The Ayushman Bharat Digital Mission ('ABDM') also known as the National Digital Health Mission ('NDHM') was announced on 15th August, 2020 and formally launched by the Prime Minister of India on 27th September, 2021. Amongst other things, the NDHM's principal stated intent and goals are to: (i) create a unique health ID assigned to each person, and which will centrally hold digital health records including tests, prescriptions, treatments etc., of the individual; and (ii) create and maintain registries of healthcare facilities, healthcare professionals, drugs, disease and health data fiduciaries. And, on two of the broadly categorised core building blocks of health ID and registries, additional layers are envisaged to be built, such as that of personal health record, electronic medical record, consent manager and health information exchanges, health locker etc.
The NDHM as a policy intervention flows from the overall vision of digitising healthcare in the country as set out the National Health Policy, 2017 ('NHP, 2017')1 and the practical road-map outlined by the National Digital Health Blueprint ('NDHB')2 of a federated data architecture and an ecosystem based on technological interoperability, 'consent' as well as 'privacy and security of personal data'. Under the aegis of the NDHM, the National Health Authority ('NHA') has placed in the public domain, specific policies related to the management and retention of health data, namely, the NDHM Health Data Management Policy, 20203 and the Data Retention Policy, 20214 ("Policy Documents").
The Supreme Court of India, in Justice K.S. Puttaswamy (Retd.) v. Union of India5, while declaring informational privacy as a fundamental right protected by Article 21 of the Indian Constitution had also specifically opined on the need to ensure the confidentiality and privacy of medical/health data given the new dangers like profiling and surveillance that technology has created. Consequently, any state policy that infringes on this right must meet the four-pronged proportionality test laid down in Puttuswamy i.e. there must be a (i) procedure established by law aimed at a legitimate goal; (ii) just, fair and reasonable; (iii) proportionate to the objective sought to be achieved; and (iv) have guarantees to check against any abuse by state or private actors.
While the other prongs laid down in Puttuswamy are to be examined separately and will be based on a subjective determination by a constitutional court, what is important to note is that, currently the NDHM and its constituent units such as the health ID, its linkages to electronic health records etc., as a whole have no legal foundation and is operational vide policy documents issued by the NHA with significant regulatory vacuum. Therefore, in the absence of a comprehensive legislative framework on data protection that adequately safeguards the fundamental right to privacy including of consent, confidentiality, privacy and security of an individual and their sensitive health data, the NDHM itself is constitutionally suspect.
The common thread that ties together the above-mentioned policy documents is that they despite containing key points of differences on definitions and obligations of data fiduciaries, they do place reasonable reliance on some of the principles such as qualified consent and specific user rights that were included in the earlier proposed data protection law i.e. the Personal Data Protection Bill, 2019 ("PDP Bill, 2019"). In any event, the policies will have to necessarily be re-drafted once the Data Protection Bill, 2021 ("DPB, 2021") becomes a validly enacted law.
Having said the above, the Data Protection Bill, 2021 and the recommendations of the Joint Parliamentary Committee on Data Protection, which had reviewed the PDP Bill, 2019, on an overall basis will significantly impact the governance of and regulation of sensitive health data. The Data Protection Bill, 2021 includes 'health data' as sensitive personal data and defines it as the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associated with the data principal to the provision of specific health services. With respect to the same, the primary question that arises from a bare reading of this definition, is whether 'health insurance' which practically, is only an enabling tool that facilitates an individual to pay for health services, can be classified as a health service and insurance data be treated as being collected in the provision of health services i.e. as health data?
Furthermore, the DPB, 2021 allows personal data to be processed without obtaining consent from the data principal under certain grounds that includes but not limited to broadly, (i) responding to any medical emergency; and (ii) for any provision or service to be received by an individual from the State. Two separate points emerge from the above stated exceptions to consent in the DPB, 2021. First, there is a requirement for a definition of what constitutes as a 'medical emergency' given the fact that the Kerala HC in the Sprinklr6 case, in relation to a COVID-19 contact-tracing application used by the Kerala Government, had strongly reiterated the imperative need to ensure safeguards for data processing are strictly followed including the obtaining of specific consent of individuals. Second, considering the blanket waiver on the consent requirement for processing of data of a beneficiary of a provision or service from the State, does it follow that the personal data of an individual beneficiary of the Ayushman Bharat Yojana can be processed without their consent?
Additionally, the DPB, 2021, enables an individual to decide how their personal data is to be handled in event of their death, and these include the right to (i) nominate a legal heir or nominee, (ii) exercise the right to be forgotten. While this is a crucial addition that the JPC has made in the DPB, 2021 and which was missing in the PDP Bill, 2019, a question that comes up is what happens when a person is incapacitated or mentally unsound, how would their consent be obtained? Perhaps, the detailed standards set out in the Mental Healthcare Act, 2017 for a nominee representative to take treatment decisions on behalf of an incapacitated person can be drawn from to account for such scenarios.
Aside from the key players in the healthcare sector including hospitals, clinical establishments and digital health technology platforms, a segment of the healthcare sector that will be particularly affected if the DPB, 2021 is enacted are companies that manufacture/operate health wearable smart devices. And, this is specifically because beyond having to comply with the requirements related to the collection, processing, storage and sharing of data, the DPB, 2021 mandates entities to submit to the monitoring, testing and certification of hardware/software computing equipment/applications process to be framed by the Data Protection Authority ("DPA").
Separately, a structural concern that looms large over both the DPB, 2021 and the NDHM is in relation to multi-tiered federal arrangement set out in the constitutional scheme i.e. Seventh Schedule of the Indian Constitution. Specifically, the question is how can a DPA that is functionally under the control of the Union Government, exercise control over data related to health, which is a state subject mentioned in List II of the Seventh Schedule?
Considering the rapid pace in which the digitisation of healthcare is progressing, and as an increasing volume of health related sensitive data is being transferred, between individuals, digital health/health technology platforms. Therefore, it is all the more imperative that the DPB, 2021 is enacted into law with issues related to health data, including those highlighted above, are addressed as well as the policies framed under the NDHM are re-examined and brought in line with the principles enunciated in the enacted DPB, 2021.
5. (2017) 10 SCC 1.
6. W.P. (C). Temp No. 84 of 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.