This article is written by Nikita Arora from Trinity Institute of Professional Studies. This article gives an overview of the Policy’s provisions and how they will interact with the upcoming Personal Data Protection Bill, 2019 (‘the PDP Bill’).


The Health Data Management Policy was approved by the Government of India on December 14, 2020, according to the Ministry of Health and Family Welfare (‘MoHFW’). The Policy was first launched in September 2020 as part of the National Digital Health Mission (NDHM), a government initiative to digitize India’s healthcare system. More precisely, the Policy is the first step towards incorporating security and privacy by design principles into the proposed digital health framework, as well as defining data protection minimum standards. 

The organizations participating in the NDHM, as well as the partners/persons who are a part of the National Digital Health Ecosystem (NDHE), are included in the draft policy’s framework. Entities and individuals who have been given an ID under the draft policy, healthcare practitioners, health care providers who collect, store, and distribute health data in electronic form in connection with purchases, drug manufacturers, medical device manufacturers, insurers, research bodies, and regulatory bodies such as the MoHFW are among them.



The following was the target of the 2017 National Health Policy (NHP).

  1. The achievement of the highest possible level of health and safety for all people of all ages as a result of a preventive and promotive health care focus in all developmental policies, and equitable access to high-quality health care services without financial hardship for anyone.
  2. The Ministry of Health and Family Welfare established a committee headed by Shri J. Satyanarayana to create an implementation mechanism for the National Health Stack in response to the NHP’s clear goals for adopting digital technologies.
  3. This committee created the National Digital Health Blueprint (NDHB), which lays out the foundations and a strategy for implementing digital health systematically and holistically.


The NDHM expects to achieve the following distinct objectives:

  1. To build a cutting-edge digital health system, manage core digital health data, and build the infrastructure needed for seamless data exchange;
  2. To construct a single source of truth for the clinical institution, healthcare professionals, health personnel, medication, and pharmacies by establishing registries at the required level;
  3. To establish a health record registry based on international standards that is freely accessible to patients, healthcare professionals, and service providers, and is based on the individual’s informed consent;
  4. To encourage the creation of enterprise-class health application systems, with a particular emphasis on achieving the health-related sustainable development goals;
  5. To coordinate with the states and union territories to achieve the vision while adhering to the best practices of cooperative federalism;
  6. To ensure that private-sector healthcare institutions and practitioners effectively collaborate with public-sector health authorities in the creation of the NDHM, using a combination of prescription and promotion;
  7. To improve established health information systems by ensuring their compliance with specified requirements and their integration with the proposed NDHM;
  8. To promote the adoption of appropriate initiatives to ensure the quality of healthcare;
  9. To make provisions for improving the quality and effectiveness of government at all levels;
  10. To promote improved health sector management through the use of health data analytics and medical research;
  11. To enable health professionals and practitioners to use clinical decision support (CDS) systems;
  12. To ensure national portability in the delivery of health care services;
  13. To persuade all national digital health stakeholders to follow open standards.


The policy has coined several new terms that may be useful in interpreting and applying it. One example is the term “Personal Health Identifier,” which refers to information that could be used to identify a specific data principal and distinguish it from others. The policy distinguishes between “Harm” and “Significant Harm”, with “Harm” referring to bodily injury, identity theft, financial or property loss, loss of reputation or humiliation, loss of employment, any discriminatory treatment, blackmail or extortion, and any denial or withdrawal of service. It also includes any restriction placed or suffered directly or indirectly on speech, movement, or any other action arising out of a fear of being observed or surveilled that is not reasonably expected by the data principal, as a result of an evaluation decision about the data principal. The term “Significant Harm,” on the other hand, refers to harm that is largely caused by the nature of the personal data being processed, the impact, continuity, persistence, or irreversibility of the harm.

The policy proposal and the PDP Bill also define ‘De-identification’ as a mechanism by which identities from personal data are deleted or masked with other values or names. Similarly, both documents prohibit agencies from re-identifying individuals from de-identified datasets, whether consciously or unknowingly. Personal health identifiers may be used to re-identify people, according to the policy proposal. According to the blueprint, competent authorities can use Public Health Information Services (PHIs) for re-identification, for example, to track the spread of notified diseases, make timely public health decisions, and so on. Because of the details it contains, such data is categorized as sensitive personal data under both the policy proposal and the PDP Bill. It contains information about the individual’s finances, fitness, sex life, genetics, caste, and so on. The following changes are made to the list of such data in the Policy Proposal:

  • Financial data should contain information about a bank account payment instrument.
  • Health data is described as information about one’s physical, psychological, and mental health. 
  • Medical records and history, as well as knowledge about clinical conditions and medications, such as the electronic health record, electronic medical record, and personal health record, may be considered sensitive personal data. 

