NDHM-Health Data Management policy objective need not be linked to ISO standard

(This is a continuation of the earlier article)

Before we dive deeper into the NDHM’s Health Data Management policy, there is a need to discuss one philosophical issue about what should be the objective of such policy and even the laws such as PDPA.

For the time being we shall assume that this “NDHM-HDM Policy” is a directive from the Ministry to all the participants of the NDHM ecosystem and hence has the force of a near-statutory regulation. Presently it is aligned to Section 43A of the ITA 2000, and once the PDPA comes into existence, this policy will be aligned to the PDPA and acquire real legal force.

Hence we need to discuss what should be the objectives of such laws/regulations.

The objective of the ITA 2000 was to promote E-Commerce and to protect data through various measures of information security and cyber crime control. The objective of the PDPA is to protect the “Privacy of an Indian Citizen”.

The policy declares that it is the first step in realizing NDHM’s guiding principle of “Security and Privacy by Design” for the protection of individuals’ data privacy. This statement is in alignment with the objectives of the PDPA. The policy is also careful to declare that it is subordinate to other applicable laws.

However, in Paragraph 3 of the Policy, the policy stumbles by declaring that its key objectives include:

“to create a system of digital personal and medical health records which is easily accessible to individuals and health service providers and is purely voluntary in nature, based on the consent of individuals, and

in compliance with international standards such as ISO/TS 17975:2015 (defines the set of frameworks of consent for the collection and processing of health data by healthcare practitioners and other entities) and

other relevant standards related to data interoperability and data sharing as may be notified for the implementation of NDHM from time to time”

It is difficult to understand whether the second paragraph above was required at all, or whether it could have been deleted altogether, since it reads as if compliance with an ISO standard is one of the objectives of this policy.

It appears that there is no need to frame a law or a regulation so as to be compliant with a “Standard”, unless the “Standard” itself is the law, as is the case with a prescriptive law such as HIPAA.

In other laws, the law sets down a principle which is expanded in the regulatory notifications. After this it is for the industry to develop its own best practices, which may be called “Standards” or go by any other name. Those who develop “Standards” align the standards to the law, and not the other way round.

ISO standards are sometimes mistaken for “Regulatory Standards”, and this perception needs to be changed. An ISO standard is subordinate to the law and is a tool of compliance. The law cannot be a tool of compliance with an ISO standard.

It would be better to correct this aspect in the policy.

(To be continued)

Naavi

All Articles in the series:

1. National Digital health mission shows the way… Be Ready before PDPA becomes effective

2. NDHM is a trend setter… Get started early on the Privacy Protection journey

3. Consent Management under NDHM

4. NDHM-Health Management policy Objective need not be linked to ISO standard

5. Managing IDs in NHD ecosystem

6. Data Fiduciaries under NDHM

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.

This entry was posted in Cyber Law.
