Health Data Management Policy
Introduction
The Health Data Management Policy (HDMP) is envisioned by the Ministry of Health and Family Welfare (MoHFW) as “the first step in realising the NDHM’s guiding principle of ‘Security and Privacy by Design’ for the protection of individuals’/data principal’s personal digital health data privacy.” //10 Its objective is to guide the development of the National Digital Health Ecosystem by providing minimum standards for the protection of data privacy, in compliance with the relevant laws, rules, and regulations. Chapter 1 of the HDMP states that the “Policy will be dynamic in nature and may be revised from time to time as may be required.” //10
Two drafts of the HDMP have been released, and public consultation on the second draft closed on 6 July 2022.
First Draft
The first draft of the HDMP was opened for public consultation in September 2020. According to Section 2 (“Applicability”) in Chapter I //10, the Policy applies to all entities involved in the ecosystem, including but not limited to:
- participating entities and individuals who have been issued a Health ID;
- healthcare professionals;
- providers of health information, health facilities, and any other entities or individuals that collect, store, transmit, or process personal data in the context of healthcare;
- pharmaceutical companies;
- insurance companies;
- research institutions; and
- governmental bodies of the MoHFW.
Chapters
The HDMP’s first draft comprises seven chapters and 35 sections.
| Chapter | Title | Summary |
| --- | --- | --- |
| I | Preliminary | 4 sections; outlines the purposes, applicability, objectives, and definitions. |
| II | Entities under the NDHE, Applicable Law and Governance Structure | 2 sections; outlines the entities to which the National Digital Health Ecosystem applies, applicable laws, and governance structure. |
| III | Consent Framework | 8 sections; outlines the meaning and scope of consent in relation to collecting and processing personal data, rights of data principals, general governing principles for consent, processes for personal data collection by data fiduciaries, privacy notice details, method for obtaining consent, and personal data processing obligations concerning children, the mentally ill or incapacitated, or in case of a medical emergency with a threat to the data principal’s life. |
| IV | ID Policy | 11 sections; outlines the allocation and creation processes for Health ID, Facility ID, and Healthcare Professional ID (HPI), the non-exclusion principle for Health ID, Facility ID, and HPI, the scope of the Health Facility Registry (HFR), and safeguards for creation of Health ID, Healthcare Professional ID or Facility ID. |
| V | Obligations of data fiduciaries in relation to processing of personal data | 2 sections; outlines the privacy principles, and transparency and accountability measures to be followed by data fiduciaries. |
| VI | Sharing of personal data and obligations of entities with whom personal data is shared | 4 sections; outlines the obligations and procedures to be followed for the sharing of personal, de-identified, and anonymised data by data fiduciaries, the responsibilities of the Health Information Provider when personal data is shared, and restrictions on sharing, circulating, or publishing of personal data. |
| VII | Grievance Redressal and Compliance | 4 sections; outlines the procedures for grievance redressal and incident management in case of personal data breaches, compliance and policy governance, and consequences of non-compliance with the Policy. |
The HDMP characterised terminology such as “anonymisation”//, “de-identification”//, “health facility registry”//, “personal data”//, etc. in the “Definitions” section. It notably defined “Health Information Providers” and “electronic medical records” in alignment with the NDHE’s goals, as follows:
“‘Health Information Provider’ or ‘HIPs’ means hospitals, diagnostic centres, public health programs, or other such entities registered with the HFR or other entities which act as information providers (by generating, storing and distributing health records) in the digital health ecosystem;”
“‘electronic medical records’ or ‘EMR’ refers to a repository of records that is stored and used by the HIP generating such records to support patient diagnosis and treatment. EMR may be considered as a special case of EHR, limited in scope to the medical domain or is focused on the medical transaction;”
Governance Structure
Chapter I specifies that the digitisation of India’s health ecosystem follows a federated architecture instead of a centralised one. In tandem with this, Section 6 (“Governance structure”) states that the MoHFW and the Ministry of Electronics and Information Technology (MeitY) will have the supervisory and guiding authority for the functioning and implementation of the HDMP, overseeing the work of the following major roles under the HDMP:
- Data Protection Officer (“NDHM-DPO”): a government officer who will be responsible for communication with external stakeholders and concerned regulators on issues of data privacy. The officer will have the authority to make decisions on how data-related governance and other relevant matters must be handled.
