BQ Explains: How The National Health ID Will Work

The national health ID Is the healthcare version of UPI, said NHA’s Dr. Gedam in an interview to BloombergQuint.

An oxygen cylinder sits next to a bed in a makeshift ward at an emergency Covid-19 care center set up in the Shehnai Banquet Hall at the Lok Nayak Jai Prakash Hospital Annexe in New Delhi. (Photographer T. Narayan/Bloomberg)
An oxygen cylinder sits next to a bed in a makeshift ward at an emergency Covid-19 care center set up in the Shehnai Banquet Hall at the Lok Nayak Jai Prakash Hospital Annexe in New Delhi. (Photographer T. Narayan/Bloomberg)

A UPI-like platform that allows electronic health records to be shared across patients, doctors and healthcare providers. That’s the simple illustration Dr. Praveen Gedam offered in an effort to explain the government’s national Health ID programme.

It has been work in progress for two years, first discussed by the NITI Aayog in 2018 as part of an initiative to build a National Health Stack and then reiterated last year in the National Digital Health Blueprint. On Aug. 15 this year, Prime Minister Narendra Modi announced the rollout of a National Digital Health Mission. That includes a health ID that “will work like a health account of every Indian”, Modi said.

“This account will contain your details of every test, every disease, the doctors you visited, the medicines you took and the diagnosis.”

Over the past decade, several countries have adopted different versions of national electronic health record systems. As far back as in 2016, the World Health Organization noted that 47% of countries had a national EHR system. The WHO report also noted that while “implementing EHR programmes is complex and costly, EHRs have the potential to provide clinical decision-makers with complete and accessible information for every patient at point of care, thereby improving the quality and timeliness of care, and, in aggregate, providing better data on effectiveness and coverage of interventions. Key international standards are being implemented for interoperability.”

The Indian national health ID programme is being first tested in six union territories: Puducherry, Chandigarh, Dadra and Nagar Haveli, Ladakh, Andaman & Nicobar Islands, Daman and Diu, and Lakshadweep. Learnings from that will be incorporated into a nationwide rollout.

How It Will Work

A national health ID will help ensure the longitudinal medical history of a person is available at one place and this has personal as well as public benefits, said Dr. Gedam, additional chief executive officer at the National Health Authority, in an interview to BloombergQuint’s Menaka Doshi.

The key features he described are:

  • The government will play a foundational role and facilitate interoperability, standardisation of medical nomenclature, etc.
  • While project cost has not yet been worked out, he estimates it to be in the region of Rs 150 crore.
  • It will be voluntary or opt-in for citizens, doctors and healthcare providers. There will also be an opt-out available.
  • The national health ID will be allocated online via a registration procedure that could take less than a minute.
  • Currently, in the pilot phase, the number is linked to a citizen’s Aadhaar number or phone number. At a later date more choices will be offered.
  • There will be three centralised registries—for citizens, doctors and healthcare providers.

The rest of the system is a “federated structure”, Dr. Gedam said.

“…if you go to hospital X, the reports will remain in the server or cloud or whichever system hospital X is using. It’s not going to go to a hospital Y or any other city; it’s going to remain there. Now if patient A goes to hospital Y and tells him that I’ve been to hospital X, the doctor in hospital Y will ask okay, can I access those records; patient will say yes and only then those reports will be accessible to the doctor to read in hospital Y. So, it’s like sharing the link of a Google doc if I can give a crude example.”
Dr. Praveen Gedam, Additional CEO, National Health Authority
  • Data accuracy will be the responsibility of the entity creating the data, say hospital, and corrections can be made by that entity with an audit trail.
  • The NHA is considering offline options as well to overcome connectivity issues.
  • Private sector participation will be sought to build the platform as well as populate it with services such as telemedicine, etc.
  • While anonymised data may be used for public health purposes, it cannot be used for commercial purposes, Dr. Gedam said.

Why No Law?

The 2016 WHO report noted that within countries with a national EHR system—78% reported legislation protecting the privacy of personal information, and 54% reported legislation to protect the privacy of electronically held patient data. But in India, neither exists. Like in the case with the early years of Aadhaar, there is no legislation in the works to underpin this national health ID project. As for a data privacy law, it is yet to be passed and has attracted much criticism for diluting rights. Yet, Dr. Gedam insists existing laws will be enough to protect citizens of any foul play or misuse in the national health ID programme too.

…we already have enough legal frameworks. We have to consider the legal framework available through our traditional laws that are CPC, CRPC, IPC, Consumer Protection Act and the various laws governing the medical and healthcare regulations including Clinical Establishment Act, NMC bill. So, we have those. Then IT Act which basically gives evidentiary and documentary electronic document now, on a similar level which is a paper document.
Dr. Praveen Gedam, Additional CEO, National Health Authority

Watch the full interview here:

Here are edited excerpts from the interview:

What’s The Use Case?

