The Ministry of Health and Family Welfare released the draft of the Digital Information Security in Healthcare Act (DISHA) (hereinafter ‘the Draft’) on 21st March, 2018 soliciting comments from the general public and concerned stakeholders. The Draft is the first legislative attempt in India to bring in measures for information security specifically in the healthcare sector and securing the right to privacy of those seeking any medical assistance. The Draft is open for comments until 21st of April, 2018.
Following is an overview of some of the key provisions of the Draft.
- What is the objective of the Draft?
The purpose of the Draft is to provide for digital health data privacy, confidentiality, standardisation and security.[1] It seeks to do so by regulating the collection, storage and transmission of digital health data, and by establishing the National Digital Health Authority and Health Information Exchanges.
- What information is to be secured?
The Draft seeks to protect an individual’s Digital Health Data (DHD), that is, an electronic record of health-related information about an individual, which includes information pertaining to the individual’s physical or mental health, health services availed, examinations conducted, clinical establishments accessed, and donation of any body part or substance.[2]
The Draft further designates certain information as ‘Personally Identifiable Information’ (PII) that can be used to uniquely identify, contact or locate an individual.[3] Examples set out in Schedule I of the Draft include name, contact details, financial and biometric information, etc.
Yet another category of information is ‘sensitive health-related information’, which refers to information the loss or disclosure of which could result in substantial harm to, or discrimination against, an individual.[4] Examples include sexual orientation, alcohol consumption and substance use, sexual practices, HIV status, etc.[5]
- Who has the duty to secure the information?
The Draft regulates ‘clinical establishments’, which means any hospital, maternity home, nursing home, dispensary, clinic, sanatorium or pathological lab. These institutions may be public or private, and include entities run by a single doctor.[6]
Clinical establishments are responsible for ‘data security’, which is defined with direct reference to the protection of DHD, and specifically to the means used to protect the privacy of the health information contained in DHD, so that professionals can hold that information in confidence.[7] They are also mandated to maintain the confidentiality, privacy and security of DHD.[8] The same obligations apply to Health Information Exchanges established under the Draft.[9]
- Who does the secured information belong to?
The individual whose DHD is generated and processed is recognised as the owner of that data under the Draft.[10] A clinical establishment or Health Information Exchange merely holds the DHD in trust for the owner,[11] and has no ownership rights over it.
- What rights does the owner have over the information?
The owner enjoys a host of rights, including the right to privacy, confidentiality and security of their DHD;[12] the right to give or refuse consent for its generation and collection, including the right to refuse disclosure of sensitive health-related information;[13] and the right to refuse or withdraw consent for the storage and transmission of such data.[14] It is important to note that an owner cannot be denied health care for refusing to share their DHD. The owner further has the right to know the limited purposes for which the data may be used,[15] the right to know which establishments hold their data,[16] and the right to be informed each time their data is accessed and used.[17] Additionally, the owner of DHD has the right to access[18] and rectify it,[19] and can claim compensation for damages in case of any breach of DHD.[20]
- For what purposes can an individual’s DHD be processed?
The Draft sets out a limited list of purposes for which an individual’s DHD may be collected, stored and transmitted. These include advancing the delivery of medical care, providing appropriate information for decision making, coordination between healthcare providers, improving healthcare activities and preventing outbreaks, academic research, and policy formulation.[21]
- What is the procedure for collection of an individual’s data?
Any establishment seeking to collect an individual’s DHD can only do so with their written consent and after informing them of the rights described above.[22] The owner must also be furnished with a copy of the consent form.[23] Where the individual concerned is unable to give consent on account of incapacity or minority, consent must be obtained from their representative or guardian, as the case may be.[24]
- What are the requirements to be satisfied for the transmission of data?
Transmission of an individual’s DHD may be undertaken by a clinical establishment only after obtaining the individual’s consent, having informed them of their rights and of the purposes for which their data was collected.[25] Further, the data may only be transmitted in encrypted form.[26] Health information exchanges must maintain a register recording every data transfer in which they are involved.[27]
The Draft also invites comments on whether the direct sharing of identifiable data between two hospitals for direct patient care should be disallowed. Notably, ‘direct patient care’ is not defined in the Draft.
- Under what conditions can data be accessed, and by whom?
The Draft lays down the procedure for access to DHD by clinical establishments and health information exchanges on a ‘need to know basis’,[28] meaning that access to DHD must be by a specific person, for a specific and lawful purpose, and limited to what is necessary for that purpose or function.[29] S. 34 further provides the procedure for access to data by government departments[30] and by the owner.[31] Relatives and legal heirs of the owner may be given access in cases of emergency[32] and death respectively.[33] Data may also be accessed by the investigating authority concerned for the investigation and administration of justice,[34] and by clinical establishments on an immediate basis in emergencies.[35]
- How can data once collected and stored be rectified?
