABHA. According to ICICI, such a facility will help speed up the processing of claims and curb fraud that takes place with insurance services.

Under the proposed policy, there is no ability for principals to tie health claims and policies to their ABHA. An ABHA is essentially an identification given to anyone registered with the ABDM, which helps to create electronic health records (including longitudinal records of their medical interactions on the ABDM or offline), to benefit from services such as teleconsultations via the ABDM and more.

iii) It is impossible to list all trustees with whom health data may be shared

Due to the fact that sometimes data may be shared with multiple partners such as labs, printing partners, etc. for customer service, sharing a list of all entities the data has been shared with will not be practical, ICICI said.
The proposed HDMP indicates that a principal should be able to obtain information about what data it has shared and with whom.

Advertising. Scroll to continue reading.

iv) Denial of services due to terms and conditions is not “detriment”

In its submission, ICICI said any withdrawal or denial of service resulting from the terms and conditions of a policy itself should also not be considered harm.

In the policy, the NHA sets out several actions that could constitute “harm” under the policy, including denial or withdrawal of service, benefit, or property resulting from an assessment decision. concerning the principal of the data or the discrimination. Any action resulting in such harm may render a fiduciary (any entity that processes health data within the framework of the ABDM) liable to be penalized by the ABDM.

v) Authorize the retention of data in accordance with the guidelines of statutory and regulatory bodies.

ICICI suggested that companies should be allowed to retain data in accordance with instructions given by regulatory and statutory bodies in an area.
He said this in response to the HDMP’s provision that trustees should notify, in their privacy policy, “the length of time that personal data is to be retained, or where the retention period is not known, then the criteria for determining this length period’.

(vi) Mechanism for sharing details within defined rights of data controllers.

Advertising. Scroll to continue reading.

ICICI has requested clarification from the NHA on the channels or systems through which requests for data may be made by principals. It also indicates that such a channel must be “traceable” and “verifiable”.
Under the HDMP, data controllers have the right to request certain information from trustees such as,

  • Who the data is shared with and from what categories
  • A summary of all processing activities performed on certain data
  • The personal data that has been processed, etc.

vii) Transparency data may be shared electronically
ICICI suggests the information should be allowed to be shared in an electronic format with the NHA, the document says.

This relates to the provision in the draft policy that requires trustees to disclose certain information about the processing of personal data to the NHA for transparency purposes. This includes information on the categories of personal data collected, the categories of personal data processed, the purposes for which it was processed, information on a fiduciary’s grievance redress mechanism, etc.

Quick recap: Progress on ABDM so far

The ABDM – the multi-level federated digital health initiative of government – ​​was rolled out nationwide in October 2021 and has since launched some core components, some subject to public consultation, yet some are still ongoing :

  • Ongoing consultations to create the medication registry which proposes to be a comprehensive database of all drugs sold in India along with demand, supply and other characteristics of drugs.
  • 40 third-party entities have completed integration with the UHI of ABDM to provide services there. The Unified Health Interface (UHI) proposed under the ABDM will offer various services such as teleconsultations, booking of laboratory tests, etc., to citizens.
  • Decisions taken regarding the register of health establishments and the register of health professionals which included modifications of functions, prioritization of groups of actors, etc. The HFR and HPR were opened for public consultation in June 2021 and plan to create registers of information on all health professionals and establishments registered with the ABDM.
  • Health Data Retention Policy (HDRP) has been in the consultation phase since November 2021. The HDRP proposes terms on how to process citizen health data for entities registered with the government’s ABDM and, potentially, those who also depend on it.

Read also :


Comments are closed.