National Health Stack: iSPIRT’s Attempt To Replicate India Stack (Deja Vu Anyone?)

In India, as in most developing economies, policy leads and innovation follows. And as we saw in our previous article, healthcare policy has not exactly been the strong point of India’s government despite high profile schemes such as Ayushman Bharat. Even where the policymakers have shown the gumption to forge forward-thinking policy, there has been some hesitation. And now the Dissecting India’s Healthtech Playbook turns to the one policy decision that will have the biggest impact on healthtech.

The National Health Stack, which is a set of essential APIs, recently went live for testing. When implemented in the right manner, it will make telemedicine and other healthtech possibilities a reality with safety, interoperability, security and reliability being the primary pillars. If that sounds familiar, it’s because India has already reaped the benefits of something like this in the past.

We have seen it in how India Stack — Aadhaar, UPI, Digilocker, digital banking and now account aggregator — has transformed fintech, digital payments, commerce in India. Envisioning a similar cohesive future for healthcare, dozens organisations and companies — National Cancer Grid, Swasth Alliance, LiveHealth, DRiefcase and others — have begun testing the newly built National Health Stack APIs in the past few weeks. But there’s still a long way to go before there’s full-fledged innovation built on the health stack.

“It will take a few months before all the APIs get authenticated and certified by an empanelled ecosystem of certification agencies,” iSPIRT Foundation’s core volunteer Siddharth Shetty, who has closely worked on the National Health Stack project, told Inc42.

The government has approved telemedicine guidelines and that would work as oxygen for the National Health Stack ecosystem. Among the policies catching up with the times are the age-old pending privacy and data protection bills, the framework for the National eHealth Authority which is supposed to regulate remote healthcare in India.

And as usual, there’s plenty of appetite from startups and the private sector in adopting the latest technology to tap the opportunity. But the question is whether they should be allowed to just yet? Even though there exists the will to change things, Indian healthcare is simply not data-ready for the tech revolution. Speaking to Inc42, Justice BN Srikrishna, chairman of Financial Sector Legislative Reforms Commission and the man behind Personal Data Protection Bill, indicated that India may not be ready. Not yet at least.

“The Personal Data Protection Bill has not been passed through the parliament. There is no law that currently governs it except the fact the Supreme Court of India has recognised Right to Privacy as our fundamental right. In the case of new developments, we have to check if it compromises any fundamental rights or does it comply with the three core directive principles with regards to the fundamental rights.”

With consent managers responsible for linking the patients’ personal health records from one entity to another, there is definitely greater emphasis on data safety and security in the virtual healthcare ecosystem. So can the Indian government and the healthcare ministry win the trust of people amid lack of privacy laws, a Data Protection Authority and a National eHealth Authority? And with no oversight in place, should India even be accelerating its healthtech efforts?

From India Stack To The National Health Stack

The development of the last brick of India Stack layers — Data Empowerment and Protection Architecture (DEPA) completed earlier this year. Consent managers along with API bridges have unleashed a huge potential not only in BFSI but also in other sectors like healthcare.

At the core of these developments has been the iSPIRT Foundation, a pro-bono partner in the development of India Stack APIs. The volunteers who worked for the Aadhaar development —  the presenceless layer, as they call it — a decade back have since then successfully worked on a slew of other open API projects forming other layers — paperless layers (Aadhaar-enabled eKYC, eSign and DigiLocker), cashless layers (UPI, AePS etc) and consent layer (DEPA) of India Stack.

These layers or APIs have not only made transactions seamless anytime, anywhere but also have reduced the cost of transactions by manifold — for providers and consumers. The much-acclaimed JAM (acronymized from Jan Dhan Yojana bank account, Aadhaar and mobile number) model has opened up huge scope for BFSI players and fintech startups.

The entire architecture has unleashed a huge potential of its replicability in other sectors as well. For instance, a transaction can be of any type — payments, data and hence these building blocks such as consent layer, presenceless layer, paperless layer and cashless layer would equally be useful in building digital healthcare architecture too.