Why do we need a health ID and what is the established use case for a health ID or a health account?

A health ID is a key element of what we are envisaging to create the national digital health ecosystem. It’s a system of systems and we are planning to ensure that all the health records of all individuals shall be stored in a digital environment, in a secure and private fashion and shall be accessible to the doctors and other healthcare professionals as per the requirement. To make this happen, it is necessary to have a health ID to which these health reports can be linked to.

So for example, I have a particular health ID. I will go on linking my health records which have been accumulated till now and will also get them linked in future from various hospitals, laboratories and clinics so that the data of medical records get built up; what we call where the longitudinal medical history of a person is available at one place, which is so important for providing quality healthcare.

Of course, this has many other advantages going beyond personal healthcare in terms of public health and public policy, we are all witnessing the watershed moment in the history of humankind in the form of the Covid pandemic. So this data and this digital ecosystem will also be useful in managing that.

Why does the government need to be involved in creating a health ID? Why not leave it upto citizens to use private services to digitise their health records if they choose?

See, it is not an initiative of only the government. What is being planned is the collaboration or a joint effort between the government and the private sector, but the role of the government definitely comes in as far as one point is considered. We are planning to have three basic modules or fundamental registries. One is of a health ID, the other one is of doctors and the third one is health facilities. We must have a single source of truth; data which can be relied upon.

For example, when it comes to the data of a doctor, if a doctor is really a doctor or not that can be verified only by the Medical Council. Similarly, for health facilities, we have to have somebody certifying that yes this is the health facility rather than anything else. Also, obviously why the health ID is given by the government- because we want the health ID to be unique in the sense that the same number should not go to more than one individual and that is the reason there should be a single origin or single set of numbers from which the health ID is getting generated.

Now, this is not only a government initiative. I can give you an example of UPI interface which is used for financial transactions. You have the government app called ‘BHIM’ which is running on that interface, but all the private banks are linked to it and then we have other apps like PayTM, PhonePe, Google Pay and all that.

So what we are planning here is exactly the same. We will allow private players who follow the regulations assure of the privacy and security so that they can plug in their systems into the platform so that private players will have their electronic medical records running on the same platform. Similarly, private players can have a system of telemedicine running on this platform.

The health ID should be unique for the simple reason that you should be able to identify one particular number with one particular individual but the private sector is very much going to be involved in this whole effort and we look forward to collaborate with them. This has been discussed and described in detail in the National Digital Health Blueprint which forms the basic framework of the NDHM.

One last point about why the government is required. When issues of certain standardisations come, for example nomenclature of medical records is one very complex issue. So we should have some standardisation across various systems of private players. So there the role of the government will come and C-DAC, which is an agency of Government of India has been working into it so that the data should be able to talk to each other across various systems of various private names. So that’s the limited role that the government is going to play. Yes, it a very significant foundational role but the private sector is very much there.

The benefit for an individual citizen is the ability to have all of his/her health records in one place. That seems to be a limited benefit for a national programme of this scale. Have you done a cost benefit analysis of this programme?

So, how do you calculate cost of one life? That is the basic question and then how do you calculate the cost of 135 crore people? It is a very complex issue. The question is something like this, what is the cost benefit analysis of having an email account? So, it’s something very intangible but I’m certain that by investing a few hundred crore rupees, the cost of this initiative is really insignificant if you compare the budget of the ministry or the government but the benefits are humongous. I mean the best thing to happen for a doctor while seeking history from the patient is to have all the records which have been created in the past right from the immunisation in childhood or even the pregnancy of his mother till now-- it cannot be a ascertained in any monetary terms. That is one.

Then the cost in terms of public health, I mean, we are witnessing the adverse effects of the Covid pandemic on the economy. If we are to use the anonymised the data for proper decision making and to ensure correct interventions in the public health sector, the benefits will certainly be much, much higher than whatever the miniscule amount that we are going to invest. This is in fact the way to go forward, many countries have moved ahead and it’s time for India to go forward.

Yet there must be a rough cost to this project, what would it roughly cost to get every Indian a national health ID?

What we are doing right now is a pilot phase and we have developed the three basic softwares and we shall be developing the softwares even further and that will be after we float the RFP and follow the proper bid process. So the exact cost will come out of that bid process but I am certain that it will be probably be not more than Rs 150 crore but I cannot comment at this moment because it will come only after a competitive process is completed.

So Rs 150 crore is approximately for six union territories?

