Human Rights Implications of the Digital Revolution in Health Care in India

Volume 24/1, June 2022, pp. 5-19 |  PDF

Deekshitha Ganesan


The COVID-19 pandemic has ushered in rapidly evolving developments in digital health, and governments around the world are experimenting with different ways of introducing technological tools in the management and delivery of health care services. India, among the countries that faced one of the most serious outbreaks in the second wave of the pandemic, recently rolled out the National Digital Health Mission, which promises an integrated but federated digital architecture and a digital health ecosystem that will solve the information asymmetries of the health care sector in India. While the promises of the National Digital Health Mission are many, India’s experience with using another digital tool during the pandemic—the CoWIN portal for vaccine management—alerts us to the human rights concerns of rapid introductions of digital tools to address infrastructural and governance challenges in health care. This paper attempts to take a closer look at these two digital tools and the potential human rights implications of the National Digital Health Mission, particularly for the right to health.


The COVID-19 pandemic has tested countries across the spectrum of public health preparedness. The successive lockdowns and the rapidly spreading virus called for measures that could match its speed of transmission, and digital technologies emerged overwhelmingly as vital tools. From contact tracing, identifying clusters, triaging, and risk management to telemedicine, countries experimented with a range of digital technologies such as geolocation, big data analytics, and information communication technologies, with varying levels of success.

As a pioneer in the use of digital technologies in governance in the Global South, India rolled out many tools. Undoubtedly, these tools were released rapidly in response to a crisis, yet their speedy delivery might alert us to the fact that they were not developed overnight. Digital technologies have been increasingly deployed in health care in India in recent years. For instance, the National Health Policy of 2017 formally floated the idea of a digital health ecosystem for the first time, and the central government rolled out the National Digital Health Mission (NDHM) in 2021. The NDHM seeks to create a single, integrated digital health infrastructure and allocate a health ID to every individual along the lines of Aadhaar, India’s controversial biometric identification mechanism, which has been criticized both for engendering the exclusion of vulnerable groups from welfare measures and for enabling a surveillance state.[1]

The digital interventions in health care management suggest an ongoing digital revolution rather than isolated measures in response to a crisis. The impetus provided by the pandemic for the use of digital technologies and the experience of their associated fallouts during the COVID-19 crisis therefore present key moments to interrogate the frequently advanced notion that digital technologies are a panacea for all governance challenges. In the context of health care, the COVID Vaccine Intelligence Network portal (CoWIN), which the Indian government introduced to coordinate vaccinations, and the NDHM offer a glimpse of the many concerns that arise when relying on digital technologies to manage the delivery of health care, such as the absence of robust informed consent procedures, data protection concerns, the exclusion of vulnerable groups, and low levels of internet penetration and digital literacy. While anxieties around data protection and the right to privacy are well founded, this paper argues that the rapid digitalization of health care could have grave implications for the right to health.

The paper begins with an overview of the status of health care and the COVID-19 crisis in India. It then briefly evaluates CoWIN and provides an overview of its aims and functions, key concerns, and human rights implications. The focus then shifts to the NDHM to explore the history of its development, its key goals and functions, and potential concerns with its development and use. The final section comments on the NDHM’s implications for securing the right to health and offers some key considerations.

The COVID-19 experience and the state of health care in India

India witnessed at least two major waves of the COVID-19 crisis—first between March and September 2020 and then between March and June 2021. The second wave in particular unleashed extreme devastation, and the rapid spread of the virulent and highly infectious Delta variant was worsened by severe shortages of hospital beds and oxygen, as well as high rates of physician fatigue, leaving many people stranded outside hospitals and in their homes without medical care.[2] During 2020 and 2021, the number of deaths in India were estimated at around 4.74 million by the World Health Organization, while the Indian government has maintained the official overall number of deaths in this period to be 481,000. The second wave laid bare India’s poor public health readiness for a country that was thrown headlong into a crisis but for which it arguably had at least a year to prepare.[3]

This background to the second wave of the pandemic and the experience with the COVID-19 crisis provides the setting to assess the country’s need for and approach to the digital revolution in health care. Health care delivery in India is divided into public and private components, and the public provisioning of health care has slowly moved toward providing only those services that the private sector has been unable or unwilling to provide. Public health care is available in urban and rural areas; in the latter, it typically takes the form of primary health care centers that provide only basic facilities. The majority of private hospitals are concentrated in metropolitan and tier-two cities. In urban and rural areas, private medical practitioners and local clinics are the first point of contact for immediate medical care.[4] India’s 2021 budget expenditure on health care was only 1.8% of GDP, far below the 5% recommended by the World Health Organization. Further, more than 60% of health care spending is out of pocket; the bed-to-population ratio is 0.7 per 1,000; and there is about one doctor per 1,000 people.[5]

Undoubtedly, the health care sector in India faces many challenges, such as a shortage of manpower and health infrastructure, low access to quality health care in rural areas, and dispersed information on the health needs of individuals—and digital technologies present viable solutions to only some of these concerns. It is worth mentioning that this paper acknowledges that digital technologies can play an important role in strengthening public health services and in planning for future large-scale health emergencies. That said, based on the experience of the CoWIN platform and the design of the NDHM, as explored in the following sections, the paper challenges the embedding of technology in the state’s imagination of development, which results in the painting over of serious structural concerns.[6]

Access to vaccines and the CoWIN platform

The first wave of the pandemic in India began to wane by September 2020, even as a number of countries began battling a second wave shortly after. In early 2021, as the prospect of effective vaccines seemed certain and in light of the low number of cases, India began exporting doses of vaccines manufactured by the Serum Institute and Bharat Biotech.[7] However, by March 2021, the second wave overwhelmed the strained health care system, and public and private hospitals alike struggled with serious shortages of oxygen and hospital beds. Large-scale vaccination was indispensable to control the situation, which was complicated by two factors—the unavailability of sufficient vaccines to inoculate enough of the population in the 18–45 age group, as well as the central government’s constantly changing decisions both on the purchase of vaccines for allocation to state governments and the possibility of direct sale by the vaccine manufacturers to listed private hospitals.[8]

This background provides essential context for understanding the distribution of vaccines through CoWIN. CoWIN is a cloud-based solution meant to coordinate, implement, and evaluate COVID-19 vaccinations.[9] The portal, which has now been made open source, can create and authenticate users, register bulk and individual beneficiaries, schedule vaccination sessions, and manage the distribution, monitoring, and wastage of vaccine stocks. Many of CoWIN’s features are not public facing. The most controversial aspect of its use, particularly from a human rights perspective, was its role in managing the registration of users for vaccination.

