India is on the cusp of a digital revolution, and as part of its Digital India Mission the Indian government recognises the importance of cyber security and the need for robust laws to protect digital data. An important step in this direction is the proposed Digital Information Security in Healthcare Act (DISHA), which seeks to provide for the privacy, confidentiality, security and standardisation of electronic health data, and for the establishment of a National Digital Health Authority and Health Information Exchanges.
Various jurisdictions have enacted specific laws to protect personal health data. One example is the US Health Insurance Portability and Accountability Act, 1996 (HIPAA), which establishes the legal framework for the privacy and protection of health information and gives patients substantial control over their protected health information. Under the EU General Data Protection Regulation, health data likewise falls within the special categories of personal data that attract heightened protection. DISHA is intended to be the Indian counterpart to HIPAA.
Overview of regulatory framework in India
In India, the current legal framework for the protection of e-health data is the Information Technology Act, 2000, read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These offer some degree of protection for the collection, disclosure and transfer of sensitive personal data, a category that covers medical records and medical history.
Further, clinical establishments and health care providers in India increasingly use electronic medical records (EMRs) and electronic health records (EHRs) as the preferred method of storing patient information. In fact, the rules under the Clinical Establishments (Registration and Regulation) Act 2010, notified on May 23, 2012, mandate the “maintenance and provision of EMR or EHR for every patient” as a condition for the registration and continued operation of every clinical establishment. Additionally, the Ministry of Health and Family Welfare first introduced the EHR Standards, a uniform standards-based system for the creation and maintenance of EHRs by healthcare providers, in 2013; these were subsequently revised and notified on December 30, 2016.
DISHA — Salient features
DISHA lays down provisions that regulate the generation, collection, access, storage, transmission and use of Digital Health Data (DHD) and the associated personally identifiable information (PII). DISHA provides that health data, including data on physical, physiological and mental health condition, sexual orientation, medical records, medical history and biometric data, is owned solely by the individual to whom it pertains.
The salient features of DISHA are:
- DHD is an electronic record of health-related information about an individual, including information relating to the individual’s physical or mental health and any donation by the individual of a body part or bodily substance.
- PII is defined as any information that can be used, on its own or together with other sources, to uniquely identify, contact or locate an individual. This includes information such as name, address, date of birth, vehicle number and financial information.
- The legislation creates a central regulator called the National Electronic Health Authority (NeHA), and various State Electronic Health Authorities (SeHA) to give effect to the provisions of DISHA.
- It covers within its ambit clinical establishments (including hospitals, nursing homes, dispensaries, clinics, sanatoriums and pathology labs) and any other entity that collects DHD.
- DISHA proposes stringent penalties for defaulters, in the form of fines and/or imprisonment.
Challenges to implementation of DISHA
The most serious issue with data collection and sharing will be how to obtain informed consent from the data owner. Another concern will be effective enforcement of the provisions of DISHA, given that the cost of implementing security controls may become a drain on the resources of clinical establishments.
Electronically stored data is vulnerable to security breaches, so comprehensive, technology-driven data security measures will need to be adopted. Raising awareness of people’s right to privacy, and protecting that right along with the security of their data, will be the bedrock of DISHA.