On September 27, the Prime Minister launched the ‘Aayushman Bharat Digital Mission’ (ABDM) to create a seamless online platform that will enable interoperability within the digital health ecosystem.
As per the statement issued by the Prime Minister, “every citizen will now get a Health ID and their records will be digitally protected.”
The ABDM is the latest of the government’s attempts at digitising service delivery in India under its flagship Digital India Mission launched in 2015.
The ABDM is the successor of the National Digital Health Mission (NDHM), which was launched by the Prime Minister in August 2020. The rollout of the NDHM (and now the ABDM) has raised crucial questions regarding the integrity and safety of an individual’s data, as well as accessibility for marginalised and impoverished communities. It has also led to concerns that those without a health ID could become targets for healthcare exclusion.
Attempting to answer these questions requires a historical understanding of the government’s digitisation process and how the ABDM fits within it. Doing so reveals the fact that while digitisation may be a necessary step to future proof our systems of governance, it is currently hindered by legislative, infrastructural and accessibility roadblocks.
The history of public sector digitisation can be traced back to the 2006 National e-Governance Plan (NeGP). The plan attempted to expand digital infrastructure within remote parts of the country and ensure that government services were easily accessible.
Initially, it focused on governance schemes such as banking, land records, issuance of pensions and passports. However, with the introduction of the Digital India Mission in 2015, the ambit of the digitisation process was expanded to include nearly all the interactions between the state and its citizens such as healthcare, education and transportation.
Throughout this time, instances like the introduction of Aadhar have pointed to the shortcomings of viewing digitisation as a silver bullet for nationwide welfare service delivery.
The use of Aadhar over the past 10 years has been fraught with concerns over privacy, data security and exclusion, all of which are applicable now in the case of the ABDM.
No legislative framework
In most cases, the digitisation of public delivery services has been done in the absence of any legislative framework. Rather, they have primarily been undertaken through a series of administrative orders with minimal judicial and legislative oversight. The ABDM is no exception to this.
The Government first announced the NDHM policy in 2020 in the six union territories, later extending the ABDM to the entire country, all in the absence of clear law. The state may point to ‘The Health Data Management Policy’ as justification for such policies. However, a policy cannot be a substitute for a law passed by Parliament.
It is also important to note that the ambit of these digitisation measures ranging from the PM-JAY scheme to ABDM has been undertaken and extended in the absence of any cohesive data protection law in the country. The Personal Data Protection Bill, 2019 is still pending before the Joint Parliamentary Committee.
Further, in certain jurisdictions, states like Delhi and Tamil Nadu have also announced the launch of health identity cards for residents of their states; and there is little or no clarity on the relationship between the state and central cards.
No informed consent
The Health Data Management Policy recognises the Health ID as “requiring the express consent of an individual prior to its creation.”
However, multiple reports have pointed to Health IDs also being generated for citizens who used their Aadhaar card to register for their Covid-19 vaccines on CoWIN. This process was seemingly done without any prior attempt at informing citizens that the use of Aadhar would result in the creation of a health ID.
The Ministry of Health and Family Welfare, in its response to an RTI application filed by Medianama, stated that as of August 16, 2021, 11,05,42,794 Health IDs have been created through the CoWIN platform. This is in addition to the Health IDs which have been generated in the six union territories.
Inadequate infrastructure
The pandemic has underlined the importance of a health system that ensures both quality and affordability. Digitisation of healthcare will play a crucial role in this, provided that there is an underlying robust technological system.
A report by the Ministry of Electronics and Information Technology titled ‘Adoption of Electronic Health Records: A Roadmap for India’ highlighted that the government hospitals and dispensaries have very little ICT infrastructure with only some major public hospitals having computers and connectivity.
As per the findings of another study, apart from poor infrastructure and poor connectivity, there are also issues relating to low spending/budget on information technology of hospitals. In comparison to many countries that spend close to 5% of the total hospital budget on IT, Indian private hospitals tend to spend only 2.5% of the total hospital budgets on IT. The corresponding share is much lower in government hospitals.
Data security, data sharing
The government has stressed the voluntary nature of the health ID and how its absence cannot be used as a justification for failing to provide health services. However, as was demonstrated during the vaccination drive, the ground realities of introducing a new ID can be different from those mandated by the state. For example, despite Aadhar not being a mandatory requirement for obtaining vaccination, there have been instances of hospitals refusing to accept IDs other than Aadhar. The worry, therefore, becomes that there will be a similar disconnect in the case of the health ID.
Given the sensitive and private nature of data associated with the health ID, concerns persist over its security and the extent to which it can be shared. The health management policy does lay out security measures that must be taken when handling such data; though with previous reports of Aadhar data being leaked, such measures are far from infallible — especially when data is shared across a number of entities.
The policy also allows for the sharing of de-identified health data for research and policy formulation purposes.
However, the policy fails to identify the appropriate de-identification methods that would be necessary for such sharing. This combined with the absence of a clear non-personal data governance framework can cause ambiguity as to the extent to which information is de-identified prior to sharing.
The Covid-19 pandemic has shown and highlighted the role that a well functioning public healthcare system plays in healthcare management.
And while digitisation of the healthcare system is necessary and can help in addressing certain challenges such as transparency, maintenance of large and voluminous health records, access by doctors to the patients' older records, it should not be at the cost of addressing the basic challenges faced by a large part of the population in accessing affordable and effective healthcare.
To that end, any attempt at digitisation should be very specific, limited in scope and have adequate protections to ensure that individuals are not excluded.
And such a process must be part of a much wider healthcare strategy that focuses primarily on ensuring that existing systems are strengthened and enhanced rather than replaced by technology.
(Aman Nair is a Policy Officer at the Centre for Internet and Society, Pallavi Bedi is a Senior Policy Officer at the Centre for Internet and Society)
Watch the latest DH Videos here: