25/02/2019 9:38 AM IST | Updated 26/02/2019 10:45 AM IST

In India, Apps Track Every Medicine You Take, And Your Data Is An ‘Asset’

Electronic Medical Records are becoming more widespread in India, but with a lack of medical data law, or a general data protection law, highly sensitive information is up for the taking.


BENGALURU, Karnataka — A healthcare digitisation startup, partly owned by a health management service provider, tracks your medical prescriptions and stores your information forever, at a time when India has no laws governing what companies can and cannot do with your sensitive medical information.

Sounds like a nightmare?

Doxper, a Bengaluru-based healthcare startup, is just that: the company provides doctors with a Bluetooth-enabled pen and customised notepad that automatically photographs your prescription as your doctor writes it down and then uploads it to a cloud-based server maintained by the company. Soon after the appointment, the patient receives an SMS on their cell phone with their prescription.

Worryingly, the company signs a click-through user-agreement with doctors, but not with the patients whose sensitive medical records the company stores — possibly in violation of rules framed under the Information Technology Act 2000, section 5 of which mandates companies get explicit user consent before gathering patient information.

Doxper stands out thanks to its use of a smart-pen, but the use of Electronic Medical Records (EMRs) is growing in India, with input methods ranging from novel solutions like automatic transcription, to tablet devices where the doctor enters all the patient information, to old-fashioned PC software. Some competitors include PurpleDocs, Webmedy, HealthLink, and many more smaller providers.

While companies insist they are simply making it more convenient for patients and doctors to maintain medical histories, collecting such data makes it possible for services like Doxper to build detailed profiles of each patient. In time, patients might find such information may be shared with law enforcement, used against them in the form of higher insurance premiums, or simply sold further to third party companies.

Adam Tanner, a fellow at Harvard’s Institute for Quantitative Social Science and author of a new book on the topic, Our Bodies, Our Data, said in an interview that patients generally don’t know that their information — such as diseases, or surgeries — is being bought and sold. The data is anonymised and aggregated, but that isn’t necessarily a guarantee of privacy.

“The problem over time is that as you have more and more information, there’s more and more about people who might be,” Tanner said. In other words, when there’s more anonymous data available, it’s easier to circumvent privacy and identify the people with their data.

Inside Doxper’s business model

Founded in 2015, Doxper has reportedly raised two rounds of funding, with a major backer being Vidal Healthcare, one of the leading health insurance companies in India. Speaking to HuffPost India, Parag Agarwal, who heads Partnerships at Doxper, explained that the company is focused on building up its network of paying customers—doctors—and solving the problem of digitisation.

He added that “Vidal Healthcare is a TPA (Third Party Administrator) and is not an insurer. A TPA only processes claims. They are not authorised to sell insurance products and hence there is no conflict of interest.”

Correction: Vidal Healthcare, which invested in Doxper, is a health management service provider. Vidal Health Insurance is a TPA, and does not own a stake in Doxper. The two companies are related, and have the same managing director, according to company filings.

“We have a long term view,” Agarwal said. “We’re not upselling or cross-selling, we won’t try and sell you medicines. The doctor has access to the digital records from his practice, while the patient gets the written prescription, and a soft copy.”

“We are not sharing that data with any other companies,” he added.


Later, in a written response, Agarwal also added that only the doctors and patients have access to their data, and none of the company employees. “To add layers of security, Doxper employs a unique method of storing data in parts across different databases and servers such that patient identifiers, doctor/ hospital details and treatment plans never are accessed together by anyone ever. Further to this, all the data is always stored and transmitted in encrypted format with same levels of security that banks deploy,” he wrote.

Yet a review of Doxper’s expansive Terms of Service and Privacy Policy reveals that Agarwal’s statements should not be taken at face value. The Privacy Policy, the company notes, may change from time to time — implying that Agarwal’s promises today might not hold good tomorrow. Even the current policy has certain loopholes:

  • Section 3 of the Privacy Policy states that even after a “user” deletes their Doxper account, “the User’s data may be anonymized and aggregated, and then may be held by the Company as long as necessary for the Company to provide its Services effectively. The use of such anonymized data will be solely for analytic purposes.” The company does not define what they mean by anonymised data, or what constitutes “analytic purposes”.
  • Section 8 warns that the company might hold onto information indefinitely, “Further, such prior information is never completely removed from Our databases due to technical and legal constraints, including stored ‘back up’ systems. Therefore, You should not expect that all of Your personally identifiable information shall be completely removed from our databases in response to Your requests.” 

Doxper’s Terms of Service make clear that:

  • The Website/Application and the Company accepts no liability for any errors or omissions, whether on behalf of itself, any Service Providers or third parties, or for any damage caused to the User, the User’s belongings, or any third party, resulting from the use or misuse of any Product purchased or service availed of by the User from the Website/Application.

The “Security” section of Doxper’s Privacy Policy makes the company’s business model explicit: “We treat data as an asset that must be protected against loss and unauthorised access.”

Doxper charges Rs 15,000 per year, which includes the digital pen, a digitisation suite, cloud storage for the doctor’s practice data, and automated SMSes. In addition there are scheduled Excel reports, and doctors can choose from predefined templates for the prescription paper.