According to India’s COVID-19 vaccination guidelines, an individual is required to self-register on the CoWIN website or the Aarogya Setu mobile application by providing demographic details such as one’s name, date of birth, and address, and by uploading proof of identification, including but not limited to their Aadhaar number. Although the CoWIN website now has a simple privacy policy, when the application was first rolled out, no separate privacy policy accompanied it and instead a link was made available to the NDHM’s Health Data Management Policy, a nonbinding guidance document.[10] One possible, but unconfirmed, reason for this could be that the initial registrations for the NDHM were undertaken through CoWIN when individuals offered their Aadhaar number as the primary form of identification, demonstrating the close linkages between these two digital health technologies.

At the time of booking one’s appointment, the applicant could select the preferred state or private facility to receive the vaccine, but not the timeslot. The CoWIN system allowed only those who had preregistered to proceed for vaccination; walk-in vaccinations were not permitted, though some facilities for on-site registration were made available in public hospitals.[11] Private hospitals charged a fee for vaccination, and those who could afford the vaccine were encouraged to visit these hospitals, though the guidelines state that every person is entitled to a free vaccine.[12] Vaccine certificates were also made digitally available, which individuals could download onto their phones. Unlike paper documents, these digital certificates are claimed to be enduring and unique, linked to each person’s abstracted digital identity, easily storable, processible, and commodifiable if necessary.[13]

The CoWIN portal was riddled with problems as vaccine slots ran out at dizzying speed. Individuals who could access smartphones and book a slot reported discrepancies in the information on available slots and complained that the app would frequently crash. Further, prebooked appointments did not guarantee a vaccine since slots were often overbooked and stocks were rapidly exhausted.[14] Even as the second wave began to ease, preregistration on the CoWIN app was the only guaranteed way to receive the vaccine.[15] Health care professionals who were managing distribution in private hospitals also reported challenges with using the portal on a smartphone, frequent power outages that interfered with internet connections, and bottlenecks when the portal became unresponsive.[16] In areas with poor internet connectivity, insistence on preregistration through CoWIN led to delays in vaccination.[17] Further, the disbursal of the vaccines through private vaccination centers led to a concerning occurrence of fake vaccines and mobile apps, contributing to vaccine hesitancy.[18]

Recognizing that it would not be able to address all these issues, the government released an application programming interface (API) to enable developers to build other tools and software that could interact with CoWIN, illustrating the notion of participatory “government as platform” that used collaborative technologies to solve collective problems.[19] Third-party developers were given access to the CoWIN master database, which was to be the “single source of truth,” to carry out modifications.[20] They were permitted to retain copies of data relating to their customers to ensure that citizens had a consistent view of their own record, subject to the terms of service and supported by their privacy policy.[21] Soon, third-party tools that facilitated alerts on available vaccination slots, scheduling appointments, downloading vaccination certificates, and managing workflow became available. However, these too were accessible only for the those who had steady internet access and the skills and knowledge to access CoWIN with ease.

This method of distributing vaccines does not comport with the right to health as guaranteed by article 12 of the International Covenant on Economic, Social and Cultural Rights.[22] The right to health at all levels, including the allocation and distribution of essential medicines and vaccines, requires ensuring availability, accessibility, acceptability, and quality.[23] During the distribution of the COVID-19 vaccines in India through CoWIN, these elements were not sufficiently foregrounded: the availability of vaccines was not properly planned for, vaccines were not affordable or accessible in a timely manner for a majority of the population, and the surrounding conditions gave way to fake vaccinations.

Many forces acted simultaneously to complicate the process of vaccinating India’s population. Yet the CoWIN portal’s limited functionality and the very decision to rely on an online platform to distribute vaccines did not take into account the gaps in digital literacy or the fact that many in India, including those residing in urban centers, do not have continuous data connections or electricity that can support internet services, sufficient data packages, or enough phone memory to host large applications. By distributing vaccines through CoWIN, equity was no longer the primary goal, and an effective hierarchy of who could receive vaccines was created—first would be those who are digitally literate, conversant in English, and able to pay for their vaccines; after them would be poor people, women, migrants, persons with disabilities, and other vulnerable populations.[24] The government’s attitude was exemplified in a statement to the Supreme Court of India noting that those without digital access could accept the help of nongovernmental organizations, friends, family members, and common service centers established by local self-governments in villages to book appointments. However, the efficacy of these centers in facilitating vaccine registrations is largely unclear.[25] Some reports suggested that as of May 2021, a network of 400,000 such centers in rural areas had integrated their back end with the CoWIN portal and had registered close to 430,000 people through registration drives. The government also claimed that it had strengthened security features on the platform to reduce the possibilities of bots booking slots, introduced the telephone booking of vaccine slots, and made it possible for multiple slots to be booked through one phone number to enable those with digital access and skills to assist others.[26] However, other conflicting reports from the same time period have shown that out of a total of 300,000 common service centers, only 54,460 were active and only 170,000 individuals had been registered.[27] The inconsistency in reported data on the service centers and reports of vaccinations being impeded due to logistical difficulties in accessing the centers amid lockdowns renders doubtful claims of their efficiency in boosting vaccine registrations and their sufficiency as an alternative to the CoWIN platform.

