Under NDHM, a health ID will be given to every citizen, which will contain details of every test, disease, the doctors consulted, the medicines taken and the diagnosis
So far, two thousand and twenty has been a year of many “firsts”. While COVID-19 pandemic, defined the “new normal”, it also led to the introduction of some key policies. Healthcare sector, which hitherto was not on top of the agenda item for many economies, has become a priority sector. Major reforms have been introduced in the healthcare sector across the globe, taking cue from the learnings of the gruesome COVID-19 pandemic. In recent years, India has witnessed a shift towards digitisation in the healthcare sector. Telemedicine was one of the very first steps taken in this regard. With healthcare becoming one of the key focus sectors, the Hon’ble Prime Minister of India announced the National Digital Health Mission (“NDHM”) on 15th August 2020, to pave way for accessible medical services for all citizens of the country.
Under NDHM, a health ID will be given to every citizen, which will contain details of every test, disease, the doctors consulted, the medicines taken, and the diagnosis. The aim is to ensure easy accessibility and portability of information. NDHM intends to integrate medical practitioners, hospitals, pharmacies, insurance companies, and other stakeholders to create a digital health infrastructure. NDHM is a step towards digital revolution.
The National Digital Health Blueprint, 2019, recommends a federal structure for the management of health data.
The National Digital Health Blueprint, 2019, recommends a federal structure for the management of health data. The data will be stored across three levels, i.e. at the central, state and health facility level which will ensure privacy and confidentiality. Against this backdrop, the National Health Authority released the draft of the Health Data Management Policy (“HDM Policy”) and has invited public comments on the same. The HDM Policy provides for minimum standards for the collection and protection of data.
Whom does it apply to?
The provisions of HDM Policyinter alia applies to all entities and individuals who have been issued an ID under the HDM Policy, healthcare professionals, hospitals and other entities which act as information providers, any healthcare provider who collects, stores and transmits health data in electronic form, insurers, drug manufacturers, medical device manufacturers and entities involved in relevant supply chain.
Collection of personal or sensitive personal data by data fiduciaries
Under the HDM Policy, “Data Fiduciary” means any person or an entity who determines the purpose and means of processing of personal data (“Data Fiduciaries”).Data Fiduciaries also include health information providers and health information users. The HDM Policy provides for a consent framework for collection and processing of personal or sensitive personal data. It is provided that Data Fiduciaries can collect personal or sensitive personal data only with the consent of the person to whom the data relates (“Data Principal”). Consent may be obtained electronically or physically on paper, either directly from the Data Principal or through an entity or individual which interacts with the Data Principal. The HDM Policy also sets out the parameters fora valid consent.
The HDM Policy further states that the consent framework should inter alia ensure that the Data Principalis given complete control and decision-making power over the manner in which personal or sensitive personal data is collected and processed further.
The NDHM will create a data warehouse for health practitioners and health facilities
The HDM Policy mandates Data Fiduciaries to provide a clear, concise and lucid privacy notice to Data Principals prior to the collection of personal or sensitive personal data. The Data Fiduciaries are also under an obligation to provide the privacy noticeprior to the collection or further processing of personal or sensitive personal data for any new or previously unidentified purpose.
Allocation and creation of health ID
- Any person may request for the creation of a health ID which will be required to participate in the national digital health ecosystem (“NDHE”). The personal data of such person will be linked to such person’s health ID. Such person shall be able to provide or revoke his/her consent in order to enable or restrict any sharing of personal data linked with such health ID.
- A Data Fiduciary intending to issue a health ID can register with the National Health Authority and obtain an authorisation key to access the services required to create a health ID. A Data Principal may create a health ID on his own or through a Data Fiduciary.
- Health practitioners and health facilities (i.e. a hospital, clinics, diagnostic centres etc.) may also request for creation of a health practitioner ID and health facility ID respectively, which will be required to enable such health practitioner and health facilities to participate in the NDHE.The health practitioner ID may be used to view the electronic health records of a Data Principal subject to the consent provided by the Data Principal.
