India has made significant strides in the adoption of information technology, and the Indian government’s renewed focus towards digitising the healthcare industry seeks to bridge a critical gap. This has been evident through several policy initiatives, including the revised Electronic Health Record (EHR) Standards 2016, the National Health Policy 2017, the draft Digital Information Security in Healthcare Act, NITI Aayog’s National Health Stack 2018 and the National Digital Health Blueprint in 2019.

Against this backdrop, the launch of the National Digital Health Mission (NDHM) in 2020 underlines the criticality of an integrated digital healthcare system during an unfurling global pandemic. However, the absence of a comprehensive personal data protection mechanism applicable to digital health records leaves open the need for an interim policy to address India’s privacy concerns.

National Digital Health Mission

The NDHM has commenced implementation of a unique digital health identity number (the Unique Health Identifier (UHID)), facilitating a standardised process to identify and authenticate individuals (through e-Aadhaar or phone number) and thread together medical records across healthcare facilities and professionals, based on consented access.

Simply put, the health ID will contain details of tests, diagnosis, consultations and medicines, and can be linked to personal health data generated through fitness apps, etc. This will result in accessibility of health records generated over an individual’s lifetime in cloud-based health lockers, such as MeitY’s DigiLocker.

In terms of the regulatory ecosystem, NDHM intends to harmonise with existing and proposed laws, such as the Information Technology (IT) Act, Aadhaar Act, along with applicable medico-legal regime and the proposed Non-Personal Data Framework. It predominantly relies on the Personal Data Protection (PDP) Bill, 2019 for general privacy safeguards. However, the PDP Bill is pending consultation before a joint parliamentary committee, leaving India without a generic or specific health data protection law, akin to US’s Health Insurance Portability and Accountability Act.

The NDHM depends significantly on principles under the PDP Bill (such as qualified consent and specific user rights) which do not have legal precedence in India. Without such law, the data controls envisaged by NDHM rely primarily on recommendatory concepts encapsulated in its Health Data Management Policy read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).

Thus, it was assumed that the issuance of health IDs would commence post the enactment of the proposed law. Yet the launch of UHID on a voluntary basis, without a robust legal framework to protect health data, has resulted in a regulatory vacuum and poses a challenge to the implementation of NDHM’s health data management, including data sharing, privacy and strategic control.

Specifically, in contrast to global standards, the SPDI Rules are relatively rudimentary and their inconsistent implementation over the last decade has caused uncertainty around the safety of UHID and underlying health records. To elaborate, consent driven data access and sharing are key to NDHM’s mission. While the PDP Bill identifies separate thresholds of consent for processing personal and sensitive personal data (SPD), providing for a higher threshold for SPD including health data, this is absent under the SPDI Rules.

In comparison to the PDP Bill, the applicability of SPDI Rules to only body corporates also makes the liability of individual healthcare providers ambiguous. Additionally, specific liabilities for data fiduciaries and data processors provided under PDP Bill are not addressed under SPDI Rules, resulting in enforcement lacunae.

Need for interim measures

In view of these considerations, the sensitivity around health data especially in light of the Covid-19 pandemic coupled with increased awareness surrounding privacy issues, may force average Indians to reconsider UHID registration. Until such time that the PDP Bill comes into force, concerns around protection of health data and associated analytics could be addressed through introduction of an interim policy setting out legally binding privacy safeguards.

Towards this objective, the Ministry of Health and Family Welfare may, under the aegis of NDHM, consider implementing privacy regulations for all entities under its data structure. This may be done by identifying thresholds of consent and other compliance measures aimed at securing health records, including leveraging existing guidelines such as EHR Standards 2016. Such measures may also include patients’ data rights (as enumerated under NDHM’s strategy statement), while providing for a liability regime that may be linked to the IT Act.

Given that the implementation of NDHM is expected to improve access to healthcare and create data resources for policy-making and research, public participation in this initiative is crucial. Therefore, the incorporation of these safeguards could potentially become a key building block for the success of the mission, by providing citizens with the controls required to protect their data while enjoying the benefits of integrated healthcare through UHID.

Shahana Chatterji is Partner, and Nidhi Chikkerur and Niti Chatterjee are Associates, Shardul Amarchand Mangaldas & Co. Views are personal