On 7-6-2021, Oracle announced that it had completed the acquisition of Cerner in a USD 28.3 billion, all-cash deal. Oracle, the world’s second largest software company by revenue, is best known for its database software products and cloud services. Cerner, the second largest health care IT company in the US provides digital information systems and offers electronic health care records services to hospitals.
In a press briefing, Larry Ellison said that together, Oracle and Cerner would solve the problem of interoperability in health data by creating a unified national health records database.
Interoperability
What is the “interoperability problem” that Ellison was referring to? The interoperability problem arises from the fact that health care data is generally stored in scattered, disparate silo-like data systems that do not necessarily interact with one another. This creates an access problem for doctors who are looking for a patient’s medical history. Health care interoperability improves the ease with which doctors provide care to their patients, and can help their patients traverse the health care ecosystem.
The interoperability issue has even been recognised and sought to be addressed by US federal legislation. According to the 21st Century Cures Act, “interoperability” is facilitated by health information technology that: (A) enables the secure exchange of electronic information from other health IT without special effort on the part of the user; (B) allows for access, exchange, and use of all electronically accessible health information for authorised use; and (C) does not lead to information blocking.
Oracle plans to solve the interoperability issue by creating a national database for health care records, and integrating electronic health records (EHR) data (also known as “electronic medical records”, or EMR) from various siloed health care systems. Electronic health record systems store patients’ medical history including previous progress notes, test results, medications, reports, and demographics.
According to Ellison, an interoperable EHR system or a national health records database would bring health data and EHR systems of multiple hospitals under one roof, thereby creating value for both doctors and public health officials. Easy access to a patient’s medical records would allow doctors to act swiftly in cases of emergency and provide better diagnostic care and treatment. A national electronic health records system could be used by public health officials to analyse anonymised national health data which would have been very useful in the COVID-19 Pandemic. Apart from these, EHRs also help in conducting scientific research.
EHR databases can even be used by third parties for financial gain. For instance, insurance companies would be able to reduce costs by avoiding repeat tests and procedures. And in extreme cases, employers who access medical records may reject candidates who may be more expensive to insure.
National health care databases
However, the experiences of multiple countries that have attempted to solve this same “interoperability issue” indicate that a solution is far more elusive than Oracle’s public statements would have you believe.
In the early 2000s, the National Health Service of the UK launched the National Programme for IT which sought to unify the health care records of the entire nation. But, in 2011, the programme was shut down by the Government owing to increased costs, bad project management, and the inability to adapt to the enormous scale of the undertaking.3 One of the key factors that led to the failure of the programme was the lack of engagement with medical professionals. The inclusion of doctors in discussions would have allowed for greater participation and implementation of a system that is in the interests of the medical community and not just information technology and healthtech companies.
In the US, the National COVID Cohort Collaborative Data Enclave (N3C) was established by scientists and research experts to study health care data of patients infected with COVID-19.4 This project collected EHR data from various hospitals and created a centralised database that could help accelerate research and identify effective treatments. Doctors then used this information to treat Covid patients. However, this initiative was fraught with many challenges. Hospitals were hesitant to take part in the project and the data that was gathered needed to be standardised as different institutions collected information in different ways. But the experts gained from the fact that N3C received a waiver from the National Institutes of Health to use a limited data set of health data for research purposes without patient consent. Additionally, the project was carried out by experts already adept in interoperability issues that other countries or organisations may lack.
Singapore is one of the few countries to have successfully implemented a national EHR system. The Ministry of Health launched the programme in 2011 in collaboration with multiple vendors including Accenture. As of June 2022, more than 1700 health care institutions are a part of the national EHR.5 Both doctors and patients can access medical records through this system. However, Singapore’s success may be attributed to its small population size, fewer public health organisations, and fewer legacy EHR systems that existed at the time.
The Indian Government launched the National Digital Health Mission (NDHM) in 2020. The mission plans to strengthen health care in India through the use of technology and create a digital health ecosystem. One of the components of the NDHM includes the introduction of a unique health identifier that can be linked to the electronic health records of the individual. However, experts have raised concerns over the implementation of the NDHM without adequate legislation on general data protection and health data privacy laws.6 Further, they warn that the NDHM lacks a robust consent and privacy framework.
Privacy concerns
The introduction of any national EHR system inherently brings up questions about the privacy and security of sensitive personal health information of patients. In the quest to create a national EHR database and reduce interoperability issues, privacy experts have cautioned that governments or organisations may inappropriately use patient data to forward their own financial interests, to the detriment of patients.
The National Health Authority (NHA) of India published a draft Health Data Management Policy (HDMP) in August 2020 for the NDHM (or more recently known as “the Ayushman Bharat Digital Mission”) as part of its public consultation process. Several problems were identified with the draft policy. The Supreme Court of India in K.S. Puttaswamy v. Union of India7 held that where any policy is created that affects the right to privacy of the people, it must be a procedure established by law. The HDMP lacks any form of legislative backing, effectively making it a set of informal rules. It encourages the linkage of Aadhaar with the unique health ID which raises concerns about health data being linked to other forms of data. Additionally, the policy does not address the risk of reidentifying anonymised health data which is similar to the problem in the US.