I am talking about the whole platform throughout India. It is one online portal which we have opened only in six union territories. The same portal and the same server will serve for all other states and union territories. It’s only a matter of taking feedback from users who understand the feedback better so that we can then make certain changes, for example, in the case of user interface or user experience before we reach out to the remaining.

Surely the physical process of allocating a number to every individual is going to cost a lot more than just Rs 150 crore on a nationwide basis, isn’t it?

No. See, we are not going to insist for any printed card. A person is supposed to have a number and that’s all and once this is rolled out beyond the six union territories, it takes less than 60 seconds to have a number if you log on to the system through the website— That is one way of getting it.

The other way of getting the number will be whenever the person goes to a health facility—a hospital or a lab, he can get it there.

It’s not the case that it is something like the application for a passport or something else. It’s just like the creation of an email-id.

So I don’t think we require any specific amount or investment for creation of email-ids, as many email ids as possible. So you can visualise the system in that way.

Unique, Voluntary, Incentives

Will you link this number to some other national identity - Aadhaar number or a passport number or something else? How will you make sure that every individual in the country who wants to enroll in this has a unique health identity?

To start with we are allowing two types of verifications - one you can use Aadhaar and then in that case, our system talks to the Aadhaar server and verifies the person.

The other option is to use your mobile number.

In the long run, we may consider adding other alternative options like the passport, PAN card and the driving license but right now, we have rolled out the system using these two identifiers. Either use your Aadhaar number or use your mobile number and then create your health ID.

In semi-urban, rural areas, more than one member of the family might be using the same mobile or there might be just one or two phones in a family of five. You would have more than one identity linked to that number then?

So, we are definitely allowing more than one account to be linked to one mobile exactly because of the reason that you just quoted. In fact, if somebody’s not having a mobile, he also can have health ID created whenever he has his first interaction with any healthcare provider at the counter.

How will you verify identity? How would you do that in groups which might share the same phone number or where phone numbers might change or things like that?

See, as far as Aadhaar-verified numbers are concerned, there is no question. When you give your Aadhaar number, it will get verified only if Menaka Doshi’s OTP which is submitted in the system which will go to Menaka Doshi’s phone number.

Now coming to the second point, the mobile based verification. You will create your health ID and go have an interaction with a doctor. So, you have to visualise the NDHM ecosystem as a digital version of the existing system. So, whenever you interact with the doctor, what he does is; he gives you a couple of papers which are medical reports, a prescription and so on. What we are contemplating is that instead of giving those physical copies to you, he will ask for your health ID for which you will get prompt or a notification on your app or you will get an OTP the way it happens while interacting with two different systems. That will be transferred from his system to your mobile, or your tablet or laptop once you share the OTP.

Now, for example when Menaka Doshi goes and meets a doctor, he will send an OTP. It will obviously come on your mobile device you are supposed to share with him, or you will get a notification on your mobile which you are supposed to press ‘Yes’ for sharing and only then, the data exchange happens. So the system ensures that the records will reach the intended beneficiaries only and it is not possible that some other Menaka Doshi will receive an OTP. And she will obviously not give consent because she knows that she’s not with the doctor.

So there are enough checks and balances in the system to ensure that the records reach the right person.

This is a voluntary process, right? Citizens can opt to have this number or choose not to have it at all and continue with the way they’re currently accessing health services?

Yes, it is a voluntary service and an voluntary opt out is also there. So, if you join in and after a while you feel that okay, I don’t want to continue in the system and you can opt out as well.

So this is something like having an email id but there is a reason why we have kept it voluntary. We presume that the system has so many advantages. See, even now we haven’t made email mandatory, right? But still everybody ends up having an email id because the advantages are so many that we presume that people will realise the advantages which the system brings and people will join voluntarily and very proactively.

Will it also be voluntary for doctors and healthcare providers? How are you going to incentivise them to ensure that standardisation of systems and interoperability so as to share information seamlessly across the country?

The incentives are in-built. If a doctor or a health facility joins the health facilities registry, it is making itself available when the patient searches for them on his mobile.

Let’s say (you are searching for) nearest orthopaedic surgeon in Delhi. So, he is on boarding himself or his facility on the platform making it available for consultation so that is the biggest advantage the doctor has.  

The second advantage is obviously the ease of access to the medical history of the patient for providing better healthcare so these two are big enough incentives for them to join. It is not mandatory for these doctors and hospitals to join but we are sure that given the kind of benefits that the system offers, they also will join in a big number.

In fact we are very pleased to share that in six union territories, doctors and hospitals have already started enrolling on the platform. They have realised the importance. I have had extensive interactions with the stakeholders and I don’t see any reason or any concern among them for not joining.

