It’s a wishful document with no details on how things will work out in practice.
No EHR standard is mentioned. (As per page 10 of https://ndhm.gov.in//assets/uploads/NDHM_Strategy_Overview.pdf, things like discharge summaries will have to be digitized in FHIR-R4, but which EHR providers are implementing these standards?) So, what can a data principal give consent to share? How much granularity would there be in giving consent?
This creates a high risk that the consent will become a blanket consent to share all data.
Also, when is the consent taken? Is it always taken after data is collected? Can a consent that is taken today be valid for data that is generated tomorrow? You can see in hospital admission forms today that there is a “consent” given while getting admitted. Will the NDHM consent become a casually obtained time machine like this?
There is repeated mention of revoking consent. How does that work in practice? What happens to data that was already shared? Will the health information user delete the data for which consent was revoked? Who verifies that?
Can an HIP deny a request for data sharing? Can I, as a doctor, act on behalf of my patient to protect my patient’s privacy by refusing to share data?