
BENGALURU, Karnataka — A healthcare digitisation startup, partly owned by a health management service provider, tracks your medical prescriptions and stores your information forever, at a time when India has no laws governing what companies can and cannot do with your sensitive medical information. Sounds like a nightmare? Doxper, a Bengaluru-based healthcare startup, is just that: the company provides doctors with a Bluetooth-enabled pen and customised notepad that automatically photographs your prescription as your doctor writes it down and then uploads it to a cloud-based server maintained by the company. Soon after the appointment, the patient receives an SMS on their cell phone with their prescription.

Worryingly, the company signs a click-through user agreement with doctors, but not with the patients whose sensitive medical records the company stores — possibly in violation of rules framed under the Information Technology Act 2000, section 5 of which mandates companies get explicit user consent before gathering patient information.

Doxper stands out thanks to its use of a smart pen, but the use of Electronic Medical Records (EMRs) is growing in India, with input methods ranging from novel solutions like automatic transcription, to tablet devices where the doctor enters all the patient information, to old-fashioned PC software. Some competitors include PurpleDocs, Webmedy, HealthLink, and many more smaller providers.

While companies insist they are simply making it more convenient for patients and doctors to maintain medical histories, collecting such data makes it possible for services like Doxper to build detailed profiles of each patient. In time, patients might find that such information is shared with law enforcement, used against them in the form of higher insurance premiums, or simply sold on to third-party companies.

Adam Tanner, a fellow at Harvard’s Institute for Quantitative Social Science and author of a new book on the topic, Our Bodies, Our Data, said in an interview that patients generally don’t know that their information — such as diseases, or surgeries — is being bought and sold. The data is anonymised and aggregated, but that isn’t necessarily a guarantee of privacy. “The problem over time is that as you have more and more information, there’s more and more about people who might be,” Tanner said. In other words, when there’s more anonymous data available, it’s easier to circumvent privacy and identify the people with their data.

Inside Doxper’s business model

Founded in 2015, Doxper has reportedly raised two rounds of funding, with a major backer being Vidal Healthcare, one of the leading health insurance companies in India. Speaking to HuffPost India, Parag Agarwal, who heads Partnerships at Doxper, explained that the company is focused on building up its network of paying customers—doctors—and solving the problem of digitisation. He added that “Vidal Healthcare is a TPA (Third Party Administrator) and is not an insurer. A TPA only processes claims. They are not authorised to sell insurance products and hence there is no conflict of interest.”

Correction: Vidal Healthcare, which invested in Doxper, is a health management service provider. Vidal Health Insurance is a TPA, and does not own a stake in Doxper. The two companies are related, and have the same managing director, according to company filings.

“We have a long term view,” Agarwal said. “We’re not upselling or cross-selling, we won’t try and sell you medicines. The doctor has access to the digital records from his practice, while the patient gets the written prescription, and a soft copy.”

“We are not sharing that data with any other companies,” he added.


Later, in a written response, Agarwal also added that only the doctors and patients have access to their data, and none of the company employees. “To add layers of security, Doxper employs a unique method of storing data in parts across different databases and servers such that patient identifiers, doctor/ hospital details and treatment plans never are accessed together by anyone ever. Further to this, all the data is always stored and transmitted in encrypted format with same levels of security that banks deploy,” he wrote.

Yet a review of Doxper’s expansive Terms of Service and Privacy Policy reveals that Agarwal’s statements should not be taken at face value. The Privacy Policy, the company notes, may change from time to time — implying that Agarwal’s promises today might not hold good tomorrow.

Even the current policy has certain loopholes. Section 3 of the Privacy Policy states that even after a “user” deletes their Doxper account, “the User’s data may be anonymized and aggregated, and then may be held by the Company as long as necessary for the Company to provide its Services effectively. The use of such anonymized data will be solely for analytic purposes.” The company does not define what it means by anonymised data, or what constitutes “analytic purposes”.

Section 8 warns that the company might hold onto information indefinitely: “Further, such prior information is never completely removed from Our databases due to technical and legal constraints, including stored ‘back up’ systems. Therefore, You should not expect that all of Your personally identifiable information shall be completely removed from our databases in response to Your requests.”

Doxper’s Terms of Service make clear that:

“The Website/Application and the Company accepts no liability for any errors or omissions, whether on behalf of itself, any Service Providers or third parties, or for any damage caused to the User, the User’s belongings, or any third party, resulting from the use or misuse of any Product purchased or service availed of by the User from the Website/Application.”

The “Security” section of Doxper’s Privacy Policy makes the company’s business model explicit: “We treat data as an asset that must be protected against loss and unauthorised access.”

Doxper charges Rs 15,000 per year, which includes the digital pen, a digitisation suite, cloud storage for the doctor’s practice data, and automated SMSes. In addition, there are scheduled Excel reports, and doctors can choose from predefined templates for the prescription paper. At Rs 25,000 per year, doctors can customise the prescriptions, generate on-demand reports, and use multiple digital pens. Right now, the company has over 2,000 doctors using its hardware.

But while its focus today is on increasing the number of doctors using Doxper, Agarwal agreed that monetising data is something that is on the eventual roadmap. “Selling data is not economically viable,” he said, explaining that instead, companies need to find ways to use data to add more value to their offerings. However, he also cautioned that the market was still very nascent, and that data monetisation would only become a focus once it was saturated.

“Data that is anonymised and aggregated could be used, for research only,” he said. Some of the areas where data could play a role, he added, were in public health, pharma, and insurance. “You don’t have to harass the patient, or offer a discount on the medicines, but you can use the data to understand what gaps are there in the country, and what the people need,” he added.

“We are solving a universal and fundamental problem. Healthcare for an individual often spans multiple decades. Thus, historical records will always be vital for quality care. The sooner healthcare records are digitised in the patient journey, the greater the potential for a seamless ecosystem between providers, payers, patients, and policymakers,” Doxper CEO and co-founder Shailesh Prithani said.

Keeping your data secure

Doxper and other companies acting in the health space don’t have to comply with any privacy regulations in India. Therefore, the companies work to maintain compliance with the American Health Insurance Portability and Accountability Act (HIPAA). Karan Vijay Singal, MD India of Startup Genome, which is a data-driven policy advisor to governments globally on issues related to bolstering local startup ecosystems, and who has worked in the healthcare and insurance space, told HuffPost India that “HIPAA compliance is necessary for any Health Data related company that is looking to grow in the US, and in the absence of legal provisions in India, is seen as the best possible alternative.”