Faced with rising health costs and the demands of aging populations, governments around the world are increasingly exploring more sustainable payment models, as well as the efficiencies and potential cost-savings of digital technologies. But this transformational shift cannot take place unless policymakers address a potential Catch-22 around a sensitive topic: data. Innovative digital health companies cannot operate or scale without it; patients and providers, however, justifiably worry about the privacy and security of sensitive, personal information. Governments, industry, patients and other stakeholders are therefore reflecting deeply about how to approach data access and data rights, privacy, cybersecurity, and other related questions in order to responsibly unlock the promise of improved health outcomes and lower costs.

India: Balancing the Need for Data Privacy and its Promise to Expand Health Coverage

In early 2018, Prime Minister Modi announced an initiative – the National Health Protection Mission – to expand subsidized care to the nation’s extreme poor. With more than half a billion citizens living in poverty, it may be the largest expansion of public care in history – and India’s government will rely on data-centric innovation to fuel this expansion. The public health care scheme will rely on data to monitor quality of service and as well as determine fees. Officials recently partnered with players in the United States to establish application programming interfaces (APIs), a move that may improve health IT interoperability, unleash innovation, and make health information more accessible for providers and patients.

At the same time, India is considering a sweeping data privacy bill to regulate data sharing and protect consumers. As it stands, many fear that the proposed bill may stymie digital health innovation. The draft legislation, created by the Data Protection Committee, would impose data processing and security requirements on the government, any Indian company, any Indian citizen, or any person incorporated or created under Indian law. The Committee also recommended a broad definition of "sensitive data," including health information, and new requirements for handling such data, suggested restrictions on the use of anonymized datasets, and proposed data localization requirements that could increase costs, create access challenges, and reduce security for data controllers, such as health providers. Many of the provisions seek to translate elements of the European Union’s model for privacy of its citizens as articulated in the General Data Protection Regulation, which has been criticized as inflexible for existing and emerging business models and may lead to increased costs for health care providers or limitations in use of data that could be useful for health care improvements. As controllers of large amounts of sensitive data, health care providers and companies must pay particular care with GDPR-inspired provisions around the world, which give patients more control and rights over their personal and health data. In addition to potentially steep fines for non-compliance, such regulations might change how patient data is used for diagnosis, how it is shared between health care professionals, and require new retention and storage models to comply with patient rights, such as the “right to be forgotten.” The Committee has submitted the bill to India’s Ministry of Electronics and Information Technology (MeitY), where officials are receiving public comment while they review the proposal and consider next steps. The bill must pass both houses of Parliament to become law.

China and Korea: The Next Health Data Leaders?

India’s shift towards utilizing health data is indicative of a larger global trend. In 2016, the Chinese State Council issued a plan to promote and regulate "healthcare big data," which the government declared to be a strategic national resource. The plan includes a pledge to construct 100 regional clinical data demonstration centers, along with three national databases. It goes on to note that the expansion of health data collection necessitates not only the development of interconnected platforms, services, and related technical capacity, but also a regulatory and policy framework to underpin it. Likewise, the South Korean Minister of Trade, Industry, and Energy announced an initiative to collect and harness the genetic and biometric data of 10 million Koreans, create a comprehensive database, and launch data analytics-driven pilot projects in an effort to spur innovation and support the country's biopharmaceutical and healthcare sector. How China and Korea address questions surrounding health data access and ownership, as well as privacy and security, in these initiatives remains to be seen. What is certain is that those policies will be critical to informing business models for digital health companies seeking to operate in those markets.

Israel’s Booming Health Tech Industry and Government Investment

Unlike countries that have been focused on data protection and patient access to healthcare, Israel has been focusing on digital health innovation and use of data and technology to support new treatments for patients.

Israel has a rich technology industry and is investing in using government investment to spur the use of health data to support technology and pharmaceutical innovation that can support health care improvement. Earlier this year, Israel announced a plan to invest $275 million to bring into a single database of the digital medical records that it has collected over a period of 20 years and digitize the personal health records of its nearly 9 million citizens for use by researchers and life sciences companies to help develop new drugs. The government is working with a software partner to gather information from Israeli volunteers and create a database for academics and foreign health care companies to use in the development of preventive medicines and personalized care. The government expects the plan to attract foreign investment and encourage partnerships with local entrepreneurs.

The Israeli government also launched an $8.73 million pilot program that pairs up private technology companies with public HMOs, in an effort to harness innovation and improve Israel’s role as a global leader in digital health.

APEC's Cross Border Privacy Rules (CBPR) System: Balancing Data Protection and Trade

Meanwhile, as attention focused on the entry into force of the EU’s GDPR, momentum continues to grow around the Cross Border Privacy Rules (CBPR) system created by the Asia-Pacific Economic Cooperation (APEC) forum. Developed and endorsed by APEC's 21 member economies, the CBPR system strengthens privacy protections while facilitating the international flows of data that fuel trade, power e-commerce, and underpin the 21st-century global economy. The CBPRs are a voluntary but enforceable privacy code of conduct, whereby participating member economy organizations may be certified by independent, third-party "Accountability Agents."

In early 2018, Singapore became the sixth participating APEC economy, joining the United States, Japan, Korea, and others, with the Philippines, Australia, and Chinese Taipei all taking steps to join the system. As more countries join, CBPR is demonstrating that a balance can be struck between protecting privacy and enabling cross-border data flows.

As governments seek to accelerate technology innovation to drive improved health outcomes and lower costs, issues of data collection, management, privacy, security, and usability will be paramount. Industry, patient groups, researchers, and other stakeholders have a critical role to play in engaging with governments around the world to shape policies that will responsibly enable innovation.