In December last year, Rajendra Butte was surprised to discover that he had an Ayushman Bharat health account number. He had not registered for one.

As a monitoring and evaluation officer in the health department of Maharashtra’s Palghar district, Butte is responsible for registrations to the Ayushman Bharat Digital Mission, which aims to digitise India’s health system by bringing patient records, hospital details and doctors’ credentials on one platform for easy paperless exchange.

On paper, the exercise is meant to be voluntary. A doctor is registered as a healthcare professional, a hospital or diagnostic laboratory as a healthcare facility and an individual as an Ayushman Bharat Health account holder.

The government began registrations in August 2020. But when Butte decided to register himself, he found a health account number already existed under his name, complete with details like his Aadhaar number and mobile number.

“It must have been automatically created when I registered on CoWIN,” Butte said, referring to the government’s Covid-19 vaccination app. Perplexed over how the account was generated without his consent, he added, “I have told [government] hospitals to inform and then create accounts when patients visit.”

But interviews with people across India suggest this isn’t happening. In Bihar’s Bhagalpur district, Sonu Adil, a 34-year-old shopkeeper, does not know what a health account number is, but his vaccination certificate features a 14-digit unique health ID. “I was not asked or informed about this account,” he told Scroll.in.

At a community health centre in Uttar Pradesh’s Faizabad, Ranvijay Singh, who is in charge of the Ayushman Bharat programme, said the system automatically created the health accounts of those who gave Aadhaar details under Pradhan Mantri Jan Arogya Yojana, or PMJAY, a government health insurance scheme.

“Once the health ID is generated, people receive a text message as confirmation,” said Singh. “That is when they come to know about their account.” He said it is not possible to call each PMJAY beneficiary to explain what the health account number is.

Of the 23.3 crore health account numbers generated for individuals till August 17, three-quarters have been created using the CoWIN and PMJAY databases.

At the same time, the government is struggling to register private hospitals and doctors. Until August 17, only 1.28 lakh healthcare facilities and 39,141 healthcare professionals had registered. The vast majority of them – 85% – are in the government sector. Several say they did it because they were asked.

“Since the direction came from higher officials, I registered myself. It was sort of compulsory for us,” said Dr Smita Vinod Bari, an ayurveda doctor employed as a medical officer in a government primary health centre in Dahanu, a taluka on the west coast of Maharashtra.

Most doctors and hospitals in the private sector are resolutely holding out, refusing to enroll in the digital mission, citing data security concerns.

“Digital prescriptions may be misused by others,” said Jayesh Lele, secretary general of the Indian Medical Association. “The data of patients with HIV, tuberculosis and psychiatric conditions is sensitive and confidential and needs to be well protected,” he added. The association, which is an umbrella group of 3.75 lakh allopathic doctors, has not asked its members to register on the portal so far.

Even private hospitals are wary of registering – just 5% of the registered hospitals are from the private sector, which caters to nearly half of all patients. “For now none of our hospitals want to be part of it,” said N Santhanam, vice president of the Association of Hospitals, which has 53 large hospitals associated with it.

For their part, government officials claim to have addressed these concerns, and attribute the reluctance of doctors and hospitals to a resistance to change. “Digitisation of any sector is a difficult task,” said RS Sharma, chief executive officer of the National Health Authority, the agency implementing the project. “This is a culture which will slowly develop.”

Digital security experts, however, point out that these concerns are valid. India ranked second globally for the number of data breaches in the first half of this year, according to a report by Surfshark, a virtual private network, or VPN, provider.

Also, India still does not have a data privacy law in place. The Personal Data Protection Bill, 2019, in the making for several years, was withdrawn by the government this year. A new bill is awaited.

Raman Jit Singh Chima, Asia policy director for AccessNow, an online rights non-profit, said the Ayushman Bharat Digital Mission does not state if there will be any remedy or accountability in case of data leaks. Chima said the role of the National Health Authority is not indicated either. “Who do we go to complain if there is a breach?” he asked.

Digitising health records

Prime Minister Narendra Modi launched the Ayushman Bharat Digital Mission in September 2021. It was first conceptualised in 2018 as the National Health Stack. Blueprints released by the government’s think-tank, Niti Aayog, spoke about the creation of a “unique Digital Health ID” for all Indians with “a link to a strong foundational ID such as the beneficiary’s Aadhaar number”.

The term “Health ID” was later changed to health account number. An official said the term was changed to avoid an association with Aadhaar, the unique 12-digit biometric-linked number which was at the centre of a heated public debate as well as a legal challenge on grounds that included data security.

“Just like a bank account number is used to identify a bank customer, the health account number will identify the patient to transact his medical documents,” said the official from the National Health Authority, adding that the health account number will require a one-time password every time medical documents need to be accessed by a hospital or doctor, similar to a bank account that needs one for processing any transaction.

A person can create an Ayushman Bharat Health Account either through the mobile application or the website. Hospitals – public and private – can also create account numbers for patients coming in for treatment after taking their informed consent. To create an account, one of four identification proofs is accepted: Aadhaar, driving licence, PAN card or passport.

Once the account is created, patients can upload their medical documents, including vaccination certificate from CoWIN and records from DigiLocker, a government application that allows a user to virtually store identification proofs and certificates.

Further, hospitals, diagnostic laboratories, clinics and nursing homes can register as a healthcare facility and provide their address, registration licence numbers and details of their specialisation.

