Under the ABDM, the NHA stores data on a vast number of Indian citizens availing the AB PM-JAY scheme. IFF is concerned that the NHA potentially publishes and publicly displays the sensitive medical data of up to 28 Crore patient beneficiaries under the AB PM-JAY on its scheme websites, without patient consent or data security principles in place. Sharing personally identifiable information on a public forum is a glaring violation of constitutionally-guaranteed patient privacy and of NHA’s own Health Data Management Policy, which governs the AB PM-JAY. This obligation cannot be overridden through the Digital Personal Data Protection Act, 2023 either. We dig into the legality of this data display and demand the removal of personally identifiable patient information.
The Ayushman Bharat Digital Mission (“ABDM”) is a flagship initiative of the Ministry of Health and Family Welfare (“Health Ministry”) together with the National Health Authority (“NHA”), which “aims to develop the backbone necessary to support the integrated digital health infrastructure of the country” by creating tech ecosystems and channels to digitise India’s health system, and with it, the health data and medical histories of 140.8 Crore Indians. As part of this, in 2018, India launched what is proclaimed as one of the world’s largest Government-Funded Health Insurance Schemes (“GFHIS”), the Ayushman Bharat Pradhan Mantri Jan Arogya Yojana (“AB PM-JAY”). The scheme seeks to promote universal health coverage in India by providing free health services to a bracket of “vulnerable” populations in India.
Since its launch, AB PM-JAY has registered over 28 Crore beneficiaries and empanelled over 27,000 hospitals. In line with the ABDM, this process is digitised from start to finish, and implicates the personal data of Crores of patient beneficiaries as they register and avail treatment under the scheme. In fact, information about patients who have availed treatment at empanelled hospitals is actively published by the NHA on their websites, along with their full names, date of discharge, and amount paid for treatment. When we first discovered this practice two months ago, we wrote to the NHA highlighting the glaring privacy concerns around publishing sensitive personal patient data on scheme websites, only to be met with silence (followed by a letter correcting the real number of affected beneficiaries). Last week, we wrote to the Joint Director, ABDM once again, reiterating the issue in response to his recent statements on how “comprehensive” data security measures under ABDM are (also followed by a letter of correction).
In this post, we dig deeper into how this public display of sensitive patient data on scheme websites violates core obligations under the fundamental right to privacy, and in the process, examine the consent and data security framework of the AB PM-JAY under ABDM.
How does AB PM-JAY work?
The scheme provides a health cover of Rs. 5 lakhs per family per year for secondary and tertiary care hospitalisation to a target of 55 crore beneficiaries, who form the “bottom 40%” of the Indian population. To avail the scheme, first, you must fall within the eligibility criteria, which varies state-to-state but is largely based on state-level SECC or BPL databases. Second, you have to register for the scheme and avail an Ayushman Card, which can be done at the empanelled hospital site, or a PM JAY kiosk. When you approach a registration desk, your name and ID card details are run through the Beneficiary Identification System (“BIS”), you are authenticated through a government ID, and issued an e-card.
From here, details of all the treatments you avail under the scheme are logged into the Ayushman e-card against your personal details. The empanelled hospital where you seek treatment as well as the NHA retain this data for an unspecified amount of time. Once you have successfully availed treatment under the AB PM-JAY, your personal identifiable data will shockingly appear on one of NHA’s scheme websites. If you liked our seamless privacy violation, rate us five stars!
We first identified a scheme website displaying statistics about the coverage and performance of the AB PM-JAY, and discovered that one section of the landing page allowed us to search for details of patient beneficiaries. We could search by state > district > hospital to land on a long list of results, which comprised: full name of the patient beneficiary, date of discharge, and amount paid by the patient for treatment. We ran a test search for close to 20 different filters, and landed on results anywhere between 23 to over 8,000 patient beneficiaries per search.
We have reason to believe that all patients who have availed treatment under the AB PM-JAY have been logged into this list, and to estimate the number of patient beneficiaries displayed, we have drawn inference from the number of Ayushman e-cards issued. Under AB PM-JAY, one is required to create an e-card before availing treatment, and the number of active e-cards currently is over 28 Crore. We acknowledge that some of these e-cards may be generated outside the context of hospital treatment, or that some hospital treatments may be repetitive. Thus, we are unable to arrive at the exact number of patient beneficiaries whose data is displayed, and will be relying on the number of e-cards issued.
NHA’s data display problem
We are concerned that the personal details of up to 28 Crore patient beneficiaries availing treatment under the AB PM-JAY are potentially being displayed by the NHA on scheme websites and can be easily accessed by the public. From the personal information of patient beneficiaries made available on the website, coupled with the selected state, district, and hospital where the treatment is availed, anyone could easily triangulate the individual the information pertains to. All this data is even available for download at state/district/hospital levels to any visitor. By sharing personally identifiable information on a public forum, presumably without taking specific consent from the data principals, i.e. the AB PM-JAY patient beneficiaries, the NHA recurrently violates patient privacy. Let’s find out how.
Display of data violates the fundamental right to privacy
The Supreme Court of India, in Justice K. S. Puttaswamy (Retd) v. Union of India (2017 10 SCC 1) (“Puttaswamy”), has held that privacy of medical or health data is a fundamental right under Article 21 of the Constitution. In order to infringe upon or limit the right to privacy under Article 21, the state intervention or action must comply with the three-pronged test laid down in the judgement. The intervention must be a) backed by law, b) necessary towards fulfilling a legitimate state aim, and c) proportionate, with a reasonable nexus to the legal objective. Justice S.K. Kaul added a fourth prong, stating that it must have procedural guarantees to check against abuse by state or non-state actors.
By revealing the full names, districts, and hospitals visited by patient beneficiaries availing treatment, the data being displayed becomes personally identifiable, and draws the application of Puttaswamy principles. Here, the intervention under scrutiny is the publication of patient data on scheme websites. On an assessment of the backing policy framework, we find that the policy does not allow or legitimise the publishing of patient beneficiary data by the NHA anywhere. In fact, as we will learn in later sections, it prohibits it. Thus the first prong of this test fails. On the second and third requirements, it may be said that publishing statistics about scheme uptake by beneficiaries is necessary to show the success of AB PM-JAY. While true, this aim can easily be achieved by presenting anonymised aggregated data (or simply statistics) on the scheme websites, as many of the state portals and other nodal scheme authorities do. These prongs, too, remain unsatisfied.
Finally, a fourth requirement is to establish procedural safeguards against third-party misuse of the personal data. One does not need to spell out how, by exposing the sensitive medical information of “vulnerable” populations on a public forum, the NHA egregiously fails on this count as well. It did not even try to pass!
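As an added illustration (not code from IFF, the NHA or any scheme portal) of the anonymised, aggregated alternative described above, the Python below takes constructed rows shaped like the listing the post describes (state > district > hospital, plus name, discharge date and amount paid) and reduces them to per-hospital statistics with small cells suppressed, alongside a release check that flags any direct identifier before publication. The field names, the sample rows and the suppression threshold are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample rows in the shape the post describes: the site's filter path
# (state > district > hospital) plus the per-patient fields it lists. All made up.
RAW_TREATMENT_ROWS = [
    {"state": "State A", "district": "District 1", "hospital": "Hospital X",
     "patient_name": "Patient One", "discharge_date": "2023-01-05", "amount_paid": 12000},
    {"state": "State A", "district": "District 1", "hospital": "Hospital X",
     "patient_name": "Patient Two", "discharge_date": "2023-01-09", "amount_paid": 8000},
    {"state": "State A", "district": "District 1", "hospital": "Hospital X",
     "patient_name": "Patient Three", "discharge_date": "2023-02-11", "amount_paid": 15000},
    {"state": "State A", "district": "District 2", "hospital": "Hospital Y",
     "patient_name": "Patient Four", "discharge_date": "2023-03-02", "amount_paid": 20000},
]

# Fields that, joined with the state/district/hospital filter, single out a person.
DIRECT_IDENTIFIERS = {"patient_name", "discharge_date"}

def aggregate_for_publication(rows, min_cell_size=3):
    """Collapse per-patient rows into per-hospital statistics (the aggregated form
    that still shows scheme uptake). Cells with fewer than min_cell_size patients
    are suppressed: a count of 1 or 2 against a named hospital is itself a disclosure."""
    cells = defaultdict(lambda: {"patients": 0, "total_amount_paid": 0})
    for row in rows:
        cell = cells[(row["state"], row["district"], row["hospital"])]
        cell["patients"] += 1
        cell["total_amount_paid"] += row["amount_paid"]
    published = []
    for (state, district, hospital), stats in sorted(cells.items()):
        entry = {"state": state, "district": district, "hospital": hospital}
        if stats["patients"] < min_cell_size:
            entry["suppressed"] = True      # publish no figures for a small cell
        else:
            entry.update(stats)
        published.append(entry)
    return published

def release_gate(published_rows):
    """Pre-publication check: report any direct identifier still present in the
    dataset. An empty set means there is nothing person-level left to post."""
    found = set()
    for entry in published_rows:
        found |= DIRECT_IDENTIFIERS & set(entry)
    return found

if __name__ == "__main__":
    print("raw listing leaks:", release_gate(RAW_TREATMENT_ROWS))
    print(aggregate_for_publication(RAW_TREATMENT_ROWS))
```

The same gate run over the raw listing reports the leaked fields, while the aggregated output passes it with the District 2 cell withheld.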
NHA contravenes its own Data Policy
…And after the massive Puttaswamy L, we are not surprised. Data collection, processing and storage under the ABDM is helmed by the Health Data Management Policy (“HDMP”). Clauses 31.1 and 31.2 of the HDMP state, “[a]ny personal data of the data principal shall not be published, displayed or posted publicly by any person or entity… A database or record of any data which has been processed under this Policy shall not be made public, unless such database or record is in an anonymised/ de-identified and aggregated form and is processed in accordance with the terms specified in Clauses 29.2 and 29.5 of this Policy.”
No refuge in the DPDPA
The HDMP, as any other specific personal data use policy, is overseen by the Digital Personal Data Protection Act, 2023 (“DPDPA”). Section 7(a) of the DPDPA specifies that the only purpose towards which a data fiduciary such as the NHA can process patients’ data is a purpose that the patients have voluntarily consented to. From an assessment of the available scheme documents, we note that NHA is not collecting consent for this action, and no ‘legitimate’ uses enumerated in Section 7(a-i) of the DPDPA allow NHA to assume the patients’ consent to be listed on a public website alongside their identifiable information. Therefore, the obligations under the HDMP cannot be overridden through the exemption provisions of DPDPA.
Further, many provisions of the DPDPA itself are skewed to the detriment of data principals like the affected patient beneficiaries. At the outset, the DPDPA falls short in categorically preserving patient privacy and according health data the high degree of protection it needs. The Act does not specifically define either health or health data. Special safeguards for ‘sensitive personal data’, which included health and medical data in earlier versions of the law, are absent in the incumbent DPDPA. Going deeper, some of its provisions can make matters worse. Section 8 allows for the non-consensual processing of health data in certain situations, “deeming” consent of patient beneficiaries. As we will learn, this is a dangerous power, especially in the hands of government agencies like the NHA, which actively circumvent patient consent to publish information under their various schemes. Further, the proposed Digital Information Security in Healthcare Act (“DISHA”), 2017, which couches some substantive safeguards and rights-centric provisions, has not yet been enacted. So the data privacy of patient beneficiaries is at the mercy of the HDMP, or hangs in the balance.
A closer look at the HDMP consent framework
The HDMP suffers from many deficiencies as a policy backing one of the world’s largest health data collection drives, the ABDM. We have previously recorded our concerns in submissions we made to the NHA on the draft HDMP. Here is a quick recap.
Under the HDMP, consent taken is required to be specific only to the purpose for collecting and processing personal data. In effect, data fiduciaries (such as the NHA) can secure one-time consent from users for collecting and processing personal data for one or more broad purposes. Such a policy precludes the user from giving or refusing consent on specific lines. The display of patient beneficiary data is a good example of this oversight – while one may have consented to the NHA processing their data, they have not specifically consented to them publishing it on the website.
The ABDM Personal Data Processing Model Consent Form acts as a tool for empowering patient beneficiaries, who belong to “vulnerable” groups and often do not possess the complete understanding of their data privacy or the dexterity to actively protect it. The form is deficient on many counts. It needs to explicitly mention that the collection of data is voluntary and refusal will not entail denial of services under the AB PM-JAY or any other scheme, and note the exact duration of time that the data will be retained for. Overall, the HDMP consent framework suffers from lacunae that can be exploited by data fiduciaries, such as the NHA itself, to violate patient data privacy.
You’re insecure, don’t know what for
Statedly, the HDMP is founded on the guiding principles of ‘data security and privacy by design’, as enshrined in Chapter V. Data fiduciaries under the HDMP are bound by the principles of accountability, transparency, privacy-by-design, consent and choice-driven sharing, purpose limitation, collection, usage and storage limitation, and the adoption of reasonable security practices. It is pertinent to note that, according to Clause 4(g) of the HDMP, ““data fiduciary” means any person, including the State” and hence, the NHA is squarely obligated to follow the same principles. We see that this is not the case. By making publicly available the sensitive medical information of Crores of patient beneficiaries on scheme websites without procedural propriety, the NHA is not only in contravention of these principles, but is also making this data vulnerable to leaks and security breaches.
Executives and stakeholders in the healthcare sector have recognised the cybersecurity risks posed by the ABDM. For instance, a healthcare firm’s executive has been quoted as saying of ABDM that “There would be a need to have 24x7 security surveillance ensuring every data byte is highly secure else it would open doors to hackers also in terms of exploiting the vulnerabilities and getting the access to relevant and valuable healthcare data.” This is even more concerning in recent times, with an increase in data leaks and security threats on public and private datasets. In 2023 alone, there have been several large-scale data breaches at BSNL, Redcliffe, Zivame, Taj Hotels, the Madhya Pradesh e-Nagarpalika portal, and of Aadhaar-linked data, to name a few. Any similar leak of sensitive health data collected as part of ABDM would cause severe and irreparable harm to Crores of citizens, which cannot be quantified or compensated in monetary terms.
Delulu is not the solulu
Vikram Pagaria, Joint Director at ABDM, recently spoke to ANI News about patient data security measures under the Mission. He claimed that “[P]atient information is obtained with patient’s consent, and individuals have the authority to decide for how long hospitals or doctors can access their information. Once treatment is completed, the patient's data is deleted, giving the patient control over the duration of access.” He further stated, “[P]atient data is not stored centrally…Under ABDM, no patient data is retained by the government or the National Health Authority. The data remains with the hospital only for the duration of the patient's treatment. Doctors can access the information only with the patient's consent.”
Needless to say, the current data practices under ABDM are nowhere close to the picture painted by NHA officials. The display of data on the AB PM-JAY scheme websites cannot be possible if, according to these press statements, “patient data is deleted” or “not stored centrally.”
Unless the beneficiaries have specifically consented to NHA publishing their details on its websites, which presumably they have not since the permission is not specifically sought by the NHA, we demand that their personal data be taken down. Here we echo the ideals of the Joint Director, that patient data should, in fact, not be stored centrally after the conclusion of their treatment, and that patients must be empowered to have control over the storage and sharing of their health data.