So, you are only enrolling doctors that are accredited with the Medical Council of India or the body that has now replaced it, and healthcare centres only the accredited ones?

The doctors are always registered with the Medical Council or whichever council it may be. So there is no case of a doctor who is not registered with the council.

So, you’d be double checking that the enrolled in the Digi-Doctor directory is a certified doctor?

I would like to clarify that we are not adding any more authority.

When the doctor applies on Digi-Doctor, the application is automatically routed to the Medical Council and they approve that okay, this person is in our register. So we are giving them two options. One is electronic verification where the data is digitised, and in those medical councils where the data is not digitised, we are allowing manual verification too. So we are not bringing in any additional authority for the regulation. So, a doctor is just applying saying that okay, I am doctor XYZ, having a degree in MBBS and MD, it will go to the Medical Council and the Medical Council will say okay and he’s on-board the platform. That’s the process.

What about clinics and hospitals?

As far as clinics, laboratories and hospitals are concerned, there is nothing like the Medical Council where a single source of data is there.

There are certain registries like the NHRR where a lot of data about these facilities is present. So, what we are doing right now is, we have pulled up this data of NHRR which has around 8.5 lakh facilities already registered and we are allowing these facilities to get on-boarded. It’s a multi-layer verification. The first and foremost verification will be by the district authorities who will just verify the existence of that particular facility and then that facility will be on-boarded. So right now, that will take place and then to ensure the ease of doing business of this facility; see what is happening right now is, each facility is required to take numerous permissions. One permission for fire, one for PC-PNDT, another from the Atomic Energy Regulatory board and so on and so forth depending on the facilities. So, what we are planning is basically trying to give access to all these regulatory bodies to our platform. So, it will again provide an extremely easy process of getting these accreditation from various bodies; more than 60 such bodies for these facilities as well and it will reduce the paperwork to a large extent and increase the ease of doing business for these facilities.

So, it will be a two-stage process. First, we will be verifying that yes, this facility, lab or the hospital exists in this city and it is on boarded and other agencies will then start renewing their certifications/licences on the same platform. That’s the idea.

Have you modeled this on system on another country’s experience. Ofcourse the most cited model is the U.K. one - NPFIT that failed.

I will put it like this. We have studied similar models for various countries like Korea, Singapore, Australia, Estonia, Israel, U.K., U.S.A., Egypt, U.A.E. and so on and so forth... but given the complexities, the size and heterogeneity of the country, which is actually a continent called India under a very peculiar administrative setup, we have incorporated best features of these various countries but definitely our model is tailor-made to India needs.

There is one particular issue of standardisation of nomenclature which is a very complex issue in medical science. So, we have taken the internationally accepted standards such as the International Classification of Diseases by WHO and again, we are adding India-specific words to that. 

For example, Ayurveda is almost exclusively an Indian system of medicine. So, it requires additional modification in this nomenclature which we are doing with the help of C-DAC and we can say that what we are doing is an Indian model learning from the experience of the other countries.

For a hospital or clinic to enroll and share data seamlessly it will have to invest in systems besides the ones it runs? How are you going to defray that cost? Because that was one of the biggest stumbling blocks many countries have faced when encouraging private service healthcare providers to join an electronic health records programme of this sort.

Most of the major hospitals or almost all the laboratories already have a system which will continue to be used and they will be integrated. So it’s not the case that they will be required to have a totally new system.

What we are planning is to have a sandbox that will be up and live hopefully today (Aug 26) in which we will start integration of all the existing systems in India which are already being used. What will happen is only the inter-connectivity will be getting established between two different systems. So, we already have different electronic systems of banking running and UPI only got them connected together. So, we are doing something like this.

Now, there is a question - what happens if any doctor or hospital doesn’t have any system right now? So, for him it will be a new investment which would have been done in any case even if the system was not to come because most of the diagnostics have already shifted to some or other IT-based system and most of the major hospitals and even medium-sized hospitals have also shifted.

For the benefit of smaller establishments, we are definitely considering roll-out of a basic software that is free of cost. So for those who are not keen to invest in anything, they can use this basic software like the BHIM app for example and those who really want value-added services, they can go for any private product. So I think this is not going to be an issue of much concern as far as I see.

You’ve cited the UPI model - but in the case of a financial transaction there is a limited amount of information that is to be shared in a transaction. In the case of health records, you would have X-rays, you would have prescriptions etc. How will all this data  be shared among stakeholders without any major system change?

What we are contemplating is a federated architecture.

Except for the three registries that I talked about- those three registers will be central, everything else will be decentralised and close to the point of delivery of healthcare.

So it has been described in detail in the blueprint but to tell you very briefly...

