This article is written by Harshit Bhimrajka currently pursuing B.A.LLB (Hons) from the Rajiv Gandhi National University of Law, Patiala. This article analyses Digital Information Security in Healthcare Act, 2018.

Introduction

Every country should have proper and adequate records of every single patient, either in a tangible form (hard copy) or an intangible form (soft copy). Nowadays paperwork has become minimal, as we have moved to a digital era. So everyone tries to keep the records in a digital form as technology has its own benefits. But when it comes to the internet and technology the concern for the security of data arises. There should be proper and efficacious security of sensitive and important data. 

India has a huge population, so it has always been a problem to maintain a single unified data for each person and there has always been a need for proper security of digital patient data. The Central government cognizant of these facts and the incidents of data breaches including high personal and sensitive data created a new narrative in the health sector by providing a solution to these issues in a form of a public welfare act i.e. Digital Information Security in Healthcare Act, 2018. In this article, we will discuss the Digital Information Security in Healthcare Act, 2018 (hereinafter DISHA) in detail. 

Background

Previously the collection, storage, and handling of sensitive data in electronic form were subject to the Information Technology Rules 2011 i.e. Data Protection Rules which are prescribed in the Information Technology Act 2000. These rules considered a selective set of information to be sensitive data or information. These rules, from a healthcare perspective, include information of a patient relating to physical, mental, physiological conditions, and sexual orientation as well as medical records and history. The government of India in the year 2016 tried to enable the Electronic Health Record Standards of India which had the ability to share patient’s information between diagnostic centres and clinical establishment and protection of the digital health information but it was not accepted by the industries. Hence in 2018, DISHA was formulated with a zeal to resolve the pitfalls and make a stronger system for the healthcare system of India. 

On 21st March 2018, the Ministry of Health and Family Affairs released a draft of DISHA soliciting public comments, and views of concerned stakeholders. The draft was open for feedback for a period of one month i.e. until 21 April 2018. This was a first attempt by the Indian Government to bring in measures for information security of patients of the country and securing the right to privacy of those seeking medical assistance. 

DISHA seeks to regulate the generation, collection, storage, transmission, access, and use of each person’s digital health record. This enactment covers clinical establishments, IoT, and manufacturing companies of wearables products, insurance companies, and employees that collect their clients’ health information, and other entities dealing with the digital health data. 

Objective

The main intent of the act was to provide for digital health data privacy, security, standardization, and confidentiality. The act seeks to regulate the generation, collection, storage, transmission, and access to the digital health data associated with personally identifiable information. It led to the establishment of the National Digital Health Authority and Health Information Exchanges. It records all the health-related information relating to physical and mental health, and health services provided to the person, donation of any body part or any bodily substance, information of testing or examination of a body part or bodily substance, information collected while providing health services, and details of any clinical establishment accessed by the person. The objective behind using personally identifiable information is to uniquely identify, contact, or locate any person specifically. The information includes name, address, vehicle number, date of birth, financial information, etc. DISHA created regulators to give effect to the provisions- National Electronic Health Authority at the central level, and State Electronic Health Authorities at state levels. 

Key Provisions of DISHA 2018

• Rights of the Data Subject, Ownership and Consent.

The act had a provision by which the digital health data is completely owned by the individual to whom the data is concerned. It confers various affirmative rights that the owner may exercise with respect to his records such as:

1. The right to access his/her digital health records and right to alter or rectify it if there is any inaccurate or incomplete digital health data;
2. The right to confidentiality, privacy, and security of his/her records;
3. The right to seek damages or compensation caused by a breach of his personal and sensitive digital health data;
4. The right to require his/her permission for each instance of use or transmission of his digital health records; and
5. The owner of the data has the right to refuse or give consent for the generation, collection, storage, transmission, access, or disclosure of his personal digital health data. In case he/she exercised the right to refuse consent then he/she may not be refused a health service.

The concerned patient is the sole owner of his digital health data, and if any clinical establishment wishes to access or use his/her digital health data then it must seek permission along with the written consent of the owner. This consent or permission will have to be sought every time an establishment wants to access the owner’s data. 

• The Collection and Processing of Digital Health Data.

DISHA provides that any digital records of a patient stored or transmitted by clinical establishments may be accessed on a “need to know basis” by a specific person for a lawful purpose, where such access is necessary to carry out that particular function. These establishments and Health Care Exchange can use personally identifiable information of the person for the purpose related to the treatment provided that they are able to demonstrate that such use of information was necessary for that purpose. While other entities can only access this information of the person with his/her permission and written consent each time. DISHA strictly prohibits the use, access, or disclosure of digital health data by any entity intending to use for a commercial purpose such as insurance companies, pharmaceutical companies, human resource consultants, employers under any circumstances. 

