Health Authority (NHA), the implementing agency for the NDHM, had reassured that the data would not be pulled into any central server and that a prime feature of the scheme was the concept of a consent manager.
The NDHM seeks to provide a unique health ID to each citizen who wishes to have one and also on-board the healthcare service provides (hospitals, pharmacies and diagnostic labs, among others). It will have an online database of doctors (DigiDoctor) and personal health records (PHRs).
To access one’s PHR, any doctor or institution would have to seek permission from the health ID owner, who can give selective access authorisation too. This authorisation can even be revoked.
The Centre has now reiterated the same in the draft health data management policy – everyone enrolled for the mission will get a Health ID free of cost and have complete control over his or her data.
The government has proposed a framework and a set of minimum standards for data privacy protection to be followed across the board in compliance with applicable laws and regulations.
Data collected across the National
Digital Health Ecosystem (NDHE) will be stored at the central, state or the union territory level and at the health facility level. It will adopt the principle of minimality at each point, according to the document.
Indu Bhushan, chief executive officer (CEO), NHA, said, “The Draft Health Data Management Policy is the maiden step in realising NDHM’s guiding principle of ‘Security and Privacy by Design’ for the protection of individuals’ data privacy.”
The provisions of this policy will apply to the entities involved in the NDHM and those who are a part of the NDHE. These include all entities and individuals who have been issued an ID under this policy, health care
professionals, governing bodies of the health ministry, the NHA, relevant professional bodies and regulators.
It would also apply to any health care
provider who collects, stores and transmits health data in electronic form, insurers, charitable institutions and pharmaceuticals. It will include all individuals, teams and entities who collect or process personal or sensitive data of any individual as part of the NDHE.