What Does National Health Stack Mean For Indian Healthcare?

Like account aggregators coined by the RBI in the case of banking and finance, iSPIRT has coined a new term for consent managers in the health stack called Health Data Consent Manager (HDCM). The consent management architecture based on DEPA is again complying with the Electronic Consent Framework published by the Ministry of Electronics and Information Technology, claimed Shetty.

This along with other standards which iSPIRT recently published set the pretext of the consented sharing of health information between health information providers (HIPs) – like hospitals, pathology labs, and clinics –  and health information users (HIUs) like pharmacies, medical consultants, doctors and so on.

In the conventional healthcare system, a patient has to physically visit the hospitals/clinics and labs and then carry PHR print copies everywhere he/she goes for consultancy/medication. The consent management is usually irreversible and in case a patient loses any document and forget to carry, it takes a huge effort and time to recover the same particularly if the patient is going to a new hospital/lab. The onus of maintaining the record remains on patients.

In the latest National Health Stack architecture, according to iSPIRT, “a user is able to generate a longitudinal view of their health data across providers. The interoperability and security of the PHR architecture allow users to securely discover, share, and manage their health data in a safe, convenient, and universally acceptable manner. For instance, a user could use an HDCM to discover their account at one hospital or diagnostic lab, and then select certain electronic reports to share with a doctor from another hospital or clinic. The flow of data would be safe, and the user would have granular control over who can access their data and for how long.”

Similar to DigiLocker, the concept of a Health Locker has also been introduced which allows individuals to store copies of their personal health records and share with the health information users.

Can National Health Stack Meet The Needs Of Ayushman Bharat?  

Right after announcing Ayushman Bharat, the largest healthcare insurance programme which aims to benefit over 50 Cr poor Indians, in 2018, the Indian government had tasked its public policy think tank NITI Aayog to come up with a detailed outline on National Health Stack in order to meet the needs of Ayushman Bharat public insurance implementation.

As announced in the Budget 2018-19, Ayushman Bharat intended to set up 1.5 Lakh health and wellness centres for comprehensive primary healthcare and a flagship scheme Pradhan Mantri-Rashtriya Swasthya Suraksha Mission (PM-RSSM) which will cover over 10 Cr poor and vulnerable families providing coverage up to INR 5 Lakh per family per year for secondary and tertiary care hospitalisation.

It’s worth noting that over 300 hospitals were later served show-cause notices and de-empanelled, and penalties of over INR 3 Cr were levied on them for submitting forged claims under the Ayushman Bharat Health Insurance Scheme.

The NITI Aayog in July, 2018 had submitted its draft on National Health Stack. The key components as defined in the draft were:

• National Health Electronic Registries to create a single source of truth for and manage master health data of the nation
• A coverage and claims platform as building blocks to support large health protection schemes, enable horizontal and vertical expansion and robust fraud detection
• A Federated Personal Health Records (PHR) Framework to solve twin challenges of access to their own health data by patients and availability of health data for medical research, critical for advancing our understanding of human health
• A National Health Analytics Platform to bring a holistic view combining information on multiple health initiatives and feed into smart policymaking, for instance, through improved predictive analytics
• Other horizontal components including unique digital health ID, health data dictionaries and supply chain management for drugs, payment gateways and more

iSPIRT Foundation has been said to be working on the ideation since 2016. Explaining the idea behind National Health Stack, Nita Tyagi one of the core volunteers at iSPIRT, said, “I belong to Uttarakhand. In the rural, semi-urban places, it’s mostly doctors’ clinics that a patient visits in the case of an emergency. Now, even if the patient has his/her health insured, and the doctor is willing to treat the patient, insurers don’t extend the cover due to the fear factor of forged claims. This is where the National Health Stack comes in by making the entire process transparent, efficient.”

With the help of consent managers, insurers thus can examine the patient’s past records and their claims or claims made by hospitals on their behalf.

