DEV Community

Manu Shukla
Manu Shukla

Posted on • Originally published at ecorpit.com

Healthcare app development in India: 4 ABDM milestones, 100 crore records

Healthcare app development in India: 4 ABDM milestones, 100 crore records

Summary. On 22 May 2026 the National Health Authority announced that over 100 crore health records are now linked to Ayushman Bharat Health Accounts, doubled from 50 crore in February 2025 in just 15 months. More than 450 public and private health technology solutions have integrated with the Ayushman Bharat Digital Mission. Uttar Pradesh alone accounts for over 15.03 crore linked records, Andhra Pradesh 11.95 crore. Roughly 10 crore records are now linked every two to three months. That changes what "healthcare app" means commercially in India: ABDM certification across milestones M1 to M4 is the entry ticket to the network, not a feature you add in year two. The technical bar is HL7 FHIR R4 with India-specific profiles, consent artefacts, encrypted record transfer, and a CERT-In or STQC empanelled security audit before the NHA grants production access. The compliance bar is the DPDP Act, where failure to maintain reasonable security safeguards carries a penalty of up to ₹250 crore. Vendor estimates put a lean healthcare MVP at ₹20 lakh to ₹50 lakh, with Indian engineering at ₹1,500 to ₹3,000 per hour. Here is what actually drives that number.

Why ABDM stopped being optional

Dr. Sunil Kumar Barnwal, CEO of the National Health Authority, framed the milestone in citizen terms:

"The linking of over 100 crore health records with ABHA is an important milestone in the journey of Ayushman Bharat Digital Mission. It reflects the increasing adoption of digital health services across Government programmes, States, health facilities and private technology partners."

The commercial reading is different from the policy reading. A network with 100 crore records and 450 integrated solutions has crossed the point where sitting outside it is a product decision with a cost. If a patient's prescriptions, lab reports and discharge summaries live in ABHA-linked records at every other facility they visit, an app that cannot read or write to that network is asking them to maintain a parallel medical history by hand.

The growth curve is the part worth planning against. ABDM went from fewer than 1,000 linked records in its initial phase to over 100 crore, doubling in the last 15 months. State-level distribution as of 22 May 2026:

State ABHA-linked health records Note
Uttar Pradesh Over 15.03 crore Leading contributor; eKavach platform
Andhra Pradesh Over 11.95 crore State health programmes
Bihar Over 7.37 crore Substantial progress recorded
Rajasthan Over 6.32 crore iHMS platform
Gujarat Over 4.77 crore TeCHO platform

If your addressable market is UP, Andhra Pradesh or Bihar, the network effect has already arrived. Building a non-ABDM app for those states in 2026 is building for a market that has moved.

The six building blocks you are integrating with

ABDM is not one API. It is digital public infrastructure with distinct components, and most scoping errors come from treating them as interchangeable.

Building block What it does When your app needs it
ABHA Unique digital health identity for citizens Any app that identifies a patient
HPR (Healthcare Professionals Registry) Registry of verified practitioners Apps with clinician accounts or e-prescribing
HFR (Health Facility Registry) Registry of health facilities Multi-facility or network apps
HIE-CM (Health Information Exchange and Consent Manager) Consent-based record exchange Any app reading or writing records
UHI (Unified Health Interface) Open network for health services Discovery and booking use cases
NHCX (National Health Claims Exchange) Digital insurance claims Payer integration and claims

The consent manager is the one teams underestimate. ABDM's model is consent-based exchange by design, which means consent artefacts are not a checkbox in your UI. They are objects with lifecycles that your data layer has to honour.

The four milestones, and which one is hard

NHA certification runs through progressive milestones. They are not difficulty tiers of the same work; they are different systems.

Milestone Role your system takes Core capability Relative difficulty
M1 Identity provider ABHA creation, OTP or QR verification, patient discovery and linking Foundational
M2 Health Information Provider (HIP) Create care contexts, respond to discovery, handle consent artefacts, transfer encrypted FHIR records Hardest
M3 Health Information User (HIU) Request consent, aggregate records across facilities, present clinical data Moderate
M4 Claims participant Digital insurance claims via NHCX Payer-dependent

M1 flatters everyone. Creating an ABHA number and verifying a patient by OTP is a week of work, and it produces a demo that looks like ABDM compliance. It is not.