Health ID 

The creation of a health ID is proposed in the draft policy. A data principal can request the development of a health ID, which allows them to participate in the NDHE environment at no cost. Any personal data processing required for the development of such an ID must be performed in compliance with the draft policy. The National Health Authority (NHA) may specify how the health ID is created, and the data principal’s Aadhaar number or any other identification document specified by the NHA may be used to authenticate the health ID. A data principal’s data will be connected to his or her health ID, and any data principal in possession of a health ID will be considered the owner of that personal data. Similarly, a health practitioner may request a free health practitioner ID, which will be needed to participate in the NDHE.

Certain key compliances

The draft policy stipulates a range of criteria for the collection and processing of personal and confidential personal data. Only with the permission of the data principal may data controllers collect or process personal or sensitive personal data. The purposes for which personal data is processed will be limited to those that the NHA may define. Certain standards, such as openness, accountability, and fair security policies and procedures, are also expected from data controllers. Data processors must sign confidentiality and non-disclosure agreements that resolve data protection and privacy concerns as part of a data contract.

Rights of data principals

The policy proposal serves as a “guideline document” for regulating the massive quantities of data that will be produced and processed as a result of this architecture. The importance of protecting the privacy of sensitive health data is, without a doubt, the guiding force behind the initiative. It aims to expand on the Personal Data Protection Bill, 2019 (PDP Bill, 2019), which is currently being debated in the House of Commons. Building a digital health environment has long been recognized as beneficial. Better access to health information through primary, secondary, and tertiary care, improved decision-making for service delivery, and testing for new solutions are just a few of the benefits. The policy proposal and the PDP Bill, 2019, both seek to provide a legal structure under which organizations in the health ecosystem can carry out such activities. The policy proposal states right away that no person will be entitled to any rights above those provided by other existing laws, which will likely include the PDP Bill, 2019, and any rules and regulations enacted under it until it is passed by parliament.

Sharing of sensitive and personal data governance structures 

For confidential personal data, the PDP Bill expressly forbids obtaining consent through “inference from behavior in a sense.” In contrast, no such ban exists in this Policy Proposal. Furthermore, the data fiduciary is not obligated to provide individuals with the option of separately consenting to the use of various types of confidential personal data. As opposed to obtaining clear and positive consent, data fiduciaries may be required to infer consent from the patient’s behavior. 

The PDP Bill also permits the collection of personal data without permission in the event of a medical emergency involving the data principal or another individual to provide medical care or health services. Under the policy proposal, data fiduciaries are also eligible for the exemption. The language used in the policy proposal and the PDP bill differs by a few words. Where data is not obtained from the data principal, a privacy notice must be issued at the time of collection, or as soon as reasonably possible afterward. The privacy notice must be provided before the collection of personal or sensitive personal data, and each time such data is processed for some new or previously undisclosed purpose, according to the policy proposal. The two documents have a lot in common when it comes to the substance of the privacy notice that must be issued to receive consent. Under the terms of the policy proposal, three additional pieces of information must be presented. These are:

  1. The data collection process or mechanism. 
  2. The identification and contact information for the data fiduciary.
  3. The process for dealing with grievances, inquiries, and processing, storage, and transmission process and procedures.

Furthermore, information about the cross-border transfer of personal data is not required to be included in the privacy notice under the policy proposal. This is most likely due to the government’s plan to make health and medical data processing mandatory within India. The policy proposal also mandates that the privacy notice be available in as many languages as the organization plans to offer its service, in accordance with the informed consent provision.

Health policy and programs in India

The imposition of responsibilities is where the PDP Bill and the policy proposal diverge the most. Under the PDP Bill, 2019, all data fiduciaries in the digital health environment have responsibilities close to those of “important data fiduciaries”. The data protection authority may notify an individual as a significant data fiduciary under Section 26 of the PDP Bill based on factors such as volume, sensitivity, or risk of harm from processing personal data, among others. These duties, on the other hand, are placed on all data fiduciaries by the policy proposal. This is most likely to recognize the importance of the information that will be processed in the health ecosystem.

Though the right to erasure is still included in the PDP Bill, the policy proposal specifically mentions erasure when the handling of personal data violates certain data privacy principles or when the original reason for collection is no longer valid. Besides, where personal data cannot be deleted due to legal requirements or excessive efforts on the part of the data fiduciary, the policy proposal recommends using over-writing, anonymization, or other methods of data removal from live systems; these options are exclusive to the proposal. Before any processing operation can take place, the PDP Bill requires that the data fiduciary and the Data Processor sign a contract. The policy proposal goes even further, requiring the Data Processor to undergo due diligence and the signing of a confidential and non-disclosure agreement between the two parties. Furthermore, data can only be exchanged with a Data Processor that has a legitimate need to know.


As the government attempts to digitize the medical sector, the Digital Health Management Policy is a watershed moment in the medical industry, allowing for improved data management and access to better medical care for individuals. Besides that, telemedicine is a pioneer of digital patient care and is also cost-effective. Concerns over patients’ data security and the lack of a rock-solid data protection act, on the other hand, pose a significant problem and should be a major priority.