The owner of DHD can apply to the clinical establishment or health information exchange concerned for rectification of the data.[36] The entity receiving the application must rectify the data immediately, or within three days of receipt of the application, and inform the owner of the rectification.[37]
- What constitutes a breach of data? What remedy is available to the victim of a breach?
A breach of data is said to occur if an individual’s data is collected, stored or transmitted in any manner contravening the Act, or is not processed as per the standards prescribed therein, or if there is a violation of the rights of the owner of the data, or any damage, destruction, deletion or tampering of data.[38] Any person who breaches DHD is liable to pay damages by way of compensation to the owner of the data.[39]
A serious breach of data, on the other hand, is said to take place if the breach is fraudulent, intentional, dishonest or negligent, or is made for commercial gain, or is made repeatedly.[40] This is treated as a criminal offence under the Draft, punishable with imprisonment of three to five years, or a fine of not less than five lakh rupees.[41]
- What other acts are regarded as offences under the Draft? What is the penalty prescribed for the same?
Failure to submit information sought by a Health Authority, failure to comply with directions issued by such an authority, and failure to redress the grievances of owners of DHD are each punishable with a fine of not less than one lakh rupees, plus ten thousand rupees for each day during which the failure continues, subject to a maximum of one crore rupees.[42]
The Draft makes the fraudulent or dishonest obtaining of DHD by a person not entitled to it punishable with imprisonment for a term of up to one year, or a fine of not less than one lakh rupees, or both.[43]
Data theft, that is, the intentional and unauthorised access to or acquisition of DHD, is punishable with imprisonment for a term of three to five years, or a fine of not less than five lakh rupees, or both.[44]
- Which adjudicating authorities can provide redressal against aforesaid offences?
The Draft provides for the creation of a Central Adjudicating Authority and State Adjudicating Authorities to deal with offences under the statute.[45] They have powers equivalent to those of a Civil Court while trying a complaint,[46] and proceedings before them are deemed to be judicial proceedings.[47] The Draft further ousts the jurisdiction of any other court over matters falling within the exclusive jurisdiction of the Central and State Authorities.[48] An appeal against any decision of these bodies lies to the High Court, and must be filed within sixty days of communication of the decision.[49]
- What nodal agencies are established by the Draft? What are their powers and functions?
The Draft provides for the establishment of the National Electronic Health Authority of India (NeHA)[50] and State Electronic Health Authorities (SeHA).[51]
The functions of NeHA include formulating the standards and guidelines to be followed by clinical establishments and health information exchanges in processing data, ensuring compliance with those standards, and providing for security measures at all stages of data processing.[52] It has the power to issue directions to clinical establishments and to the other bodies created under the Draft.[53]
The SeHA is responsible for ensuring compliance with the prescribed standards and guidelines, and for conducting investigations to that end.[54] In exercising these investigative powers, both SeHA and NeHA enjoy powers equivalent to those of a Civil Court.[55]
- What are the Health Information Exchanges created by the Draft?
Health Information Exchanges can only be established by a Central Government notification.[56] Each health information exchange is required to have a Chief Health Information Executive (CHIE) responsible for running the exchange, the security of DHD, breach notification, etc.[57] Interestingly, the Draft does not clearly set out the powers and functions of a Health Information Exchange, nor the requirements an entity must fulfil in order to be recognised as an Exchange.
[This post has been authored by Veda Handa, a fifth year undergraduate student at National Law University, Delhi. Pushan Dwivedi (Associate, TRA) gave inputs].
[1] Preamble to the Draft.
[2] S. 3(1)(e).
[3] S. 3(1)(k).
[4] S. 3(1)(o).
[5] Ibid.
[6] S. 3(1)(i).
[7] S. 3(1)(n).
[8] S. 35.
[9] Ibid.
[10] S. 3(1)(j).
[11] S. 31(2).
[12] S. 28(1).
[13] S. 28(2).
[14] S. 28(3).
[15] S. 28(5).
[16] S. 28(6).
[17] S. 28(8).
[18] S. 28(7).
[19] S. 28(8).
[20] Ibid.
[21] S. 29(1).
[22] S. 30(2).
[23] S. 30(3).
[24] S. 30(5), (6).
[25] S. 33(3).
[26] S. 33(2).
[27] S. 33(4).
[28] S. 34(2).
[29] S. 3(1)(r).
[30] S. 34(3).
[31] S. 34(5).
[32] S. 34(7).
[33] S. 34(8).
[34] S. 34(4).
[35] S. 34(6).
[36] S. 36(1).
[37] S. 36(2).
[38] S. 37(1).
[39] S. 37(2).
[40] S. 38(1).
[41] S. 38(2).
[42] S. 40.
[43] S. 41.
[44] S. 42.
[45] S. 45.
[46] S. 49(1).
[47] S. 49(3).
[48] S. 50.
[49] S. 51.
[50] S. 4(1).
[51] S. 7(1).
[52] S. 22(1).
[53] S. 27(1).
[54] S. 24.
[55] S. 26.
[56] S. 19.
[57] S. 21.