The NDHM will enable the Data Principal to maintain hispersonal data efficiently and will assist them in sharing all crucial details with the health practitioners and health facilities. Considering that crucial medical records of patients will be readily available, it will assist the health practitioners and health facilities to study the diagnosis and treatment conducted by other health practitioners and health facilities meticulously. This in turn will act as a catalyst while diagnosing and treating other patients.
Further, the NDHM will create a data warehouse for health practitioners and health facilities. The health practitioners and health facilities will get first-hand access to data regarding various patients and the complexities faced by them which will enhance their knowledge and offer them ample opportunities in the field of medical research.
Call for Greater Accountability?
- The HDM Policy provides for creation of a National Health Infrastructure Registry which shall verify whether the services offered by a health facility are authentic.
- The HDM Policy pins greater responsibilities on Data Fiduciaries. The HDM Policy mandates the Data Fiduciaries to:
- Take necessary steps to maintain transparency in processing any personal data.
- Devise a procedure for exercise of rights by Data Principal and also provide a grievance redressal procedure. The Data Fiduciaries are under an obligation to prepare a comprehensive privacy policy.
- Take necessary steps to ensure that the personal data which is processed is updated, complete, accurate and not misleading.
- Be responsible to implement security practices and standardsand have a comprehensive, documented information security programme and information security policy that contains managerial, technical, operational and physical security control measures that are commensurate with the data being protected by them.
- Conduct appropriate due diligence covering data privacy and security prior to engaging with any data processor. The Data Fiduciaries will require their data processors to execute confidentiality agreements and non-disclosure agreements covering data protection and privacy responsibilities.
Sharing of personal data by Data Fiduciaries
- Any personal data processed by a Data Fiduciary may be shared with a health information user (“HIU”) in response to a request made by such HIU with the consent of the Data Principal. Anonymised data may also be made available for facilitating health and clinical research, statistical analysis, policy formulation and promotion of diagnostic solutions.
- HIUs are not permitted to disclose any personal data without obtaining the consent of the Data Principal. The liability of HIUs with respect to data protection is akin to that of a Data Fiduciary.Further, HIU shall maintain a record of personal data disclosed to another entity.
- Strict restraints have been imposed on the participants under the NDHE frompublishing or posting any personal data or sensitive personal data.
The new regime provides for integration of data which will smoothen the process of data collection and data accessibility by medical practitioners and other stakeholders
A step in the right direction?
While it is voluntary, the HDM Policy is the first step towards integration of the healthcare sector with crucial data. The HDM Policy provides for a robust framework for obtaining consent from Data Principals to collect their personal or sensitive personal data and at the same time mandates strict compliance for protection of personal data and sensitive personal data which will boost confidence amongst the participants.
Until now, there were no comprehensive guidelines in relation to collection of personal data and sensitive personal data in the healthcare sector. Further, prior to the introduction of the NDHM regime, the data was not available to all medical practitioners and other stakeholders which proved to be a roadblock in effective treatment and also hampered medical research. Such an integrated database would have been like a silver bullet in the present scenario.
The new regime provides for integration of data which will smoothen the process of data collection and data accessibility by medical practitioners and other stakeholders. This will go a long way in facilitating successful research programs and will also ensure the provision of quality medical treatment to the Data Principal. While the HDM Policy looks promising, it will be interesting to seehow the same is implemented and also the kind of confidence it will be able to manifest to make a common man be a part of this ecosystem.
Avikshit has successfully led several high-value mergers & acquisitions for domestic and offshore clients. His expertise in corporate advisory work mainly comprises of deal structuring, negotiations, documentation, and execution of transactions. He is leading a mandate with a pharma giant for developing content for one of India’s first comprehensive Medico-Legal Applications. Presently associated with Juris Corp.
Anirudh has acquired experience in drafting and negotiation of various commercial contracts and transaction documents. He has also advised pharmaceutical companies and hospitals on their medico-legal queries and is currently advising one of the largest pharmaceutical company and developing content for their medico-legal application.Presently associated with Juris Corp.