- The National Health Authority (NHA) has released the draft ‘Health Data Management Policy’ to seek suggestions from the public.
- The draft policy aims to develop a framework for “secure processing of personal and sensitive personal data of individuals” who are a part of the National Digital Health Mission.
- The draft includes various aspects related to health data such as data privacy, consent management, data sharing and protection
- Note: This is a draft, and not yet finalized. But nonetheless helps understand the major aspects from the government side, as well as the policymaking process.
About: National Digital Health Mission
- The National Digital Health Mission (NDHM), was recently launched by the Prime Minister in his independence day speech. It will initially be implemented in a pilot mode (test mode) in six union territories.
- The vision of the mission is to create a national digital health ecosystem which enables timely and efficient access to inclusive, affordable, and safe healthcare to all citizens.
- It will bring all the stakeholders together and connect them in an integrated digital health infrastructure, which will significantly improve the efficiency, effectiveness, and transparency of health services in India.
- The NDHM includes six key building blocks (components) or digital systems – HealthID, DigiDoctor, Health Facility Registry, Personal Health Records, e-Pharmacy and Telemedicine.
- The national health ID will store all health-related information of a person. It will contain information about medical data, prescriptions and diagnostic reports and summaries of previous discharge from hospitals for ailments.
- The National Health Authority (NHA) will design, build, roll-out and implement the NDHM in the country.
Highlights of the draft ‘Health Data Management Policy’
Applicability of the policy:
- The provisions of this policy shall apply to the entities involved in the NDHM, that includes individuals who have been issued an ID under this policy.
- The policy will apply to various entities like healthcare professionals, governing bodies of the health ministry, the NHA and relevant professional bodies and regulators.
- It would also apply to any healthcare provider who collects, stores and transmits health data in electronic form, insurers, charitable institutions and pharmaceutical companies.
Sensitive personal information:
- According to the policy, “sensitive personal information” that can be collected include, financial information such as bank account or credit card or debit card details; physical and mental health data; biometric data and genetic data.
- Other forms of sensitive personal information that can be collected are sexual orientation; caste or tribe details; and religious or political belief or affiliation.
Rights of the users:
- The draft states that people (known as data principals) who opt for the health ID will be given complete control and decision making power over the manner in which their personal data and any sensitive data is collected and processed.
- The data will only be accessible to medical professionals or institutions that also have IDs under the NDHM, provided the person gives consent (permission) for his or her data to be viewed.
- The patients will also have the right to cancel their Health ID, and ask for the removal of any personal data linked with such ID.
- If data is shared for clinical research or statistical analysis, it will have to be anonymised (hide the identity of the individual).
- The data, will be stored at three levels — central, state or union territory, and, lastly, at the health facility level. At each level, only that much data will be stored, which is necessary for functionality at that level.
- According to the policy, entities who will have access to NDHM data will have a designated data protection officer who can be approached with inquiries or questions by holders of health IDs.
- Those processing the data, including health information providers and health information users are expected to formulate and implement a “personal data breach (violation) management mechanism”.
- This is to ensure that any violation, unauthorised or accidental disclosure, sharing, alteration or use of the personal data, is immediately reported to the NHA and other relevant entities.
- Further, the NHA will formulate and implement procedures to identify, track, review and investigate, such incidents and will maintain a record of these instances along with the action taken.
- Any data violation, can result in the removal of the employee who is responsible for the violation or the cancellation of contracts where service providers are involved.
About: National Health Authority (NHA)
- National Health Authority (NHA) is an attached office of the Ministry of Health and Family Welfare, with full functional autonomy.
- It is governed by a Governing Board chaired by the Union Minister for Health and Family Welfare.
- It is headed by a Chief Executive Officer (CEO), who is an officer of the rank of Secretary to the Government of India.
- NHA is also the apex body responsible for implementing India’s flagship public health insurance scheme – Ayushman Bharat Pradhan Mantri Jan Arogya Yojana.