Sanvya Health LogoSanvyaHealth
Regulation

ABDM Compliance Guide for Hospitals: NHA Sandbox & Interoperability

June 06, 202610 min readCompliance Specialist

Introduction: Understanding the National Health Stack

The digitalization of Indian healthcare is entering a transformative era driven by the National Health Stack, an ambitious digital infrastructure initiative launched by the Government of India. At the core of this transformation is the Ayushman Bharat Digital Mission (ABDM), managed by the National Health Authority (NHA). ABDM aims to bridge the existing gap amongst different stakeholders of the healthcare ecosystem through digital highways. Prior to ABDM, the Indian healthcare system operated in siloed pockets. A patient's medical history was locked within the physical paper folders of individual clinics or the localized databases of specific hospitals. When a patient transitioned from a primary care clinic to a tertiary hospital, their diagnostic reports, medication histories, and surgical records had to be printed, carried physically, or repeated entirely. This fragmentation not only leads to administrative delays and increased out-of-pocket expenditure for patients but also hampers clinical decision-making during emergencies.

To resolve this, the government introduced ABDM as an interoperable digital network. The goal is to establish state-of-the-art digital health systems, manage core digital health data, and build the infrastructure required for the seamless exchange of health records. For healthcare providers—ranging from single-doctor clinics to large multi-specialty corporate hospitals—ABDM compliance is no longer a futuristic option but a present-day operational necessity. In the near future, empanelment with government health schemes such as the Ayushman Bharat Pradhan Mantri Jan Arogya Yojana (AB-PMJAY), private insurance panels, and corporate healthcare networks will require hospitals to be fully integrated with the ABDM network. Understanding this ecosystem is the first step toward building a modern, compliant, and efficient healthcare facility that aligns with national standards.

ABDM compliance requires hospitals to implement certified software solutions, known as Health Locker or Health Information Provider (HIP) and Health Information User (HIU) applications. These systems connect to the national health registry, allowing doctors to view verified histories, issue digital prescriptions, and share diagnostic reports securely. In this comprehensive guide, we will break down the step-by-step process of achieving ABDM compliance. We will cover registering in the NHA Developer Sandbox, implementing the client credentials, integrating the Ayushman Bharat Health Account (ABHA) registration flows, structuring clinical data to meet international Fast Healthcare Interoperability Resources (FHIR) standards, and establishing secure consent management workflows under the Digital Personal Data Protection (DPDPA) Act of 2023.

What is Ayushman Bharat Digital Mission (ABDM)? Core Entities Defined

To integrate with the ABDM framework, hospital administrators and IT directors must familiarize themselves with the core entities and definitions that form the backbone of the National Health Stack. The first entity is the Ayushman Bharat Health Account (ABHA) ID. The ABHA ID is a unique 14-digit number that serves as the citizen's single identity across the entire digital healthcare ecosystem. It acts as a master identifier, linking all of a patient's health records, prescriptions, and lab reports across different clinics, hospitals, and diagnostic centers. The ABHA address, similar to a UPI ID for financial transactions (e.g., patientname@abdm), is a user-friendly alias that allows citizens to share their health data without revealing their full 14-digit ID, providing an extra layer of privacy.

The second set of entities includes Health Information Providers (HIP) and Health Information Users (HIU). A Health Information Provider (HIP) is any healthcare institution that generates medical data. This includes clinics, hospitals, diagnostic laboratories, and pharmacies. When a doctor writes a prescription or a lab technician uploads a pathology report, the hospital acts as an HIP. Conversely, a Health Information User (HIU) is an institution that requests access to a patient's health records to provide medical care. For instance, when a cardiologist at a tertiary hospital requests access to a patient's past diabetic prescriptions generated at a primary care clinic, the tertiary hospital acts as an HIU. A single Hospital Management System (HMS) typically functions as both an HIP and an HIU.

