Health IDs: Unpacking the Narrative That Underpins India's New Digital Superstructure

Is ‘consenting’ to share our data enough to decide what happens with it?

Listen to this article:

Note: This is the first of a two-part series explaining India’s plunge into digitising healthcare data, the ecosystem this is being built on, the key players involved and the set of governmental and private interests behind this push. Read the second part here.

On Monday, Prime Minister Narendra Modi launched the Ayushman Bharat Digital Mission, a platform to digitise citizens’ health records and provide them to public and private hospitals, testing laboratories and pharmacies.

“Every Indian will be given a Health ID,” the prime minister had promised on August 15 this year, from the ramparts of the Red Fort, elaborating, “This Health ID will work like a health account for every Indian. Your every test, every disease – which doctor, which medicine you took, what diagnosis was there, when they were taken, what was their report – all this information will be included in your Health ID.”

As a part of the online registration process for vaccinations against COVID-19, anyone who uses their Aadhaar details to sign in to the CoWIN platform is automatically issued a new health ID.

Apart from issuing Health IDs and digitising citizens’ personal health records, including prescriptions, diagnostic reports, medical histories, and billing information, the Ayushman Bharat platform will also maintain a digital register of medical practitioners, hospitals, and clinics. These will integrate private telemedicine and e-pharmacy operators with the public citizen-facing ecosystem to facilitate digital consultations with doctors, book appointments with diagnostic laboratories, order medication to be delivered home, or integrate health insurance payments for these services.

“The core building blocks… shall be owned, operated and maintained by the Government of India. Private stakeholders will have an equal opportunity to integrate with these building blocks and create their own products for the market,” senior bureaucrat Indu Bhushan, who was spearheading the digital health mission earlier, told reporters during its launch.

Major private players have heralded the Ayushman Bharat initiative for allowing them parity with the governmental healthcare system.

“The implications of this programme are far wider than what is being perceived today. It’s like a neural system for the entire ecosystem where the signals will flow up and down. That is what would bring in efficiency in the healthcare system,” Ashutosh Raghuvanshi, managing director and CEO, Fortis Healthcare, told Business Standard.

However, critics warn that such platforms will be used by the government to shirk off its responsibilities towards developing public healthcare infrastructure and have questioned the lack of adequate data protection laws in India.

Before the COVID-19 pandemic, in July 2018, the NITI Aayog had released its strategy document for the National Health Stack. This marked India Stack’s foray into healthcare, promising to build a key link in providing better ‘quality of care’ to citizens. India Stack refers to a set of application programming interfaces (or APIs) for integrating software and hardware, developed in conjunction with UIDAI’s Aadhaar project, that will facilitate ‘cashless’, ‘paperless’ and ‘presence-less’ services from business and government. This idea was developed into the Data Empowerment and Protection Architecture (or DEPA), a draft framework proposed by NITI Aayog in August 2020 for how private corporations and government agencies can access citizens’ personal data. DEPA calls upon private developers to design ‘consent managers’ – software that will allow exchanges from databases holding citizens’ personal data with those agencies seeking it, with the individual’s consent. DEPA stipulates certain financial and regulatory obligations under which consent managers will be governed. 

How does DEPA seek to make India ‘data rich’ even while a lot of Indians remains very poor? And what are the threats that we must be protected from on this path to ‘data empowerment’? These are some questions that we delve into here. The rapidly expanding ecosystem of personal data-reliant services demands that we, as a society, face up to new challenges. But all that is silicon may not be gold. The role played by a small coterie of the financial and political elite in shaping India’s personal data governance machinery, in the pursuit of consent-based data sharing, is far from selfless. The Indian experience with personal data may have been different from the US, European, or Chinese ones, but it will be no less a stranger to controversy.