National Digital Health Mission: A digital solution to a governance challenge

India’s experience with CoWIN provides an indication of the limitations of relying exclusively on digital technologies. However, the NDHM also ushers in a digital revolution in health care without addressing the many deficiencies of the Indian health care system that were revealed during the first two waves of the pandemic. Considering that the COVID-19 threat has not yet passed and the second wave is fresh in India’s collective memory, NDHM’s promises and ability to alter the landscape of health care are worth interrogating.

The NDHM is a federated digital architecture comprising electronic health registries, personal health records, and a health analytics platform, atop which other components and health care services may be built. The stated objective is to make available efficient, accessible, inclusive, affordable, timely, and safe universal health coverage by leveraging data and digital infrastructure built using open, interoperable, and standards-based systems that ensure the security, confidentiality, and privacy of health-related personal information.[28]

A brief timeline of the NDHM’s development offers insight into the motivations behind its conceptualization, the different government agencies involved, and its key aims and functions. Its origins can be traced back to 2011, when the idea of using Aadhaar numbers to create a database of all patients “for seamless use by various health chains [t]hat could also be used for insurance claims” was first floated.[29] This found expression in the National Health Policy of 2017, which proposed a digital health technology ecosystem and a national digital health authority to “regulate, develop and deploy digital health across the continuum of care.” The aim was to create an integrated but federated health information infrastructure that would link systems across private and public health care service providers and allow for the creation of massive registries and databases to facilitate big data analytics.[30] At the time, the policy anticipated the use of Aadhaar for this purpose, especially as Aadhaar was envisaged as the single identity system for all Indian residents.

Shortly after, in 2018, the National Institution for Transforming India released a consultation document on the National Health Stack, which is a digital infrastructure that constitutes the building blocks of all the digital health initiatives envisaged under the NDHM and comprises electronic health registries, an insurance claims platform, a personal health records framework, health analytics, and other components. The preface to the consultation document affords an indication of the government’s approach to health care management and governance more broadly; it understands “a strong health system as inconceivable without a resilient digital backbone.”[31] The National Health Stack will provide a shared digital infrastructure for use across central and state governments and by public and private actors, as well as the services required to manage the data for all programs. Private players can build cloud-based applications and tools that will sit atop this shared infrastructure to fill the gaps in the delivery of health services by the public sector. A close comparator of the National Health Stack is the India Stack, with its four-pronged consent layer, cashless layer, paperless layer, and presence-less layer (removal of barriers to participation through remote authentication mechanisms). The National Health Stack document also envisages a key role for the India Stack, which will support the digital health ecosystem by enabling the linkage of bank accounts and phone numbers.[32] The government’s primary role vis-à-vis the National Health Stack is to create the necessary digital, rather than health, infrastructure that can foster a “more robust private sector ecosystem.”[33]

This digital health ecosystem is predicated on issuing a health ID to every individual. The health IDs, which are being created based on an existing national ID and mediate interactions with the National Health Stack, are expected to reduce the risk of preventable medical error, limit costs and inefficiencies, increase quality of care, and provide users with a longitudinal view of health care records.

The consultation document identifies the lack of accessible master data on health as the core problem of India’s health care system, impeding the development of a holistic picture of care, and the health ID is only a part of the solution. The base layer contemplated for the National Health Stack will include information on patients, health care providers, doctors, insurers, accredited social health workers, pharmacies, clinics, labs, and beneficiaries, collectively called the National Health Registries. The document lays out the principles that would define the registries, such as self-maintainability (listed entities should be able to view and update information), flexible schemes that can incorporate feedback, consented data sharing, non-repudiable data (viewers should be able to tell who has edited or added data), and data provenance (audit trail for changes). Other services such as insurance coverage and claim processing will be built on top of this layer and will interact with the health registries through simple open APIs that are compatible with global standards.[34] While APIs can enable and provide authorization for sharing data between different actors in the National Health Stack based on predetermined standards or permissions, they cannot fully restrict how the data are used once an entity gains access, which would once again have to be defined by law. Therefore, the use and sharing of data are in turn guided by the National Health Data Management Policy mentioned above. But in effect, the National Health Stack enables private actors to access vast amounts of data for a variety of purposes.

In 2019, this digital health ecosystem was formally presented by the Ministry of Health and Family Welfare through the National Digital Health Blueprint.[35] As a document produced by the ministry, this blueprint is significant for defining the country’s health agenda. The fundamental goal of the National Digital Health Blueprint is universal health coverage, primarily through insurance. The document notes that the government seeks to achieve the highest possible level of health and provide universal access to good quality-health care services for all without imposing financial hardships. Digital tools are offered as the most promising method to achieve these goals by ensuring citizen empowerment, improving public health care delivery, and addressing the fragmentation of health care data.

In 2020, the NDHM’s strategy overview was released. It identifies the citizen as the owner of the data and claims that the integrated data system will help patients securely store and access their medical records; gain accurate information on health facilities and service providers; and achieve faster processing of insurance claims. Under the NDHM, health information providers such as hospitals will create a personal record linked to a user’s health ID, which will be anonymized for the data feed forming part of the national health analytics architecture. Here, the strategy overview distinguishes between personal data and nonpersonal, or anonymized, health data that are likely to be used in health planning.[36] In terms of personal data, a user will be able to give consent, using their health ID, to anyone who requests permission to view and use their data. This process will be coordinated by a consent manager, and every individual can choose the consent manager to whom their health ID will be linked.

