wordpress blog stats
Connect with us

Hi, what are you looking for?

iSpirt demos a key part of Health Stack — the health data consent manager. Some questions.

Indian technology lobby group iSpirt is running a pilot with the National Cancer Grid that lets patients share their health data just as easily as one can make UPI payments. Called a consent manager, the tool is modelled after UPI – which iSpirt evangelised – and is one of the parts of the Health Stack. iSpirt revealed the pilot in a webinar held on May 23; frontman Sharad Sharma, and ‘volunteers’ Kiran Anandampillai and Siddharth Shetty presented the webinar and demo’d the product.

Instrumental to the project is Swasth Alliance, a telemedicine group led by Curefit founder Mukesh Bansal, Shashank ND (Practo), and Prashant Tandon (1mg). Health-tech companies mFine, PharmEasy, the Bill & Melinda Gates Foundation, and iSpirt are among its supporters/partners.

  • Swasth Alliance is piggy-backing on the popularity of Aarogya Setu, which now has 115 million users. Formed weeks after telemedicine was legalised, it is among the five telemedicine providers listed on the Aarogya Setu app. The alliance is “built on the Bharat Health Stack for interoperability and scalability”.
  • The alliance has Amitabh Kant (CEO, NITI Aayog), Indu Bhushan (CEO, Ayushman Bharat and National Health Authority), and Nandan Nilekani (former Infosys, former UIDAI) on its advisory council. NITI Aayog’s Arnab Kumar, who spearheaded Aarogya Setu’s development from the government, had said that the app could be an “initial building block for India Health Stack”, and “everything else apart from COVID-19 which could be linked to telemedicine, tele-consultation” could be part of the app.
  • 1mg’s Tandon himself was among the people who built Aarogya Setu, and at least three 1mg employees were technology contributors.

In fact, apart from NCG convenor Dr Pramesh CS, Shashank ND and Abhinav Lal (Practo), Ajit Narayanan (mFine), Shamik Sharma (Curefit), Gaurav Agarwal (1mg), have actively participated and given feedback in the past few weeks on the Health Stack design, Anandampillai said on the webinar. Anandampillai himself has been a technology advisor at the National Health Authority since July 2018.

“We want to emphasise that a lot of discussion around this [the Health Stack] is around teleconsultation, which is going mainstream due to COVID. The government has also formulated guidelines and our expectation is that it will become big,” Sharad Sharma said on the webinar. Both telemedicine and Aarogya Setu are part of the Health Stack, he said. “Aarogya Setu, for instance, is a public sector consumer app,” Sharma added.

Lalithesh Katragadda, one of the architects of Aarogya Setu, is a ‘core volunteer’ at iSpirt, Sharma said on the webinar. Katragadda, who worked at Google India for over a decade, helped build both IndiaStack and Nilekani-backed Avanti Finance. iSpirt has been instrumental, but largely behind-the-scenes, in the development and deployment of Aadhaar, UPI, Digilocker, eSign, and Account Aggregator. “iSpirt’s mantra or focus is to bring market innovation in place for India 2 and 3, and for that we need public infrastructure,” Sharma said on the webinar. By India 2 and 3, he was referring to the 200th and 300th families. “So far, our startups ecosystem has focused only on the 30 million families,” he said.

“Our startups have to do everything – they have nothing to rely on. Uber would not exist if there was no public infrastructure of GPS. Gmail exists because SMTP existed. Public infrastructure has always come first, and private innovation comes on top of that,” Sharma added.

Advertisement. Scroll to continue reading.

How the health data consent manager will work

The Health Stack will have multiple components, the consent manager will enable data flows between patients, hospitals, doctors, and anybody else who wants to use the health information, such as insurance companies. The consent manager was made possible “because the NCG decided a year ago” that its important to have a full longitudinal health record, because many cancer patients do visit multiple hospitals and wanted data portability, Anadampillai said.

“In UPI, we only unbundled the permission-out from the bank account and placed it into third-party innovators which is what PhonePe, Google Pay, etc do. They are essentially permission collectors, which do it [collect permissions] on your behalf,” Shetty said.

We want to generalize this and apply this to all data,” Shetty said. The Personal Health Records component of Health Stack, which includes the consent manager, “is part of DEPA and has been underway since four years”, Shetty said on the webinar. “It’s important that Indians have control over their data, instead they should be empowered with their data to access better financial and health services,” Shetty said. iSpirt’s Data Empowerment and Protection Architecture (DEPA) is based on the MEITY’s Consent Artefact.

iSpirt’s demo of the consent manager

The health data consent manager is a set of open APIs; iSpirt claims that any third-party can plug into the network and build their own products on top of it. It will let users link health records — lying in different hospitals, clinics, and labs — to one ID. Doctors or other users can send the patient requests for their data, using a unique identifier — much like collect requests in the UPI system, using a VPA. The patient can grant, deny, and edit these requests.