If you go to hospital X, the reports will remain in the server or cloud or whichever system hospital X is using. It’s not going to go to a hospital Y or any other city; it’s going to remain there. Now if patient A goes to hospital Y and tells him that I’ve been to hospital X, the doctor in hospital Y will ask okay, can I access those records; patient will say yes and only then those reports will be accessible to the doctor to read in hospital Y.

So, it’s like sharing the link of a Google doc if I can give a crude example.

So it’s not going to be the case that the data will keep moving from one system to another. It is only based on the requirement and only after the consent - which can be partial or complete or it can be given for a limited period of time; it can be even limited number of records rather than all the records; so this consent will be given to the doctor by the patient that yes please access my documents or read my documents which in any case he does in the physical format right now. He can take the earlier reports, the xerox copies or originals to the next doctor so; the same thing will take place in the digital environment.

It’s not going to be the case that the reports will be going from here and there; they will be stored in a federated fashion, in a decentralised fashion in various systems. The only requirement that we are seeing is that the system should be compliant with the basic requirements of security and privacy. Only then they can log in and get integrated with the platform.

So, this federated system that you’ve been describing to me, is it already in play in the six union territories or are you still building it out?

So, we have built three directories and we have created a sandbox and various systems are already in use in the various union territories.

For example, there is a system in Chandigarh, Pondicherry, Dadra and Nagar Haveli, and we will be linking in and plugging in those systems into our sandbox. The sandbox is a testing environment. So, once the testing is done, it is certified and then those systems will get corrected. So at this moment, the sandbox will be live maybe today and then the process of integration will start and in a matter of few weeks, the integration will be complete.

Is There A Law?

Why do we need a separate number? If people have enrolled for Aadhaar, why can’t that Aadhaar number itself be the one that gets used?

The reasons are legal rather than technical. So for the legal reasons, we can’t make Aadhaar mandatory for this particular purpose but we are definitely giving them an option to use Aadhaar.

If you use Aadhaar and generate your health ID, then I am not saying that you must remember your health ID separately. You can still remember only Aadhaar, log in using that or you can also have additional alias like Praveen@ndhm which is easy to remember. So, we are allowing all the options to the patients.

You would have noticed many websites; where they ask you to create a new account login using a Facebook account or login using a Google account. So, it is these kinds of options we are giving, we are trying to make things simple but for legal reasons, we cannot say that Aadhaar numbers should be used and that is the reason we have given an additional option. Obviously, they can use either - they can use the Aadhaar number; they can use their mobile number as well for logging in. So we are giving out multiple options.

You’re comfortable with the fact that all it will take is a simple mobile number to log in and access my health records with an OTP? You’re not worried about the safety or the integrity of this?

See, let’s believe in the IT power of India.

There are two ways of safety, integrity, privacy, one is the legal aspect and the other is the technical aspect.

We have already proven with the successful rollout of Aadhaar; which is the largest database of its kind, very complex and actually sensitive data- we have successfully proven to the world that we can secure and store it in a very secure fashion and use it for the benefit of mankind. So, let us not have any doubt about the capabilities on the technical side as far as India is concerned.

Now, I come to the legal point. The legal point is that there are certain principles of law that are laid down in various judgments of the Supreme Court like Puttaswamy, then the others like the PDP bill which is in consideration in the Parliament. So, we have considered all these aspects and all these precautions which are envisaged from the legal point of view have already built into the design. It’s not added as an add-on thing later on.

So all the legal and technical precautions have been taken to ensure that the data remains secure, it will be the patient’s data and the patient will be the master of the data. It will be accessible to the doctor to the extent and for the time the patient or his legal guardian desires. So, that is the system and I assure you on behalf of the Government of India and to all citizens of India that rest assured your data will be very secure and very safe.

I appreciate the assurance but I think in the case of Aadhaar as well, we’ve seen over the last several years several data leaks, private information being available publicly, we’ve seen misuse of the data, we’ve seen correlation of Aadhaar data with other data that is an invasion of privacy of the individual.Besides, what if my phone is stolen and someone uses my phone number and the OTP to be able to access my health records?

These are all simple to complex concerns which brings me to the broader question, is there a law backing this national health identity?

I will come to a phone getting stolen; it is parallel to your medical file getting stolen. So that is the case even now your physical file can get stolen but in the case of your phone, probably you can have an additional feature; it is better than the existing system. We can have a lock-my-app kind of a feature which is there in many phones even now. For example, nobody can access my phone and it opens up only when my fingerprints are in or when I put my own OTP. So, it’s in fact going to improve what the situation is right now, that is first. Again, we will definitely have that option of disabling access. When you try to do some banking transactions, you always get a message ‘If it was not you, please call this number’. So I think things have been made easy by the use of technology rather than difficult.