At Rs 25,000 per year, doctors can customise the prescriptions, generate on-demand reports, and use multiple digital pens. Right now, the company has over 2,000 doctors using its hardware.

But while its focus today is on increasing the doctors using Doxper, Agarwal agreed that monetising data is something that is on the eventual roadmap. “Selling data is not economically viable,” he said, explaining that instead, companies need to find ways to use data to add more value to their offerings. However, he also cautioned that the market was still very nascent, and that data monetisation would only become a focus once it was saturated. “Data that is anonymised and aggregated could be used, for research only,” he said.

Some of the areas where data could play a role, he added, were in public health, pharma, and insurance. “You don’t have to harass the patient, or offer a discount on the medicines, but you can use the data to understand what gaps are there in the country, and what the people need,” he added.

“We are solving a universal and fundamental problem. Healthcare for an individual often spans multiple decades. Thus, historical records will always be vital for quality care. The sooner healthcare records are digitised in the patient journey, the greater the potential for a seamless ecosystem between providers, payers, patients, and policymakers,” Doxper CEO and co-founder Shailesh Prithani said.

Keeping your data secure

Doxper, like other companies operating in the health space, doesn’t have to comply with any privacy regulations in India. Therefore, the companies work to maintain compliance with the American Health Insurance Portability and Accountability Act (HIPAA).

Karan Vijay Singal, MD India of Startup Genome, which is a data-driven policy advisor to governments globally on issues related to bolstering local startup ecosystems, and who has worked in the healthcare and insurance space, told HuffPost India that “HIPAA compliance is necessary for any Health Data related company that is looking to grow in the US, and in the absence of legal provisions in India, is seen as the best possible alternative.”

Singal added that the Digital Information Security in Healthcare Act (DISHA) draft was made public nearly a full year ago, although it has not been passed yet.

In the act, the patients whose data is being processed are seen as the owners of their information. This means that all data, including prescriptions, would belong to the patient, who would have to expressly consent to their data being collected like this.

Doxper also said that doctors are supposed to take the patient’s consent before collecting their data using the system, but this can be in the form of a verbal consent. “They verbally take consent of the patient, and in few cases, have incorporated written consent process as part of prescription template itself,” Agarwal wrote.

Meanwhile, the Draft Data Protection Bill, which was released in July last year, also recognised medical data as highly sensitive, and requiring stringent privacy protections. However, like DISHA, this too remains a work-in-progress that hasn’t seen any progress.

Agarwal said that as of now, these laws were not in place, and added that Doxper was compliant with international standards.

Another industry insider who did not wish to be named said that while properly funded companies would not cut corners, this was not necessarily the case with all companies. “I am not familiar with Doxper,” he said, “but this is a very important issue right now and most people are not aware about it. There is a major market for data, and it’s good that today people are starting to have a heightened sense of concern about privacy and security.”

According to him, personalised medical information is not so relevant to insurance companies. “It could be important for claim settlement, but otherwise it’s not such a big deal. The industry it would really matter to is pharma companies.”

Pharma companies in India are limited in the amount of research they can do, in order to determine trends in medicine buying (and prescribing). “There are maybe 6,000 samples from doctors across India, so if an EMR company can grow to more than that size, with reliable information, this could be very valuable,” he said. “The problem is that this completely violates privacy. Let’s say you do statistical obfuscation to anonymise the data. The pharma company has a direct relationship to the doctors, so they can take this anonymous data, match it with their own data, and figure out which doctor is prescribing what over time.”

Can this be linked to you—and so what?

What’s less clear, according to the industry insiders we spoke to, is whether this data can then be linked down to the patients as well. Doxper’s Agarwal claims that on its platform, this is not possible. Each doctor can see the details of their own patients, and each patient can see their history, but this, he confirmed, is not being shared with others.

The others we spoke to said that it could be theoretically possible, but isn’t being done as far as they know.

However, there are fears that such information could be used in ways that can affect us negatively. Apple reportedly held discussions to work with insurance companies to offer its Apple Watch, which tracks a huge range of health and fitness data. According to reports, such information is highly valuable—while credit card numbers are allegedly sold for $0.25, electronic medical health records could be worth thousands of dollars.

And as companies gather more data on users, they have used it to charge differential rates—one example being Tinder charging users over 30 more money for its premium service. Other companies are looking at IoT data to track how well you’re driving, and make insurance offers based on this information.

“It may seem benign – ‘Maybe they’ll give me more targeted advertising’, the real issue is we have very important decisions made about our lives – whether or not we have credit – on the basis of that data,” said Nick Srnicek, author of Platform Capitalism, and a lecturer on digital economies at the Digital Humanities department at King’s College London, in an earlier interview. “If an algorithm determines that you shouldn’t have access to credit, it is very hard to report against that.”

Ultimately though, as a number of recent exposés have shown, almost all of the apps that you’re using are sharing your data, and as a consumer, it’s next to impossible to know which platform to trust. Although Doxper said that it isn’t interested in directly monetising user data, others might not have the same view. As consumers, we’re going to have to become much more conscious of our privacy, ensure that there is proper consent about our data, and think twice before using any app—because the companies aren’t interested in doing this on our behalf.

Editor’s Note: This story has been updated to more accurately show the roles of the companies involved.