The third core component is the Consent Manager. Under ABDM, health records cannot be shared without the patient's explicit consent. The Consent Manager is a digital platform (often integrated into patient-facing Personal Health Record or PHR apps) that handles these requests. When a doctor (acting through an HIU) requests past records, the request goes to the patient's Consent Manager app. The patient receives a notification detailing who is requesting the data, what specific records are being requested, for what purpose (e.g., consultation, emergency), and for how long the access will last. The patient can approve, deny, or revoke this access at any time. Data exchange is encrypted end-to-end, meaning the Consent Manager facilitates the consent flow but cannot read the clinical data passing between the HIP and the HIU.

Step 1: NHA Sandbox Registration & Developer Access

The journey to ABDM integration begins in the Developer Sandbox maintained by the National Health Authority (NHA). The NHA Sandbox is a secure testing environment that allows software developers and hospital IT teams to test their integrations against the official ABDM APIs. To start, you must visit the official ABDM Sandbox portal and register your organization. You will need to provide details about your software product, the type of facility (hospital, clinic, lab), and contact information for your technical lead. Once the registration is approved, the NHA issues a set of Client Credentials, consisting of a Client ID and a Client Secret. These credentials are used to generate bearer tokens for authenticating all API requests made to the sandbox gateways.

The sandbox integration is divided into three progressive milestones, commonly referred to as M1, M2, and M3. Milestone 1 (M1) focuses on ABHA ID creation and capture. In this phase, your software must demonstrate the ability to register patients, verify their identities via Aadhaar OTP or mobile numbers, and generate ABHA cards. Milestone 2 (M2) covers the integration of the Health Professional Registry (HPR) and the Health Facility Registry (HFR). Your system must allow doctors and nurses to link their national license registrations to the system, and verify that the facility itself is registered under the HFR. Milestone 3 (M3) is the most complex phase, requiring the implementation of actual health document sharing. Here, your system must function as an HIP and HIU, successfully initiating consent requests, receiving approvals, and securely transferring encrypted clinical data.

During sandbox testing, developers must execute a series of test cases defined by the NHA. These cases simulate various clinical scenarios, such as emergency access requests, patient consent revocations, and data encryption handshakes. Each API call must be logged, and the payload structures must conform to the strict JSON schemas provided in the ABDM developer documentation. Once all test cases in a milestone are completed and verified, you must submit the integration logs to the NHA for evaluation. After the NHA technical team audits and approves your logs, they issue a Milestone Completion Certificate. Upon completing all three milestones, your software is eligible for the final security audit and production deployment, moving your Client Credentials from the test gateway to the live national production gateway.

Step 2: Creating and Verifying Ayushman Bharat Health Accounts (ABHA)

The first user-facing feature of an ABDM-compliant HMS is the ABHA ID Creation and Verification module at the hospital registration desk. When a patient arrives at the reception, the receptionist asks if they have an ABHA ID. If the patient already has an ABHA, the receptionist can retrieve their profile by entering their 14-digit ID or ABHA address. The system then initiates a verification request. The patient can verify their identity using one of three methods: Aadhaar OTP (sent to their Aadhaar-linked mobile number), Mobile OTP (sent to the mobile number registered in their ABHA profile), or Biometrics (using a fingerprint scanner connected to the reception computer). Upon successful verification, the patient's demographics—such as name, gender, age, photo, and address—are populated in the hospital's local database, reducing manual registration errors to zero.

If the patient does not have an ABHA ID, the receptionist can assist them in creating one in less than two minutes. The creation process is initiated through the NHA API endpoint `/v1/accounts/generateOtp`. The receptionist enters the patient's 12-digit Aadhaar number, which triggers a secure OTP request to the Unique Identification Authority of India (UIDAI) gateway. The patient receives the OTP on their registered phone and provides it to the receptionist. Once verified via `/v1/accounts/verifyOtp`, the system retrieves the authenticated demographics from the UIDAI database. The receptionist then prompts the patient to choose a preferred ABHA address (e.g., sunil.kumar@abdm). Finally, the system calls `/v1/accounts/createAccount` to generate the 14-digit ABHA ID and compiles a digital ABHA card that can be printed or shared via WhatsApp.