The precise intended or expected benefits of the NDHM as outlined in the National Health Stack consultation document uses the language of international human rights law on the right to health—it identifies availability, accessibility, affordability, and acceptability as the four major challenges of health care delivery in India and as the corresponding benefits of the National Health Stack.[37] With regard to the first two challenges, health care will be made more accessible and available since individuals will be able to avail insurance at any point in the year and have more options for service providers enabled by faster claims processing. With regard to the third, technology will improve affordability due to the increased participation of service providers on account of justified pricing and the instantaneous and cashless adjudication of claims. Finally, the National Health Stack is expected to improve acceptability by encouraging hospitals to improve quality of care through reward programs using information generated by the National Health Stack. An associated benefit for the government will be the ability to reach migrants and provide health care and protection to anyone, anywhere in India due to the feature of portability.

Thus, on paper, the NDHM appears to be a comprehensive plan to boost the health care system and address its considerable weaknesses. Yet medical professionals and digital rights activists in India have expressed misgivings about its many promises, which have assumed prominence since the onset of the pandemic.[38]

Why create a digital health ID?

The obvious question to ask of the NDHM is the need for a new health ID when there is near universal coverage under Aadhaar. The reason for this may lie in the prominent role envisaged for private enterprises by the NDHM. By 2018, the Supreme Court of India had recognized a fundamental right to privacy, and a decision on the constitutionality of the Aadhaar project was imminent. In October 2018, it held that the Aadhaar project was constitutional but added that it could not be made the sole basis for accessing welfare schemes and that private players could not use it for authentication.[39] While the latter ban has been slowly eroded in practice, one reason for developing the health ID may be to sidestep any similar potential objections on its use by private players.[40]

Despite the health ID, Aadhaar is still likely to play an important role in the NDHM. As one of the proofs of identification for creation of the health ID and as an element of the India Stack mentioned above, it will enable linkages between different databases that also operate using Aadhaar. Although the various strategy documents claim that failure to provide one’s Aadhaar for the creation of the health ID and the denial of permission to share one’s health ID would reportedly not result in denials of service, once the Aadhaar is integrated into the NDHM, individuals will find it difficult to refuse to provide their details.[41]

The similarities in at least some of the goals of the health ID and Aadhaar as mechanisms to enable unique identification, prevent fraud, and plug leakages should alert us to common concerns. For one, in the past, Aadhaar numbers have been leaked despite the government’s claims that the information was stored securely.[42] With the health ID, a number of private actors—such as medical practitioners, clinicians, labs, insurance companies, private hospitals, and tech start-ups—that build applications atop the National Health Stack will have access to the data contained in the health registries. Moreover, the National Health Data Management Policy also contemplates that sensitive personal data such as sexual orientation, financial information, mental health conditions, and biometric information is likely to be collected under the NDHM.[43] Leaks and misuse of personal health data and other sensitive information such as sexual orientation are serious and could have grave implications for individuals.

Second, if obtaining the health ID and registration with the NDHM are not compulsory for individuals or health care service providers, as the government has claimed, it is unclear how the NDHM will bridge the data gap. Health data for the analytics engine of the NDHM are valuable only if they are available in the aggregate, which requires different actors in the health care system to participate and generate sufficient data.[44] But the creation of a health ID and digitalization will present major challenges for health care providers. While the NDHM may offer incentives for insurance companies and large private hospitals, health care in India is still substantially provided by independent medical practitioners in local clinics and primary health centers. The NDHM’s administrative and cost burdens of digitalization and converting from a legacy system to a digital health model will undoubtedly require a significant shift in practices. The transition is likely to take away important time and resources from the caregiving duties of medical professionals who are not provided with adequate financial and administrative support to ensure accurate data entry that can guarantee robust data for the NDHM and mitigate the serious repercussions of incorrect entries for patients.[45]

The guarantee of universal health coverage

India’s insurance market comprises a few state-run players and a host of private insurance providers that cater to a large proportion of the middle class. While the central government recently introduced a state-funded insurance scheme for rural and poor families with the aim of reducing high out-of-pocket expenditures on health, the majority of enlisted hospitals that provide health care are private and account for a substantial part of the claim value. Since the program was implemented, there have been reports of individuals having to incur out-of-pocket expenses and of hospitals threatening to or in fact pulling out of the scheme on account of the nonpayment of claims by insurance companies.[46]

This is essential context for the issue of insurance coverage, since an important goal of the NDHM is universal health coverage and since all of the strategy documents refer to the ease of processing insurance claims and identify benefits for private insurance providers. The National Health Stack is intended to be the primary coverage and claims platform, and the government claims that it will solve the problem of a lack of health data; enable the standardization of processes such as preauthorization and claims processing; facilitate on-time payments for service providers; prevent fraud by service providers by rewarding honest claims through instant adjudication; and filter poor-quality service providers through the interplay of strong data sets and market-based mechanisms.[47]

Specifically for insurance providers, the National Health Stack document identifies market expansion and “targeted product offering with availability of supply side data” as a benefit. However, the ability of insurance providers to access detailed and highly personalized information on individuals’ health conditions has raised alarms. A major concern is that insurance providers might engage in the suppression of scheme utilization and target product offerings or increase premiums based on geography or income levels or by specifically accounting for preexisting conditions.[48] This is a significant issue because for a substantial portion of India’s population, including its middle class, health care is expensive, requires out-of-pocket spending, and is not always cashless. Therefore, in the absence of a strong public health care system, apprehensions about how insurance companies will respond in terms of health care coverage and its potential impact on achieving the goal of universal health coverage are not misplaced.

Is informed consent sufficient to protect health data?

Informed consent is offered at multiple points as the primary method of ensuring the confidentiality of personal information. The National Health Data Management Policy identifies consent as valid only if it is free, informed, specific, clearly given, and capable of being withdrawn at any time.[49] However, the presence of informed consent as the primary safeguard may not be sufficient.

