Health Data Management Policy Great Improvement Over DISHA Regulations: IAMAI

The Internet and Mobile Association of India [IAMAI], on behalf of its members, has welcomed the Health Data Management Policy by the National Digital Health Mission (NDHM). Digitization of healthcare facilities is critical for the last-mile delivery of such basic services, and this announcement strengthens the vision of a vibrant Digital India. The association welcomes the Health Data Management Policy as an improvement over the earlier DISHA, which was much more restrictive in its outlook.
However, IAMAI also pointed out that the Health Data Management Policy does not recognize the role played by intermediaries (especially digital intermediaries like healthtech service providers) who merely facilitate the digital transit of information exchange without actually engaging in the act of providing healthcare facilities. Such intermediaries may be the primary data collector (data fiduciary), but for all practical purposes the Data Processors (or the actual healthcare service provider) have a much greater role to play in the processing of data in the healthcare sector. The liabilities and penalties for data breach must be levied accordingly.
The association also highlighted the mirroring between the Personal Data Protection Bill (PDP), which awaits clearance by Parliament, and the Health Data Management Policy, especially as the latter replicates many of the definitions suggested in the PDP without explicitly aligning them with the PDP. This gives rise to the risk of multiplicity of compliance for healthcare service providers, in case both the PDP and the Health Data Management Policy are adopted in parallel.
For instance, the PDP explicitly suggests certain extra measures for ‘significant data fiduciaries’ dealing with ‘sensitive data’, and most healthcare service providers would qualify as such given that health data is recognized as sensitive data. There is no clarity as to whether the compliances suggested by the NDHM sufficiently satisfy those conditions, failing which healthcare service providers may face contradictory (and duplicate) compliance burdens. The duplication of the roles of the Data Protection Authority (DPA) under the PDP and Data Protection Officers under the NDHM (NDHM-DPO) gives rise to similar concerns of duplication of regulatory authority that may do more harm than good for this sector.
On the other hand, the PDP makes exceptions for processing of certain personal data without consent and recognizes medical or healthcare needs as such exceptional circumstances. Ironically, the NDHM is more rigid in its consent mechanism. According to IAMAI, healthcare services often face emergency conditions where a protracted consent mechanism may delay critical services. The exceptions recognized in the PDP need to be replicated in the NDHM in greater detail to allow for unfettered healthcare services for every data principal under duress or emergency.
While it is understood that the NDHM in its present form only suggests a digital architecture and skips the implementation aspect of this vision, there are suggestions that the entire registration process (for both individuals and healthcare service providers) is completely voluntary and that no one can be denied healthcare service (or prevented from offering such services) if they do not register. However, for the entire vision to be truly effective, a market-driven incentive mechanism needs to be developed to encourage both individuals and service providers to register. Financial incentives for service providers and ease of access and usage for users can be the best value propositions for the universal adoption of the NDHM.