Health data retention policy proposed within the framework of the ABDM


A draft health data retention policy was proposed by the National Health Authority (NHA) through a consultation document published on November 23. This draft policy, which is open for consultation until December 24, includes provisions for data retention, different types of classification for stored data, and gives suggestions on how to store and exchange data. .

The document essentially revisits the Health Data Management Policy (HDMP), notified earlier this year, as part of the Ayushman Bharat (ABDM) digital mission. The NHA had said that a number of HDMP clauses would be implemented based on specific data retention policies to be notified from time to time.

Health data is classified as sensitive personal information under the Information Technology Act. The NHA cites user concerns over data security and the health ecosystem’s need for reliable, long-term data as the reasons for such a policy.

Comments on the consultation document can be submitted via the form on the NDHM website or by email to [email protected] You can read the full document here.

How will the draft policy be implemented?

Two approaches are suggested for policy implementation –

Advertising. Scroll down to continue reading.

i) Cover the entire health ecosystem: This would include healthcare providers and entities that may have chosen not to participate in the National Digital Health Ecosystem (NDHE). Entities would include insurance providers, third party administrators (TPAs) offering individual and group insurance plans, open API system providers, private PHR applications, teleconsultation platforms, data processors, etc., indicates the draft policy.

ii) Covering only health care providers under ABDM

Advantages and disadvantages of the two approaches

1st approach: The NHA said it could create a one-size-fits-all approach to health data retention, making it easier to enforce policies in the future and reducing opt-in and opt-out frictions. The downside would be the difficulties of application.

2nd Approach: Ensuring compliance would be easier, the document notes. However, this would create subsystems within the larger healthcare system, with disengaging entities not complying with the system.

The policy also recognizes the possibility that an entity may initially withdraw from NDHE, delete all of its records, and then comply sufficiently with the policy to join NDHE; However, he says it would defeat the ecosystem’s goal of creating reliable, long-term datasets.

Classification of data and their retention periods:

The document recommends a retention period based on classification. This, he says, is due to the fact that there may be circumstances where certain more valuable records should be retained for longer periods and a classification-based retention approach could reduce requests for extension of their. retention period. Daily monitoring records of patients with PDI may not fall under this policy.

Advertising. Scroll down to continue reading.

It offers the following major classifications:

  • Hospitalized patient
  • Non-Patient
  • Deceased patient
  • Exception cases

Data retention periods: A retention period of 10 years has been suggested for health data relating to deceased patients, inpatient and outpatient consultations.


  • In the case of minors, data from hospital consultations will be kept until the age of 18 or 10 from the last entry / meeting, whichever is later.
  • Data relating to medico-legal documents, birth register, vaccination, clinical trials and death register will be kept permanently.

Retention of pseudonymized and anonymized data

The policy makes separate provisions for pseudonymized data (data stored under a different name) and anonymized data (data from which all identifiers have been removed). He says these data sets should not be stored except for “specific, clear and lawful purposes and without informed consent of the main data ” (emphasis added). It also states that since pseudonymized data can be re-identified, it will have the same retention period as the original data.

In addition, it establishes the following conditions for the deletion and retention of this data:

For deletion

  • If the data controller has requested the deletion of data.
  • If the purpose of data anonymization / pseudonymization is achieved and there is no longer any obligation to store the data.
  • The data retention period has expired.
  • If prescribed under a law in force at that time.
  • In accordance with any relevant court order.
  • In accordance with any government regulations or directives issued from time to time.
  • For any other valid reason than those mentioned above.

For conservation, despite a request for deletion

  • If the data is not directly assigned to Data Principal.
  • So the same is required for the study of medical policies for the benefit of society as a whole.
  • If prescribed under a law in force at that time.
  • In accordance with any relevant court order.
  • In accordance with any government regulations or directives issued from time to time.
  • For any other reasonable reason notified by ABDM from time to time.

Mode and data storage

The policy recognizes three ways of storing health data: Electronic, physical or original form. He says electronic records will be preferred. However, later in the document it is stated that if the policy is applied to all health entities, the physical and original form records will be recognized.

For storage, The cloud is recommended: The document states that users and healthcare providers prefer the cloud for better access. However, it also indicates that small clinics and healthcare providers may face issues with how large format imaging files are stored; for example, MRI scans.

Data exchange

“..blockchain, digest chain, and structured peer-to-peer (P2P) networking techniques can help resolve issues with existing IT systems and data sharing agreements can also be defined,” the policy says. , regarding the sharing of inter-organizational information. health data, especially in the case of legacy IT systems which may not be as interoperable and given that users may have security concerns about cloud-based sharing.

Advertising. Scroll down to continue reading.

In addition, the policy states that the Data Trustee (the entity storing the data) will be responsible for ensuring that any processor to which they outsource work complies with HDRP guidelines to avoid any breach. Both will also be responsible for handling any requests for extended data retention periods and efficient storage techniques.

Storage and maintenance

Very briefly, the policy requires that stakeholders allow overwriting, anonymization, or other methods of deletion or erasure if a data principal (i.e. a patient) so requests. He also broadly wants the Trustees to adhere to the HDMP and Information Security Policy and enable interoperability and states that the Trustees will be responsible for maintaining the technology infrastructure.

How will this be framed?

The data retention policy indicates that it will follow more or less the same structure as the data management policy. A Data Protection Officer (DPO) appointed by Ayushman Bharat’s digital mission, who the HDMP says manages grievance resolution, will ensure compliance with the retention policy. The document also states that the DPD will have additional responsibility for creating an audit mechanism and in cases where a Health Information User (IUH) or Health Information Provider (HIP) no longer exists. , it will ensure that the data is not orphaned, via the data custodian. .

Recap: What happened with ABDM?

The ABDM, formerly known as the National Digital Health Mission, was rolled out nationwide in October after a pilot project in 7 Union territories for a year. Last week, MediaNama reported that so far nearly 14 crores of unique health identifiers have been created as part of the mission, of which 96% are connected to Aadhaar cards with the NHA also recently enabling the Driver’s license-based authentication for UHIDs. Like the HDRP, the NHA has also said it will release a consultation paper on the “drug registry” next month.

In the HDRP consultation document, the NHA said it has launched the following building blocks: health identification, personal health records (PHR) application, healthcare professional registry (HPR) starting with doctors, registry of health establishments (HFR) and health Information and consent exchange manager (HIE-CM). Although no consultation or document has been published on the HIE-CM, the NHA has published consultation documents on the Unified Health Interface (UHI), the Register of Health Professionals, the Register of Health Care Establishments. health, the draft NDHM implementation strategy, NDHM master plan, data policy, sandbox framework guidelines and other similar documents.

Read also :

Advertising. Scroll down to continue reading.

Do you have something to add ? Post your comment and give someone a MediaNama subscription.


Comments are closed.