M2 is where budgets die. To act as a Health Information Provider you build a full FHIR R4 record-sharing system: care contexts created after each consultation, discovery requests answered from the Consent Manager, consent artefacts validated and honoured, records serialised and encrypted, and every access logged. Each of those is a distinct subsystem with its own failure modes.

Our experience of these builds is blunt: teams that scope M1 and M2 as one line item are usually off by a factor of three on M2 alone.

What FHIR R4 actually demands

ABDM uses HL7 FHIR R4 with India-specific profiles. Every ABDM-compliant facility must serialise clinical documents as FHIR resources so that any other compliant system can parse them. The resources you will implement, at minimum:

Patient              // demographics, ABHA linkage
Practitioner         // HPR-verified clinician
Organization         // HFR-registered facility
Encounter            // the visit
Observation          // vitals, lab results
Condition            // diagnoses
MedicationRequest    // prescriptions
DiagnosticReport     // lab and imaging reports
DocumentReference    // discharge summaries, scanned docs
AllergyIntolerance   // allergies
Procedure            // procedures performed
Enter fullscreen mode Exit fullscreen mode

The trap here is not the resource list. It is that most Indian hospital systems store clinical data as free text or PDFs, and FHIR wants structure. A discharge summary that exists as a scanned image satisfies nobody: it can be wrapped in a DocumentReference, but the Condition and MedicationRequest resources inside it stay invisible to the network. Retrofitting structure onto years of unstructured records is the single largest hidden cost in ABDM projects, and it is a data problem, not an API problem.

The real cost is usually the migration, not the integration.

Certification is a security audit with an API attached

Before the NHA grants production access, your web application needs a security audit from a CERT-In or STQC empanelled agency. Certification agencies then review your M1, M2 and M3 workflows against NHA's official test case templates, covering ABHA creation, verification, discovery, consent handling and data transfer.

Two scheduling consequences follow, and they are why ABDM projects slip.

First, the audit is a dependency you do not control. Empanelled agencies have queues, and a failed audit means a remediation cycle plus a re-audit, not a same-week fix.

Second, sandbox success does not predict production success. The sandbox validates your workflows. The audit validates your security posture. Teams routinely pass one and fail the other, because they were built by different people to different standards.

Budget the audit at project start, not at the end. It is the item most likely to be discovered late and cost a quarter.

Where the money actually goes

Published Indian cost estimates vary widely enough that any single number should be treated with suspicion. Vendor guides put a lean healthcare MVP at roughly ₹20 lakh to ₹50 lakh, a telemedicine or patient portal platform at ₹1.25 crore to ₹2.5 crore, and a full custom EHR or hospital management system at ₹1.65 crore to ₹4.15 crore. Other India-focused guides quote materially lower domestic ranges for equivalent scope. Indian engineering rates cluster more consistently at ₹1,500 to ₹3,000 per hour.

The spread tells you something useful: these figures price feature lists, and feature lists are not what drives healthcare app cost. The drivers are:

Cost driver Why it dominates Typical underestimate
Unstructured data migration FHIR needs structure; legacy records are PDFs and free text Largest single overrun
M2 HIP subsystems Consent, encryption, audit, care contexts are four systems Scoped as one
CERT-In / STQC audit cycle External queue plus remediation and re-audit Scoped at zero
DPDP alignment Consent architecture touches every data path Retrofitted, not designed
Clinical workflow fidelity An app clinicians route around has failed regardless of certification Treated as UI polish

Compliance and data architecture are the major cost drivers in Indian healthcare builds, and retrofitting compliance later adds substantial cost. That is the one point on which the vendor guides agree with our own experience.

The consent artefact is a lifecycle, not a checkbox

Worth its own section, because it is where most M2 implementations go wrong.

In ABDM's model, a patient grants consent through the Health Information Exchange and Consent Manager, and your system receives a consent artefact. Teams tend to read that artefact once, decide the request is authorised, and serve the data. That is the bug.

A consent artefact carries scope and time boundaries. It names which care contexts are covered, what data types are permitted, and for how long. It can be revoked. It expires. Your data layer has to check it at the moment of access rather than at the moment of receipt, which means consent state has to be queryable from wherever records are served, not cached in the session that first saw it.

