A Digital Health Mission without a regulatory framework

With the launch of the National Digital Health Mission underway, India’s data regulatory framework needs to be reanalyzed. SIDRA JAVED questions the who, what and why of the protection of sensitive data with regard to the health records of the citizens of India.


ON September 26, 2021, Prime Minister Narendra Modi announced the National Digital Health Mission (NDHM) under which a citizen shall have the option to obtain a digital health ID. A digital health ID is a unique ID and will carry all health records of a person.

The digital health mission essentially aims at a situation where a citizen who presents their health ID to a participating healthcare provider will have the option to receive lab reports, diagnoses, and prescriptions digitally from verified healthcare providers and doctors.

A doctor will, therefore, be enabled to provide well-informed advice as patients may often not take into account various aspects of their medical history that may be relevant and valuable for a diagnosis. A digital health ID ensures that a person will never have to carry their reports around. However, it is unclear how the immobility of medical records is a hurdle between obtaining affordable and effective healthcare in India.

Also read: SC asks Centre to address issue of digital divide in registration for Covid vaccinations; says policymakers must show deference to Court

What is a digital health ID?

A health ID is a unique 14-digit identification number that will identify each citizen and act as a repository of their medical records. It will hold details of every test and every disease, the doctors consulted, the medicines prescribed, and the diagnosis. Through this ID, healthcare providers can easily access the medical records of their patients only if they consent to it. Such consent is established by setting up a username and a password by the citizen to access Personal Health Records (PHR).

The ID will function through a link between it and the medical records of the citizen which can be viewed by the healthcare providers. Additionally, the mission provides access to a Healthcare Professionals Registry and a Healthcare Facilities Registry that function as repositories of the healthcare providers.

Is there a need to digitalize health records?

The technological capacity of a public and private hospital varies drastically. In India, where hospitals fail to keep a record of even the basic parameters of their patients, including their date and time of consultation, it is imperative to dwell upon the need to digitalize health records in India.

A public hospital in India might face difficulty in maintaining a record of the services provided to their patient. This absence of health-related information leads to serious inconvenience, delay in treatment, increased expenses, and duplication of data such as prescriptions and diagnostics. Loss of records can also lead to the wrong diagnosis.

The adoption rate of digitization among non-profits, nursing homes, single-doctor clinics, and corporate hospitals such as Apollo, Max, and Fortis vary extensively. While a few corporate hospitals have adopted electronic health record standards voluntarily, their patients cannot transfer their health records from one hospital or healthcare service provider to another.

Unique digital health IDs provide a single source of health information for the patient, healthcare provider, and the government through an interoperable mechanism of storing health records. While the absence of a legal framework raises privacy concerns, research also shows that electronic health records increase the quality of healthcare for the patients and also reduce the costs of these services.

How is ‘consent’ going to work?

Data Empowerment and Protection Architecture (or DEPA) is a draft framework proposed by NITI Aayog in August 2020 to regulate the manner of accessing citizens’ data by private corporations and government agencies. Consent managers of DEPA will hand over an individual’s or organization’s data and act as an intermediary. These managers will not be able to access any data or create copies of it but only facilitate access to it.

A data user, for example, a government or a private agency, will submit a request to the consent manager. The consent manager will forward this request to the person whose data is in question. Such a person must also be informed what is the data being requested, the purpose for which it is being requested, the duration for which it will be shared, and whether it will be transferred to third parties.

If the request is granted by the person, a data fiduciary, which is the governmental or private parties hosting the data, will fulfil the request. For a smooth operation of this exchange, the data must be readable across all databases that are likely to use it.

Also read: PM Modi’s Digital Health Mission Might put Personal Data at Risk, Lead to Exclusion

Digital health mission and its regulatory framework

Generation of a unique digital health ID without obtaining the consent of an individual does raise privacy concerns. However, what is even more concerning is the lack of a legal framework to regulate the digital health mission.

The digital health mission concerns a constant exchange of information between the patient and the healthcare service provider. Rule 3 of the Data Protection Rules classifies the personal information of the patient including medical history and physiological conditions as Sensitive Personal Data or Information. The collection, storage, transfer, or process of such information by a body corporate, as defined under Section 43A of the Information Technology (IT) Act, triggers certain requirements under the Data Protection Rules.

One of the major requirements under the Data Protection Rules is that a doctor or any institution, before proceeding to do anything with their patient’s data, is required under law to take their consent in writing. It is also mandatory to inform the patient that their data is being collected, the purpose of collection, whether any third party will receive the data and the contact details of the agency that is collecting the data. Body corporates must also have a privacy policy that shall be published on its website.

The applicability of the IT Act differs slightly for digital health which is set up to merely facilitate the interaction between a patient and their healthcare service provider and does not directly involve them in service provisions such as website hosting and search engines. By virtue of this, the healthcare service provider shall be considered as an intermediary under the IT Act and the Intermediary Guidelines, thereby being afforded certain relaxations concerning liability for third-party data.

NDHM proposed a harmonization between existing laws such as the IT Act and the Aadhar Act. It also relies upon the Personal Data Protection (PDP) Bill, 2019, which is still pending before a joint parliamentary committee for a consultation. NDHM depends significantly upon different notions proposed under the Bill, such as specific user rights and qualified consent.

Therefore, it was assumed that the mission would be launched only after the proposed law, the PDP Bill, had been enacted. However, the voluntary deployment of digital health ID without a strong legal framework to protect health data has created a regulatory vacuum, making it difficult to implement NDHM’s health data management, which includes data exchange, privacy, and strategic control.

(Sidra Javed is an independent researcher and writer. The views expressed are personal.)