Electronic health records are a goldmine of information in India; insurance providers can forecast trends, pharmaceutical firms can concentrate on intervention for a specific disease, and diagnostic laboratories can advertise their tests to a specific audience. This is how India is creating digital health accounts of its citizens without their knowledge.
Rajendra Butte was shocked to learn that he had an Ayushman Bharat health account number in December of last year. He had not signed up for one.
Butte oversees registrations for the Ayushman Bharat Digital Mission, which seeks to digitalize India’s healthcare system by attempting to bring patient information, hospital information, and doctor credentials onto one platform for simple paperless interaction, as a monitoring and assessing officer in the Palghar district of Maharashtra.
The exercise is intended to be voluntary on paper. A hospital or diagnostic lab is registered as a healthcare facility, a doctor is enlisted as a healthcare professional, and an individual is registered as an Ayushman Bharat Health account owner.
Registrations were opened by the government in August 2020. But when Butte made the decision to sign up for himself, he discovered a health account number with his name on it and information like his Aadhaar and mobile number already there.
“It must have been automatically created when I registered on CoWIN,” Butte said of the government’s Covid-19 vaccination app. He added, baffled as to how the account was created without his permission, “I have told [government] hospitals to inform and then create accounts when patients visit.”
Interviews with people across India, however, indicate that this is not the case. Sonu Adil, a 34-year-old shopkeeper in the Bhagalpur district of Bihar, is unaware of what a health account number is, but his vaccination record includes a 14-digit unique health ID. “I was not asked or informed about this account,” he told the media.
Ranvijay Singh, in charge of the Ayushman Bharat program, said at a community health center in Uttar Pradesh’s Faizabad that the software automatically formed health accounts for those who provided Aadhaar details under the Pradhan Mantri Jan Argoya Yojana, or PMJAY, a government health insurance scheme.
“Once the health ID is generated, people receive a text message as confirmation,” said Singh. “That is when they come to know about their account.” He stated that it is not possible to contact each PMJAY beneficiary and explain the health account number.
Three-quarters of the 23.3 crore health account numbers that have been produced for people as of August 17 came from the CoWIN and PMJAY databases.
The government is having trouble registering private hospitals and physicians at the same time. Only 1.28 lakh medical facilities and 39,141 medical personnel had registered as of August 17. Eighty-five percent of them work for the government. Many claim they did it because they were urged to.
"Since the direction came from higher officials, I registered myself. It was sort of compulsory for us," said Dr Smita Vinod Bari, an ayurveda doctor working as a medical officer in a government primary health center in Dahanu, a taluka on Maharashtra's west coast.
The majority of hospitals and doctors in the private sector are stubbornly refusing to join the digital mission, invoking data security issues.
“Digital prescriptions may be misused by others,” said Jayesh Lele, secretary general of the Indian Medical Association. “The data of patients with HIV, tuberculosis and psychiatric conditions is sensitive and confidential and needs to be well protected,” he added. The association, which serves as an umbrella organization for 3.75 lakh allopathic physicians, has not yet requested that its members register on the website.
Even private hospitals are hesitant to register; only 5% of the hospitals that are registered are in the private sector, which serves almost 50% of all patients. According to N Santhanam, vice president of the Association of Hospitals, which has 53 significant hospitals as members, "for now none of our hospitals want to be part of it."
Government officials contend to have acknowledged these worries and ascribe doctors' and hospitals' unwillingness to aversion to change. “Digitisation of any sector is a difficult task,” said RS Sharma, chief executive officer of the National Health Authority, the agency implementing the project. “This is a culture which will slowly develop.”
Nevertheless, specialists in data security point out that such worries are legitimate. In the first half of this year, India ranked second worldwide for the number of data breaches, according to a study by virtual private network (VPN) service provider Surfshark.
Additionally, India still lacks a data privacy law. The government withdrew the Personal Data Protection Bill, 2019, which had been in the works for several years. A fresh bill is anticipated.
According to Raman Jit Singh Chima, Asia policy director for AccessNow, an online rights non-profit, the Ayushman Bharat Digital Mission makes no mention of any remedy or accountability in the event of data leaks. Chima also stated that the role of the National Health Authority is not specified. “Who do we go to complain if there is a breach?” he asked.
Digitising health records
In September 2021, Prime Minister Narendra Modi debuted the Ayushman Bharat Digital Mission. It was first conceived of as the National Health Stack in 2018. Blueprints issued by the government's think tank, Niti Aayog, called for the founding of a "unique Digital Health ID" (read below) for all Indians, with "a link to a strong foundational ID such as the beneficiary’s Aadhaar number."
Later, the phrase "Health ID" was replaced with "health account number." According to an official, the term was changed to avoid being associated with Aadhaar, the distinctive 12-digit biometric-linked number that was the subject of a contentious legal dispute on the basis of data security.
According to a representative of the National Health Authority, "just like a bank account account number is used to identify a bank customer, the health account number will identify the patient to transact his medical document." The official added that the health account number will necessitate a one-time password each time a hospital or physician would need to obtain a patient's medical records, much like a bank account does for handling any transaction.
Ayushman Bharat Health Accounts can be created via the mobile application or the website. After receiving informed consent from patients, hospitals, both public and private, can create account numbers for them. To open an account, one of the following identification documents is required: Aadhaar, driving license, PAN card, or passport are all acceptable forms of identification.
Patients can upload their medical records, including vaccination records from CoWIN and documents from DigiLocker, a government app that lets users virtually store identification documents, once their accounts have been created.
Additionally, to register as a healthcare facility, hospitals, diagnostic labs, clinics, and nursing homes must provide their address, registration license numbers, and details of their specialization.