For pediatric patients or individuals without an active Aadhaar card, the ABDM framework supports alternative creation pathways. The system can generate an ABHA ID using a verified mobile number, or link child profiles under a parent's primary account (often called Child ABHA). In these flows, the parent's consent is captured digitally and logged in the system. The local HMS database must store the patient's ABHA ID, ABHA address, and the UIDAI-provided metadata in a secure, encrypted format. It is important to note that the raw Aadhaar number should never be stored in the hospital's database to comply with UIDAI security guidelines; only the reference token and the generated ABHA details are retained. This registration workflow is crucial for establishing the patient's digital record foundation.

Step 3: FHIR Interoperability & Medical Data Standards

The core technical challenge of ABDM compliance is data interoperability. To ensure that medical records can be interpreted by any certified software in the country, the NHA mandates the use of Fast Healthcare Interoperability Resources (FHIR) Release 4 (R4) standards. FHIR, developed by the HL7 organization, uses modern web technologies—specifically JSON and RESTful APIs—to represent clinical concepts. Under the ABDM guidelines, hospitals cannot share raw text files or custom database tables. Instead, all clinical records must be formatted as FHIR Document Bundles. A bundle is a structured container that groups related resources, such as patient demographics, practitioner details, organizations, encounters, and the specific clinical observations or treatments.

There are four primary FHIR document types utilized under the ABDM specifications. The first is the e-Prescription (OPD Prescription) bundle, which contains a `MedicationRequest` resource detailing the drug names, dosages, frequencies, and durations, along with practitioner details. The second is the Diagnostic Report bundle, containing `DiagnosticReport` and `Observation` resources that structure laboratory results, pathology findings, and radiology interpretations. The third is the Discharge Summary bundle, which is compiled upon IPD discharge and contains summaries of the hospital course, surgical procedures, active medications, and follow-up advice. The fourth is the Health Document/Immunization certificate, detailing vaccination records and preventive care details.

To structure these FHIR resources correctly, hospital software must implement standardized medical terminologies. For example, clinical diagnoses must be coded using ICD-10 (International Classification of Diseases, 10th Revision) codes. Laboratory tests and observations must use LOINC (Logical Observation Identifiers Names and Codes) identifiers. Medications and drug names must align with national registries or SNOMED-CT (Systematized Nomenclature of Medicine—Clinical Terms) coordinates. Implementing these terminologies requires the HMS to have built-in mappings. When a doctor selects 'Type 2 Diabetes Mellitus' from a dropdown, the system automatically tags it with the ICD-10 code 'E11.9' and maps it to the appropriate FHIR condition resource. This rigorous standardization ensures that the digital record can be consumed by other hospitals, pharmacies, and diagnostic tools seamlessly.

Step 4: Health Information Provider (HIP) & Health Information User (HIU) Nodes

To participate in the ABDM network, the hospital's HMS must act as an active node on the national health gateway. When acting as a Health Information Provider (HIP), the hospital is responsible for making clinical data discoverable and transferrable. The process begins with 'Care Context Linkage'. When a clinical record is generated (such as an OPD prescription), the HMS associates it with the patient's ABHA ID. The system then publishes this relationship to the national gateway via the `/v1/care-contexts/discover` API. This registry entry does not contain the actual medical record; it simply announces to the network that the hospital holds a record for patient ABHA 'X' under a specific care context ID (e.g., 'OPD-10293').

When another healthcare provider (acting as an HIU) wants to view this patient's records, they must initiate a request through the national gateway. The HIU calls the `/v1/consent/requests/init` API, passing the patient's ABHA ID, the requested data types (e.g., prescriptions, reports), the purpose of the request, and the access duration. The patient receives a notification on their Consent Manager app. Once the patient approves the request, the Consent Manager generates a digital signature package and pushes it to the gateway. The gateway then notifies the HIP hospital that consent has been granted. The HIP verifies the digital signature of the consent artifact to ensure its authenticity, checking that the requested data types match the approved criteria.