- Grievance Redressal Officer (“NDHM-GRO”): the authority for resolving complaints and other similar concerns, as set out in Clause 32.3 of the Policy, which states: “In the event that a complaint is not resolved by the Grievance Officer of the data fiduciary as referred to under Clause 32.2 above, the matter may be referred to the NDHM-GRO in writing or through an email ID or any other electronic means provided under the grievance portal of NDHM website.”
Engagement with relevant laws and policies
By characterising the terminology for framing the data protection and digitisation ecosystem, the Policy is in close conversation with the Personal Data Protection Bill, 2019 //, particularly with regard to the meaning, obligations, and rights of data fiduciaries, data principals, and consent-based specifications. Under “Definitions”, the HDMP specifies the following terms the same way the PDPB 2019 does:
“‘data fiduciary’ means any person, including the State, a company, any juristic entity or any individual who alone, or in conjunction with others, determines the purpose and means of processing of personal data. For the purpose of this Policy, data fiduciaries would include Health Information Providers and Health Information Users if such entities are determining the purpose and means of processing of personal data;”
“‘data principal’ means the natural person/individual to whom the personal data relates;”
“‘data processor’ means any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary;”
Consent and protection of privacy for the data principal
Chapter III (“Consent Framework”) emphasises under Clauses 9.1 and 9.2 the necessity to obtain valid consent of the data principal, such that the data principal has complete control and decision-making authority over the collection and processing of the personal data related to them. Consent under the HDMP is considered valid only if it meets the standard set in Clause 9.2, wherein it ought to be free, informed, specific, clearly given, and capable of being withdrawn at any point in time. Section 10 details the procedure and obligation on privacy notification for data fiduciaries, so as to meet the threshold of ‘informed’ consent for data principals. Section 8 (b) further elaborates upon the electronic consent management system as follows:
“Specifically, in case of electronic consent, data fiduciaries should make use of appropriate technological means to prevent security breaches and to guarantee integrity of access permissions given by data principals. Such technological means must be in conformance with the national and international standards, as may be notified for the implementation of NDHM from time to time.”
With respect to the withdrawal of consent, the HDMP maintains that data principals have the authority to exercise their rights of access, rectification, erasure, and restriction, as well as data portability, concerning their personal data, and data fiduciaries are required to comply with these.
However, the requirement of consent is removed in exceptional cases under the HDMP, as specified in Clause 13.5:
“The personal data of a data principal can be processed without consent in the following exceptional situations –
a) Medical emergency where there is a threat to the life or health of the data principal; or
b) Interest of Public health; or
c) Order of the competent court.” //10
Privacy by design
Clause 26.3 specifies how the HDMP aims to accomplish the stated objective of privacy by design, such that data fiduciaries follow the principles of accountability, transparency, consent-driven sharing, purpose limitation, collection, usage and storage limitation, and the adoption of reasonable security practices, as mentioned in Chapter V. //10 There is a requirement for the data fiduciary to publish on its website a privacy policy that explains its business practices, obligations, technology usage, and privacy protection procedure from the point of data collection to data erasure, and that specifies that no harm shall be caused to the user’s privacy or interests at any stage.
Privacy by design is characterised as follows: “They shall consider data protection requirements as part of the design and implementation of their systems, services, products and business practices.” //10 It further states that:
“The NDHM shall issue appropriate technological and operational guidelines providing for the establishment and maintenance of the federated architecture, for ensuring the security and privacy of the personal data of data principals, and for maintenance of electronic medical records and electronic health records.” //10
Grievance Redressal
Chapter VII of the HDMP lays out the mechanism for resolving grievances of users and elaborates on methods of penalising any individual or entity who does not comply with the Policy, leading to security breaches and data management issues.