The discovery step has a matching subtlety. When a Consent Manager sends a discovery request, your system answers whether it holds records for that patient. Answer too loosely and you leak the existence of a care relationship to a request that was never authorised. Patient discovery is an information disclosure surface, and it deserves the same care as the record transfer itself.

None of this is exotic engineering. It is the sort of thing that gets built correctly when someone scopes it as a subsystem and gets built wrong when it appears as a ticket titled "handle consent".

Adoption is the metric that ABDM certification does not measure

A certified app that clinicians route around has consumed a budget and produced a compliance artefact.

The pattern to watch for: an outpatient department where the doctor writes on paper during the consultation and a data-entry operator keys it into the system afterwards. The facility is ABDM-compliant. The records reaching the network are a transcription of a transcription, entered by someone who was not in the room, hours later. The structure is real and the clinical fidelity is not.

This is why we put clinical workflow design alongside the milestone work rather than after it. FHIR resources are only as good as the moment of capture. If your Observation resources are typed in at 6pm from a paper chit, ABDM will accept them and no clinician will trust them.

India-specific considerations: DPDP runs on a separate clock

ABDM certification does not discharge your DPDP obligations. They are different regimes with different deadlines.

Under the Digital Personal Data Protection Act 2023, failure to maintain reasonable security safeguards attracts a penalty of up to ₹250 crore, and breach notification failures up to ₹200 crore. The Data Protection Board of India was established and the penalty framework became active in November 2025. The Consent Manager Framework becomes operational on 13 November 2026, and full compliance for data fiduciaries lands on 13 May 2027.

Health data is the highest-stakes category in that regime, and the timing is awkward in a specific way: teams building ABDM consent flows through 2026 are building consent architecture twice if they do not design for both regimes at once. ABDM's HIE-CM consent artefact and DPDP's Consent Manager obligations are related but not identical, and the sensible engineering call is one consent layer that satisfies both rather than two that argue.

We design applications aligned with DPDP Act and ABDM requirements. We do not claim to certify you; the CERT-In or STQC audit and the NHA review are independent gates, and any vendor promising to guarantee that outcome is telling you something untrue.

For the broader picture see our guides to DPDP compliance costs for Indian startups, healthcare AI deployment mistakes in Indian hospitals, and clinical AI under CDSCO and DPDP.

What eCorpIT builds

eCorpIT is a Gurugram technology consultancy founded in 2021, CMMI Level 5 assessed and MSME certified. Our healthcare engagements are structured around the milestones rather than around screens.

Data readiness first. Before any ABDM work, we assess how much of your clinical data is structured and how much is PDFs and free text. This determines your real timeline more than any other factor, and it is the assessment most vendors skip because the answer is usually unwelcome.

M1 to M3 implementation. ABHA identity and linking, then the HIP subsystems (care contexts, discovery, consent artefacts, encrypted FHIR transfer, audit logging) as separately scoped work, then HIU aggregation.

Audit preparation. Security posture built for the CERT-In or STQC review from the first sprint, not remediated after a failure.

Consent architecture that serves both regimes. One consent layer designed against ABDM's HIE-CM model and the DPDP Consent Manager timeline, ahead of the 13 November 2026 date.

Clinical workflow design. Apps that clinicians use rather than route around. Certification with no adoption is an expensive compliance artefact.

Who should not build this yet

If you run a single clinic with fewer than 20 daily consultations and paper records, ABDM certification is not your first problem. Structure your data first; the network will still be there.

If your product does not read or write clinical records, you may need M1 and nothing else. Do not let a vendor sell you M2.

If you want a fixed-price quote before anyone has looked at your data structure, no honest answer exists. The migration is the project.

FAQ

How many health records are linked to ABHA?

Over 100 crore as of 22 May 2026, per the National Health Authority. The figure doubled from 50 crore in February 2025 in 15 months, and roughly 10 crore new records are now linked every two to three months. More than 450 public and private health technology solutions have integrated with the ABDM ecosystem.

What are the ABDM M1, M2, M3 and M4 milestones?

