The Ministry of Health and Family Welfare issued a draft of the Digital Information Security in Healthcare Act in November 2017. The draft was released for the purpose of bringing a healthcare security law. On 21st March 2018, the Ministry of Health and Family Welfare published the Digital Information Security in Healthcare Act. The Government had introduced the Digital Information Security in Healthcare Act in March 2019. The main aim was to ensure the privacy, confidentiality, standardization and security of the healthcare data. The Digital Information Security in Healthcare Act (DISHA) will enable the digital sharing of an individual’s health records with the hospitals/clinics and between the hospitals and clinics. To overcome incidents such as data breach, cybersecurity, etc. occurring in the healthcare industries, there is a dire need for this law.
The Digital Information Security in Healthcare Act lays down the provisions relating to the generation, collection, accession, transmission and storage of the digital health data of an individual. The DISHA will consist of the data that is related to a clinical establishment that is used by the individual, any information pertaining to the physical or mental health of an individual, any information that is related to the organ/blood which has been donated by an individual, any information that is related to the individual’s health service provider, any information that has been found out from examining a body part of an individual, etc.
The DISHA lays down the provisions relating to the Digital health data. Itis considered as an electronic record of an individual which will include the information regarding the age of the patient, his contact number, his lab reports, medical history of the patient, information relating to the medications, information relating to the allergies, etc. The Act also lays down the provisions relating to the personally identifiable information. It is defined as any information which can be used to identify, locate, or contact an individual. It also includes necessary information such as the name, address, date of birth, etc.
The Act shall consist of a central regulator known as the National Electronic Health Authority and various other State Electronic Health Authorities. There is an adjudicatory body that has been set up by the Digital Information Security in Healthcare Act. The adjudicatory bodies are at the State level and also at a National level. The orders of the State adjudicatory can be appealed before the National adjudicatory. However, the orders passed by the National adjudicatory can be appealed before the High Court.
Following are the rights which are available to the owner of the digital health data:
- He has a right to either allow or refuse the clinical establishments to generate and collect his data.
- He has a right to access his data.
- He has a right to get compensation, in case if there is any breach of his data.
- He has a right to be known where his data is being transmitted and to whom it is being transmitted.
- He has a right to allow, refuse or even withdraw his consent from both storing and sharing his data.
- Based on the purpose of the data, he also has a right to choose the data that has to be collected or not.
- He has a right to get notified by the clinical establishment at the time whenever a clinical establishment has accessed his data.
- His data will be shared with the family members whenever there is any medical emergency.
- He can also refuse any clinical establishment from either exposing or accessing his data.
Duties of Healthcare Organizations
Following are the responsibilities of the Healthcare Organizations in India:
- It is the duty of the Healthcare Organizations to inform (take consent) the owner before collecting his data.
- It is the duty of the Healthcare Organizations to inform the owner about sharing his data with the entities. It must be notified within a period of three working days.
- It is the duty of the Healthcare Organizations to inform the owner about the purpose for which his data is being collected.
- It is the duty of the Healthcare Organizations to share the identity of the people that can access the data.
- It is the duty of the Healthcare Organizations to ensure that all the records are secure, private and confidential.
- It is the duty of the Healthcare Organizations to hold and store the data of an individual on behalf of the National Electronic Health Authority.
There is an obligation upon the Health Information Exchange and Clinical Establishments to give notice to the owner of the data within a period of three days for any breach of his data. In case if there is any breach of the Act, then the person/organization involved in the breach of the data would be liable to pay compensation to the owner of the data. The minimum penalty amounts to Rs. One lakh and addition of Rs. Ten thousand per day, during which the breach continues. However, the maximum penalty shall be of Rs. One crore/ten million. In case if there is any data theft, then there is a punishment of imprisonment which may extend to a period of five years.
We can conclude that the present data protection law in India is facing many issues, so in order to overcome these issues; there is a need for a proper framework to regulate the Activity. It will be considered as a foundation for creating digital health records in India. If the personal and confidential information of the patients is exposed, then it may result in discrimination, embarrassment, and also cause harm to an individual. Hence, the Digital Information Security in Healthcare Act would ensure that the healthcare data will be secured and kept private and confidential. It would also help in regulating the exchange of electronic records between an individual and the hospitals/clinics.