India: DISHA – India's Probable Response To The Law On Protection Of Digital Health Data

With the outbreak of the COVID-19 pandemic, many developing countries including India are on the cusp of a digital revolution. Further, as part of its Digital India Mission, the Indian Government recognizes the issue of cyber security and the need for robust laws to protect digital data. An important step in this direction is the proposed Digital Information Security in Healthcare Act ("DISHA"), which seeks to provide for electronic health data privacy; confidentiality, security and standardization; and establishment of National Digital Health Authority and Health Information Exchanges.

Various jurisdictions have enacted specific laws to protect personal health information related data. One such example is the U.S. law - Health Insurance Portability and Accountability Act, 1996 ("HIPAA") which establishes the legal framework for privacy and protection of health information and gives patients substantial control over their protected health information. The scope of sensitive personal data under the EU General Data Protection Regulation also includes health data. DISHA is the Indian counterpart to HIPAA.

Overview of regulatory framework pertaining to digital - health data in India

In India, the current legal framework pertaining to e-health protection is governed by the provisions of the Information Technology Act, 2000, read with, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which offers some degree of protection to the collection, disclosure and transfer of sensitive personal data, which covers within its ambit medical records and history.

However, the legislations not been updated with regards to rapid development in technology and leaves many aspects unaddressed. In light of this, the Government has introduced DISHA and the Personal Data Protection Bill, 2019 ("PDP Bill"). The PDP Bill applies to processing of personal data where such data has been collected, disclosed, shared or otherwise processed in India and processing of personal data by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law. The scope is wide enough to also apply to foreign companies processing personal data in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India, or in connection with any activity which involves profiling of data principals within the territory of India.

Further, clinical establishments and health care providers in India are increasingly using electronic medical records ("EMRs") and electronic health records ("EHRs") as the preferred method of storing patient information. In fact, the rules of Clinical Establishments (Registration and Regulation) Act 2010, mandate the "maintenance and provision of EMR for every patient" for the registration and continuation of every clinical establishment. Additionally, the MoHFW first introduced the EHR Standards, which was a uniform standard-based system for creation and maintenance of EHRs by the healthcare providers, in 2013 which was subsequently revised and notified in December 2016.

DISHA – Salient features

DISHA lays down provisions that regulate the generation, collection, access, storage, transmission and use of Digital Health Data ("DHD") and associated personally identifiable information ("PII"). DISHA states that health data including physical, physiological, mental health condition, sexual orientation, medical records, medical history and biometric data is information that can only be the property of the person it pertains to.

The salient features of DISHA are:

• DHD is an electronic record of health-related information about an individual and includes information relating to an individual's physical or mental health; donation by the individual of any body part or any bodily substance, etc.
• PII is defined as any information that can be used to uniquely identify, contact or locate an individual specifically or along with other sources. This includes information such as name, address, date of birth, vehicle number, financial information etc.
• The legislation creates a central regulator called the National Electronic Health Authority (NeHA), and various State Electronic Health Authorities (SeHA) to give effect to the provisions of DISHA.
• It covers within its ambit clinical establishments (which includes hospitals, nursing homes, dispensaries, clinics, sanatoriums and pathology labs) and any other entity that collects DHD.
• DISHA has proposed stringent penalties for defaulters in the nature of fine and/or imprisonment.

Challenges to implementation of DISHA

The most serious issue with data collection and sharing will be how to obtain informed consent from a data owner. Another concern will be effective enforcement of the provisions of DISHA, given that the costs involved in implementing security solutions may become a drain on resources for clinical establishments.

Electronically stored data is vulnerable to security breaches and therefore comprehensive and technology driven data security measures would need to be adopted. Sensitization and protection of people's right to privacy and security of their data will be the bedrock of DISHA.

Link between DISHA and PDP Bill

In terms of the PDP Bill, health data being sensitive personal data requires the express consent of the individual for the data to be processed, whereas in terms of DISHA any use of DHD for commercial purposes has been prohibited. This creates ambiguity amongst the two laws and which law will apply in terms of collection / use / processing of DHD.

It is interesting to note that both the PDP Bill and DISHA have overriding clauses (Section 96 and Section 52, respectively). Thus, if any conflicting provisions of any other law exist, then that conflicting provision would not be applicable. One can conclude from past precedents that in case of inconsistency between a special law (such as DISHA on the subject of DHD) and general law (such as PDP Bill on the subject of DHD), the provisions of the special law shall override that is the provisions of DISHA shall override.

Conclusion

While both the bills that is DISHA and the PDP Bill have not been passed by the Parliament and await enactment, it shall be interesting to see the shape and form in which they are both enacted. These bills will change the shape of data protection (personal or health data) in India making it more in tune with global standards. While the present law in terms of protection of health or personal data is more generic in nature, the bills bring out additional responsibilities on the data collector with stringent fines and penalties for non-compliance of such responsibilities which need to be properly assessed once these bills become law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.