Grave breaches of healthcare data should be punishable by up to five years in jail and a fine of up to Rs 5 lakh, according to the draft Digital Information Security in Healthcare Act (DISHA) prepared by the Health Ministry.
The draft gives data owners the right to privacy, confidentiality and security of their digital health data, and the right to give or refuse consent for the generation and collection of such data.
Under the draft, a breach of digital health data is treated as serious if a person commits it intentionally, dishonestly, fraudulently or negligently, if information that has not been anonymised or de-identified is shared, or if a person has failed to secure the data to the standards prescribed by the Act or by rules made under it.
Any person who uses digital health data for commercial purposes or commercial gain, and any clinical establishment or health information exchange that commits breaches of digital health data repeatedly, will be liable for punishment.
The draft legislation also aims to protect "sensitive health-related information", defined as information that, if lost, compromised or disclosed, could result in substantial harm, embarrassment, inconvenience, violence, discrimination or unfairness to an individual.
This includes, but is not limited to, a person's physical or mental health condition, sexual orientation, use of narcotic or psychotropic substances, consumption of alcohol, sexual practices, Human Immunodeficiency Virus (HIV) status, treatment for sexually transmitted infections, and abortion, all of which are to be treated as sensitive information.
Making the health data security laws more stringent, any person or entity charged with a data breach will not be able to challenge the punishment in court. The central and state adjudicating authorities formed under the Act will have the powers of a civil court, according to the draft.
“No court shall take cognizance of any offence punishable under the Act except on a complaint made by the Central Government, State Government, the National Electronic Health Authority of India, State Electronic Health Authority, or a person affected,” the draft legislation says.
The draft does, however, permit clinical establishments and health information exchanges to generate, collect, store and transmit digital health data for a range of purposes. These include advancing the delivery of patient-centred medical care, providing appropriate information to help guide medical decisions, and improving the coordination of care and information among hospitals, laboratories, medical professionals and other entities through an effective infrastructure for the secure and authorised exchange of digital health data.
The draft legislation, prepared by the Ministry of Health and Family Welfare, also proposes to constitute a National Electronic Health Authority (NeHA), which would function as an independent regulator. The NeHA would formulate the rules, standards and processes for developing and managing electronic health records (EHR).
Medical Reporter Opinion – Though the Bill stops persons and private institutions from using or misusing the private information of patients, one cannot deny the fact that the Government "may" have full access to this data. Though one cannot doubt the intentions of the government, the leak of such data through sources within government structures can't be denied either. The law should have provisions for such rare cases also.