A users goes to different healthcare provider, where they have used service, using different identifier, such as a PMJAY ID, a mobile number, and say Aadhaar. “We have defined a protocol” in which a user registers with a health locker of their choice (there will be multiple), because their data is already out there linked to different IDS. The health locker can be used to aggregate all their information without the need for a unique identifier. This will create a longitudinal view of their health record.

In the video, Siddarth Shetty describes how the manager will work. Here is a step-by-step account of it:

Advertisement. Scroll to continue reading.
  1. The user self-registers with a health data consent manager, via mobile number and OTP
  2. The user creates an account, using username and password, with the consent manager. In this demo, the account is being hosted by the National Cancer Grid. The user creates a consent manager ID (hinapatel12@ncg) much like a UPI ID, which they can give to any hospital, lab, doctor, insurance provider, or any other user of health information.
  3. After registering, the user has to link their health information with the manager. In the demo, she in linking her health information with Max Healthcare Bangalore to her consent manager, The health data does not move from Max Healthcare to her consent manager, but “a long-term session has been created between the two”. “It means that when she has to share it later on, she does not have to authenticate each provider all over again,” Shetty explained. To establish this linkage, Max Hospital needs to verify the user, which it does via OTP.
  4. Now, for a doctor to access to the user’s health information, they have to raise a consent request by inputting: the patient Identifier (health data consent manager ID), Purpose of Request (such as remote consultation), Time period for which they want access, Request Type (condition, observation, diagnostic report, and medication request), Consent Expiry, etc. After all this, the doctor has raised a consent request to the user’s health information provider, which in this case, is the National Cancer Grid.
  5. The user receives the doctor’s request on her consent manager, along with all its outlines, such as type of information, period, expiry – all of which she can modify. The user can finally grant their consent using a 4-digit consent PIN. The consent manager now generates the consent artefact, and sends it to the NCG, who will now return data directly to the doctor. “The data does not even flow through the consent manager, but just flows from the HIP to the HIU,” Shetty said.
  6. The doctor receives the patient’s health information in “near real-time”, and can proceed with their diagnosis

The concerns that still remain

Indu Bhushan, CEO of Ayushman Bharat and National Health Authority, told The Ken that iSpirt is acting as an advisor and design architect, but vendors will be invited to build the infrastructure. He also said that the ownership and strategic management would be with the government.

However, while iSpirt is claiming to only be building the public infrastructure for digital health in India, there are indications that it has a significant part to play in its roadmap and rollout.

A case in point is that iSpirt released the source code for the consent manager on May 23. Apart from developing the code, iSpirt has also, on its call, laid down dates for when the test environment for the Personal Health Records will go live (June 30), and said that certifications will begin on July 27. It’s unclear at this stage what these certifications would imply, who will be granting them, and based on what criteria. In another instance, when asked about whether blockchain will be used in the consent manager, Sharma categorically stated that he did not see it being a part of the system within the next 2-3 years, since it is not scalable at the moment.

If iSpirt is the “advisor and design architect” for Health Stack, there is no information on the nature of the relationship and how it emerged. Is this an formal or informal partnership? If it is formal, how was iSpirt chosen? Is there a tender that invited bids for people to develop the design architecture for the project? In simpler words, did other organisations also have an opportunity to become the “design architect” for the project?

Is the relationship informal? If so, what is iSpirt’s exact role, as defined by the government? Will it be involved in any measure/activity apart from design architecture? What aspects of the project will it advise on? How will this be possible (or fair) with their membership in the Swasth Alliance? Will the Swasth Alliance get beneficial/preferential/early access to information and/or opportunities? To what extent will iSpirt have a role in kickstarting the project? Will it have any role, advisory or otherwise, in certifying companies to start commercial operations around Health Stack? How will that play out, given that venture capital firms such as Sequoia Capital, Kalaari Capital, and Accel are part of the Swasth Alliance?

These are some of the questions that need to be answered.


Advertisement. Scroll to continue reading.

iSpirt will be holding webinars for the next couple of Saturdays on the Health Stack, you can register to attend the next one, on June 6, here.

Written By

I cover health, policy issues such as intermediary liability, data governance, internet shutdowns, and more. Hit me up for tips.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