National Digital Health Mission (NDHM)

The Ministry of Health and Family Welfare ('MoHFW') announced, on 14 December 2020, that the Government of India had approved the Health Data Management Policy ('the Policy'). The Policy was first introduced in September 2020 and forms part of the framework for the National Digital Health Mission, a government initiative to digitise the healthcare system across India. More specifically, the Policy represents the first step towards implementing the principles of security and Privacy by Design into the proposed digital health system as well as establishing minimum standards of data protection therein.

NDHM is a mission to harness technology to improve the efficiency, effectiveness, and transparency of healthcare delivery in India, through better access to healthcare data. A national digital health ecosystem will be created through the provision of a wide-range of data, information and infrastructure services, duly leveraging open, interoperable, standards-based digital systems while ensuring the security, confidentiality and privacy of health-related personal information.

NDHM seeks to create a national digital health infrastructure starting with the building of Health IDs, Unique Identifiers for doctors and health facilities, Personal Health Records, and telemedicine and e-pharmacy, among other components.


Scope of the Policy

According to Section 2, the Policy applies to all entities involved in the ecosystem, including but not limited to:

  • participating entities and individuals who have been issued a Health ID;

  • healthcare professionals;

  • providers of health information, health facilities, and any other entities or individuals that collect, store, transmit, or process personal data in the context of healthcare;

  • pharmaceutical companies;

  • insurance companies;

  • research institutions; and

  • governmental bodies of the MoHFW.

More importantly, whereas the Policy generally requires the aforementioned entities to adhere to all applicable laws and standards pertaining to data protection, the Policy also imposes specific obligations on entities falling within the meaning of 'data fiduciaries.'

A data fiduciary is defined by both the Policy and the PDP Bill as any individual or juristic entity who, alone or in conjunction with others, determines the purpose and means of processing of personal data. For the purposes of the Policy, this category includes providers of health information, such as hospitals and diagnostic centres, as well as users of such information (i.e. entities who have access to health-related personal data in accordance with the Policy).

Consent based Framework

Chapter III of the Policy introduces a framework for collecting and processing personal data based on consent that is similar to the PDP Bill. In particular, personal data may only be collected and processed with the consent of the individual (i.e. the 'data principal'), obtained either directly from the data principal or through an electronic consent management system. Data principals may also provide consent to third-party access to their personal data and control the parameters and scope thereof through the consent manager.

In relation to sensitive personal data, processing activities may only be carried out after the data principal has been sufficiently informed of the corresponding risks. In this regard, all data fiduciaries, whether processing sensitive information or not, must provide a clear privacy policy to data principals prior to the collection of personal data.

In addition to obtaining informed consent, the processing of personal data must be limited to health-related purposes or other incidental purposes, provided that they are reasonably expected by the data principal. Data fiduciaries must also comply with the principles of accountability, transparency, Privacy by Design, purpose limitation, and data quality, as set out in Chapter V of the Policy.

Furthermore, the Policy provides several rights for data principals under certain circumstances, including rights of access, rectification, erasure, and restriction, as well as data portability.

Data Sharing

Chapter VI of the Policy outlines the conditions for sharing personal data and the obligations of entities or so-called 'Health Information Users' to whom personal data is shared. In this regard, personal data may only be shared with the consent of the data principal, and it is the responsibility of the data fiduciary who is sharing the personal data to verify that consent has been validly given. However, data fiduciaries may make anonymised or pseudonymised data available for the purpose of research, archiving, statistical analysis, or policy making, but only in aggregated form and in accordance with the procedures prescribed by the Policy.

Moreover, Health Information Users with access to personal data must ensure that personal data is:

  • not used for any purpose other than the purpose specified to the data principal at the time of obtaining their consent;

  • not disclosed further without obtaining the consent of the data principal;

  • afforded the same level of data protection and only processed in accordance with the Policy, particularly the principles laid down in Chapter V; and

  • retained only to the extent necessary for achieving the specified purpose.


Health ID as a voluntary scheme

While it is notable that seeking the various types of Health IDs is a consensual requirement, and will not affect either the provision or receipt of healthcare services, one hopes that this will not be limited to just theory. There are already cases of certain institutions imposing mandatory Health ID requirements. Without an effective penal structure, which the policy cannot provide for as this should be based on legislation issued by Parliament, it is unclear how institutions and agencies will be deterred from imposing mandatory ID requirements.

Nevertheless, the MoHFW published, on 1 January 2021, its Unique Health Identifier Rules, 2021, which permits the creation of Health IDs via Aadhaar, the authentication system established by the Unique Identification Authority of India, albeit on a voluntary basis.

Latest Update

Health service sector has been the most crucial during the pandemic outbreak. The medical services have been made accessible to poor and rural people through tele consultancy by the government. eSanjeevani scheme is getting popular during covid 19 lockdown as people are not able to travel to hospitals and doctors are busy treating covid 19 patients.

Since the launch of NDHM, the digital modules and registries have been developed and the mission has been rolled out in six Union Territories. So far, nearly 11.9 lakh Health IDs have been generated and 3106 doctors and 1490 facilities have registered on the platform. Digital health cards will help doctors treat patients with their past medical history accessible. This indeed will revolutionise the health care system of our country and will bring cheers to the poor and disadvantaged.

Unified Health Interface (UHI) - an open and interoperable IT network for digital health should soon be rolled out. This interface shall enable public and private solutions and apps to plug in and be a part of the National Digital Health Ecosystem. It will allow users to search, book and avail necessary healthcare services such as tele-consultations or laboratory tests. The system will ensure that only verified healthcare providers join the ecosystem. This is likely to unleash a digital health tech revolution with innovations and various services for citizens though the technical platform. Furthermore the utility of the platform to the citizens will be visible only by way of enabling citizens across the country to avail of services like tele consultation with a Doctor, availing services of a lab, transferring test reports or health records digitally to the Doctor and paying digitally for any of the above services.

Section -7

Many companies have attained stepladder growth by identifying the winds of change in policies, which sometimes open up new business models. Those companies are also able set the agenda for future industry reforms through sustained dialogues.

Policy agenda might be construed as a specific policy ask, but this is not always the case. Moreover, a good policy agenda is accomplished only after several revisions, lengthy discussions, and healthy debate. Therefore, in the best interest of industry, leading companies deliberate, discuss and voice their concerns to the policy makers and parliamentarians.

Given the potential for a seismic shift in our nation’s political and regulatory landscape, we believe; these are times when close attention should be paid to regulatory developments. In times to come, when regulatory supervision is only going to increase, more proactive companies would continue to bear the fruit of favourable and accommodating rules.
Back To Top