First, there are already numerous reports of health IDs having been generated automatically for individuals who registered for vaccinations on the CoWIN platform using their Aadhaar numbers and of instances where registration to obtain a health ID was made mandatory.[50] Officials who were operating the system at many of the vaccination centers did not explicitly seek consent and assumed that one’s sharing of their Aadhaar equaled authorization to create a health ID.[51] Recently, the government claimed that nearly 96% of the health IDs issued so far are linked with Aadhaar.[52]

Second, to safeguard personal data, the policy attempts to instill a “privacy by design” approach among the NDHM’s different actors through consent managers, but this is unlikely to protect personal health information to the extent necessary. Consent managers are electronic systems that will interact with the data principal and obtain consent for access to personal data but will not be able to access the information themselves. Fresh consent is required from the data principal through the consent managers only if data are used for a previously unidentified purpose—in other words, it does not appear that individuals can object to specific data points being digitized; consent to be part of the NDHM and for processing personal data applies to all kinds of personal information.[53]

Through consent managers, the NDHM seeks to solve the problem of loss of health records or poor maintenance at the hospital level and address the coercive conditions around informed consent at the point of care. However, the ability to provide informed consent presupposes that an individual has all the relevant information to make a rational determination and that this information was communicated to them in an understandable language; and in the case of the NDHM, it also presupposes that an individual has easy access to a screen and internet. Considering that the NDHM will be catering to individuals of varying educational backgrounds, the requirements of free, informed, and explicit consent are unlikely to be fulfilled if the process of securing consent is standardized and highly technical.[54] Consent fatigue as a result of repeatedly encountering complex documents is an additional well-documented challenge and, in the case of NDHM, could impede comprehensive protection of personal data by leading to automatic consent decisions.[55] Further, given the gaps in digital literacy, access to the internet, and access to smartphones, the process of obtaining informed consent for many is likely to take place in the presence of medical staff, which does not address the coercive conditions around which consent is typically sought in India. When the alternative to refusing consent to share information is the possibility of being refused medical care or the settlement of claims, informed consent becomes a mere formality.[56]

Should health data be treated as a public good?

The National Health Registries characterize the idea of data as a public good. At least some kinds of data are considered public goods if they have two essential characteristics—they are non-rivalrous (not a limited resource) and non-excludable (accessible by all).[57] In the context of health, anonymized disaggregated data collected by the government can have these qualities, although personal data that are de-anonymized are not completely non-excludable.

The Economic Survey of 2018 released by the Ministry of Finance makes a case for treating data as a public good on account of the difference between the marginal costs of data compared to the benefit they yield.[58] It argues that since the private sector might be hesitant to invest in building data in sectors such as health care due to limited returns, government intervention is required to ensure that an optimum amount of long-term data of a critical mass of persons and firms is harvested and integrated with other databases. In essence, health data gathered in the social interest are claimed to be by the people, of the people, and for the people.[59] Further, the survey states that data as a public good can be monetized and used by private actors to generate profit, claiming that there is “no reason to preclude commercial use of [these] data.” It emphasizes that datasets may be sold to the corporate sector, which can generate insights, tap into markets, develop new products, while also ensuring data privacy and confidentiality.[60]

Under the NDHM, many private enterprises offering services across the digital health ecosystem are likely have access to vast quantities of disaggregated and anonymized patient data through the apps built atop the National Health Stack, and the range of opportunities that such data present to these entities and other private medical and tech firms are yet unknown. Though the NDHM contemplates sharing only nonpersonal health data that are anonymized for the purpose of health data analytics, anonymization is not considered to be sufficiently privacy protective given that re-identification is not impossible or particularly complicated, especially when combined with other datasets.[61] The absence of fool-proof anonymization only reiterates the need for other regulatory frameworks where informed consent is not sufficient to protect personal information. Therefore, handling and making available large amounts of sensitive data requires data management practices that are ethical and equitable, as well as strict accountability under data protection laws, which does not yet exist in India.[62]

Although the latest draft of the Data Protection Bill of 2021, which is likely to be passed into law, now covers nonpersonal data that will come under the remit of the proposed Data Protection Authority, an earlier report of the Committee of Experts on Non-Personal Data Governance Framework provides a window into the discomfort and concerns around treating health data as a public good. The report identified anonymized health data as public nonpersonal data that have the characteristics of a natural resource and proposed a Non-Personal Data Authority whose primary goal would be to unlock the value in nonpersonal data for the economy. While it states that consent for the collection of personal data would not automatically imply consent to anonymize, it contemplates consent as being provided only once, both for anonymization and subsequent use.[63]

An additional level of analysis leads us to the technologies and infrastructures that enable the collection of health data.[64] For example, the government announced that the CoWIN platform is a global public good and has made it available to countries around the world to build on and use for vaccine distribution and management. If a digital technology is a public good, are all data collected and processed through it a public good? As a shared digital infrastructure across different actors, the NDHM too has been described as a digital public good, and, taken together with the Economic Survey’s description of how data as a public good can be leveraged, individuals are likely to have little factual control over their anonymized personal and health information in the absence of any binding regulatory statute or institution.