However, it has provided access to insurance companies from the clinical establishment only for the purpose of processing the claim. It allows de-identified and anonymized data to be used for public health purposes that includes research for public health, early identification and prevention of disease, and clinical and academic purposes. While the DISHA allows healthcare businesses to use DHD to advance patient-centred medical care and other core functions, the use of DHD for any ‘commercial purpose’ is expressly barred. The term ‘commercial purpose’ is however not defined. It is therefore unclear whether marketing of treatments, appointments, or referrals by hospitals or other businesses to their clients may be struck by this prohibition.

DISHA has also specified certain obligations on the entities which carry out activities like collection, transmission, generation, etc. 

• Adjudication

DISHA established adjudicatory bodies at Central Level as well as at the state level. Any dispute arising within the state will be heard by the state adjudicatory bodies and appeals from orders of these state adjudicatory authorities will be heard by the central level adjudicatory authority. Delhi High Court has given the authority to hear the appeals from orders of the central level adjudicatory authority. Any offence which carries criminal consequences is to be tried before a court that should not be inferior to that of a session court, and complaints regarding these offences may be made by the union government or the state government, or National Electronic Health Authority or State Electronic Health Authorities or by an affected person. 

• Data Breach Notification

A breach of digital health data can be either a simple breach or a serious breach of data. The former is defined to mean the collection and otherwise handling of the digital health data – 

• in contravention of the DISHA guidelines,
• That results in the destruction, delete or alteration of the digital data, or
• In a manner that violates the rights of the owner as prescribed in the act, and the breach of the digital health data gives rise to one of the rights of the owner to claim compensation from the person or entity who has breached the data.

A serious breach of digital health data is –

• Any breach of the data that is done intentionally, fraudulently, dishonestly, and negligently;
• A breach carried out for the purpose of commercial use or commercial gain;
• A repeated breach of digital health data by an establishment, entity, or Health Information Exchange; or
• A breach that relates to data that is not de-identified or anonymized;

DISHA casts an obligation upon Health Information Exchanges and clinical establishments that in case of any breach or a serious breach, they have to provide notice to the Owner within 3 days of that breach. 

A serious breach of data is punishable with imprisonment which may extend from three to five years, or a fine. The owner also has the right to claim compensation from the person liable for such offence, but there is no cap prescribed for the compensation that may be granted to the owner. The act also defined various other offences such as the unauthorized access of another person’s digital health records and the data theft that are punishable with imprisonment which may extend up to five years.

• Regulated Entities

DISHA regulates the clinical establishment (that includes clinics and pathology labs but doesn’t include insurers, pharmacies, and other data processors in the healthcare sector), and other establishments that generate, collect, access, transmits, or use the digital health records or any other health-related information of a person. It also established Health Information Exchanges that allow these entities and establishments to exchange the records with each other. The Health Information Exchanges can only be established by the government’s notification, it is specified that each exchange is required to have a Chief Health Information Executive who is responsible for running the exchange, security of digital health, notification of the breach, etc. it doesn’t specify the powers and function of a Health Information Exchange, and what requirements are needed in order to be recognized as an exchange. 

Conclusion

In this digital world, protecting an individual and his data must be of the utmost priority in every nation. The National Health Policy 2017 envisaged the creation of a digital health technology ecosystem in India, aiming to leverage the potential of digital health data. Such digitalization has many advantages but there is always an issue of lack of privacy and security protection in India which the policy-focused on. The government took two significant steps towards the protection of the individual and his personal data by releasing DISHA and Personal Data Protection Bill in the year 2018. In this article, we have analyzed the DISHA which imposes significant restrictions on the use of the digital health data and places the person squarely in control of his data. It has a very different approach to protect the health-related data of the patients, not only in terms of the position of the concerned person but also in terms of the fundamental concepts, the uses envisaged the definitions, and the offences and their punishment. 

“At the end of the day, the goals should be simple: safety and security.”

References

• Digital Information Security in Healthcare Act on Cards, InnoHEALTH Magazine, 28 August 2018.

https://innohealthmagazine.com/2018/newscope/digital-information-security-healthcare-act/

• Nikhil Pahwa, Summary: Digital Information Security in Healthcare Act (DISHA) to enable electronic health records, Medianama, 29 March 2018.

https://www.medianama.com/2018/03/223-disha-electronic-health-records/

• Trilegal, India: Digital Information Security in Healthcare Act, Mondaq, 13 April 2018.

https://www.mondaq.com/india/healthcare/691686/digital-information-security-in-healthcare-act

• Overview: Digital Information Security in Healthcare Act (#DISHA), Ikigai Law, 7 May 2018.

https://www.ikigailaw.com/overview-digital-information-security-in-healthcare-act-disha/#acceptLicense

• Evelyn Immanuel, Insight on “DISHA-Digital Information Security in Healthcare Act”, AINDRA.

https://aindrasystems.wordpress.com/2019/07/16/insight-on-disha-digital-information-security-in-healthcare-act/