A doctor or nurse must provide a copy of their degree, their state council registration number, and information about their area of specialization in order to register. The medical council a doctor belongs to, whether it be for unani, allopathy, homeopathy, siddha, or ayurveda, verifies their degree.
As soon as a patient enters a hospital, the system can obtain their medical records using their health account number. The patient has the option of granting access by entering a one-time password they receive on their registered mobile number or by approving a request sent by the hospital through their Ayushman Bharat Health Account mobile application account.
A hospital may access a patient's medical records and upload new records, diagnostic reports, and prescriptions after receiving permission. In a similar manner, a diagnostic laboratory may also upload a patient's reports. The patient has the option to share these records via the health account number if they go to another hospital or laboratory.
“The medical files are essentially stored on hospital A’s server,” the National Health Authority official said. “The patient is only giving access to hospital B to see that particular file from hospital A’s server.” He claims that the National Health Authority will not keep any patient medical records in a central database. Additionally, a patient has the option to grant access to only a select few reports for a predetermined amount of time.
Professor Arnab Mukherji, from the Centre for Public Policy at the Indian Institute of Management, Bangalore, said, “A unique health account has the potential to solve a standard problem we routinely face – the archival and storage of information generated at each touch-point with the health system from birth till death for every person on the platform.”
Professor Arnab Mukherji, from the Centre for Public Policy at the Indian Institute of Management, Bangalore, said, “A unique health account has the potential to solve a standard problem we routinely face – the archival and storage of information generated at each touch-point with the health system from birth till death for every person on the platform.”
Consent, data privacy concerns
The exercise is presumably voluntary, and anyone can choose not to participate or delete their account at any time. However, anecdotal evidence indicates that enrollment is not at all voluntary.
In fact, data from the National Health Authority reveals that from March to September 2021, when Covid-19 vaccination and registration on CoWIN were at their peak in India, there was a sharp increase in the creation of health accounts. The creation of Ayushman Bharat Health Accounts, which involved linking Pradhan Mantri Jan Arogya Yojana accounts, caused the second notable increase between January and March of this year.
The Ayushman Bharat Digital Mission website currently lists 23.3 crore health account numbers. On the basis of data obtained from the CoWIN portal, 12.9 crore accounts have reportedly been created, followed by 4.5 crore accounts connected to the Pradhan Mantri Jan Arogya Yojana.
The remaining ones could have been developed by the people themselves or through various government programs like those for tuberculosis and non-communicable diseases.
Accounts are being generated without the knowledge of the public, according to Abhay Shukla, a public health expert with Jan Swasthya Abhiyan, a network of civil society organizations and movements working for health rights. He explained, “This is to populate the database and show high registrations,” he said.
Demographic details about a person, including age, gender, and address, are also included in the health account number. According to Chima from AccessNow, once private health information is connected to the account, there may be a higher risk of leak or hacking. “Why can’t you [government] create a health ID system based on consent?” Chima asked.
He was trying to refer to the August 5 outage of the United Kingdom's public healthcare system, the National Health Service, which was eventually revealed to be a cyberattack that impacted the patient referral system. Similarly, Ayushman Bharat Health Accounts in India are vulnerable to such an attack.
According to Chima, India is attempting to establish a complex network of data exchange without legal protection. There is also no information on how private entities that misuse data may be punished.
According to National Health Authority data, over 3.4 lakh accounts' health records have been uploaded. Andhra Pradesh has uploaded the health information of the most account holders.
According to cyber security expert Vandana Verma, while digital health records are a noble goal, the government's claim that they are completely secure is deceptive. “Even top companies that invest a lot in cyber security are seeing breaches,” she said. “It is not possible that a system is completely safe.” Verma added that anything on the internet can be breached. “And in India we know that health systems are already not very secure.”
Smaller Indian clinics typically lack the funds to purchase a server to store patient data or online cloud storage. According to a representative of the National Health Authority, they are developing affordable solutions for this. To share software solutions with other stakeholders, a National Digital Health Mission Sandbox has been established. Additionally, the National Health Authority is being integrated with ESanjeevani, the government's online telemedicine service.
“We have to start somewhere to allow the ecosystem to build and innovate,” said Sharma, the chief executive officer of the National Health Authority.
A distributed system rather than a central database is a good idea technologically but is not secure, according to cyber security expert Muslim Koser. “It might create excessive overheads of managing security at every point of care and an oversight by the operators can lead to compromise of the system,” he said.
Koser also mentioned the Health Insurance Portability and Accountability Act, or HIPPA, which governs health information privacy and security in the United States. It outlines the technical safeguards that organizations must implement in order to protect an individual's health information.
“With the lack of a regulation of health data safety in India such as there is HIPPA in the US, it will be difficult to have a standard audited infrastructure connecting to a centralised system,” he said.
Despite the regulations, data breaches in the United States cost the health care industry an estimated $6.2 billion per year, according to a Ponemon Institute study published in 2016.
Electronic health records are a goldmine of information in India; insurance providers can forecast trends, pharmaceutical firms can concentrate on intervention for a specific disease, and diagnostic laboratories can advertise their tests to a specific audience. This is known as secondary data use.
Anita Gurumurthy, executive director of the non-profit IT for Change, which works at the crossroads of technology and social justice, voiced concern that small clinics or nursing homes might be unable to secure data.
For big corporations, health information is sensitive, intricate, and valuable. "We need to understand what kind of fissures we are creating for abuse of data by large corporations," Gurumurthy said. She stated that data sharing standards must be centrally defined and that the highest level of ethics must be implemented.
Read the document below:
Support GreatGameIndia
