New Delhi’s All India Institute of Medical Sciences (AIIMS) is renowned for the quality and popularity of its medical services. Interestingly, the hospital has also served as an important testbed for many of India’s digital health initiatives. It was among the first to adopt the National Informatics Center’s e-Hospital system, a cloud-based hospital management information system. In 2016, the hospital announced free registration for patients who furnish their Aadhaar ID. More recently, it has also started integrating the Health Ministry’s new universal health ID scheme—the Ayushman Bharat Health Accounts (ABHA) IDs—with its systems.
Riding on this digitization wave, in October 2022, AIIMS announced that it would go completely paperless by the start of 2023. But less than a month later, the hospital’s digital systems came to a complete halt following a major cyber attack. The hackers took over AIIMS’ servers and encrypted the data on it, making it impossible for AIIMS to access its own systems. This forced an unplanned switch back to manual processes resulting in significant delays and inconvenience. At the same time, the incident compromised the privacy of thirty to forty million individuals whose data is reported to have been exposed in the attack.
Based on the design of the e-Hospital system, one can surmise that the AIIMS servers included data relating to patient registration, admissions, billing, use of lab services, and clinical records. The last category consists of sensitive personal data about patients’ health conditions, diagnosis, medical history, and prescriptions. The sensitivity of this information arises from its immutable character—a person’s medical history is permanent and non-perishable—and the grave implications of its misuse, including the stigma attached to certain health conditions.
In Private and Controversial: When Public Health and Privacy Meet in India, a recent volume that I edited, I highlight three factors that make this a particularly ripe time to discuss the intersections between privacy and public health in India.
The first is the extensive reliance placed by the Indian government on digital technologies during the management of the COVID-19 pandemic. The two most talked about examples of this were the Aarogya Setu app for contact tracing and the CoWIN platform for vaccine delivery management. But with public health being a state subject under the Indian Constitution, a range of digital initiatives were also adopted at the state-level. A mapping exercise by the Internet Democracy Project identified 72 central and state-level applications that were being used for purposes like quarantine enforcement, self-screening of symptoms, lockdown monitoring through drones, and issuance of travel permits.
Amidst the urgency of the pandemic, much of this deployment took place without adequate debate on the effectiveness and suitability of the interventions or their impact on user privacy. For instance, the study found that only 27 of the 72 initiatives had a dedicated privacy policy. While the existence of such a policy does not indicate its sufficiency or actual implementation, its absence certainly demonstrates the low regard for privacy concerns.
The normalization of data collection and digital interventions during the pandemic also offered an impetus for India’s new health digitization architecture. The second development, accordingly, relates to the rollout of the Ayushman Bharat Digital Health Mission (ABDM). Announced by Prime Minister Modi in August 2020, the mission’s objective is to incentivize the creation of ABHA ID-linked digital health records that can be easily accessed by patients and shared among participating institutions.
In a bid to protect the autonomy of individuals, the National Health Authority (NHA) that implements the ABDM has declared that participation in the system will remain voluntary. The effectiveness of this claim is, however, colored by the reality of India’s health and privacy inequity. The ABHA ID is already being integrated with several government schemes and state-supported hospitals. For instance, AIIMS alone sees a daily footfall of eight to fifteen thousand persons in its outpatient department. A decision to mandate or incentivize ABHA IDs by such institutions will, therefore, make the system de-facto mandatory for large segments of the population. This is similar to the history of the Aadhaar project, which was launched as voluntary but over time, became mandatory for accessing any welfare benefits from the state.
About 40 percent of the current 328 million ABHA IDs originated from the CoWIN platform. In many cases, these IDs were automatically generated, without any information or consent from the user, when people used their Aadhaar as identification for booking COVID-19 vaccinations. The brazenness of this enrollment drive amidst the vulnerabilities created by the pandemic casts further doubt on the voluntary credentials of the digital health architecture.
The NHA has published a Health Data Management Policy that is supposed to be adhered to by all the participants in the ABDM ecosystem. The policy records a commitment to “privacy by design” and lays down requirements relating to notice and consent, right to access and erasure of records, and limitations on the collection, use, and storage of personal data. In addition, it outlines an electronic consent management architecture to collect and maintain verifiable records of user consent.
The introduction of the policy is no doubt a positive move and its contents are well aligned with the general principles of data protection. Yet, its effectiveness is marred by the lack of statutory legitimacy of the NHA itself and, consequently, of its policy guidelines. For instance, the only consequence of non-compliance with the NHA’s policy seems to be that the establishment could be excluded from further participation in the ABDM system. For the rest, any privacy violation will be governed by the provisions of applicable laws. But India is yet to put in place a legal framework for data protection, although discussions in this regard have been going on since the Supreme Court’s Puttaswamy verdict in 2017 declaring privacy to be a fundamental right.
The discussions surrounding the proposed data protection law, therefore, present the third framing point for the essays in Private and Controversial. The latest iteration of the draft bill, titled the Digital Personal Data Protection Bill, 2022, came out in November 2022. It contains several deviations from the previous versions that were under discussion since 2018, the last of which had even been debated upon by a Parliamentary Standing Committee. Notably, the new draft does away with the special category of sensitive personal data, including health data, which would have been subject to certain enhanced protections. The draft bill also introduces a concept of “deemed consent” recognizing medical emergencies and public health considerations as situations where data processing can take place without the individual’s consent.
There is much to be said about the contents of the new draft, but the delay in its adoption, especially after the previous draft was already at an advanced stage of discussion, is equally telling. Similarly, on the cyber security front, there has been much talk about the need to overhaul India’s cyber security framework. But this has so far not been accompanied by tangible actions that go beyond deliberation by councils and formulation of task forces. These gaps become all the more significant in light of the active push to encourage the digitization and sharing of personal data under projects like the ABDM.
To circle back to the AIIMS story, the incident offers a reason to question how we can balance the euphoria around health digitization with the legal and implementation realities of our system. What would it take for big institutions such as AIIMS and much smaller medical establishments across the country to have the incentives and systems to protect the privacy rights of their patients? And what responsibility does the state bear when patient rights are compromised in the wake of its push for digitization of health records sans effective safeguards?
Smriti Parsheera is a Fellow with the CyberBRICS Project, Fundação Getulio Vargas (FGV) Law School, Rio de Janeiro. She is the editor of Private and Controversial: When Public Health and Privacy Meet in India (HarperCollins India Pvt Ltd, 2023).
India in Transition (IiT) is published by the Center for the Advanced Study of India (CASI) of the University of Pennsylvania. All viewpoints, positions, and conclusions expressed in IiT are solely those of the author(s) and not specifically those of CASI.
© 2023 Center for the Advanced Study of India and the Trustees of the University of Pennsylvania. All rights reserved.