The National Health Authority (NHA), the body in charge of the government’s Ayushman Bharat Digital Mission (ABDM), released a revised version of its Health Data Management Policy (HDMP) in April. Opened for public consultation until the 21st of May, the new policy contains changes related to the creation and issuance of the Ayushman Bharat Digital Account (ABHA), non-consensual processing of data, a data localization requirement, and more.
Feedback and learnings from the pilot and nationwide roll-out of the ABDM, received since December 2020, led to the new draft policy, the NHA said in a press release.
The earlier version of the HDMP was released in August 2020 and was criticised for allowing private entities access to health data, allowing linkages with Aadhaar, lacking the backing of a data protection law, and so on. A petition was also filed at the time in the Delhi High Court challenging the time allotted for the public consultation on the policy, its accessibility, and the languages it was made available in.
In brief: What is the Health Data Management Policy?
1. The policy is essentially a personal data protection framework for health data and applies to everyone in the National Digital Health Ecosystem (NDHE), including:
- People who have been issued Health IDs (now known as ABHAs);
- Healthcare professionals;
- Governing bodies such as the Health Ministry and the NHA;
- Any healthcare provider that collects health data;
- Payors, i.e. those who pay for healthcare services, such as insurance companies, or state or central government(s) in the case of welfare schemes;
- Pharma companies; and so on.
2. It lays down conditions around the issuance of ABHAs, which are essentially accounts through which users access their health records;
3. It also lays down conditions on how information can be shared, stored, and exchanged by defining security standards for companies, guidelines on privacy policies, defining the Health Information Exchange and Consent Manager, and so on.
The key changes in the new policy
1. On sharing and creation of ABHAs:
- ABHA has to be generated through Aadhaar or another KYC document
“A data principal shall have only one ABHA (number), which shall be linked to his /her Aadhaar or any other KYC document such as PAN, Driving License, Passport, and others as may be Specified by the NHA from time to time,” the policy says, essentially taking away the earlier ability to create ABHAs solely on the basis of a mobile number.
The policy further clarifies the distinction between an ABHA (number) and an ABHA (address):
“‘ABHA Address’ is an address in the format (username)@HIE-CM. An ABHA Address may be used to link and share health records.”
“‘ABHA’ (number) or ‘Ayushman Bharat Health Account’ (number) refers to the 14-digit Identification number allocated to a data principal in accordance with Chapter IV of this Policy,” the policy says.
Further, the policy says that when a person visits a government healthcare facility, a default ABHA address will be issued to them. This would look like (ABHAnumber)@HIE-CM.
To illustrate: an ABHA address works much like a UPI ID, of which a person may hold several (johndoe@okicici, johndoe@ybl, etc.), each linked to a different bank and created for the convenience of transactions. The ABHA number, however, remains singular, giving continuity to consultations done across health facilities.
- Could charges be levied for ABHA creation?
“ABHA (number) may be created at no cost,” the policy says.
“This could mean that in some cases entities could charge for the creation of ABHAs,” Shweta Mohandas, a researcher at the Centre For Internet and Society (CIS), which has made submissions on the draft policy, told MediaNama.
- Integrated IT platforms could be used for ABHA issuance
Earlier, the issuance of ABHAs was conditional on an entity registering with the NHA and obtaining an authorisation key from it.
However, the new policy says that any IT platform integrated with the ABDM can be used to issue an ABHA (number). These platforms would then also be responsible for checking whether a user already has an ABHA (number), the policy says.
An integrated IT platform could mean an entity that has completed integration with the ABDM through its Sandbox. The process of integration involves sending a request to the mission, setting up Application Programming Interfaces (APIs) to integrate with the mission, passing compliance assessments, and so on. So far, nearly 40 private and government sector entities have completed such an integration.
2. Non-consensual processing of data
The personal data of a person can be processed without consent in the following situations, according to the new policy.
a) “Medical emergency where there is a threat to the life or health of the data principal; or
b) Interest of Public health; or
c) Order of the competent court”
“The first condition was a feature of the NDHM-HDMP (earlier policy) as well, while the third condition may be understandable. However, the second condition’s ambiguous framing implies a considerable amount of arbitrariness that may provide the discretion to extract significant amounts of personal data in the name of public health,” the Internet Freedom Foundation (IFF), a digital rights advocacy, said in its blog on the policy.
“All provisions with respect to the non-consensual processing of personal data (such as in the “interest of public health”) must be narrowly tailored and must contain explicit definitions of the data allowed to be processed under such exceptions,” the CIS wrote in a submission it sent on the policy, along with 11 other organisations, which has been viewed by MediaNama.
3. Data localisation requirement for personal data
“No personal data shall be stored beyond the geographical boundaries of India, subject always to the provision of applicable laws,” the new policy says.
4. Opt-out for underage enrolments removed
While the earlier policy allowed minors to be enrolled in the ABDM with the choice of opting out later, the new policy has removed the opt-out provision.
5. Removal of the word ‘ownership’
The earlier policy had said that while data fiduciaries (the entities that process data) handling health data would have to comply with all measures to ensure privacy protection, the true ownership and control of the personal data would remain with data principals (users).
However, the new policy removes the word “ownership” from the same clause.
“The draft policy, in Clause 26.1, has removed the term ‘ownership’, seriously going against the idea and demand that data principals should be owners of their personal data,” IFF said in its submission.
6. Security standards requirement removed
“Data fiduciaries will implement International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” as well as any other standard as may be applicable to them,” the earlier policy had said. Thus, under the earlier policy, entities storing health data would have had to comply with a recognised information security standard.
The new policy removes this requirement.
7. Report incidents to the data principal and the ABDM
While the earlier policy required that any data breaches or leaks be reported only to the ABDM, the new policy requires the data principal to also be notified.
8. Definition of sensitive personal data differs from the data protection bill
According to submissions made by CIS, the definition of sensitive personal data in the new policy is not in line with one laid down in the Data Protection Bill.
“This could lead to confusion in compliance requirements once the Data Protection Bill comes into play,” Mohandas told MediaNama.
The new version defines sensitive personal data as follows:
(i) financial information such as Bank account or credit card or debit card or other payment instrument details;
(ii) physical, physiological and mental health condition;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise
This, CIS says, is a departure from the DPB, whose definition of sensitive personal data includes information such as genetic data, intersex status, and caste or tribe.
9. Transgender people not included in the policy
A line in the older policy said, “Subject to applicable law, the data principal can restrict or object to the disclosure of their personal data by the data fiduciary.”
However, the same line in the new policy says, “Subject to applicable law, the data principal can restrict or object to the disclosure of his/her personal data by the data fiduciary.”
In its submission, CIS said that the use of ‘his/her’ reflects gender binaries, and does not reflect the identity of the transgender data principals who identify themselves with ‘they/them’ pronouns. Adding that the transgender community has been recognised and given legal status per the NALSA judgement, the submission said that the policy should thus be modified.