The National Digital Health Mission, which will be overseen by the National Health Authority, has now laid out a framework to run a sandbox to test new products and services to form a digital health architecture under the Mission. Here is an explainer of the sandbox.

What is the National Digital Health Mission sandbox?

Like any other sandbox, the National Digital Health Mission (NDHM) sandbox will allow technology and products to be tested in a contained environment for a defined period to eventually deploy successfully tested products to a larger market. It is understood from the sandbox document that the APIs developed under the Health Stack will be tested by participants under the mission. The sandbox mandatorily needs to include the building blocks of NDHM, with new or emerging technology or use of existing technology in an innovative way that also benefits consumers.

The “core building blocks of healthcare” Health ID, DigiDoctor, Health Facility Registry will be tested in the sandbox. According to the framework, it “paves the way” for an institution or system to become a Health Information Provider and Health Information User, concepts first introduced by iSPIRT in June.

The sandbox will help “organisations which want to be part of the National Digital Health Ecosystem to become a Health Information Provider or Health Information User or efficiently link with building blocks of NDHM”. Both alpha and beta testing of products will be allowed, and access to the NDHM ecosystem shall be “primarily through the sandbox”.

What can be tested:

The following products can be included for testing:

1. Products and services: Health ID, DigiDoctor, Health Facility Registry, Personal Health Records, Telemedicine, e-pharmacy, health clouds 

2. Convergence and expansion of NDHM for: retail healthcare, health insurance and assurance, healthcare marketplace and aggregation, digital KYC for health, health management, digital health identification services, smart contracts, cyber security products.

  • Products such as clinical decision support system (CDS), anonymisation-as-a-service, consent management-as-a-service

3. Technology: Data analytics, API services, blockchain applications, AI / ML applications

4. Becoming a Health Information Provider, a Health Information User, or a Health Repository Provider:

a. What is an HIP? Any healthcare provider that creates health information to treat a patient, and agrees to share it with the patient using the NDHM consent framework is a HIP. They will become a HIP by:

    1. Signing up with the NDHM facility registry to confirm that they are a healthcare provider
    2. Adopting certified Electronic Medical Records (EMR) software that that is compliant with NDHM standards
    3. Adopting identifiers maintained by NDHM (Health ID, DigiDoctor etc.)
    4. The HIP must share anonymized data as per policy laid down by NDHM or the National Health Authority in this regard.

b. A HIU will be any entity that wants to access a user’s health records, including hospitals or doctors, and mobile apps that want to display a user’s health data to them, including PHR applications.

c. HIPs are expected to store digital records of both outpatient and inpatient treatment in long-term storage and make them accessible. For this, HIPs are expected to partner with Health Repository Providers who will help them in implementing this obligation. This will cover health lockers and health data storage facility systems. They may act as HIPs and HIUs. Detailed guidelines for an organisation to become a HIP/HIU/Health Repository Provider will be separately issued.

Any product, service, company, or organisations which have been banned by the government shall be strictly prohibited.

Who can participate in the sandbox

The target applicants are healthcare or health-tech service providers, including public health programs at the centre and states, software providers, hospitals, labs, healthcare aggregators, and health tech companies and so on. The focus will be to encourage innovations intended for use in the Indian market in areas “where proposed innovation shows promise of easing or effecting delivery” of healthcare or health tech services in a significant way.

Eligibility criteria from the applicants

The entity has to demonstrate arrangement to ensure compliance with existing regulations on consumer data protection and privacy, including the Personal Data Protection Bill, 2019. It also has to develop a clearly defined exit and transition strategy, in case the tested service is discontinued or deployed on a broader scale. Only firms or entities incorporated or registered in India, or licensed to operate in India can enter the sandbox.

  • The applicants have to share results of Proof of Concept or testing of use cases, including any relevant prior experiences before being admitted into the sandbox.
  • Significant risks arising from the proposed solution or service should be assessed and a mitigation plan shall be submitted.
  • The applicant has to apply for an extension of the sandbox period a month prior to the expiration date, with valid reasons. The mission will decide whether to allow the extension based on the testing stage, results of testing until then, justification for continuance, and expected outcome in the extended period.

“Boundary conditions” should be clearly defined for the sandbox to be meaningfully executed while sufficiently protecting consumer privacy. Boundary conditions includes a clearly defined space and duration, within which any consequences of failure can be contained. The boundary conditions include a defining a start and end date, target customer, limit on the number of customers, security and privacy related conditions, and compliance to the standards for each building block of NDHM.