“As was in the case of the KYC process, earlier the claim-verification process conducted by insurance companies used to cost at INR 600-INR 1,000 per claim. The National Health Stack would reduce the same to a few bucks. This is significant for insurance companies,” added Tyagi.

However, meeting Ayushman Bharat’s requirements has its own challenges. Ayushman Bharat is designed to meet the health requirements of transient workers such as domestic help, washermen, ragpickers, sweepers and even unemployed and homeless people who may not have a steady income.

Telemedicine benefits would take decades to reach out to them since a very small number of these Ayushman Bharat beneficiaries are believed to have smartphones. In such cases, even if the health information providers digitise their health data, getting consent from them via mobiles may not be feasible as has been conceptualised by NITI Aayog.

iSPIRT cofounder Sharad Sharma, however, claimed, “Once implemented, the National Health Stack will significantly bring down the costs of health protection, converge disparate systems to ensure a cashless and seamlessly integrated experience for the poorest beneficiaries, and promote wellness across the population.”

The Making Of IndEA And National Digital Health Blueprint

National Health Stack proposed by NITI Aayog is merely the draft discussing the technology, strategy and adoption of the APIs pertaining to health stack. However, at the governance level, the government wanted it to see how it would fit with the India Enterprise Architecture (IndEA) an e-governance standard with a set of reusable building blocks which could be fit in all the priority sectors. Also, there needs to be more clarity on the regulatory side of the health stack.

As a result, the Ministry of Health and Family Welfare, in July 2018, constituted a committee under the chairmanship of former UIDAI chairman and MeitY secretary J Satyanarayana to create a framework and implementation plan for National Health Stack. The J Satyanarayana Committee submitted the National Digital Health Blueprint 2019 in July 2019 and the same has now been approved by the standing finance committee of the government.

Speaking to Inc42, Dr Pallab Saha, chief architect, The Open Group, who has contributed in IndEA framework as well as in the NDHB, said, “The version of IndEA which was released and notified back in October 2018 actually talks about a holistic approach to e-governance solutions. Certain priority areas were identified such as agriculture and healthcare as part of the architecture to make the services more affordable, accessible.”

That’s how NDHB was conceptualised too. The National Health Stack can be considered as a precursor to the National Digital Health Blueprint 2019, said Dr Saha. The NHS seems to cover most of the technology infrastructure while the Indian enterprise architecture is a common platform to be utilised for digital health, digital agriculture or digital education platform and many other things that need to be captured.

“The 24 building blocks and one more, which will be added in order to meet the agritech demands, are very similar to Lego blocks which are reusable and the same set of blocks could be used to make different stuff. That’s the concept with NDHB and IndEA,” – Dr Pallab Saha

The Unanswered Questions: Data Privacy 

While work is going full-steam in creating the data and tech framework for healthcare, it seems that the government hasn’t fully learnt from the Aadhaar fiasco where over 49K Aadhaar centres were blacklisted for alleged digital theft, data leaks and innumerable other cases where Aadhaar data was allegedly hacked through various other government websites and portals. Just recently, Cyble, a third party intelligence platform has acquired 100 Gb of data belonging to Indian users including their Aadhaar cards from the dark web for just $4,800.

The personal health data is much more sensitive in nature. The National Digital Health Blueprint seeks to create a single repository of medical records of all citizens. Yet, once again as the NHS is just a few months away from being opened to the market, there is no adequate law to ensure data privacy. There is no stringent authority to regulate national digital health access and consent. The National Digital Health Mission, as proposed by the NDHB, is yet to see the light of the day. The proposed data privacy drafts, the Digital lnformation Security in Healthcare, Act (DISHA) and the Personal Data Protection Bill are still pending approval at various stages.

While DISHA is more likely to be dropped in its current format due to the hard-line approach towards data protection, the personal data protection bill once cleared by the joint parliamentary committee will be moved further, said a government official from the ministry of Electronics and Information Technology on the condition of anonymity.

In such a situation, is the National Health Stack also set to attract controversy as happened in Aadhaar?