Clause 32 proposes a process through which data principals may redress grievances with data fiduciaries, Clause 33 obligates data fiduciaries to formulate and implement a personal data breach management mechanism, Clause 34 empowers the DPO as the principal authority to ensure compliance, and Clause 35 imposes penalties for any breach. Clause 32.3 empowers the Grievance Redressal Officer to resolve issues not satisfactorily addressed by the Data Protection Officer, stating:
“In the event that a complaint is not resolved by the Grievance Officer of the data fiduciary as referred to under Clause 32.2 above, the matter may be referred to the NDHM-GRO in writing or through an email ID or any other electronic means provided under the grievance portal of NDHM website. The details of the NDHM-GRO shall be displayed on the website along with the procedure for contact and the format and processes for filing the above.” //12
Second Draft
Released in April 2022, the second version of the HDMP has been criticised for its “weak legal foundation and inadequate preparatory groundwork; excessive delegation; a constricted digital consent, confidentiality and privacy framework; over-reliance on an Aadhaar-based authentication system; and, vague systems for anonymisation and de-identification, as well as the complete absence of strict access control requirements for personal health data.” //13 In the “Purpose” section of Chapter I, the second draft introduces the concept of the “ABHA” and elaborates on the first draft’s guidelines on the relationship between Aadhaar and the unique health ID, as follows:
“Currently, healthcare programs and facilities register patients/beneficiaries by numbers on their own leading to multiplicity of numbers. Therefore, numerous numbers are assigned to one individual across different healthcare facilities and programs. For creating an integrated, uniform and interoperable ecosystem in a patient or individual centric manner, all the government healthcare facilities and programs, in a gradual/phased manner, should start assigning the same number for providing any benefit to individual. This number, created with KYC using Aadhaar or any other digital system, will be known as Ayushman Bharat Health Account (ABHA(number)).” //12
It also emphasises consent from users within the same section, whereas the previous draft had made no mention of a “Health Information Exchange - Consent Manager” //14 in that section, only defining it in the “Definitions” section. The second draft states, “Linked health records can be shared after consent through Health Information Exchange - Consent Manager (“HIE-CM”).” //12
However, Section 3(c) specifies one of the “Objectives” as follows: “to create a system of digital health records which is easily accessible to individuals and healthcare service providers and is voluntary in nature, based on the consent of individuals, and in compliance with relevant standards.” //12 The notion of relevant standards has been critiqued by policy experts //13, as the first draft specifically noted “international standards” as a benchmark for compliance. //10
The first draft of the HDMP defined “Personal Health Record” (“PHR”) in Chapter I, stating that PHRs ought to be maintained in secure and confidential environments like a health locker, wherein only the individual related to the record and people authorised by that individual can access their medical data. However, it is only in the second draft that the secure environment is associated with “PHR Apps,” noting that such a front-end application will be under the close supervision of an HIE-CM. These apps will function to create ABHA addresses and link health records from health information providers such as hospitals, diagnostic centres, public health programs, etc. Through the PHR Apps, individuals will be able to view and access their records, and such records will be stored for the long term on these apps, allowing people to upload and share their health records with the ABDM network. //
Responses and Criticism
Both drafts of the HDMP and the concept of the unique health ID have been heavily criticised by policy researchers, civil society organisations, journalists, and lawyers.
The major grounds of critique have been the following: the public consultation process, prerequisites to a digital health records system, governance framework, consent and confidentiality, data privacy and security, inclusion, and access to health data by private entities.
Lack of infrastructural preparation, internet access, and digital literacy
The implementation of the NDHE with inadequate groundwork has been criticised, as previous efforts such as health information systems (HIS) have reported poor quality in data recording practices in Haryana. //16 The concern is that the Policy in its present form emerged despite unaddressed issues of skilled human resources trained in data recording and analysis, infrastructural capability, and provisions for maintaining the security, privacy, and quality of collected data.
Internet connectivity further remains a key concern for the implementation of the HDMP and a digital healthcare ecosystem, as the internet penetration rate in India remained under 50% until 2019 //17 and the NSSO finds that only 16.1% of households in rural areas, 48.7% of households in urban areas, and 26.7% of households in urban and rural areas combined report at least one member with internet access. //18
Poor grievance redressal mechanism and penalty system for non-compliance
The major critique of the grievance redressal mechanism outlined in Chapter VII of the HDMP stems from the absence of specific legal processes that users may turn to in case of issues or challenges with the actions taken by the DPO and the GRO. Clause 32.2 specifies that “The Grievance Officer shall redress the grievances of the data principal expeditiously but within one month from the date of receipt of grievance.” //12 However, the redressal process remains unclear and at the discretion of the data fiduciary. There is also concern about the GRO arbitrarily rejecting complaints, since no method for appealing their decisions and settlements has been defined within the HDMP.