To register, a doctor or nurse must furnish a copy of their degree, state council registration number and share details of their specialisation. The doctors’ degree is verified by the medical council they belong to, whether of unani, allopathy, homeopathy, siddha or ayurveda.

The system is designed to work in the following way: when a patient visits a hospital, the hospital can access their medical records through the health account number. The patient can grant access either by providing a one-time password they receive on their registered mobile number or by approving a request generated by the hospital in their Ayushman Bharat Health Account mobile application.

Once granted approval, a hospital can access a patient’s medical records, upload fresh records, diagnostic reports and prescriptions. Similarly, a diagnostic laboratory can upload the reports of a patient as well. If the patient visits another hospital or laboratory, they can choose to share these records through the health account number.

“The medical files are essentially stored on hospital A’s server,” the National Health Authority official said. “The patient is only giving access to hospital B to see that particular file from hospital A’s server.” According to him, the National Health Authority will hold no medical records of patients on any central database. A patient can also decide to provide access to one and not all reports and for a specific time period.

Professor Arnab Mukherji, from the Centre for Public Policy at the Indian Institute of Management, Bangalore, said, “A unique health account has the potential to solve a standard problem we routinely face – the archival and storage of information generated at each touch-point with the health system from birth till death for every person on the platform.”

For the vision to succeed, however, all stakeholders – doctors, clinics, hospitals, diagnostic laboratories and individual citizens – need to be registered on the portal.

Consent, data privacy concerns

On paper, the exercise is meant to be voluntary and a person can opt out and delete their account anytime. But anecdotal accounts suggest that enrollment is far from voluntary.

In fact, data from the National Health Authority shows that the creation of health accounts rose sharply from March till September 2021, when Covid-19 vaccination and registration on CoWIN were at their highest in India. The second noticeable rise came between January and March this year, when Pradhan Mantri Jan Arogya Yojana accounts were linked to create Ayushman Bharat Health Accounts.

The website of the Ayushman Bharat Digital Mission has 23.3 crore health account numbers so far. According to the site, 12.9 crore accounts have been created on the basis of information taken from the CoWIN portal, followed by 4.5 crore accounts linked to Pradhan Mantri Jan Arogya Yojana.

Among the remaining, some may have been created by citizens themselves and some others through different government programmes like the ones for non-communicable diseases and tuberculosis.

Abhay Shukla, public health expert with Jan Swasthya Abhiyan, a network of civil society organisations and movements working for health rights, said accounts are being created without the knowledge of citizens. “This is to populate the database and show high registrations,” he said.

The health account number also includes demographic information of a person such as age, gender and address. Once sensitive health information is linked with the account, it may be at greater risk of leak or hacking, Chima from AccessNow said. “Why can’t you [government] create a health ID system based on consent?” Chima asked.

He referred to the August 5 outage at the UK’s public healthcare system, the National Health Service, which was later confirmed to be a cyberattack and which affected the patient referral system. Similarly, India’s Ayushman Bharat Health Accounts can also be prone to such an attack.

According to Chima, India is trying to create a complicated network of data exchange without any legal protection. There is also no information on how private entities misusing the data may be penalised.

Data from the National Health Authority shows that health records have been uploaded for over 3.4 lakh accounts. Andhra Pradesh has uploaded the health data of the highest number of account holders.

Cyber security expert Vandana Verma said digital health records may be a well-meaning idea but for the government to say it is completely secure can be misleading. “Even top companies that invest a lot in cyber security are seeing breaches,” she said. “It is not possible that a system is completely safe.” Verma added that anything on the internet can be breached. “And in India we know that health systems are already not very secure.”

Smaller clinics in India do not usually have the money to buy online cloud storage or a server to store patient data. A National Health Authority official said they are designing inexpensive solutions for this. A National Digital Health Mission Sandbox has been created to share software solutions with the other stakeholders. ESanjeevani, the government’s online telemedicine facility, is also being integrated with the National Health Authority.

“We have to start somewhere to allow the ecosystem to build and innovate,” said Sharma, the chief executive officer of the National Health Authority.

Muslim Koser, a cyber security expert, explained that storing information in a distributed system instead of a central database is a good idea technologically but not cyber security-wise. “It might create excessive overheads of managing security at every point of care and an oversight by the operators can lead to compromise of the system,” he said.

Koser also referred to the Health Insurance Portability and Accountability Act, or HIPAA, that regulates the privacy and security of health information in the United States. It lists technical safeguards that organisations must put into place to secure an individual’s health information.

“With the lack of a regulation of health data safety in India such as there is HIPAA in the US, it will be difficult to have a standard audited infrastructure connecting to a centralised system,” he said.

Despite the regulation, data breaches in the United States have cost the health industry an estimated $6.2 billion each year, a study by Ponemon Institute found in 2016.

In India, electronic health records are a goldmine of information – insurance companies can predict trends, pharmaceutical companies can focus on intervention for a particular disease and diagnostic laboratories can target a particular audience for advertising their tests. This is called secondary use of data.

Anita Gurumurthy, executive director of the non-profit IT for Change, which works at the intersection of technology and social justice, expressed concern that small clinics or nursing homes may not be able to secure data.

Health data is sensitive, complex and valuable for large corporations. “We need to understand what kind of fissures we are creating for abuse of data by large corporations,” said Gurumurthy. She said data sharing norms have to be centrally defined and the highest degree of ethics must be applied.

This reporting was supported by a grant from the Thakur Family Foundation. Thakur Family Foundation has not exercised any editorial control over the contents of this article.