As far as data privacy is concerned, the PDP Bill once enacted would bring more clarity over the matter. While there is already a level of conscientiousness and clarity, the government must resolve all such issues in time so that people should not have any doubts in their mind,” said Prashant Tandon, cofounder of 1MG, which expanded from online pharmacy to telemedicine during the lockdown. 1mg has also been a part of the NHS project, it has also contributed to the government’s Aarogya Setu contract tracing app and telemedicine portal Aarogya Setu Mitr.

In an ideal situation, it is always good to have everything in place because one starts building any system or any software, but in a pragmatic situation, that is never the case, said Dr Saha. The law always catches up with technology as the latter moves first and faster.

“Be it privacy or else, was there a law about mobile phones before it came into existence? The gaps between technology and policymaking would always be there and the law would eventually catch up. Unlike innovations, the making of law needs to take many factors into consideration and that takes time. If we really want to become a country which is knowledge-driven, which is innovation-driven, we cannot wait for the law before implementing technology,” Dr Saha added.

In such cases, the government should widen the concept of sandbox frameworks across the sectors which will while encouraging the development of emerging technologies, will also allow the lawmakers to study the same and prepare or amend the laws. In India, it will be, however, too much to ask, given the past track record.

Arguing that the NHS offers privacy by design, Shetty said, “Every data flow has to be consented to and that’s the foundational principle. The user has been put at the centre of the data flow and it’s them who choose what aspects of data they want to share for what purpose. The second key part is certification. The entities that are facilitating access to data will have to be certified first, as a part of the certification process. So, there will be a strong ecosystem of data governance certification in place, followed by the regular data audit, as prescribed by the Srikrishna Committee.”

In comparison to the west, the Indian startup ecosystem is very nascent. Ankit Chaudhari, CEO & founder, Aiisma, primarily a health data marketplace offering symptom mapping features, says that there’s not much awareness or sensitisation regarding the essentiality of data privacy in the Indian startup ecosystem.

“We have been talking about this [data privacy] mainly because of Facebooks, Amazons and Googles. The Indian startup ecosystem is not really talking about. This basically implies that either we’re not even worried about it or we don’t see an opportunity huge enough in this particular space,” Chaudhari said.

The Unanswered Questions: Regulatory Authority

The entire health stack architecture is heavily dependent upon consent managers. In the case of fintech space, consent managers or account aggregators are approved, licensed and regulated by the Reserve Bank of India. However, in the case of the NHS which is already live for testing, there is no clarity over which authority is going to approve, license and regulate these consent managers.

To this, iSPIRT’s Sharma responded,

“We are hopeful that the government will soon come up with a regulatory mechanism for the oversight of various processes under the healthtech spectrum. The development of healthtech will need multiple institutions to work in tandem without compromising the integrity of individual systems.”

The J Satyanarayana Committee in its blueprint has recommended the making of National Digital Health Mission as a new organisation and an apex governing body to supervise the entire implementation. The apex body, the committee said, would have the authority to make regulatory policies too. Unlike NPCI, the body structure would be similar to UIDAI, a fully government undertaking.

In June 2020, Preeti Sudan, health ministry secretary, stated that the work on the NDHM has already underway. “We have forwarded a proposal to the finance ministry. We are also working on the sanctioning of posts. This will be a population registry that will have a long-term positive impact on the healthcare ecosystem in India. We are working as per the vision of the finance minister to create a digital health ecosystem.”

Back in 2015 a concept note on the need of a National eHealth Authority was published. The concept note had then suggested, “It is also strongly recommended that NeHA be created at the earliest, as it will give a fillip to all the current and envisaged programs of the government in respect of IT in Health and accelerated adoption of EHR in an orderly manner. It will also help avoid problems arising out of uncoordinated induction of IT systems in hospitals and public health systems which will become inevitable with the passage of time in the absence of a suitable authority to guide and enforce orderly evolution.”