The penalties specified for non-compliance include a ban, suspension, and cancellation of digital IDs for HIPs and health facilities. Considering the extreme nature of these penalties, there is criticism that minor violations might go unpunished within the HDMP or that penalties may be disproportionately handed out for such violations.
Consent critique
Chapter III of the HDMP lays out the consent framework, which has been critiqued due to the default creation of unique health IDs, the absence of guidelines on specific consent, the incomplete nature of the NDHM Consent Form, and concerns about low digital literacy, which relate to a gap in the practice of informed consent for all users.
Clauses 9.1 and 10.1 both mention only personal data as requiring consent from the user before being collected and processed by data fiduciaries, leaving out non-personal data as well as unique health IDs. This concern has been exacerbated by the fact that unique health IDs have been generated without explicit consent or notice of users on the CoWIN platform. //19 //20 _The Quint_ criticised the absence of consent and privacy in this practice:
“The Central government automatically generated unique health ID numbers for all individuals who chose to register on Co-WIN by using their Aadhaar number as ID. This was carried out without the free and informed consent of those individuals. According to an RTI filed by Medianama, the National Health Authority has stated that it has already generated 11 crore unique IDs. This is also reflected in vaccine certificates, where many have found a 14-digit health ID in their names.” //19
The issue of consent being exploited by data processors also worries digital rights experts, as the HDMP’s Clause 10.2 requires fresh consent to be acquired only if there is a change in the privacy policy. Policy experts at IFF recommend, “In addition to the broad consent taken in the beginning, specific consent must also be taken at each instance of data processing and sharing.” //13 The absence of any data masking //21 or obfuscation techniques, where sensitive data can be protected through the use of modified content like characters or numbers, can also undermine the user's consent even when data is used for a specific purpose. Furthermore, exceptions to the consent requirement, such as public health interest, have been critiqued for not being specific and clearly defined in the HDMP.
Another critique has been regarding the Personal Data Processing Model Consent Form //22, which currently fails to mention that the collection of data is voluntary and to specify that refusing such consent will not lead to exclusion from any services. The exact duration of data retention by data fiduciaries or any third party has also not been specified. Furthermore, as digital literacy rates in India are low //23 //24 //25, experts recommend that the Consent Form should be accompanied by easy-to-understand information on the users’ rights under the HDMP and the mechanism for grievance redressal, so that the user consent is well-informed and valid. Efforts to improve digital literacy across the country are also seen as crucial for the success of the NDHM and the vision of digitising healthcare.
Problems with ‘Privacy by Design’ implementation
Apart from the requirement for a privacy policy specified in Chapter V of the HDMP, civil society organisations have criticised the absence of a comprehensive legal framework and data protection law, as this absence will undermine the privacy rights of Indian citizens when their health data is processed on a large scale by the government and private entities. // The HDMP and the NDHM have thus been critiqued for promising privacy by design without any statutory guidelines to enforce data protection and privacy.
In addition to this, Clause 33.2 of the HDMP does not mention that the user must be informed in case of any security breach of their data, mandating that only the NDHM be notified. //12 Some digital security experts trace this failure to the absence of any association between the HDMP and a comprehensive Indian data protection law. //27
The sharing of non-personal data and de-identified or anonymised personal data has also been criticised, as the HDMP states that Personal Health Identifiers or “PHIs could also be used for re-identifying previously de-identified data. It could include a data principal’s demographic and location information, family and relationship information and contact details”. //12 This acknowledges that de-identification of data is reversible //28, and yet the HDMP allows for such data to be shared with data fiduciaries, causing major concerns for the privacy of users, as digital health records can be used by private parties for their own commercial or profit-centric interests.
