Introduction:
In India there has long been a demand for better security of digital patient data. Maintaining a single, secure, and up-to-date digital record for each person, especially given the size of the population, is a considerable challenge. To address this long-standing data security problem, the Indian government proposed DISHA[1].
The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (the ‘Data Protection Rules’) govern the collection, receipt, storage, handling, and transfer of sensitive personal data or information (‘SPDI’) in electronic form. The Data Protection Rules define SPDI as a closed set of data categories which, from a healthcare standpoint, include information about physical, physiological, and mental health conditions, sexual orientation, and medical records and history[2].
Along with data security, interoperability of healthcare data was a key roadblock: the capacity to share data across healthcare settings, diagnostic facilities, and other organizations. If this information could be shared, it would not only make things easier for patients but also save them time and money; a doctor would not have to ask a patient to repeat a scan performed recently. The government attempted to facilitate this in late 2016 with a new Electronic Health Records Standard for India, but the industry did not take well to it. DISHA was therefore drafted in the hope of resolving the flaws of the previously proposed standard.
The Indian government released the draft DISHA in March 2018 to protect and regulate digital healthcare data. DISHA’s goal is to regulate the collection, storage, analysis, transfer, and ownership of patient health data and personally identifiable information. It proposes a national regulator, the National Electronic Health Authority, as well as state-level regulators, the State Electronic Health Authorities. It also requires the government to establish Health Information Exchanges[3].
Key Points of DISHA
The Data Subject’s Rights, Ownership, and Consent
The draft includes a clause stating that the individual to whom the digital health data relates is its sole owner. It grants the owner several affirmative rights over his or her records, including:
- The right to access his or her digital health records, and to have them updated or corrected if they are wrong or incomplete;
- The right to privacy, confidentiality, and security of his or her records;
- The right to seek damages or compensation if his or her personal and sensitive digital health data is breached;
- The right to have his or her consent sought for each use or transmission of his or her digital health records; and
- The right to refuse or give consent to the generation, collection, storage, transmission, access, or disclosure of his or her personal digital health information. A person may not be denied health care for having exercised the right to refuse consent[4].
The patient is the sole owner of his or her digital health data, and any clinical establishment wishing to access or use it must first obtain the owner’s permission and written consent. This consent must be obtained every time an institution wants to access the owner’s data[5].
Digital Health Data Collection and Processing
Under DISHA, digital records of a patient held or transmitted by clinical establishments may be accessed on a “need to know” basis by a designated individual for a legitimate purpose, where such access is required to perform that duty. Clinical establishments and Health Information Exchanges may use a person’s personally identifiable information for treatment purposes if they can show that the information was needed for that purpose. Other entities may access the person’s information only with his or her permission and written consent, obtained each time. DISHA prohibits outright any entity seeking to use digital health data for a commercial purpose, such as insurance firms, pharmaceutical companies, human resource consultants, or employers, from using, accessing, or disclosing it under any circumstances.
It does, however, allow insurance companies to access data through the clinical establishment for the sole purpose of processing claims. It permits the use of de-identified and anonymized data for public health purposes, such as public health research, early detection and prevention of disease, and clinical and academic work. While DISHA enables healthcare organizations to use digital health data (DHD) to improve patient-centered medical care and other core activities, it prohibits the use of DHD for any ‘commercial purpose.’ The term “commercial purpose” is not defined, however, so it is unclear whether this rule applies to hospitals or other organizations selling treatments, appointments, or referrals to their clientele. DISHA also imposes various obligations[6] on organizations that engage in operations such as data collection, transmission, and generation[7].
Adjudication
DISHA creates adjudicatory authorities at both the national and state levels. State adjudicatory authorities hear any disputes that arise within the state, and appeals from their orders are heard by the central adjudicatory authority. The Delhi High Court hears appeals from rulings of the central adjudicatory authority. Any criminal offence must be tried in a court not inferior to a Court of Session, and complaints about such offences may be filed by the union government, a state government, the National Electronic Health Authority, a State Electronic Health Authority, or the affected individual[8].
Notice of a Data Breach
A breach of digital health data may be either a breach or a serious breach. The former is defined as the collection or processing of digital health data in any manner that
- Violates the provisions of DISHA,
- Results in the destruction, deletion, or alteration of digital data, or
- Violates the owner’s rights as set out in the act. Any breach of digital health data gives the owner the right to seek compensation from the person or entity that committed it.
A serious breach of digital health data is:
- Any breach carried out intentionally, maliciously, dishonestly, or negligently;
- A breach committed for the purpose of commercial gain or profit;
- A breach of digital health data by a company, entity, or Health Information Exchange occurring repeatedly; or
- A breach in which the data had not been de-identified or anonymized.