Once validated, the HIP encrypts the FHIR document bundles using Diffie-Hellman Key Exchange (specifically Curve25519) and the patient's temporary public key. This encryption ensures that the data is secured end-to-end; no intermediate server—including the NHA gateway—can decrypt the package. The HIP then posts the encrypted payload directly to the HIU's data push URL. The HIU, utilizing its private key, decrypts the payload and renders the FHIR document for the doctor. Under the Digital Personal Data Protection (DPDPA) Act of 2023, the local HMS must maintain comprehensive audit logs of these exchanges. Every data request, consent verification, and record transfer must be logged with timestamps, user IDs, and transaction references to prove regulatory compliance.

Operational and Strategic Benefits of ABDM Integration

While achieving ABDM compliance requires initial technical efforts, it offers substantial operational and strategic benefits for private hospitals in India. The most direct benefit is eligibility for government healthcare schemes and empanelments. The Ayushman Bharat PM-JAY scheme provides health cover of ₹5 Lakh per family per year to over 50 crore citizens. To treat PM-JAY beneficiaries and receive direct government payouts, hospitals must have ABDM-compliant software that can verify ABHA accounts, track care contexts, and submit digital claims packages. This opens up a massive patient demographic, driving high outpatient and inpatient volumes to compliant facilities.

Additionally, ABDM integration simplifies corporate insurance claims and cashless billing workflows. The National Health Claims Exchange (NHCX), built on top of the ABDM architecture, standardizes the communication between hospitals and insurance companies. By utilizing the same FHIR data structures and consent managers, hospitals can submit pre-authorization requests and discharge summaries directly to insurers. This eliminates manual claim portals, physical paper packages, and long phone calls, reducing cashless claim settlement periods from 30-45 days down to less than 72 hours. This optimization dramatically improves the hospital's cash flow and reduces administrative overhead.

Furthermore, participating in the national health registry enhances patient trust. Patients are increasingly tech-savvy and prefer facilities where they can access their medical histories digitally. With an ABDM-compliant system like Sanvya Health, patients can view their prescriptions and lab reports directly inside their personal health apps (such as ABHA or Aarogya Setu). This digital convenience increases patient retention and positions the hospital as a modern, forward-thinking institution. Finally, having access to structured historical data allows doctors to deliver safer, more personalized treatments, preventing drug-to-drug interactions and redundant diagnostics.

ABDM Compliance FAQ: Key Interoperability Questions

Q: Is it mandatory for all private clinics and hospitals in India to become ABDM compliant? - A: While the NHA is implementing the rollout in phases, ABDM compliance is rapidly becoming mandatory for empanelment with government schemes (PM-JAY), state-run health programs, and corporate insurance panels. Many states are also linking clinic registrations to ABDM readiness.

Q: What is the role of the National Health Claims Exchange (NHCX) in ABDM? - A: NHCX is a single gateway built on top of the ABDM protocol that coordinates claim processing between hospitals and insurers. It standardizes pre-authorizations and final bill submissions using FHIR resources, speeding up cashless claim cycles and reducing claim rejections.

Q: How does Sanvya Health assist in achieving ABDM certification? - A: Sanvya Health comes with pre-integrated ABDM Milestone 1, 2, and 3 capabilities out of the box. We handle the integration configurations, security audits, and NHA sandbox validation, allowing your hospital to go live on the national health registry in less than 15 days without requiring in-house software developers.

Q: Are electronic signatures required for doctors writing prescriptions under ABDM? - A: Yes. Under the Information Technology Act and NHA guidelines, doctors must sign their e-prescriptions digitally. Sanvya Health integrates digital signature captures and e-sign workflows directly into the doctor's EMR console, ensuring legal compliance for every prescription issued.

SaaS Solutions

Stop revenue leakage and manual administrative chaos

Sanvya Health provides ABDM-compliant, WhatsApp-native tools to optimize your clinical scheduling, lab LIS data sync, and cashier billing counters.

Explore Related Topics

Deepen Your Knowledge

Navigate our comprehensive guides and features to build a complete picture of modern hospital management.

Broader Topics

Related Solutions

Book Demo on WhatsApp