Digitalization of health in India and implications for the right to health

Under international human rights law, the right to health is indispensable and every person is entitled to the enjoyment of the highest attainable standard of health, guaranteed by article 12 of the International Covenant on Economic, Social and Cultural Rights. General Comment 14 of the Committee on Economic, Social and Cultural Rights identifies two aspects of the right of health—freedom and entitlements—and notes that entitlements include the “right to a system of health protection which provides equality of opportunity for people to enjoy the highest attainable level of health.” Securing the right to health requires ensuring the basic social and economic determinants of health, such as access to a clean environment, housing, nutrition, and sanitation, as well as the provision of health care facilities.[65]

Human rights law does not mandate that all health care be public but requires the presence of four key elements in the provision of public and private health care services and facilities: availability, accessibility, acceptability, and quality.[66] Availability refers to a functioning public health system available in sufficient quantity, including hospitals, clinics, trained professionals, competitive salaries, and other infrastructure. Accessibility covers physical accessibility, including for the most vulnerable groups such as children, persons with disabilities, elderly persons, economic migrants, and Indigenous communities. It must be affordable and available to all irrespective of their identities. Acceptability and quality ensure that health facilities are scientifically, culturally, and medically appropriate. Significantly, while states have an obligation to achieve the progressive realization of the right to health, they must take steps that are concrete, deliberate, and targeted toward full realization in the interim.[67]

The NDHM, however, diverts attention and resources away from making available affordable health facilities and services to strengthening the delivery of private health care, despite the fact that during the pandemic many private hospitals were unable to manage the caseload, charged exorbitant prices for beds and COVID-19 care, or refused to take in patients. Public hospitals undertook the burden of addressing the vast majority of health care needs even as the state stepped in to set caps on private hospital charges.[68] While noting the benefits and advantages of digital health interventions in health care management, the World Health Organization’s recent guidance on the rights-based and ethical use of digital technologies also cautions that digital interventions developed for systems with underlying flaws or inadequacies can replicate inefficiencies and exacerbate inequity.[69] Therefore, the implications of technological solutionism for securing the right to health and the steady erosion of state investment in health infrastructure and health care delivery as a public service are urgent. Even as surveillance and data protection become externalities that can be addressed via a solutionist approach, the impact of rapid digitalization on the right to health will persist.

On the other hand are serious concerns of exclusion on account of varying rates of digital access and literacy for many anticipated users of the NDHM, including patients and health care providers.[70] Access to a smartphone or computer and the internet are necessary preconditions for managing patient records and for accessing other tools that are expected to be integrated with the NDHM, such as e-Sanjeevani, the telemedicine platform that has been proposed as a key innovation to connect rural areas with quality health care providers. While India is one of the fastest-growing digital markets in the world, it has far from the kind of universal access to the internet required for the NDHM. Based on 2017–2018 national data, internet penetration in India stands at 42% in urban areas and only 15% in rural areas, while more recent data peg average internet penetration at around 43% of the total population. Only 4.4% of households own a computer in rural areas, compared to 23.4% in urban areas; and average digital literacy is around 38%, with a wide split between urban and rural areas.[71] Given this backdrop, it is unclear how telemedicine, rather than brick-and-mortar hospitals, will address the problem of access to health care in the remotest parts of India and in conflict areas such as Kashmir, where internet shutdowns are routine.[72]

Considering the significant impact of digital inclusion on access to digital health interventions, digital access is rightly being recognized as an emerging social determinant of health.[73] In the context of the NDHM, the role of digital access and literacy as a social determinant of health in facilitating or impeding informed consent is likely to be especially crucial. Informed consent is a key ethical principle both in health care delivery and in the use of personal information. However, for a project as ambitious and large scale as the NDHM, it could well be a nominal or formalistic protection against the unauthorized use of personal health information and the inferences derived from it for which consent has been obtained. As discussed above, this could have significant implications for access to health coverage.[74] A rights-based approach to informed consent would necessarily require taking into account structural inequalities such as economic status, digital access, and relationships with health care providers to truly allow for individuals to make considered decisions on the use of their personal data.[75] Therefore, in addition to its centrality to the right to privacy and autonomy in relation to personal data, in the context of the NDHM, informed consent could be key to realizing the right to health.


The COVID-19 crisis and the extraordinary focus on digital solutions for a public health problem in India betrays a tendency to “manage social problems as they bubble up into crises rather than intervening in their causes.”[76] The Indian government has repeatedly pushed the use of digital tools to drive the economy, plug leakages, and increase the ease of doing business even in the absence of state capacity for dealing with and responding to the consequences of rapid digitalization. In the context of public health governance, these are all untested claims.

The two technologies surveyed in this paper have functioned as embellishments over a weak public health system, and they illustrate the conception of health data as a public good rather than health care as a public good. Public health in India is no doubt a complex space, intensified by a range of documentary-, institutional-, insurance-, and physician-related challenges, and it will be near impossible to provide sufficient state-funded health care at this stage. However, by prioritizing digitalization despite the experience of the second wave of the pandemic, the central government is placing the proverbial cart before the horse. Of the many objectives behind introducing digital tools in public health, universal health coverage and access to health care are key. If the NDHM cannot fulfill this objective, it will once again reveal the limitations of resorting to digital technology as a solution to a crisis with deeper roots at the expense of the people’s right to health.

Deekshitha Ganesan, BA, LLB, LLM, is a human rights lawyer from India.

Please address correspondence to the author. Email:

Competing interests: None declared.

Copyright © 2022 Ganesan. This is an open access article distributed under the terms of the Creative Commons Attribution Non-Commercial License (, which permits unrestricted non-commercial use, distribution, and reproduction.


[1] P. Singh, “Aadhaar: Platform over troubled waters,” in A. Athique and V. Parthasarathi (eds), Platform capitalism in India (Cham: Palgrave Macmillan, 2020), pp. 201–219.

[2] “The night the oxygen ran out,” New York Times (June 28, 2021). Available at

[3] S. Biswas, “Why India’s real COVID toll may never be known,” BBC News (5 May 2022). Available at; S. Nolen and K. D. Singh, “India is stalling the W.H.O.’s efforts to make global COVID death toll public,” New York Times (April 16, 2022). Available at

[4] T. Sundararaman, D. Parmar, and S. Krithi, “Public health and health services as global public goods,” in Three Essays Collective and Centre for Equity Studies (eds), India exclusion report 2019–20 (2020), p. 57.