Compliance requirements; includes compliance with PDP Bill

Apart from compliance to medico-rules, regulations, and guidelines, security of transactions, rules and regulations from the MEITY and Health Ministry, participants will also have to comply with the Personal Data Protection Bill, 2019. Organisations entering the sandbox also have to mandatorily get a technology or security audit done to be onboarded. “The check on all compliances shall be a part of the audit,” per the document.

Pariticipants also have to comply with customer privacy and data protection, secure storage of and access to data of all stakeholders, (including health data), core principles and related requirements of the NDHM itself, and any other statutory restrictions.

When the sandbox can be discontinued

The entity does not achieve its intended purpose, if it is unable to fully comply with the relevant requirements, and if it has not acted in the best interest of the consumers. The entity can also exit the sandbox by informing the mission a month in advance. It needs to ensure that any existing obligation to customers is fully completed before exiting the sandbox.

Requirements around consumer protection: notice to customers of potential risks, explicit consent for sandbox

Applicants have to present a plan with adequate protections for consumers, including marketplace disclosures, a risk management plan, safeguarding procedures, redressal mechanisms, and so on. The participants will also have to “in an upfront and transparent way” notify test customers of potential risks and available compensation, and “obtain their explicit consent in this regard”. There should be an appropriate arrangement for customers to withdraw from the test.

Sandbox entities have to take liability or indemnity insurance of an adequate amount and period of safeguard customer interest. This will be based on the maximum possible liability.

Existing regulations would continue to apply during the test to all their routine, non-sandbox activities. Their sandbox activity will be permitted to tested according to a test plan without a separate license or authorisation, once the mission approves the application and completes audits successfully.

Sandbox process and stages

End-to-end sandbox process: This will be a detail “end-to-end” sandbox process, wherein the testing of the product will be overseen by the NDHM Health Tech Committee under the guidance of the NDHM Mission Director, with the participation of domain experts.

Each product on NDHM will have five stages:

  1. Preliminary Screening: The Health Tech Committee will shortlist applicants meeting the eligibility criteria, and ensure that the applicant clearly understands the objective and principles of the sandbox and conforms to them.
  2. Test Design: Lasting four weeks, the HTC has to finalise the test design through an iterative engagement with the applicants, and identify quantitative and qualitative outcome metrics for evaluating evidence of benefits and risks.
  3. Application Assessment: Lasting for three weeks maximum, the HTC shall vet the test design and propose any modifications.
  4. Testing: This phase may last for a maximum of 12 weeks. The HTC shall assess by close monitoring.
  5. Evaluation: This phase may last for 4 weeks. The outcome of the product, its viability under the sandbox, will be confirmed by the NDHM. The HTC shall assess the outcome reports on the test and decide on whether the product/service is compliant with various NDHM guidelines.

Once the entity is approved for operating in the sandbox, the NDHM will provide appropriate support by relaxing specific requirements which the entity would otherwise be subject to, for the duration of the sandbox. The participant will bear any liability arising out of this. Once the sandbox ends, the participant must exit it, and “start utilising the production services of the NDHM ecosystem to be continuing for live implementation”.

Certification process: MEITY and a body under it

NDHM certification will be done via two approaches, one to assure that process by which the product was developed, and the other to evaluate the quality of the end-product.

  1. NDHM has engaged MEITY to verify, validate and certify products/solutions who have onboarded with the NDHM Sandbox and shall be going live with the products, with mandatory integration of NDHM building blocks through APIs.
  2. Standardization Testing and Quality Certification Directorate (STQC), an office under MEITY, will be responsible for ensuring certification of the software/product with NDHM before it is rolled out in the open market. The certification/audit of the product shall be mandatory and shall be undertaken by STQC or its empanelled vendors.

Organisations which receive clearance from the HTC will reach out to the directorate for certification or audit of their product. A detailed audit process will follow, and this will be completed per a checklist finalised by the NDHM.

Read more:

  1. All you need to know about the National Digital Health Mission [read]
  2. Ministry of Health’s public consultation on National Digital Health Blueprint: Legal issues around telemedicine, consent, and ‘egosystems’ in healthcare [read]
  3. iSpirt demos a key part of Health Stack — the health data consent manager. Some questions. [read]