Even if I take at face value - can you tell me if there is a law underlying this entire system?

See, we go by three-four laws, all the judgments of the Supreme Court, because of constitutional provision, they have force of law. So all the judgments including Puttaswamy, then the IT act of 2000 as amended in 2008 and PDP bill which is expected to be passed in the parliament and obviously the general laws like CRPC and IPC will be applicable.

So, there are enough legal provisions to ensure that number one, the data is not breached and if somebody tries to do mischief, the severest punishments can be given. So I think there are enough provisions.

One of the criticisms Aadhaar faced was that the entire programme was rolled out several years ago without a clear legislation that underpinned the programme - that ensured that it would work in a certain way, that it afforded privacy in a certain way, it afforded security in a certain way and how it could not be exploited.

So why is it that we haven’t learned from Aadhaar...and decided that an ambitious program of this scale should not be underpinned by a legislation?

First, who decides whether a particular programme has legal validity or not. It is the higher judiciary of India, High Courts and Supreme Courts. As far as Aadhaar is concerned, numerous cases were filed against Aadhaar and it came out to be a winner and the Supreme Court has upheld the validity of this programme even before the Aadhaar Act was passed. The Aadhaar Act was passed quite recently in fact compared to the rollout that is one.

Secondly, we already have enough legal frameworks. We have to consider the legal framework available through our traditional laws that are CPC, CRPC, IPC, Consumer Protection Act and the various laws governing the medical and healthcare regulations including Clinical Establishment Act, NMC bill. So, we have those. Then the act called IT Act which basically gives evidentiary and documentary value to electronic document now on a similar level which is a paper document. So, the laws have to be read together, you cannot read laws in isolation.

But that still doesn’t take away from the fact that an extensive national health identity programme of this nature, where anonymised data might be used, where data might be shared with private sector entities... that data might be shared internationally and with international health entities, all of these issues—whether it’s the sharing of data, the securing of data, the privacy of data, whether it is the right with regards of the person enrolling in this program to be able to correct inaccurate data—what happens if the inaccuracy lies at the data entry point of the hospital? What happens if the inaccuracy lies at the data entry point of the doctor? Who’s liable in situations like these?
All of these are very complex issues that should be captured by a law that lays all of this very clearly.

Laws are there to lay down the way in which executives are supposed to function. There is a clear cut distinction between the roles of legislature and executive we already have a mandate from legislature supported by various judgments of the Supreme Court and I don’t see a single step in our implementation which is going beyond the mandate of any law or any second the principle of law.

I am not suggesting you are violating the laws or violating any judgment. There is no judgment on the national Health ID because there hasn’t been an ID all this time. Why not have a legislation that clearly identifies how this programme is going to work, who bears what responsibility for security, for accurate data, for access? Who bears what liability for inaccurate information, for leak of data. This is exactly the problem we ran into with Aadhaar.

We already have provisions. For example, for the leak of data we already have provisions in the various laws that I explained. So, the law is fairly well defined and codified in the Indian judicial system.

So, if there is an entry of inaccurate data - suppose a hospital system messes it up - or suppose there is an internal mess up by the National Health Authority, where will the liability will lie?

You have to compare this with the present scenario.

So, a hospital X generates an incorrect report, let us presume, and that is taken to hospital Y - whose liability is fixed? It is the report-generating person in hospital X and both on the civil and criminal side, the responsibility lies with the hospital X.

So, in each step, it is possible to fix the responsibility if inadvertently or deliberately incorrect data entry is done and there is a very nice feature that we are building into the system. We are logging and keeping the audit trail of each and every alteration in the record.

So, it is not the case that somebody is going to say, okay, I’m deleting my earlier record and replacing it with this. Both the reports will remain, the newer version will be seen but older version- who made that version, from which IP address, who was the user, what were his credentials, when were they logged into the system (will remain).

So, I see things moving to more accountability than the present system with what we are having right now. In fact, this is beneficial as far as tackling the problem that you are just citing as an example.

Digital Disadvantage

What about the denial of service due to the lack of bandwidth or connectivity?

Two things. One, we’re definitely considering offline modules. We understand the problem of connectivity in India and that exactly is the reason we have Ladakh, Andaman and Lakshadweep—the far flung areas in our pilot to test our system.

Secondly, once the connectivity is established, whenever it may be, you can have your record and store it in your mobile. So even if the connectivity is lost later, you can still make it accessible to the doctor. So we are definitely considering certain limited features as well. For example, feature phones don’t have those display arrangements which a smartphone has. So we are definitely moving on the principle of inclusivity and definitely not trying to exclude any possibility.

