The Internet and Mobile Association of India [IAMAI], on behalf of its members, has welcomed the Health Data Management Policy by National Digital Health Mission (NDHM). Digitization of healthcare facilities is critical for the last mile delivery of such basic services and this announcement strengthens the vision of a vibrant Digital India. The association welcomes the Health Data Management Policy as it is an improvement over the earlier DISHA which was much restrictive in its outlook.

However, IAMAI also pointed out that the Health Data management Policy does not recognize the role played by intermediaries (especially digital intermediaries like healthtech service providers) who merely facilitate the digital transit of information exchange without actually engaging in the act of providing healthcare facilities. Such intermediaries may be the primary data collector (data fiduciary) but for all practical purposes the Data Processors (or the actual healthcare service provider) have a much greater role to play in processing of data in the healthcare sector. The liabilities and penalties for data breach must be levied accordingly.

The association also highlighted the mirroring between the Personal Data protection Bill (PDP) that awaits clearance by the parliament and the Health Data Management Policy, especially as the latter replicates many of the definitions suggested in the PDP without explicitly aligning it with the PDP. This then gives rise to the risk of multiplicity of compliance for healthcare service providers, in case both PDP and Health Data Management Policy are adopted in parallel.

For instance, the PDP explicitly suggests certain extra measures for ‘significant data fiduciaries’ dealing with ‘sensitive data’ and most healthcare service providers would qualify as such given health data is recognized as sensitive data. There is no clarity as to whether the compliances suggested by the NDHM sufficiently satisfy those conditions, failing which healthcare service providers may face contradictory (and duplicate) compliance burdens. The duplication of the roles of the Data Protection Authority (DPA) under PDP and Data Protection Officers under NDHM (NDHM-DPO) give rise to similar concerns of duplication of regulatory Authority that may create more damage than good for this sector.

On the other hand, the PDP makes exceptions for processing of certain personal data without consent and recognizes medical or healthcare needs as such exceptional circumstances. Ironically, the NDHM is more rigid in its consent mechanism.According to IAMAI, Healthcare services often face emergency conditions where a protracted consent mechanism may delay critical services. The exceptions as recognized in PDP need to be replicated in the NDHM in greater details to allow for unfettered healthcare services for every data principal under duress or emergency.

While it is understood that the NDHM in its present form only suggests a digital architecture and skips on the implementation aspect of this vision,there are suggestions that the entire registration process (for both individuals and healthcare service providers) is completely voluntary and no one can be denied healthcare service (or prevented from offering such services) if they do not register. However, for the entire vision to be truly effective, a market driven incentive mechanism needs to be developed to encourage both individuals and service providers to register. Financial incentives for service providers and ease of access and usage for userscan be the best value propositions for the universal adoption of the NDHM.