Although the policy adopts “privacy by design” as a principle, the fundamental lack of a law to support it makes it hard to enforce. Even the penalties prescribed in the policy are inadequate to act as a deterrent to the misuse of data. Despite the concerns raised by various organisations including the Internet Freedom Foundation, the new draft policy released in April 2022 fails to incorporate the suggestions put forth by public policy experts.
Apart from the HDMP, the recently published Data Protection Bill, 2021 may affect the health data privacy laws in India. However, this too has been criticised for placing economic interests at the same pedestal as privacy of data and for creating broad exceptions for processing personal data without consent. Currently, EHR data and medical records would be governed and classified as sensitive personal data or information under the IT Rules, 20118. But these Rules are applicable only to body corporates and data sharing to third parties does not require additional compliances apart from the consent of the data provider.
EHR systems, particularly in the US suffer from the risk of re-identification. The US data privacy law Health Insurance Portablity and Accountability Act (HIPAA) allows free sharing of deidentified patient data to third parties. Deidentification relates to a process in which the personal identifiers that may reveal the identity of an individual are deleted so that the privacy of the patient is maintained. However, the risk of reidentifying such data remains. In other words, deidentified data can be linked to patients.
In a study, researchers concluded that under the current HIPAA provisions, the process of deidentification is not sufficient.9 They were able to successfully reidentify 25 per cent of the dataset. The methods prescribed to deidentify data are inadequate to completely anonymise health care information.
Reidentified data has the potential to be misused. It can be sold to third parties who can use it to create a better understanding of consumers and push targeted advertising at them. If such data is hacked, the information may be used by identity thieves to claim medical expenses, the financial data of the patient could be exposed and finally, sensitive patient information may be revealed to employers or family members.10 In the eyes of large tech and health care companies, health data is seen as an asset that can be monetised. This necessitates strong data privacy laws that protect the sensitive health information of patients.
Monetisation of health data
Interoperable EHR systems aggregate health data from different hospitals and medical institutions. Researchers, public health organisations, and pharmaceutical companies find this data attractive. Deidentified health records that are sold to researchers are used to conduct large-scale studies where health data of a large population is necessary to reach a comprehensive conclusion.
In India, the draft Digital Information Security in Healthcare Act, 2018 that was placed in the public domain clearly barred the use of digital health data for commercial purposes. According to the draft Act, health data could not be sold to insurance companies, employers, and pharmaceutical companies even if they were anonymised. On the other hand, the HDMP does not have any such prohibitions. Experts speculate that healthtech companies may take advantage of this and sell data to insurance and pharmaceutical companies.
Insurance companies find health data appealing because firstly they can avoid the additional costs of repeat tests and procedures in different hospitals. Additionally, they may also use the data to target customers based on their overall health status. Insurance companies can levy high premiums or deny their services to persons with severe health issues and offer low premiums to relatively healthy policyholders.
Pharmaceutical companies may use health data to determine investments, examine how to target clinical trials, and develop marketing strategies. Additionally, they use deidentified health data for research. It has been reported that pharmaceutical giant Pfizer spends nearly 12 million dollars buying health data from various sources.
Recently, a lawsuit was filed against Meta, the parent company of Facebook, accusing it of collecting sensitive personal data from hospital websites using its pixel tracking tool. This is an example of the value that tech companies attribute to health care data.
Neither is this the first example of a big tech/health care data scandal. As part of the controversial Project Nightingale, Ascension, a health care company transferred the medical records of nearly 50 million individuals to Google in return for access to Google services. Google claimed that it would use the data and artificial intelligence to suggest improvements in individual patient care with the end goal to create an omnibus search tool. But there were concerns about the company monetising the data by using it for marketing or targeted advertising.11
Oracle’s acquisition of Cerner gives them access to a treasure trove of data. Whether Oracle will be duly cognizant of the privacy concerns of all its stakeholders including patients when accessing or monetising this data remains to be seen.
At any rate, Oracle’s plan to create a national EHR database is likely to be more difficult than their public statements suggest, judging by the experiences of other countries that have attempted to solve this “interoperability issue”.
† Shantanu Mukherjee, Founder, Ronin Legal.
†† 4th year student at Jindal Global Law School.
3. <https://journals.sagepub.com/doi/abs/10.1177/0951484816662492?journalCode=hsma>.)
4. <https://www.theverge.com/2020/10/19/21522863/health-data-records-covid-coronavirus-model-nih-privacy-n3c>.
5. <https://www.moh.gov.sg/institutions-participating-in-the-national-electronic-health-records-system-(nehr)>.
6. <https://ea51c4f6-3257-4b64-b189-d18d2b68e428.filesusr.com/ugd/bfda9b_14f8cf90a45b48958b4209442e8db9f8.pdf>.
8. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
9. <https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6344041/>.
10. <https://www.theverge.com/2021/6/23/22547397/medical-records-health-data-hospitals-research>.
11. <https://www.techtarget.com/searchhealthit/definition/Project-Nightingale>.