Prime Minister Narendra Modi virtually launches Ayushman Bharat Digital Mission, in New Delhi, September 27, 2021. Photo: Screengrab via PTI

Consent in code

DEPA’s consent managers will serve as intermediaries for handing over an individual or organisation’s personal data, similar to a notary or broker handling more traditional transactions. Consent managers will be ‘data-blind’, that is, they will not access any of the data under question or create copies in their own database but merely facilitate access to it for a fee. 

This is how the technology will work: A ‘data user’, which could be either a government or a private agency, will submit its request in a standardised format to the consent manager. The consent manager will inform the person or organisation, whose data is in question, of the kind of data being requested, what purpose it will be used for, how long it will be shared, and whether it will be handed over to third parties.

If the request is granted, one or more ‘data fiduciaries’ – the governmental or private entities hosting the data – will fulfil the request. DEPA stipulates certain design principles to ensure that what is being consented to can be clearly understood, arguing that market-based competition among consent managers will ensure that diverse populations are catered to as porting between them will not be a hassle.

Source: Data Empowerment and Protection Architecture draft

For this exchange to work, the data will have to maintain ‘interoperable’ standards, that is, it must be readable across consent managers and the databases which could potentially use it. DEPA proposes using Open Standards to allow data sharing and portability between applications, tasking relevant agencies under the central government to set up data ‘sandboxes’ – toolkits that allow commercial entities to test their products before release using anonymised data sets maintained by the government. 

While NITI Aayog predicts that individuals or small business can profit from allowing access to their data through a consent manager, charging them for each transaction may not be viable commercially. This is why consent managers may set up a subscription rate or enter into financial agreements with the entity requesting access to the data, the ‘data user’, to facilitate the transaction.

The regulation of DEPA’s consent managers has been delegated by NITI Aayog to sectoral authorities, as designated by the relevant Union ministry. Unregulated sectors can also use consent managers, in which case, the newly-designated Data Protection Authority (DPA) will serve as the regulatory authority. The Personal Data Protection Bill, tabled in the lower house of parliament in 2019, proposed setting up the DPA to monitor the use of public data, along the lines of the regulator SEBI in the securities market, IRDA in insurance, or TRAI in telecommunications. Currently, the DPA is set to be a wholly nominated body, while the data protection law awaits parliamentary approval for close to two years.

DEPA also states that, in certain cases, self-regulatory bodies may also be set up by businesses ‘to ease the burden on regulators’. An industry body called Sahmati is already performing such a role in the banking sector. 

‘Data empowerment’ in practice

The draft framework states that ‘financial inclusion’ is DEPA’s immediate objective, something it has in common with the ‘Jan Dhan-Aadhaar-Mobile’ trinity. Speaking at a Microsoft policy conclave back in 2016, Nandan Nilekani, ex-chairperson of the UIDAI, had illustrated what this brave new world of consent-based data sharing for banking could look like.

“Suppose I want to get a loan from someone, I can tell my bank, ‘Give me my bank statement, electronically signed,’ and I’ll give it to the lender. I can tell the Income Tax [department], ‘Give me my tax records,’ I’ll give it to the lender. I’ll ask the, you know… my social media guys to give me my behavioural data, and I’ll give it to the lender.”

However, NITI Aayog’s report also clarified that DEPA will be applicable beyond banking and insurance. Apart from Ayushman Bharat in healthcare, the Telecom Regulatory Authority of India’s recommendations for ‘user empowerment’ in telecommunications, ‘e-credentialing’ for vocational education, and the India Urban Data Exchange for ‘smart city’ governance are some other places this will play a key role. Earlier in September, the Reserve Bank of India gave its nod to expand ‘account aggregators’ (AAs), the technology behind the Unified Payments Interface (UPI), into lending. AAs can now digitally serve the financial information of individuals and small businesses to lenders. Over 14,000 accounts have requested to join the new platform within a fortnight, making details of bank statements, insurance policies and mutual fund holdings just a tap away for lenders.

Health’s data-sharing quest

What will DEPA look like when the healthcare sector embraces its data sharing potential? Progress made on implementing consent managers in healthcare that is demonstrated on the National Digital Health Mission’s sandbox website hints at what lies ahead.

