Summary: Draft Health Data Retention Policy

The proposed policy framework specifies retention timelines with separate rules for pseudonymised and anonymised data.

A draft Health Data Retention Policy was proposed by the National Health Authority (NHA) through a consultation paper released on November 23. This draft policy, which is open for consultation until December 24, lays down provisions for retention of data, different types of classification for the retained data, and gives suggestions on the mode of data retention and exchange.

The paper essentially irons out the Health Data Management Policy (HDMP), notified earlier this year, under the Ayushman Bharat Digital Mission (ABDM). The NHA had said that a number of clauses in the HDMP will be implemented based on specific data retention policies to be notified from time to time.

Health data is classified as sensitive personal information under the Information Technology Act. The NHA cites user concerns on data security and the healthcare ecosystem’s need for reliable, long-term data as reasons for such a policy.

Comments on the consultation paper can be submitted through the form on the NDHM’s website or via email to abdm@nha.gov.in. You can read the full paper here.

How will the draft policy be implemented?

Two approaches are suggested for policy implementation –

i) Covering the entire health ecosystem: This would include healthcare providers and entities who may have opted out of the National Digital Health Ecosystem (NDHE). The entities would include insurance providers, third-party administrators (TPA) offering individual and group insurance schemes, providers of open API systems, private PHR apps, teleconsultation platforms, data processors, etc., the draft policy says.

ii) Covering only healthcare providers under ABDM

Advantages and disadvantages of both approaches

1st Approach: The NHA said that it could create a uniform approach for health data retention, easing the future application of policies and reducing the friction of opt-in and opt-out. The disadvantage would be the challenges in enforcement.

2nd Approach: Ensuring compliance would be easier, the paper noted. However, it would create subsystems within the larger healthcare system, with entities that opt out not complying with the system.

The policy also recognises the possibility that an entity may initially opt out of the NDHE, delete all its records, and then be policy-compliant enough to rejoin the NDHE. However, it says this would defeat the purpose of the ecosystem, i.e. to create reliable, long-term data sets.

Classification of data and their retention periods:

The paper recommends a classification-based retention period. This, it says, is because there may be circumstances where certain records with more value would need to be kept for longer periods and a classification-based retention approach could reduce requests to extend their retention period. Daily monitoring records of IPD patients may not fall under the guidance of this policy.

It proposes the following broad classifications:

  • In-Patient
  • Out-Patient
  • Deceased Patient
  • Exception cases

Timelines for data retention: A 10-year retention period has been suggested for the health data related to deceased patients, in-patient and out-patient consults.


  • In the case of minors, the data from in-patient consults will be retained till they turn 18 or for 10 years from the last entry/encounter, whichever is later.
  • Data related to medico-legal documents, birth register, immunisation, clinical trials, and death register will be kept permanently.

Retention of pseudonymised and anonymised data

The policy lays down separate provisions for pseudonymised data (data stored under a different name) and anonymised data (data from which all identifiers have been removed). It says that these data sets should not be stored except for any “specific, clear, and lawful purpose and without the informed consent of Data Principal” (emphasis ours). It also says that since pseudonymised data can be re-identified, it will have the same retention period as the original data.

Further, it lays down the following conditions for deletion and retention of such data:

For deletion

  • If the Data Principal has made a request for data deletion.
  • If the purpose for data anonymisation/pseudonymisation is achieved and there is no further requirement to store data.
  • Data retention period has expired.
  • If prescribed under any law prevalent at that point in time.
  • As per any relevant court order.
  • As per any government regulation or directive issued from time to time.
  • For any other valid reason than those mentioned above.

For retention, in spite of a request for deletion

  • If the data does not directly attribute to Data Principal.
  • If the same is required for study of medical policies for benefit of society at large.
  • If it is prescribed under any law prevalent at that point in time.
  • As per any relevant court order.
  • As per any government regulation or directive issued from time to time.
  • For any other reasonable reason as notified by ABDM from time to time.

Mode and storage of data

The policy recognises three modes of health data retention: Electronic, Physical or Original Form. It says that electronic records will be preferred. However, later in the paper, it says that in case the policy is applied to all healthcare entities, Physical and Original Form records will be recognised.

For storage, Cloud is recommended: The paper says that both users and healthcare providers prefer Cloud for better access. However, it also says that smaller clinics and healthcare providers can face issues in the mode of storage of large format imaging files; for example, MRIs.

Exchange of Data

“..blockchain, digest chain, and structured peer-to-peer (P2P) networking techniques may help resolve issues with legacy IT systems and data sharing agreements may also be defined,” the policy says, with regard to sharing of inter-organisational health data, especially in the case of legacy IT systems which may not be as interoperable, and considering users may have security fears over cloud-based sharing.

Further, the policy says that the data fiduciary (entity storing the data) will be responsible for ensuring that any processor it outsources work to is in compliance with the HDRP guidelines to avoid any breaches. The two will also be responsible for managing any requests for extensions on periods of retaining data and efficient storage techniques.

Storage and maintenance

Very briefly, the policy asks that stakeholders enable over-writing, anonymisation, or other methods for removal or erasure if a data principal (i.e. a patient) asks for it. It also broadly wants fiduciaries to adhere to the HDMP and Information Security Policy and to enable interoperability, and says fiduciaries will be responsible for maintenance of technology infrastructure.

How will this be supervised?

The data retention policy says that it will follow more or less the same structure as the Data Management Policy. A data protection officer (DPO) appointed by the Ayushman Bharat Digital Mission, which as per the HDMP manages grievance redressal, will look after compliance with the retention policy. The document also says that the DPO will have the additional responsibility of creating an audit mechanism and, in cases where a Health Information User (HIU) or Health Information Provider (HIP) no longer exists, will ensure data is not orphaned, through a data custodian.

Recap: What has been happening with the ABDM?

The ABDM, previously known as the National Digital Health Mission, rolled out nationwide in October after a pilot in 7 Union Territories for a year. Last week, MediaNama reported that so far nearly 14 crore Unique Health IDs have been created under the mission, 96% of which are connected to Aadhaar cards, with the NHA also recently enabling driving license-based authentication for UHIDs. As with the HDRP, the NHA has also said that it will be releasing a consultation paper on the ‘Drug Registry’ in the next month.

In the HDRP consultation paper, the NHA says that it has launched the following building blocks under it: Health ID, Personal Health Records (PHR) App, Healthcare Professionals Registry (HPR) starting with doctors, Health Facility Registry (HFR), and Health Information Exchange & Consent Manager (HIE-CM). While there hasn’t been any consultation or paper released on the HIE-CM, the NHA has released consultation papers on the Unified Health Interface (UHI), Health Professionals Registry, Health Facility Registry, NDHM draft implementation strategy, NDHM blueprint, data policy, sandbox framework guidelines, and other such papers.

Written By

I cover health technology for MediaNama, among other things. Reach me at anushka@medianama.com

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