We understand that a lot of areas in India, rural, tribal, hilly or the remote terrains-they need to be seen with extreme sympathy and we cannot end up catering only to metros. So we are definitely considering those systems but let us also not wait for the day which may not come when the mobile range is available in each and every 33 lakh square kilometres of India. It’s a movement forward, we are going forward and simultaneously infrastructure is getting ramped up.

Now, till yesterday, Andaman and Nicobar was a problem but last week we had this undersea cable connectivity to Andaman all of a sudden increasing connectivity and now it has connectivity which is better than many countries in the world. So I’m in touch with the authorities in Port Blair and they were extremely happy with this new cable. So, we are definitely trying on all the fronts and at the same time taking care of basic features and also, some disadvantages that certain locations may have.

Who will have the right to correct inaccurate data? Will the user or the patient himself have the right to do that; will hospitals have the right to do tha?

It is with the person who creates the data.

Let us say I have done my haemoglobin examination and by mistake, it is written 15 and the technologist feels that it should not be 15 but it should be 14.5. So, it is the pathologist that corrects it.

In case there is some spelling mistake in some prescription, let’s say Crocin is incorrectly written, then the physician will realise the mistake and he will correct it.

So, what I’m saying is that the existing systems, the existing legal rights and the existing legal liabilities will continue to remain as it is. The only difference is that the paper is replaced by a digital document. That’s it.

This will exist also, I would imagine, in regional languages? Because one of the broad concerns is how will semi-urban and the rural populations, that may not be digitally savvy, be able to make best use of this? Or detect misuse.

When we talk about digital health data, we are not presuming that every single hospital has high-end and state-of-the-art digital ID systems which has inbuilt features of ICD, FHIR etc. We can still continue to call the same disease by 10 different names and all are scientifically correct names. For example, cardiac arrest, heart attack, myocardial infarction, blockage of coronary artery. All are the same disease and all are correct names and I don’t expect that from tomorrow all doctors in India will start learning that you have to call it cardiac arrest and not the heart attack. No, it’s not going to happen and we don’t expect that.

So what we are planning is as follows.

We have a spectrum. On one end of it, we expect that as far as possible, kindly use ICD guidelines. The other end of spectrum is - okay, if you want to continue to scribble on the piece of paper because you’re comfortable, the OPED runs into hundreds of patients so please continue scribbling on the paper and upload the PDF or JPEG. The middle end of the spectrum is that you can enter free text but not in a standardised form. So, it’s a whole spectrum that we are allowing.

Now this whole spectrum of data will be available to the other side. Obviously when it comes to AI and ML-based algorithms; it will be the standardised data which will be more amenable to the algorithm. The middle part will be slightly less amenable to algorithm and the PDF may not be available unless you have a machine reader kind of additional add-on facility.

We don’t see that from Sept. 1 for example, everything starts in ICD-11,  it is not going to happen. We are going to allow, and give that transition period for doctors, patients and everybody so that the transition is actually smooth.

You may recall the earlier days and I remember receiving some emails in which letters were written, scanned and forwarded or sometimes I received WhatsApp messages written instead of typing. So, somebody takes a photo and then sends it across. So, that’s the flexibility that WhatsApp or email offers. The same kind of flexibility we are going to provide in this system.

Have you involved states in this because health is a state issue?

I’m happy to share that we have interacted with states in numerous meetings, the whole NDHB was created after extensive stakeholder consultation including the states and even this implementation of national digital health mission, we already had meetings with all health secretaries of various states, union territories.

I’m very happy to share that many states are in fact are requesting us why we have not taken to the second stage - because we wanted to start small and then scale fast. That’s why we started with union territories. So the states are excited to join this initiative and there is extremely positive feedback. We already have requests coming from many states that they may be taken up in the subsequent days as soon as possible.

Not only states, we have had interactions with hospitals from the smallest hospital to the biggest hospital, from the remotest village to the topmost specialist in metros. We have had interactions with more than 600-700 stakeholders so far and we continue to have interactions. Our website is open for feedback, anybody can go and give your feedback and we are constantly reading, analysing and trying to improvise the system.

Private Sector Participation

In the six union territories that you are currently rolling out this pilot programme, have you already identified private partners? I’m looking at private sector participation in two ways. One is in being able to facilitate your rollout of this programme and the second is when you eventually choose to share data with private entities. I want to talk about both of them.

When I say that we discussed with almost 700 stakeholders, 150 were companies providing various solutions in health care and we have their presentations in the public domain as well on our website. We have definitely involved them and definitely the umbrella associations like NASSCOM, CII. So, we have spoken to as many players as possible and we are willing to speak to more but I don’t think we have left out any company in India to speak to.

