DISHA (Digital Information Security in Healthcare Act) 2018 is a proposed Indian law covering privacy and data protection in the health care sector.
With right to privacy having been made a fundamental right and several instances of breach and misuse of medical data becoming “breaking news” in the media, Ministry of Health and Family Welfare (MoHFW) has decided to roll out the draft legislation called Digital Information Security in Healthcare Act (DISHA). MoHFW proposes to constitute a nodal body called “National Digital Health Authority” to promote and adopt electronic health (e-health) standards, enforce privacy and security safeguards for e-health data and regulate the storage and exchange of e-health records.
The legislation ensures protection of digital health data of a data owner at every step, including at the time of generation, collection, storage and transmission of such e-health data.
Data & its importance:
Data, obtained from any source, in the quantities it is available today is, in fact, an entirely new commodity, and the rules around how it is stored, treated and used are still not clear.
What is Data Security?
Data security or data protection means protecting digital data, such as the contents of a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyber attack or a data breach.
Summary of the Act:
Here are the key aspects of the draft on data security.
Ownership of digital health data and rights of the data owner
The digital health data generated, collected, stored or transmitted shall be owned by the individual whose health data has been digitised;
A clinical establishment or Health Information Exchange shall hold such digital health care data, and any other entity that has custody of any digital health data shall remain the custodian of such data, and “shall be duty bound to protect the privacy, confidentiality and security of such data”.
Data collection and defining personally identifiable information
Sensitive health-related information means information, that if lost, compromised, or disclosed, could result in substantial harm, embarrassment, inconvenience, violence, discrimination or unfairness to an individual, including but not limited to, one’s physical or mental health condition, sexual orientation, use of narcotic or psychotropic substances, consumption of alcohol, sexual practices, Human Immunodeficiency Virus status, Sexually Transmitted Infections treatment, and abortion.
Purpose of collection, storage, transmission and use of the digital health data
This clause explains who can use the information and in what form. Records are classified into two categories: identifiable information and de-identifiable information.
Storage of digital health data
The clinical establishment or health information exchange shall hold all digital health data on behalf of the National Electronic Health Authority.
Transmission of data
- Who can transmit: A clinical establishment may transmit the digital health data to the health information exchange.
- Permissions: Transmission shall be only upon the consent of the owner, after being informed of his/her rights.
- How can they transmit: in an encrypted form, securely, after retaining a copy for reasonable use by the clinical establishment. National Electronic Health Authority of India shall prescribe appropriate standards for physical, administrative and technical measures.
- Monitoring: A health information exchange shall maintain a register containing all details of the transmission of digital health data between a clinical establishment and a health information exchange, and between health information exchanges.
Rectification of digital health data
An owner of the digital health data can rectify the data by making an application as prescribed under this act. On receipt of the application, the data shall be rectified within 3 working days of receipt.
Accessing digital health data
- Commercial purpose: Digital health data, whether identifiable or anonymized, shall not be accessed, used or disclosed to any person for a commercial purpose, and shall in no circumstances be accessed, used or disclosed to insurance companies, employers, human resource consultants and pharmaceutical companies, or any other entity as may be specified by the Central Government.
Explanation: Insurance companies shall not insist on accessing the digital health data of persons who seek to purchase health insurance policies or during the processing of any insurance claim. Provided that, for the purpose of processing insurance claims, the insurance company shall seek consent from the owner to access his or her digital health data from the clinical establishment to which the claim relates.
Breach & Serious Breach, and penalties
The Chief Health Information Executive of a Health Information Exchange is required to notify a data breach to the owner of the data and to such other persons as may be concerned.
Offences by companies
Liabilities of the management are mentioned in the offences by companies clause.
Creation of Information exchanges and their regulation
“Health Information Exchanges” will be set up by the Central Government for the sharing of electronic health records, as will the National Electronic Health Authority of India (NeHA) and State Electronic Health Authorities (SeHAs).