Source: National Digital Health Blueprint

In one scenario, a cancer patient may provide her Health ID to her diagnostics lab. Her reports will then be available to her on any consent manager of her choice by simply linking her Health ID to the app.

Now, if a ‘health information user’, such as an insurance agency, requests to view the patient’s radiology reports, this pop up on the consent manager application. She can then choose to share the reports with the agency for a designated period of time by ‘agreeing’ to do so on the app, as shown below.

Linking records. Source: NDHM Sandbox website


Health Information User dashboard. Source: NDHM Sandbox website

In practice, however, it may happen that a private insurance agency may choose to grant medical coverage only to customers willing to link their Health IDs and share other digitised records. Similarly, they may offer special incentives to those who share their medical history and financial statements for more customised insurance premium plans. In both these cases, while consent managers may allow citizens to exercise their choice, as defined in technological terms, odds will weigh against the individual for withdrawing consent because they entail putting her insurance coverage on the line. 

The government, which is investing public resources in operationalising this digital ecosystem, is unlikely to play the role of a neutral arbiter either. Experience with voluntary enrolment under the UIDAI’s Aadhaar project, a biometrics-based identification system, illustrates this. With Aadhaar, not sharing biometric details with state and non-state agencies comes at a high cost. Activities ranging from opening Jan Dhan Yojana bank accounts, receiving subsidies or even buying a SIM card may be stalled, or become incredibly more tortuous, without Aadhaar linkage. In some cases, not sharing biometric details has resulted in being denied elementary government welfare schemes such as Mid Day Meals. With the prime minister’s public push for Health IDs, it seems that Ayushman Bharat is also heading the Aadhaar way. Welfare schemes in healthcare may be made contingent on digitising one’s health records, as has been done with a host of targeted benefits delivery schemes in the case of Aadhaar

India has roughly twice as many private hospitals as government ones, despite less than a quarter of its citizens having access to medical insurance. There is one Indian doctor for every 11,082 citizens, more than ten times the doctor to patient ratio prescribed by the World Health Organisation. Prasanna S., a Supreme Court lawyer who has challenged the mandatory linkage of Aadhaar, warns that the digital health mission’s data policy puts the cart before the horse. Without clearly outlining its public healthcare benefits, the government has restricted public consultation to the fine print of how a massive database of citizen’s health data will be created. How the NDHM, which facilitates the entry of private medical technology companies using publicly-funded infrastructure, will help India reduce its healthcare deficit has not been addressed.

Moreover, a nine-judge bench of the apex court in the K. S. Puttaswamy vs Union of India verdict had designated certain types of data, such as that related to healthcare, as ‘sensitive personal data’ requiring legal safeguards. “So once this private information is at play, any state measure necessarily requires law,” Prasanna pointed out to this reporter during a discussion on the NDHM’s health data policy last September. “Where is this law? There is no law as on date.” The proposed Personal Data Protection Bill, 2019 is yet to be adopted by the Lok Sabha. In effect, a series of position papers from NITI Aayog and private think tanks seen as being close to the government have substituted any general or sectoral legislation related to personal health data.

Over 55,700 Health IDs had been issued within a fortnight of the prime minister’s announcement.  Only on August 26 did the NDHM release a draft National Health Data Policy, which outlined certain protections for citizens’ sensitive personal data related to health. A week was initially provided for consultation with the public, which led technology watchdog groups such as the Internet Freedom Foundation to argue that the government was showing undue haste during a global pandemic.

Major conglomerates were already in the fray over this development. A day before Modi’s Independence Day address, the US-based retailer Amazon had launched its online pharmacy services in Bengaluru. Three days after the announcement, Mukesh Ambani’s Reliance Industries inked a Rs 620 crore deal to pick up 60% stake in the e-pharmacy company Netmeds.

Sourya Majumder is an independent researcher.