Digital health ID concerns

The idea is good but govt must address privacy issues

The official launch of the Ayushman Bharat Digital Mission (ABDM) started an initiative that will give every citizen a unique digital health ID, linked to a personal health record (PHR). The ID will also be linked to the Aadhaar. The process of assigning these health IDs started months ago when individuals using the Aadhaar to sign up for vaccinations on the CoWin app were assigned Digital Health IDs by default. It is hoped the ABDM will significantly improve the efficiency, effectiveness, and transparency of health service delivery. Someone with a health ID and PHR will be able to store personal medical history digitally (including prescriptions, diagnostic reports, discharge summaries, etc), access it, and share it as required. This can, for example, be of benefit to a patient with a medical issue while travelling. Similarly, it will allow for the seamless transfer of patients across health care facilities. Health insurance providers will also find it useful for more efficient service delivery.

For health ID creation through the mobile or the Aadhaar, the beneficiary will be asked to share details of the name, year of birth, gender, address, and mobile number/Aadhaar. However, there are serious concerns about such digital systems in key areas of privacy and consent, particularly because India does not have a personal data protection law. Reports indicate over 125 million people — anybody who used the Aadhaar to sign up for the CoWin app — has been assigned a health ID by default. Their consent was not explicitly sought, though it might have been hidden in the fine print of permission for CoWin. This is not an auspicious beginning in terms of consent and privacy. The security features of the PHR servers where the data will be recorded are also quite hazy. By definition, millions of individuals and multiple different agencies, institutions, and stakeholders will seek access to this data and leakages can prove damaging.

It should be possible for users to opt out of the health ID and ADBM and still receive health care. Also, user-consent for every granular access of the PHR and of the demographic data should ideally be built in. The official website says users will be allowed to permanently delete, or deactivate their PHR and health ID, if they desire. This would mean all demographic details would be erased. The devil will be in the detail of this inbuilt feature, but it will surely take care of some consent issues. The health ID will collate data and create a repository. This can, in theory, lead to better health care services and also aid in the creation of better health policies if that data is analysed for trends. But Aarogya Setu and the CoWin app, and their efficacy in practice, raise questions about some basic issues.

For instance, those without smartphones found it difficult to get onboard and exclusivity could be a problem here as well. More worrying, despite the obsession with gathering data, the pandemic was not efficiently tackled. Many died due to lack of oxygen, and the vaccination programme moved by stops and starts due to the late procurement of vaccines. Data collection is necessary to deliver more efficient services, but that in itself is not sufficient to assure such services if attention is not paid to the basics.