Digital Information Security in Healthcare Act (DISHA) 2018
In today's digital era, paperwork has become minimal. Almost all data is now stored in digital form because of the benefits this brings, and this applies to the medical data of patients and their sensitive information too. But the digitisation of data and its storage bring their own security concerns. Data breaches and the need to secure digital patient data have been a critical issue in India.
Previously, the collection, storage and handling of sensitive data in electronic form were governed by the Information Technology Rules 2011, i.e. the Data Protection Rules prescribed under the Information Technology Act 2000. These rules designate selected categories of information as sensitive personal data or information. From a medical perspective, these categories include information about a patient's physical, mental and physiological conditions as well as all medical history and records. In 2016, the government of India tried to bring into effect the Electronic Health Record Standards of India, but these standards had many flaws and were not accepted by the industry. Hence, in 2018 the Digital Information Security in Healthcare Act, 2018 (DISHA) was formulated as a first attempt to bring in measures for the information security of patients in the country and to secure the right to privacy of those seeking medical assistance.
Objective
The main objective of the act is to provide privacy, security, standardisation and confidentiality for health-related data. The act regulates the generation, collection, storage, transmission and access of the associated digital health data. It led to the establishment of the National Digital Health Authority and Health Information Exchanges. The digital health data covered by the act includes all health-related information relating to physical and mental health, the donation of any body part or bodily substance, health services provided to the person, information collected while providing health services, information from the testing or examination of a body part or bodily substance, and details of any clinical establishment accessed by the person. DISHA created regulators to give effect to its provisions: the National Electronic Health Authority at the central level, and State Electronic Health Authorities at the state level.
Key Provisions
Rights of the Data Subject, Ownership and Consent- The act provides that the data is completely owned by the individual to whom it relates. It gives the owner of the data various rights that may be exercised with respect to his or her records, such as:
1. The right to access his or her own digital health records and to rectify any inaccurate digital health data;
2. The right to confidentiality, privacy and security of his or her records;
3. The right to seek damages or compensation in case of a breach of his or her personal and sensitive health data;
4. The right to require the owner's permission for each instance of use or transmission of his or her digital health records; and
5. The right to refuse or give consent for the generation, collection, storage, transmission, access or disclosure of his or her personal digital health data.
The Collection and Processing of Digital Health Data- The act provides that any digital data of a patient stored or transmitted by a medical establishment may be accessed on a "need to know" basis by a specific person for a lawful purpose. Other entities can only access the data with the owner's consent and written permission each time.
Adjudication- Under DISHA, adjudication bodies have been established at both the central and state level. Any dispute arising within a state will be heard by the state adjudicatory body, and appeals from the orders of these state adjudicatory authorities will be heard by the central adjudicatory authority. Any offence of a criminal nature is to be tried before a court not inferior to a sessions court, and complaints regarding these offences may be made by the union government, a state government, the National Electronic Health Authority, a State Electronic Health Authority, or an affected person.
Data Breach Notification- A data breach may be either a simple or a serious breach of data. The former is defined to mean the collection or other handling of digital health data:
- in contravention of the DISHA guidelines;
- that results in the destruction, deletion or alteration of the digital data; or
- in a manner that violates the rights of the owner as prescribed in the act.
A breach of digital health data gives rise to the owner's right to claim compensation from the person or entity who breached the data.
A serious breach of digital health data is:
- any breach of the data that is done intentionally, fraudulently, dishonestly, and negligently;
- a breach carried out for the purpose of commercial use or commercial gain;
- a repeated breach of digital health data by an establishment, entity or Health Information Exchange; or
- a breach that relates to data that is not de-identified or anonymised.