I’m just wondering if you already identified any private partners for the pilot rollout?

We have the used NHS IT resources which we are using for the Pradhan Mantri Jan Arogya Yojana, and Ayushman Bharat already with. So we have developed a basic system using them. For a larger implementation we will get a player on board through a competitive, open and a transparent process.

This player will have access to private health data - how you will ensure that that is secure? On the second end my concern is about how you will ensure that sharing of data on a commercial/non-commercial basis, even for research purposes, with private entities is done in a secure, non-invasive fashion?

I’d like to answer it quickly. The provisions and legal provisions for sharing of such data are already laid out and they are also contained in the PDP bill. Now, even though the PDP bill is not passed we are going by it.

So, the data cannot be used for commercial purposes. For example, we won’t be allowing insurance companies to use the data for deciding what kind of premium they want to fix.

We may allow the use of data only by certain authorities after following certain guidelines which will be defined and only for anonymised data.

So, as a health secretary for example a Director General of ICMR will be able to see what is the temporal and spatial distribution which is taking place pertaining to a particular disease given the pandemic or epidemic or endemic kind of a situation - so that I can make suitable public policy and public health interventions. That kind of a use may be allowed but only subject to anonymisation. For example, Delhi is having 100 cases or someone is having 200 cases and not that Dr. Praveen Gedam is having a X disease and so and someone is having Y disease.

So, these are the legal issues which are already contained in the PDP bill and which will be further fine-tuned. Let me assure you we don’t want this to be given for any commercial exploitation.

I come back to the issue for the need of an underlying legislation, for the need of an independent regulator. This programme is currently being implemented by an arm of the ministry itself. There is way too much conflict in that.

Who is going to independently regulate the rollout of a program of this nature and ensure that whatever the goals or objectives are met in a fair fashion?

Again, I go back to the same answer.

We do have regulators for doctors; we have councils who are empowered to revoke the license if something goes wrong. We have local authorities, which are empowered to take action against health facilities. What we are providing is only an online platform. We don’t see of ourselves as a regulator at all. We are just a facilitator providing an online platform.

You don’t believe that an underlying law would give this a lot more strength and give users a lot more comfort?

See, throughout the history of mankind, law is always an evolution. Law always evolves as per the requirement of the state and the requirement of the civilisations. Medical or the healthcare field cannot be objectively converted into zero or one kind of scenario. It’s a highly complex issue. Whenever any issue of legal repercussions arise, it goes beyond the law into the realm of medicine which cannot be just defined in your algorithmic base. So, what happens, we already have evolved laws.

For example, let’s say the case of medical negligence which can come in this case also because of negligence through telemedicine—let’s take that case.

So we already have certain principles of law which say that okay, the judge will not go into the medical aspects of the case but this will be dealt with by experts of the same speciality based on which the judge will make the decision. This is what our consumer law for example plays out in actual judicial practice. So those laws are already there, they will continue to regulate and govern whatever practice will come through this platform.

As far as the IT platform is concerned, again, maintaining the integrity of the IT platform there’s a separate law in the form of the IT Act and other relevant regulations.

Obviously, the requirement of better laws is there not only in the medical field or the finance field but everywhere. It is always there and that’s why we have a parliament and so many assemblies, right? So, these are being discussed they will evolve and we will adapt our platform to the evolving laws.

One of the most frequently cited instances of an effort of this nature on a national scale is the experiment that the U.K. tried - NPFIT. I’ll list some reasons for its failure.

One is, there were frequent tech failures, several major incidents, the inability to protect all of the data or make the data easily accessible.

The second is that many of the electronic forms - the nomenclature was not standardised, they didn’t talk to each other and therefore the data entry was all over the place.

The third one was the costs that stakeholders had to bear to be a part of the system, or to ensure that the interoperability worked.

Fourth, it was very ambitious, it didn’t seem very essential and nobody was even clear as to what the individual’s benefit was in this case.

What makes you think that in India this will be a success?

We will be learning from the mistakes of other countries. We are not going to repeat the mistakes and let us believe in India’s capacity. I repeat, we are the nation which has sent satellites and rockets at the cost of less than the production cost of a Bollywood movie.

We are also the nation that is taken more than two or three years to stabilise the GST back-end system and we are also the nation that has seen frequent failures in Aadhaar.

So the time will tell whether we succeed or fail. I strongly feel that we are going to succeed and we are going to take all the precautions to ensure that we don’t fail.

I think I’m not going to get intimidated by the fact that another country has failed and that is not going to stop India for trying to do something which must be done and which is the need of the hour.