wordpress blog stats
Connect with us

Hi, what are you looking for?

New document reveals software to be used for certifying NDHM sandbox participants

The empaneled agencies will be assessing the integration of other private or public entities who participate in the NDHM sandbox to build products and services.

A new Request for Empanelment (RFE) issued by the National Health Authority has revealed the NHA’s plans to use software to facilitate the exit of players from the National Digital Health Mission Sandbox. The players would then enter the live environment of the mission.

Why it matters? Earlier, the framework of the Sandbox said that the certification would be the responsibility of MeitY’s Standardization Testing and Quality Certification Directorate (STQC). Players who are a part of the NDHM Sandbox create products and services which could, following certification, become a part of the actual mission. The NDHM has been built to handle sensitive health data like Unique Health IDs, longitudinal health records (potentially from birth to death), health professionals and health facilities’ registries, and so on. Although the initial guidelines from the NHA had mentioned that it would use the services of ’empaneled vendors’ in the certification process for the “NDHM Sandbox exit”, it did not mention who these vendors would be or that the certification would be determined using software.

What the RFE requires empaneled agencies to do

  • Develop a self-assessment certificate service/tool to automate the Sandbox exit process within a period of 4 months

This tool will evaluate the integrations performed by each participant in terms of functionality with NDHM ecosystem APIs and issue a pass and fail certification.

Application Programming Interfaces (APIs) allow a platform or service to connect to other platforms and services. APIs are an integral part of programming. Open APIs allow any service or app to freely connect to a resource, and are generally published openly.

  • Based on the certificate, the NHA will sign off on a participant’s final integration into the NDHM.

The RFE says that the integration would initially only be for use-cases related to:

  • Creating a Health Locker service: The Sandbox defines this as a software system where a patient’s longitudinal health records are stored either on the patient’s personal devices or on a user-trusted cloud service.
  • Building a Health Information Provider (HIP) service: A Health Information Provider can be a hospital, laboratory, health care center, clinic, or pharmacy – basically, any entity that creates medical data pertaining to a patient.
  • Developing a Health Information User Service (HIU) service: A Health Information User is an entity that will have access to digital health information from HIPs, in order to provide services to the patient to whom the information belongs.
  • Health ID creation and sharing: The Health ID will be used for the purposes of uniquely identifying persons, authenticating them, and threading their health records (with the informed consent of the patient) across multiple systems and stakeholders.

However, the integration can expand to more use-cases and other building blocks of the NDHM once they are operational.

Criteria for agencies to qualify for empanelment

The agencies applying to build the software will need to have:

  • Successfully completed at least 1 project on developing a self-assessment toolkit to test functional compliance for an API-based integration in the last 5 years.
  • Average turnover of over 3 crores in the last 5 years
  • A valid STQC empanelment certificate for ISO/IEC 17025: 2017 or a valid CERT-IN empanelment for information security auditing services

The RFE says that the empanelment will be for three years. The empaneled agencies’ software can be used by a Sandbox participant at a cost decided mutually between the agency and participant.

How the NDHM Sandbox functions

Stage 1: The Health Tech Committee (HTC) will shortlist applicants such as health service providers, hospitals, clinics, laboratories,etc. meeting the eligibility criteria for entry into the Sandbox.

Advertisement. Scroll to continue reading.

Stage 2: Test design for 4 weeks

Stage 3: Application assessment for 3 weeks

Stage 4: Testing for up to 12 weeks.

Stage 5: Finally, the evaluation would take place over 4 weeks after which the participant can enter the live NDHM environment.

Previous method of certification

According to the Sandbox framework guidelines released last year, the certification for sandbox participants. was to be done via two approaches. One to evaluate the process by which the product was developed, and the other to evaluate the quality of the end-product.

The guidelines said that the Ministry of Electronics and Information Technology (MEITY) has to verify, validate, and certify products/solutions that have onboarded with the NDHM Sandbox.

Advertisement. Scroll to continue reading.

Standardisation Testing and Quality Certification Directorate (STQC), an office under MEITY, will be responsible for ensuring certification of the software/product with NDHM before it is rolled out in the open market. The certification/audit of the product shall be mandatory and shall be undertaken by STQC or its empanelled vendors, the guidelines said.

Also read:

Have something to add? Subscribe to MediaNama and post your comment

Written By

I cover health technology for MediaNama, among other things. Reach me at anushka@medianama.com

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