Why Consent is Central to ABDM
India's ABDM is built on a fundamental principle: patients own their health data. No health record can be shared without the patient's explicit, informed consent. This consent-first architecture is what makes ABDM both powerful and trustworthy.
For healthcare providers and health-tech platforms, understanding ABDM's consent framework is essential — not just for compliance, but for building systems that patients will actually trust and use.
What is a Consent Artefact?
In ABDM, a consent artefact is a digitally signed, tamper-evident document (any change to its contents invalidates the signature) that records:
- Who is requesting access (HIU — the Health Information User)
- What records are being requested (record types, date range)
- For what purpose (care, research, insurance)
- For how long (expiry date of consent)
- Patient's digital signature confirming approval
When a patient approves a consent request in their ABHA app, the system generates a consent artefact. This artefact is the key that unlocks the requested health records from the relevant HIPs (Health Information Providers).
The Consent Flow in ABDM
- HIU sends consent request — A hospital or insurance company sends a consent request specifying what records they need and why
- Patient receives notification — The patient gets a notification in their ABHA app (or linked PHR app)
- Patient reviews request — The patient can see exactly what is being requested, by whom, and for how long
- Patient approves or denies — One tap to approve or deny. Partial consent (approving some record types but not others) is also supported
- Consent artefact generated — On approval, a signed consent artefact is created and sent to the HIU
- Records fetched — The HIU uses the consent artefact to request records from relevant HIPs
- Records delivered encrypted — Records are encrypted with the consent artefact keys and delivered to the HIU
What Can Patients Control?
ABDM's consent management gives patients granular control:
- Grant access — Allow a specific entity to access specific record types
- Set expiry — Consent can be time-limited (e.g., valid for 30 days only)
- Revoke consent — Patients can revoke any consent at any time; further access is immediately blocked
- View consent history — Patients can see a full audit trail of who accessed their data and when
- Control per record type — A patient can allow a doctor to see prescriptions but not lab reports
Types of Consent in ABDM
- One-time consent: Access granted for a single data fetch — expires immediately after use
- Recurring consent: Access granted for a period — valid for ongoing care relationships (e.g., a chronic care doctor accessing records over 6 months)
- Emergency consent: In emergency situations, limited access without prior consent may be permitted under specific NHA guidelines
How Healthcare Platforms Must Implement Consent
For platforms building ABDM integration, consent handling is one of the most complex parts. Key implementation requirements:
- Register as a consent manager or integrate with NHA's consent manager
- Implement callback webhooks to receive consent approval/denial notifications
- Store consent artefacts securely and use them for data requests
- Handle consent expiry and revocation in real time
- Build UI for clinical staff to initiate consent requests and view status
- Implement retry logic for failed consent requests
- Log all consent events for audit trails
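One way an HIU-side service could enforce the expiry, revocation, per-record-type and audit requirements listed above before each data request. This is an added example, not code from ABDM, NHA or the original article; the `ConsentGate` class, the artefact field names and the HMAC that stands in for signature verification are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Assumption: an HMAC under a demo key stands in for verifying the artefact's
# digital signature. All field names below are hypothetical.
DEMO_KEY = b"constructed-demo-key"

def sign(artefact):
    body = json.dumps(artefact, sort_keys=True).encode()
    return hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()

# Constructed sample artefact: prescriptions only, one fetch, fixed expiry.
SAMPLE = {"id": "c-1", "hiu": "hiu-demo", "record_types": ["Prescription"],
          "date_from": "2024-01-01", "date_to": "2024-06-30",
          "expires_at": "2024-07-01T00:00:00+00:00", "one_time": True}

class ConsentGate:
    """HIU-side check run before every data request."""
    def __init__(self):
        self.artefacts, self.revoked, self.used, self.audit = {}, set(), set(), []

    def on_granted(self, artefact, signature):
        # Store the artefact only if its content still matches the signature.
        ok = hmac.compare_digest(sign(artefact), signature)
        if ok:
            self.artefacts[artefact["id"]] = artefact
        self.audit.append(("GRANTED" if ok else "REJECTED", artefact.get("id"), ""))
        return ok

    def on_revoked(self, consent_id):
        self.revoked.add(consent_id)
        self.audit.append(("REVOKED", consent_id, ""))

    def authorize(self, consent_id, hiu, record_type, record_date, now):
        a = self.artefacts.get(consent_id)
        checks = [(True, "unknown consent")] if a is None else [
            (consent_id in self.revoked, "revoked"),
            (now >= datetime.fromisoformat(a["expires_at"]), "expired"),
            (consent_id in self.used, "one-time consent already used"),
            (hiu != a["hiu"], "wrong requester"),
            (record_type not in a["record_types"], "record type not consented"),
            (not a["date_from"] <= record_date <= a["date_to"], "outside date range"),
        ]
        reason = next((r for bad, r in checks if bad), "")
        if not reason and a["one_time"]:
            self.used.add(consent_id)
        self.audit.append(("DENY" if reason else "ALLOW", consent_id, reason))
        return not reason
```

Every decision, including denials, lands in `audit`, so the log shows why a fetch was refused as well as who was allowed. `authorize` expects a timezone-aware `now` and ISO-format date strings.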
Conclusion
ABDM's consent management framework puts patients firmly in control of their health data — a critical feature for building trust in India's digital health ecosystem. For healthcare platforms, getting consent handling right is non-negotiable. Medi4u builds robust, production-grade consent management modules as part of our ABDM integration services. Contact us to learn more.