These concerns have been exacerbated by the potential of surveillance through the NDHM and the HDMP in the Indian political sphere. Chhattisgarh Health Minister, TS Singh Deo, expressed his concerns to the former Union Minister of Health and Family Welfare, Harsh Vardhan, stating that “the policy can be ‘misused by an authoritarian state for surveillance purposes’, and use sensitive personal information for manipulation in addition to ‘overt coercion’.” //26
Linking with Aadhaar: Coercion and Exclusion
While verification of the health IDs for individuals and facilities mentions Aadhaar, the Policy also clarifies the voluntary nature of this verification, stating:
“Where an individual wishes to avail of any health services, the Health ID of the individual may be verified by the use of Aadhaar or any other method of identification as may be specified by the NDHM. The voluntary use of Aadhaar in this Policy is envisaged as per the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Rules, 2020. The failure or refusal to make use of Aadhaar would not result in the denial of access to any health facility or service.” //12
However, there are concerns that Aadhaar-based authentication will become mandatory in practice and lead to large-scale exclusions from healthcare services. An example of this is the FAQs on the NDHM website specifying that it would be mandatory for doctors to create a DigiDoctor ID using Aadhaar:
“2) Is Aadhaar mandatory to create a DigiDoctor ID? In Phase I, an Aadhaar enabled DigiDoctor ID is necessary to authenticate the doctor and enable them to e-sign documents. Later versions will allow doctors to enroll using other ID Proofs as well.” //29
From the Health Facility Registry FAQ:
_“10) What do I need for registering in the Health ID? A user needs to register using his Aadhaar and his/her registered mobile number linked to the Aadhaar. Once registered, he/she will be automatically directed to the HFR module.”_ //30
Not only is this in violation of the Aadhaar Act post the _Puttaswamy_ judgement //31 by the Supreme Court of India, but it has also been critiqued because Aadhaar-based authentication had a failure rate as high as 12% in 2018, according to the CEO of UIDAI. Furthermore, there has been criticism that while the HDMP touts Aadhaar-based verification as voluntary on paper, it will become mandatory in practice just like Aadhaar itself, as mentioned in media reports: //32 “Experts _Inc42_ spoke to, felt that the Digital Health ID program could be very similar to Aadhaar, which is also ‘voluntary’ on paper, but made mandatory by certain institutions, both government-owned and private.” //33
This issue became evident during the vaccination process for the COVID-19 pandemic. For instance, the Gurugram administration reportedly imposed a rule that an Aadhaar card with a Gurugram address was mandatory for getting a COVID-19 bed at hospitals, and several states mandated Aadhaar cards for conducting RT-PCR tests. //34 //37 IFF launched a Twitter campaign under #VaccinesForAll, wherein one of the demands was de-linking Aadhaar from the process of vaccination and COVID care, and they advocated before the Delhi High Court as well. //35 //36 Policy experts at IFF have thus recommended to the MoHFW: “Aadhaar-based verification should be removed so as to ensure that issues related to privacy are at the very least partially addressed.” //13
Faulty consultation process
The public consultation process for the first draft of the HDMP occurred in September 2020, in the middle of the COVID-19 pandemic. It was the subject of controversy due to its inconsiderate and short deadline for feedback submission during the public health crisis, making the consultation exclusionary for disabled and non-English-speaking individuals, as well as for people without access to the internet. These concerns were highlighted in a petition filed before the Delhi High Court on 8 September 2020 by Dr. Satendra Singh. //45 //46
IFF provided legal support to Dr. Singh for the petition, and the Delhi High Court directed the government //50 to work on its consultation process based on policies such as the Pre-legislative Consultation Policy. //51 The deadline for feedback submission was also extended to 21 September 2020, //52 but issues with digital inaccessibility, the English-only mode of consultation, and the exclusion of people with visual impairments persisted after the petition //53 as well.
While the second draft’s consultation timeline was not critiqued, IFF noted that the second draft itself had failed to incorporate the comments from the first consultation process, and several significant concerns had been neglected in the second draft of the HDMP:
“While the latest version of the Draft policy provided a reasonable deadline for inviting comments during the consultation process, it didn’t address many of the other concerns. The concerns and demands voiced in our earlier comments and working paper are echoed in our latest comments, since most concerns around the policy remain unaddressed.” //13