India’s rapid digital health rollout under the Ayushman Bharat Digital Mission has created one of the world’s largest federated health data ecosystems, with over 420 million ABHA-linked records as of early 2026. Consent remains the primary legal safeguard: patients must explicitly agree before their data is shared across providers, researchers, or apps. Yet a growing number of studies and expert commentaries are highlighting a fundamental tension consent is not the same as ownership, and most patients do not realise this distinction.

Research published in late 2025 and early 2026 consistently shows that 70–80% of surveyed patients are comfortable sharing health data when it directly improves their care (e.g., sharing records with a specialist or during hospitalisation). However, willingness drops sharply often to 25–35% when questions shift to secondary uses: sharing with pharmaceutical companies for research, insurers for risk profiling, or government for population analytics. Patients frequently assume that giving consent for treatment also means they retain full control over their data forever. In reality, once consent is granted, data can be retained, de-identified, or repurposed under certain conditions, with limited ongoing patient influence.

The DPDP Act provides important rights access, correction, erasure, and withdrawal of consent but enforcement mechanisms are still evolving, and most patients lack practical tools to exercise these rights. There is no standardised “data vault” or portable ownership model that lets individuals easily track, revoke, or benefit from secondary use of their health information. Experts argue this creates a power imbalance: patients consent to immediate care needs but unknowingly surrender long-term control to institutions, tech companies, or researchers.

The gap is particularly concerning in India, where digital literacy varies widely, rural populations rely on intermediaries (ASHA workers, family members), and trust in institutions is uneven. Vulnerable groups low-income families, elderly patients, and those with limited education are least likely to understand fine print or revoke consent effectively, risking exploitation or discrimination (e.g., higher insurance premiums based on genetic data).

Industry voices acknowledge the issue. Some healthtech platforms have started offering clearer consent dashboards and “data control centres” in apps, but adoption remains patchy. Regulators are under pressure to issue detailed rules on consent withdrawal, data portability, and compensation for secondary use. Meanwhile, patient advocacy groups are calling for mandatory “data ownership literacy” campaigns and stronger independent oversight of health data marketplaces.

The DPDP Act and ABDM have laid a strong legal and technical foundation for secure health data sharing. But as the volume of digital records grows, the consent-vs-ownership gap threatens to erode public trust unless addressed through better education, user-friendly control tools, and clearer rules around long-term data stewardship.