[5] “Factbox: State of play of India’s healthcare sector exposed by COVID-19,” Reuters (November 17, 2021). Available at; M. Bhatia and D. P. Singh, “Health sector allocation in India’s budget (2021–22): A trick or treat?,” International Journal of Community and Social Development 3/2 (2021), p. 177.

[6] R. Radhakrishnan, “Experiments with social good: Feminist critiques of artificial intelligence in healthcare in India,” Catalyst: Feminism, Theory, Technoscience 7/2 (2021), p. 7.

[7] “India, ‘pharmacy of the world’, starts exporting COVID vaccines,” Al Jazeera (January 20, 2021). Available at

[8] Ministry of Health and Family Welfare, Revised guidelines for implementation of national COVID vaccination program (New Delhi: Ministry of Health and Family Welfare, 2021).

[9] Ibid.

[10] S. Sircar, “CoWIN app: No specific privacy policy, no info on developer, cost,” Quint (January 24, 2021). Available at

[11] Ministry of Health and Family Welfare, Citizen: Dos and don’ts (New Delhi: Ministry of Health and Family Welfare, 2021). Available at

[12] Ministry of Health and Family Welfare, Revised guidelines (see note 8).

[13] See K. Breckenridge, “Documentary government and mathematical identification,” in S. A. Dalberto and R. Banégas (eds), Identification and citizenship in Africa: Biometrics, the documentary state and bureaucratic writings of the self (London: Routledge, 2021), pp. 54–55.

[14] S. V. Subramanian, “India faces a challenge with its mass vaccination,” Lancet 9/9 (2021).

[15] B. Mukherji, “India’s reliance on a vaccine app is hindering its push for herd immunity,” Fortune (July 14, 2021). Available at

[16] M. Gupta, A. Goel, and P. Bhardwaj, “The COWIN portal: Current update, personal experience and future possibilities,” Indian Journal of Community Health 33/2 (2021), p. 432.

[17] Mukherji (see note 15).

[18] D. Mukherjee, U. Maskey, A. Ishak, et al., “Fake COVID-19 vaccination in India: An emerging dilemma?,” Postgraduate Medical Journal 1–2 (2021).

[19] T. O’Reilly, “Government as platform,” Innovations 6/1 (2010), pp. 27–30; P. Mukul, “Explained: Will CoWin API make it easier to get vaccine appointments?,” Indian Express (May 11, 2021). Available at

[20] Ministry of Health and Family Welfare, Guidelines for integration of Co-WIN with third-party applications developed by ecosystem partners (New Delhi: Ministry of Health and Family Welfare, 2021).

[21] Ibid.

[22] In Re: Distribution of Essential Supplies and Services During Pandemic, Suo Motu Writ Petition Civil No. 3 of 2021. Available at

[23] Committee on Economic, Social and Cultural Rights, General Comment No. 14, The Right to the Highest Attainable Standard of Health, UN Doc. E/C.12/2000/4 (2000).

[24] See generally S. Dharmadhikari, “India’s vaccination policy goes against rights of poor and marginalized: SC shows how,” News Minute (June 5, 2021). Available at

[25] S. Ojha, “Persons without digital access can take help of families, NGOs, common service centres for CoWIN registration: Centre tells SC,” LiveLaw (May 10, 2021). Available at

[26] “Government says it has alternatives to CoWin for rural vaccinations,” Economic Times (May 21, 2021). Available at; “COVID-19 vaccination: Here’s how you can book slot with a call,” Indian Express (May 28, 2021). Available at

[27] A. Gupta and A. Narayan, “Moving to offline and on-spot CoWIN registration: Away from the not-so-common service centres,” Dvara Research (May 26, 2021). Available at; A. Aryan, “Missing in vaccination: Rural service centres switch off, see tiny fraction of CoWin logins,” Indian Express (May 14, 2021). Available at

[28] Ministry of Health and Family Welfare, Ministry of Electronics and Information Technology, and National Health Authority, National digital health mission: Strategy and overview, cl. 1.2 (New Delhi: Ministry of Health and Family Welfare, 2020).

[29] “Use Aadhaar numbers to create health database: Nandan Nilekani,” Economic Times (December 1, 2011). Available at

[30] Ministry of Health and Family Welfare, National health policy (New Delhi: Ministry of Health and Family Welfare, 2017), p. 25.

[31] NITI Aayog, National health stack: Strategy and approach (New Delhi: NITI Aayog, 2018), p. 5.

[32] Ibid., p. 18.

[33] See O’Reilly (see note 19), p. 16.

[34] For an illustration of the kind of discussions around the standards for APIs and security protocols in the European Union, see Joint Research Centre, Web application programming interfaces (APIs): General purpose standards, terms and European Commission initiatives (Petten: European Commission, 2019).

[35] Ministry of Health and Family Welfare, National digital health blueprint (New Delhi: Ministry of Health and Family Welfare, 2019).

[36] Ministry of Health and Family Welfare et al. (see note 28), cl 2.2.

[37] NITI Aayog (see note 31), pp. 37–38.

[38] See, for example, S. Karpagam, “Why the new Ayushman Bharat digital mission does not bode well,” Wire Science (October 10, 2021). Available at; “Move fast, break things? Not when sensitive health data is at stake,” Internet Freedom Foundation (September 23, 2020). Available at

[39] Justice K.S. Puttaswamy & Anr v Union of India & Ors. (2019) 1 SCC 1.

[40] A. Mathew, “Modi government issuing national health ID stealthily without informed consent,” National Herald (June 5, 2021). Available at; S. Kodali, “How private sector slowly regained access to Aadhaar post SC judgment,” Wire (June 14, 2019). Available at

[41] Ministry of Health and Family Welfare and National Health Authority, Health data management policy (New Delhi: Ministry of Health and Family Welfare, 2020), cl. 16.4.

