Digital Information Security in Healthcare Act (DISHA) 2018 Explained

Digital Information Security in Healthcare Act (DISHA) 2018

In today’s digital era, paperwork has become minimal. Every data is now stored in digital form due to its own benefits. This applies to the medical data of patients and their sensitive information too. But with the digitisation of data and storage has its own security concerns. Data breach and need for security of digital patient data have been a critical issue in India.

Previously the collection, storage and handling of sensitive data in electronic form were governed by the Information Technology Rules 2011 i.e. Data Protection Rules which are prescribed in the Information Technology Act 2000. These rules lay down selective information to be sensitive data and information. These rules in the medical perspective include information of a patient relating to physical, mental, physiological conditions as well as all medical history and records. In 2016, the government of India tried to enable the Electronic Health Record Standards of India. But these standards have many flaws and was not accepted by the industries. Hence, in 2018 Digital Information Security in Healthcare Act, 2018 (DISHA) was formulated as a first attempt to bring measures for information security of patients of the country and to secure the right to privacy of those seeking medical assistance. 


Objective

The main objective of the act is to provide privacy, security, standardisation, and confidentiality for health-related data. The act regulates the generation, collection, storage, transmission, and access to the digital health data associated. It led to the establishment of the National Digital Health Authority and Health Information Exchanges. It collects and records all health-related information relating to physical and mental health, donation of any body part or any bodily substance, and health services provided to the person, information collected while providing health services, information of testing or examination of a body part or bodily substance, and details of any clinical establishment accessed by the person. DISHA created regulators to give effect to the provisions- National Electronic Health Authority at the central level, and State Electronic Health Authorities at state levels. 



Key Provisions


Rights of the Data Subject, Ownership and Consent- The act provides provisions by which the data is completely owned y the individual to whom the data is concerned. It gives various rights that the owner of data may exercise with respect to his records, such as:

1. Right to access his or her own digital health records and alter if there is any inaccurate digital health data;

2. The right to confidentiality, privacy, and security of his/her records;

3. In case of breach of his or her personal and sensitive health data right of seeking damage or compensation;

4. The right to require the owner’s permission for each instance of use or transmission of his digital health records; and

5. The owner of the data has the right to refuse or give consent for the generation, collection, storage, transmission, access, or disclosure of his personal digital health data.


The Collection and Processing of Digital Health Data-The act provide that any digital data of a patient stored or transmitted by medical establishments may be accessed on a “need to know basis” by a specific person for a lawful purpose. While other entities can only access the data with the owner’s consent and written permission each time.


Adjudication- Under DISHA adjudication bodies has been established both on the central and state level. Any dispute arising within the state will be heard by the state adjudicatory bodies and appeals from orders of these state adjudicatory authorities will be heard by the central level adjudicatory authority. Any offence of criminal nature is to be tried before a court that should not be inferior to that of a session court, and complaints regarding these offences may be made by the union government or the state government, or National Electronic Health Authority or State Electronic Health Authorities or by an affected person. 


Data Breach Notification- A data breach can be a simple or serious breach of data. The former is defined to mean the collection and otherwise handling of the digital health data – 

l  in contravention of the DISHA guidelines,

l  That results in the destruction, delete or alteration of the digital data, or

l  In a manner that violates the rights of the owner as prescribed in the act and the breach of the digital health data gives rise to one of the rights of the owner to claim compensation from the person or entity who has breached the data.


A serious breach of digital health data is –

l  Any breach of the data that is done intentionally, fraudulently, dishonestly, and negligently;

l  A breach carried out for the purpose of commercial use or commercial gain;

l  A repeated breach of digital health data by an establishment, entity, or Health Information Exchange; or

l  A breach that relates to data that is not de-identified or anonymised;