Health Information Exchanges and clinical establishments are required under DISHA to notify the owner within three days of any breach or serious breach. A serious breach is punishable by imprisonment for three to five years or a fine. The owner has the right to seek compensation from the person responsible for the offence, and there is no cap on the amount of compensation that may be awarded. The draft also creates several other offences, including unauthorized access to another person’s digital health records and data theft, each punishable by up to five years’ imprisonment[9].
Entities that are Regulated
DISHA regulates clinical establishments (which include clinics and pathology labs but exclude insurers, pharmacies, and other data processors in the healthcare sector) as well as other entities that generate, collect, access, transmit, or use a person’s digital health records or other health-related data. It also establishes Health Information Exchanges, which allow different institutions and facilities to share records. Only the government may create a Health Information Exchange, and each exchange must have a Chief Health Information Executive responsible for its operation, digital health security, breach reporting, and other duties. The draft does not spell out the powers and functions of a Health Information Exchange, or the standards an entity must meet to be recognized as one[10].
DISHA amidst COVID
Many developing nations, including India, are on the verge of a digital revolution as a result of the COVID-19 pandemic. The Indian government also recognizes the problem of cyber security and the need for strong legislation to protect digital data as part of its Digital India mission. The proposed Digital Information Security in Healthcare Act (“DISHA”), which seeks to ensure the privacy, confidentiality, security, and standardization of electronic health data and to establish a National Electronic Health Authority and Health Information Exchanges, is a significant step in this direction. DISHA was drafted specifically to address the privacy and confidentiality of digital health data. It was, however, subsumed into the PDPB[11], which is meant to be a comprehensive privacy law applying across all ministries and situations. Medical records, as defined by the Rules notified under the IT Act in April 2011, would be treated as “sensitive personal data” under the PDPB[12], and such data may not be shared without the explicit consent of the individual it concerns[13].
Challenges to DISHA
The most critical issue in data collection and sharing will be how to obtain informed consent from the data owner. Another problem is the effective enforcement of DISHA’s provisions, given that the cost of deploying security controls may be a drain on clinical establishments’ resources.
Electronically stored data is prone to security breaches, which calls for comprehensive, technology-driven data protection procedures. DISHA’s foundation will be awareness of, and protection for, people’s right to privacy and data security[14].
Conclusion
In this digital age, every nation must prioritize the protection of individuals and their data. The National Health Policy of 2017 called for the creation of a digital health technology ecosystem in India to maximize the value of digital health data. Although digitization brings many benefits, the lack of privacy and security protection in India remains a concern, and policymakers have focused on it. In 2018, the government took two big steps toward protecting individuals and their data by introducing DISHA and the Personal Data Protection Bill.
References:
[1] Draft Digital Information Security in Healthcare Act, 2018 (hereinafter DISHA)
[2] Trilegal, India: Digital Information Security In Healthcare Act, (Oct 23, 2021, 9:00 AM), https://www.mondaq.com/india/healthcare/691686/digital-information-security-in-healthcare-act
[3] Ikigai Law, Overview: Digital Information Security in Healthcare Act (DISHA), (Oct 23, 2021, 5:00 PM), https://www.ikigailaw.com/overview-digital-information-security-in-healthcare-act-disha/
[4] Digital Information Security in Healthcare Act on Cards, (Oct 24, 2021, 11:00 AM), https://innohealthmagazine.com/2018/newscope/digital-information-security-healthcare-act/
[5] Saumya, Critical Analysis Of Digital Information Security In Health Care Act (DISHA), 2018, (Oct 24, 2021, 12:00 PM), https://judicateme.com/critical-analysis-of-digital-information-security-in-health-care-act-disha-2018/
[6] SUMMARY OF OBLIGATIONS, (Oct 24, 2021, 1:00 PM), https://gallery.mailchimp.com/f5446e0d77a0923b9d5eec172/files/28e73874-a24d-488e-8b8e-9915bc57c508/Compilation_of_DISHA_Obligations.pdf
[7] Supra 5
[8] Supra 5
[9] Supra 5
[10] Supra 5
[11] The Personal Data Protection Bill, 2019
[12] Supra 11
[13] Subimal Bhattacharjee, Fighting Fake news amidst Covid-19, (Oct 25, 2021, 10:00 AM), https://www.thehindubusinessline.com/opinion/fighting-fake-news-during-covid-19/article31233348.ece
[14] Abanti Bose, Electronic health records in India, (Oct 25, 2021, 5:00 PM), https://blog.ipleaders.in/electronic-health-records-india/