[42] K. Pratap, “Exclusive: Millions of Airtel numbers with Aadhaar details and user data likely leaked were accessible on web,” India Today (February 2, 2021); A. Deep, “Tamil Nadu PDS system breached, 50 lakh people’s Aadhaar details leaked: Report,” MediaNama (June 30, 2021). Available at

[43] Ministry of Health and Family Welfare and National Health Authority (see note 41), cl. 4(ee).

[44] World Health Organization, Pre-read: Health data as a global public good (2021). Available at; see also Ministry of Health and Family Welfare et al. (see note 28), cl. 2.6.

[45] See generally N. Khurana, “Issue analysis: A use-driven approach to data governance can promote the quality of routine health data in India,” Global Health: Science and Practice 9/2 (2021), p. 238.

[46] S. Bhasin, “Non-payment of claims: Private hospitals in Punjab suspend Ayushman Bharat Scheme,” TribuneIndia (October 23, 2021). Available at; G. Nandan, “Explained: Why India’s public health insurance doesn’t work as well as it should,” IndiaSpend (August 17, 2021). Available at

[47] NITI Aayog (see note 31), p. 40.

[48] M. K. Mithun, “How the health ID may impact insurance for patients with pre-existing conditions,” News Minute (October 9, 2021). Available at; Internet Freedom Foundation, Analysing the NDHM’s health data management policy: Part 2 (New Delhi: Internet Freedom Foundation, 2021). Available at <; D. Banot, “Revisiting Ayushman Bharat scheme: Win-win or win-lose?,” Forbes India (July 18. 2021). Available at

[49] Ministry of Health and Family Welfare and National Health Authority (see note 41), cl. 9.2.

[50] S. Singh and M. Porecha, “Behind the rush and hush of India’s National Digital Health Mission,” Ken (September 22, 2020). Available at

[51] Mathew (see note 40).

[52] A. Jain, “96% of nearly 14 crore unique health IDs linked with Aadhaar, reveals ABDM mission director,” MediaNama (November 22 2021). Available at

[53] Mithun (see note 48); Ministry of Health and Family Welfare and National Health Authority (see note 41), cl. 10.1.

[54] T. Sarkar, Comments on national health stack: Strategy and approach (Bengaluru: Centre for Internet and Society, 2018).

[55] B. W. Schermer et al., “The crisis of consent: How stronger legal protection may lead to weaker consent in data protection,” Ethics and Information Technology 16 (2014), p. 171.

[56] Radhakrishnan (see note 6), p. 17.

[57] K. Śledziewska and R. Włoch, “Should we treat big data as a public good?,” in M. Taddeo and L. Floridi (eds), The responsibilities of online service providers (Cham: Springer, 2017).

[58] M. Fourcade and J. Gordon, “Learning like a state: Statecraft in the digital age,” Journal of Law and Political Economy 1/1 (2020), p. 80.

[59] Ministry of Finance, Economic Survey 2018–19 Vol 1 (New Delhi: Ministry of Finance, 2019), p. 16.

[60] Ibid., p. 94.

[61] N. Saksena. R. Matthan, A. Bhan, and S. Balsari, “Rebooting consent in the digital age: a governance framework for health data exchange,” BMJ Global Health (2021).

[62] World Health Organization (see note 44), pp. 9–11; L. Taylor, “The ethics of big data as a public good: Which public? Whose good?,” Philosophical Transactions A 374 (2016), p. 9.

[63] Ministry of Electronics and Information Technology, Report by the Committee of Experts on Non-Personal Data Governance Framework (New Delhi: Ministry of Electronics and Information Technology, 2020), cl. 4.6, 5.2.

[64] See Fourcade and Gordon (see note 58), p. 97.

[65] Committee on Economic, Social and Cultural Rights (see note 23).

[66] Ibid.; see also National Human Rights Commission, Advisory on right to health in context of COVID-19 (New Delhi: National Human Rights Commission, 2020).

[67] Committee on Economic, Social and Cultural Rights (see note 23).

[68] Sundararaman et al. (see note 4), p. 68.

[69] World Health Organization, Ethics and governance of artificial intelligence for health (Geneva: World Health Organization, 2021).

[70] Ibid.

[71] V. Mothkoor and F. Mumtaz, “The digital dream: Upskilling India for the future,” Ideas for India (March 23, 2021). Available at,just%2025%25%20in%20rural%20areas; World Bank, Individuals using the internet (% of population). Available at

[72] A. Radhakrishnan, “COVID-19: Restricted internet impacts on health in Kashmir,” Health and Human Rights Journal (April 15, 2020). Available at

[73] C. A. Clare, “Telehealth and the digital divide as a social determinant of health during the COVID-19 pandemic,” Network Modeling Analysis in Health Informatics and Bioethics 21 (2021); C. J. Sieck, A. Sheon, J. S. Ancker, et al., “Digital inclusion as a social determinant of health,” npj Digital Medicine 4 (2021).

[74] R. Khosla, “Technology, health and human rights: A cautionary tale for the post-pandemic world,” Health and Human Rights Journal 22/2 (2020), pp. 63–66; United Nations Development Programme, Guidance on the rights-based and ethical use of digital technologies in HIV and health programmes (New York: United Nations Development Programme, 2021).

[75] N. Sun et al., “Human rights and digital health technologies,” Health and Human Rights Journal 22/2 (2020), pp. 21–32; A. Dickens, “From information to valuable asset: The commercialization of health data as a human rights issue,” Health and Human Rights Journal 22/2 (2020), pp. 67–69; UN General Assembly, Report of the Special Rapporteur on the Right of Everyone to the Enjoyment of the Highest Attainable Standard of Physical and Mental Health, UN Doc. A/64/272 (2009).

[76] Fourcade and Gordon (see note 58), p. 96.