The proposed Digital Information Security in Healthcare Act seeks to regulate the generation, collection, storage, transmission, access and use of all digital health data. The legislation covers within its ambit clinical establishments, insurance companies and employers that collect health information, manufacturers of IoT and wearable devices, and other entities that deal with digital health data. The draft legislation is open for comments until 21 April 2018.
The Ministry of Health and Family Welfare has, by notification dated 21 March 2018, published the draft Digital Information Security in Healthcare Act (DISHA), inviting public comments. The DISHA lays down provisions that regulate the generation, collection, access, storage, transmission and use of Digital Health Data (DHD) and associated personally identifiable information (PII).
DHD is an electronic record of health-related information about an individual and includes information relating to:
(a) an individual's physical or mental health;
(b) any health service provided to such individual;
(c) donation by the individual of any body part or any bodily substance;
(d) testing or examination of a body part or bodily substance of the individual or information that is collected while providing health services to the individual; or
(e) details of the clinical establishment accessed by the individual.
Further, PII is defined as any information that can be used to uniquely identify, contact or locate an individual specifically or along with other sources. An illustrative list of such information has been specified in Schedule I to the DISHA. This list includes information such as name, address, date of birth, vehicle number, financial information etc.
The legislation creates a central regulator called the National Electronic Health Authority (NeHA), and various State Electronic Health Authorities (SeHA) to give effect to the provisions of the DISHA.
A brief overview of the salient provisions of this legislation is given below.
Regulated Entities under the DISHA
The DISHA primarily regulates Clinical Establishments (which include clinics and pathology labs, but exclude pharmacies, insurers and other data controllers/processors in the healthcare sector) as well as any other entities that generate, collect, access, transmit or use DHD or associated personal health information. The DISHA also empowers the Central Government to establish entities called Health Information Exchanges that allow Clinical Establishments to exchange DHD with each other.
Ownership of Data and the Rights of the Data Subject
The DISHA states that all DHD is owned by the individual providing such data (the Owner). The DISHA confers various affirmative rights that the Owner may exercise with respect to this DHD. These rights include:
(a) The right to privacy, confidentiality and security of this data;
(b) The right to give or refuse consent for the generation, collection, storage, transmission, access or disclosure of this data. The Owner may not be refused a health service for exercising the right to refuse consent;
(c) The right to access their DHD and the right to rectify inaccurate or incomplete DHD;
(d) The right to require the Owner's explicit permission for each instance of transmission or use of their DHD; and
(e) The right to seek compensation for damages caused by a breach of DHD.
The Collection and Processing of DHD
The entities that collect and process DHD are required to meet certain obligations specified under the DISHA while carrying out these activities.
Further, the DISHA provides that any DHD stored or transmitted by a Clinical Establishment may be accessed only on a 'need to know' basis, i.e. by a specific person for a specific and lawful purpose, where such access to DHD is necessary for that purpose or to carry out that function. Clinical Establishments and Health Information Exchanges may also use PII for purposes related to the treatment of the patient, provided they are able to demonstrate that such use was necessary for that purpose. While entities other than Clinical Establishments or Health Information Exchanges may generate, collect and store this data for purposes related to the treatment of the patient, they can only use this information with the consent of the patient.
The DISHA allows anonymised or de-identified data to be used for specific public health purposes. These include early identification and prevention of diseases and research for public health, clinical and academic purposes. However, it strictly prohibits access, use or disclosure of DHD (whether in identifiable or anonymised form) by any other entity for a commercial purpose. It also prohibits the use, access or disclosure of DHD by employers, insurance companies, human resource consultants and pharmaceutical companies, subject only to the narrow exceptions noted below. Insurance companies can access an Owner's DHD from the Clinical Establishment to which an insurance claim relates, but only for the purpose of processing that claim.
The blanket prohibition on the use of DHD by insurance companies seems to imply a restriction on the use of this data more broadly for actuarial purposes. Similarly, while the DISHA allows the use of DHD for academic, clinical and public health research, it expressly prohibits the access, use or disclosure of DHD, whether identifiable or anonymised, by pharmaceutical companies.
Currently, employers can process health data for employee benefits, office records and insurance purposes under labour legislation such as the Maternity Benefit Act, the Employee's Compensation Act and the Employees' State Insurance Act, and as part of their internal policies. In line with this, the DISHA allows the use of DHD by employers to the extent required by law. However, access, use or disclosure of DHD to employers or human resource consultants for any other purpose is prohibited under the DISHA.
While the DISHA allows healthcare businesses to use DHD to advance patient-centred medical care and other core functions, the use of DHD for any 'commercial purpose' is expressly barred. The term 'commercial purpose' is, however, not defined. It is therefore unclear whether marketing of treatments, appointments or referrals by hospitals or other businesses to their clients would be caught by this prohibition.
Data Breach Notification
The DISHA casts an obligation upon Clinical Establishments and Health Information Exchanges to notify the Owner of any breach or serious breach of DHD within three days.
A breach of DHD can either be a breach or a serious breach of data. A breach of DHD is defined to mean the collection or other handling of this data (a) in contravention of the Act, (b) in a manner that violates the rights of the Owner, or (c) in a manner that results in the damage, deletion or alteration of data. A breach of DHD gives rise to a claim for compensation from the person who breached the data.
A serious breach of DHD on the other hand, is:
(a) any breach of data that is carried out intentionally, dishonestly, fraudulently or negligently;
(b) a breach of data that relates to data that is not de-identified or anonymised;
(c) the use of DHD for commercial purposes or commercial gain; or
(d) a repeated breach of DHD by any entity, Clinical Establishment or Health Information Exchange.
A serious breach of data is punishable with imprisonment for a term of three to five years, or a fine. It can also be grounds for a claim for compensation from the person who breached the data. No cap has been prescribed for the compensation that may be granted.
In addition, the DISHA creates various other offences, including the unauthorised access of another person's DHD and data theft. These offences are punishable with imprisonment for a term which may extend to five years.
Adjudication and Enforcement
The DISHA sets up adjudicatory bodies at the state level as well as one at the central level. Appeals from orders of the state adjudicatory authorities lie to the central adjudicatory body. Appeals from the central adjudicatory authority lie to the Delhi High Court.
Offences that carry criminal consequences are to be tried before a Court that is not inferior to that of a Court of Sessions. A complaint for these offences may be made by the Central Government, the State Government, the NeHA, the SeHA, or an affected person.
The draft is open to comments by the public till 21 April 2018. Comments may be submitted by email to the Ministry.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.