New Delhi’s All India Institute of Medical Sciences is renowned for the quality and popularity of its medical services. Interestingly, the hospital has also served as an important testbed for many of India’s digital health initiatives. It was among the first to adopt the National Informatics Center’s e-Hospital system, a cloud-based hospital management information system.

In 2016, the hospital announced free registration for patients who furnish their Aadhaar ID. More recently, it has also started integrating the Health Ministry’s new universal health ID scheme – the Ayushman Bharat Health Accounts IDs – with its systems.

Riding on this digitisation wave, in October 2022, AIIMS announced that it would go completely paperless by the start of 2023. But less than a month later, the hospital’s digital systems came to a complete halt following a major cyber attack.

The hackers took over the servers of AIIMS and encrypted the data on them, making it impossible for the hospital to access its own systems. This forced an unplanned switch back to manual processes, resulting in significant delays and inconvenience. At the same time, the incident compromised the privacy of 30 to 40 million individuals whose data is reported to have been exposed in the attack.

Based on the design of the e-Hospital system, one can surmise that the AIIMS servers included data relating to patient registration, admissions, billing, use of lab services, and clinical records. The last category consists of sensitive personal data about patients’ health conditions, diagnosis, medical history, and prescriptions. The sensitivity of this information arises from its immutable character – a person’s medical history is permanent and non-perishable – and the grave implications of its misuse, including the stigma attached to certain health conditions.

In Private and Controversial: When Public Health and Privacy Meet in India, a recent volume that I edited, I highlight three factors that make this a particularly ripe time to discuss the intersections between privacy and public health in India.

The first is the extensive reliance placed by the Indian government on digital technologies during the management of the Covid-19 pandemic. The two most talked about examples of this were the Aarogya Setu app for contact tracing and the CoWIN platform for vaccine delivery management. But with public health being a state subject under the Indian Constitution, a range of digital initiatives were also adopted at the state level.

A mapping exercise by the Internet Democracy Project identified 72 central and state-level applications that were being used for purposes like quarantine enforcement, self-screening of symptoms, lockdown monitoring through drones, and issuance of travel permits.

Amidst the urgency of the pandemic, much of this deployment took place without adequate debate on the effectiveness and suitability of the interventions or their impact on user privacy.

For instance, the study found that only 27 of the 72 initiatives had a dedicated privacy policy. While the existence of such a policy does not indicate its sufficiency or actual implementation, its absence certainly demonstrates the low regard for privacy concerns.

The normalisation of data collection and digital interventions during the pandemic also offered an impetus for India’s new health digitisation architecture. The second development, accordingly, relates to the rollout of the Ayushman Bharat Digital Health Mission. Announced by Prime Minister Narendra Modi in August 2020, the mission’s objective is to incentivise the creation of Ayushman Bharat Health Account ID-linked digital health records that can be easily accessed by patients and shared among participating institutions.

In a bid to protect the autonomy of individuals, the National Health Authority that implements the Ayushman Bharat Digital Health Mission has declared that participation in the system will remain voluntary. The effectiveness of this claim is, however, coloured by the reality of India’s health and privacy inequity.

The Ayushman Bharat Health Account ID is already being integrated with several government schemes and state-supported hospitals. For instance, AIIMS alone sees a daily footfall of 8,000 to 15,000 persons in its outpatient department. A decision to mandate or incentivise Ayushman Bharat Health Account IDs by such institutions will, therefore, make the system de facto mandatory for large segments of the population. This is similar to the history of the Aadhaar project, which was launched as voluntary but, over time, became mandatory for accessing any welfare benefits from the state.

About 40% of the current 328 million Ayushman Bharat Health Account IDs originated from the CoWIN platform. In many cases, these IDs were automatically generated, without any information or consent from the user, when people used their Aadhaar as identification for booking Covid-19 vaccinations. The brazenness of this enrollment drive amidst the vulnerabilities created by the pandemic casts further doubt on the voluntary credentials of the digital health architecture.

The National Health Authority has published a Health Data Management Policy that is supposed to be adhered to by all the participants in the Ayushman Bharat Digital Health Mission ecosystem. The policy records a commitment to “privacy by design” and lays down requirements relating to notice and consent, right to access and erasure of records, and limitations on the collection, use, and storage of personal data. In addition, it outlines an electronic consent management architecture to collect and maintain verifiable records of user consent.

The introduction of the policy is no doubt a positive move and its contents are well aligned with the general principles of data protection. Yet, its effectiveness is marred by the lack of statutory legitimacy of the National Health Authority itself and, consequently, of its policy guidelines.

For instance, the only consequence of non-compliance with the National Health Authority’s policy seems to be that the establishment could be excluded from further participation in the Ayushman Bharat Digital Health Mission system. For the rest, any privacy violation will be governed by the provisions of applicable laws. But India is yet to put in place a legal framework for data protection, although discussions in this regard have been going on since the Supreme Court’s Puttaswamy verdict in 2017 declaring privacy to be a fundamental right.

The discussions surrounding the proposed data protection law, therefore, present the third framing point for the essays in Private and Controversial. The latest iteration of the draft bill, titled the Digital Personal Data Protection Bill, 2022, came out in November 2022. It contains several deviations from the previous versions that were under discussion since 2018, the last of which had even been debated upon by a Parliamentary Standing Committee.

Notably, the new draft does away with the special category of sensitive personal data, including health data, which would have been subject to certain enhanced protections. The draft bill also introduces a concept of “deemed consent” recognising medical emergencies and public health considerations as situations where data processing can take place without the individual’s consent.

There is much to be said about the contents of the new draft, but the delay in its adoption, especially after the previous draft was already at an advanced stage of discussion, is equally telling. Similarly, on the cyber security front, there has been much talk about the need to overhaul India’s cyber security framework.

But this has so far not been accompanied by tangible actions that go beyond deliberation by councils and formulation of task forces. These gaps become all the more significant in light of the active push to encourage the digitisation and sharing of personal data under projects like the Ayushman Bharat Digital Health Mission.

To circle back to the AIIMS story, the incident offers a reason to question how we can balance the euphoria around health digitisation with the legal and implementation realities of our system. What would it take for big institutions such as AIIMS and much smaller medical establishments across the country to have the incentives and systems to protect the privacy rights of their patients? And what responsibility does the state bear when patient rights are compromised in the wake of its push for digitisation of health records sans effective safeguards?

Smriti Parsheera is a Fellow with the CyberBRICS Project, Fundação Getulio Vargas (FGV) Law School, Rio de Janeiro. She is the editor of Private and Controversial: When Public Health and Privacy Meet in India (HarperCollins India Pvt Ltd, 2023).

This article was first published on India in Transition, a publication of the Center for the Advanced Study of India, University of Pennsylvania.
