As a part of the Digital India program, the Government of India is encouraging hospitals in India to make use of the “Online Registration System” (ORS) framework to link various hospitals across the country for providing services such as booking appointments, collecting lab reports, etc.
The framework will enable an Aadhaar-based eKYC process if the patient’s mobile number is registered with UIDAI.
Presently, about 53 hospitals have gone online under this framework. Some of the hospitals that have come on board so far include AIIMS at different places, PGIMER and GMC at Chandigarh, NIMHANS and K.C. General Hospital, Bengaluru, JIPMER, Puducherry, etc. There is no doubt that this is just a small sample of Government hospitals.
At present, around 1000-1500 appointments per day are being booked under the system, and since its launch on 1st July 2015, about 448700 appointments have been booked under the system.
There is no doubt that there is a long way to go before the scheme can be called successful.
For Privacy practitioners, it is necessary to realize that even before the HDPSA draft is available to the public, a major initiative to collect and link the hospitals in India on a common portal is underway. The Government has developed an “Online Boarding Manual” as a guideline for hospitals (Details available here).
At present, the appointment registration will collect the Sensitive Personal Information of Aadhaar along with the department contacted, the purpose of contact, etc. These are also considered health-related information of an individual and hence can be classified as Sensitive Personal Information under Section 43A of ITA 2008, requiring “Reasonable Security Practices”.
It appears that the individual hospitals just link to the ORS portal and the information processing is done at the ORS portal. Hence the Privacy and Security obligations fall on the portal.
In order to understand how the system seems to be used, I checked the NIMHANS OPD website, which is one of the users of this framework.
It is also not clear how the information collected for appointment at the ORS website is re-transmitted to NIMHANS or made accessible to them.
Obviously, the system must be considered as being under the pilot run and a lot more thought needs to be given.
When HDPSA kicks in, these hospitals will suddenly realize that they have already put up a huge chunk of Sensitive Personal Information which ought to have been protected from a back date, and they will be in default from day one.
I hope some responsible persons in the management of these hospitals will take some corrective steps in this regard.