However, this was never finalised. And, the question is that will the NHS go live without any watchdog or authority monitoring the developments? To which, Shetty said that it would be the NHA that would be looking at functioning in the beginning. The authority has also been part of this development.

The Data Protection Authority too remains non-existent until the PDP bill gets enacted.

Vested Interests And Uneven Playing Field 

Right from Aadhaar project to UPI, many among those who were involved in the making have been accused of vested interests. For instance, UPI’s early adoption as part of the testing exercise was extended to numerous players including Phonepe and YES Bank but there was no mechanism to invite other players.

As a result, by the time other players like Citrus started building their UPI solutions, Phonepe and YES Bank were already ahead in the race. Thus, people associated with the project development were allegedly the direct beneficiaries of the project.

In National Health Stack too, it is being alleged by some of the healthtech startups that over a dozen companies and organisations are already working on the project and by the time the APIs get certified and are open for market adoption, these companies would already have market-ready products. Among the companies and organisations that are associated with the NHS project are 1mg, Practo, mfine, National Cancer Grid, LiveHealth, DRiefcase etc. A week before the launch, an alliance called Swasth Alliance of 100 private and non-profit companies including 1mg, Acko, Carefit, Dozee and so on was launched which is now working along with iSPIRT on building an Open Health Services Network.

While LiveHealth, a laboratory information management system (LIMS) provider has been working on the API bridges, DRiefcase has built the Health Locker facility, a platform similar to DigiLocker for longitudinal health records.

Is iSPIRT helping create an unequal opportunity in the market with Health Stack?

iSPIRT Cofounder Sharma claimed there have been multiple open houses hosted online where anyone could participate and build their own groups, consortium or even SROs. Till now, five open houses on NHS have been hosted online, where all aspects of how iSPIRT is involved in the National Health Stack development process have been discussed. Several academics, founders, media persons, students among others participate in these open houses. iSPIRT has also released de-facto standards for PHR  available for everyone and anyone to utilize. These standards are available online on iSPIRT’s website.

Can NHS Unleash New Opportunities Like India Stack Did For Fintech?

With India Stack, UPI changed the way payments used to happen in India. On a yearly basis, the card market in India fell by 10% in 2019, in comparison to 2018. Among the cards market too, RuPay held the lion’s share with 58% of market share among the new cards issued in 2019. In September 2019, UPI surpassed cards as the most preferred mode of payment and continues to do so.

With National Health Stack too, some of the building blocks are set to create a whole new market opportunity for tech startups.

According to DataLabs by Inc42+, the overall Indian healthcare market is expected to grow to $638 Bn by 2025, boosted by the increased adoption of digital technologies in healthcare. Preventive healthcare and medical tourism too are set to hit $169 Bn and $54 Bn respectively by 2025.

Once the National Health Stack is in place, it will unleash a slew of new market opportunities for tech startups such as consent managers, API bridges, gamifier players, marketplace, aggregators, for numerous related services, building interfaces, software solutions, apps for health information users and providers as well as patients.

Counting on the new markets with care intermediaries, the democratisation of biomarkers and so on, iSPIRT’s Shetty said the impact that it might create would hold India in good stead for the future and would even help immensely in fighting pandemics such as Covid-19. But it’s no easy task, as unlike banking and financial services, no Indian can afford to be underserved when it comes to healthcare. So achieving the balance of privacy, data security and potential of innovation is paramount for the National Health Stack. It cannot be achieved quickly or rushed in any manner.

“Health is something that affects everyone at every level, hence in terms of the market size, it is the entire population of India. That is the market size that we are trying to address,” – Dr Saha said.

The key feature of National Health Stack is that it is 100% citizen-centric.

iSPIRT’s Sharma added, “The aim and hope is that with the build of the recommended foundational blocks, the frictions in the current health ecosystem — trust and cost — will be addressed which will allow a complete redesign of the flow of people, money, and information, as well as a layered approach to providing comprehensive foundational health functions for all states and programmes in an inclusive and interoperable manner.”