M1 makes your system an identity provider handling ABHA creation, verification and patient discovery. M2 makes it a Health Information Provider sharing FHIR records on patient consent. M3 makes it a Health Information User fetching records from other providers. M4 enables digital insurance claims through the National Health Claims Exchange.

Which ABDM milestone is hardest to build?

M2. Acting as a Health Information Provider means building a full FHIR R4 record-sharing system with care contexts, discovery responses, consent artefact handling, encryption and audit logging. Each is a distinct subsystem. Teams that scope M1 and M2 together typically underestimate M2 substantially, because M1 demos deceptively well.

What FHIR version does ABDM use?

HL7 FHIR R4 with India-specific profiles. Core resources include Patient, Practitioner, Organization, Encounter, Observation, Condition, MedicationRequest, DiagnosticReport, DocumentReference, AllergyIntolerance and Procedure. Every compliant facility must serialise discharge summaries, prescriptions and lab reports as FHIR resources so other compliant systems can parse them.

Do I need a security audit for ABDM production access?

Yes. A web application security audit by a CERT-In or STQC empanelled agency is required before the NHA grants production access. Certification agencies separately test your M1, M2 and M3 workflows against NHA's official test case templates. Sandbox success does not predict audit success, so budget both from project start.

What does a healthcare app cost to build in India?

Vendor estimates vary widely and should be treated cautiously. Published guides put a lean MVP at ₹20 lakh to ₹50 lakh and a full custom EHR or hospital management system at ₹1.65 crore to ₹4.15 crore. Indian engineering rates are more consistent at ₹1,500 to ₹3,000 per hour.

Does ABDM certification cover my DPDP obligations?

No. They are separate regimes. Under the DPDP Act 2023, failure to maintain reasonable security safeguards carries a penalty of up to ₹250 crore and breach notification failures up to ₹200 crore. The Consent Manager Framework becomes operational on 13 November 2026, with full compliance for data fiduciaries on 13 May 2027.

What is the biggest hidden cost in an ABDM project?

Unstructured data. FHIR requires structured resources, and most Indian hospital systems hold clinical data as free text or scanned PDFs. A scanned discharge summary can be wrapped in a DocumentReference, but the diagnoses and prescriptions inside stay invisible to the network. Retrofitting structure onto legacy records typically dominates the budget.

How eCorpIT can help

eCorpIT builds clinical and patient applications for Indian hospital groups and healthtech founders, scoped around the ABDM milestones and the state of your existing clinical data rather than around a feature list. Our senior engineering teams handle ABHA identity, HIP and HIU implementation on FHIR R4, and consent architecture designed against both ABDM's HIE-CM model and the DPDP Consent Manager timeline. We design applications aligned with DPDP Act and ABDM requirements, and we will tell you honestly if data structuring should come before certification. Talk to us about a data readiness assessment before you commit to a milestone plan.

References

  1. 100 Crore Health Records Linked with ABHA under ABDM — Press Information Bureau, Ministry of Health and Family Welfare, 22 May 2026.
  2. Health Data Management Policy — Ayushman Bharat Digital Mission, National Health Authority.
  3. Health Data Management Policy of Ayushman Bharat Digital Mission — National Portal of India.
  4. ABDM M1/M2/M3 Certification Guide India 2026: NHA Sandbox to Production — Codingclave.
  5. ABDM Integration Milestones M1 M2 M3 M4 — Nirmitee.
  6. ABDM Certification Process Explained: Sandbox to Production — Nirmitee.
  7. ABDM FHIR Integration Guide 2026 — Adrine.
  8. Building an ABDM HIP from Scratch: M2 Flow Reference Architecture — Nirmitee.
  9. ABDM Sandbox Integration and Exit process — CoronaSafe Network ABDM documentation.
  10. Milestone One (M1): ABHA and Identity Layer — AMRIT, Piramal Swasthya.
  11. The Ayushman Bharat Digital Mission (ABDM) — PubMed Central, National Institutes of Health.
  12. Healthcare App Development Cost: 2026 Guide — Aalpha.
  13. Healthcare App Development Cost in US, India 2026 Guide — Lunar Web Solution.
  14. India's DPDP Timeline: Critical Compliance Deadlines for 2026-27 — India Briefing.

Last updated: 16 July 2026.

Top comments (0)