Summary: Digital Information Security in Healthcare Act (DISHA) to enable electronic health records

DISHA (Digital Information Security in Healthcare Act) will enable the digital sharing of personal health records with hospitals and clinics, and between hospitals and clinics; it will be the basis for the creation of digital health records in India. As we’ve reported earlier, the National Health Policy has green-lit the creation of a National Health Information Network, for sharing of Aadhaar linked Electronic Health Records. DISHA appears to lay the groundwork for many health exchanges.

The Ministry of Health and Family Welfare is taking inputs on DISHA till the 21st of April 2018. Submit your comments to egov-mohfw@nic.in.

Summary: Digital Information Security in Healthcare Act (DISHA) (download)

1. Ownership of digital health data and rights of the data owner

The digital health data generated, collected, stored or transmitted shall be owned by the individual whose health data has been digitised;

A clinical establishment or Health Information Exchange shall hold such digital health care data, and any other entity who is in the custody of any digital health data shall remain the custodian of such data, and “shall be duty bound to protect the privacy, confidentiality and security of such data”

The owner of digital health data can shall have the following rights:

1. Consent:
   • “the right to privacy, confidentiality, and security of their digital health data” and the right to refuse consent “for the generation and collection of digital health data by clinical establishments and entities,” subject to certain exceptions.
   • The right to give, refuse or withdraw consent for the storage and transmission of digital health data, as well as to refuse consent to access and disclosure, with certain exceptions (defined under ‘Purpose’ below)
   • The right to require their explicit prior permission for each instance of transmission or use of their digital health data in an identifiable form
   • The right to prevent any transmission or disclosure of any sensitive health related data that is likely to cause damage or distress to the owner;
2. Data collection: The right that the digital health data collected must be specific, relevant and not excessive
3. Transparency: An owner of the digital health data shall have the right to
   • know the clinical establishments or entities which may have or has access to the digital health data, and the recipients to whom the data is transmitted or disclosed;
   • The owner of the digital health data shall have a right to access their digital health data with details of consent given and data accessed by any Clinical Establishment/Entity;
   • The right to be notified every time their digital health data is accessed by any clinical establishment
4. Rectification: The right to rectify without delay, from the respective clinical establishment or health information exchange or entity, any inaccurate or incomplete digital health data
5. Sharing: The right to ensure that in case of health emergency, the digital health data of the owner may be shared with their family members;
6. The right not to be refused health service, if they refuse to consent to generation, collection, storage, transmission and disclosure of their health data;
7. Protection: The right to seek compensation for damages caused by a breach of digital health data.

2. Data collection and defining personally identifiable information

Sensitive health-related information’ means information, that if lost, compromised, or disclosed, could result in substantial harm, embarrassment, inconvenience, violence, discrimination or unfairness to an individual, including but not limited to, one’s physical or mental health condition, sexual orientation, use of narcotic or psychotropic substances, consumption of alcohol, sexual practices, Human Immunodeficiency Virus status, Sexually Transmitted Infections treatment, and abortion.

Personally Identifiable Information

(iv) Name; (v) Address; (vi) Date of Birth; (vii) Telephone Number; (viii) Email Address; (ix) Password (x) Financial information such as bank account or credit card or debit card or other payment instrument details; (xi) Physical, physiological and mental health condition; (xii) Sexual orientation; (xiii) Medical records and history; (xiv) Biometric Information; (xv) Vehicle number; (xvi) Any government number, including Aadhar, Voter’s Identity, Permanent Account Number (‘PAN’), Passport, Ration Card, Below Poverty Line (‘BPL’).

The last sentence, in Schedule 1 says, and I quote:

“New Issue – we should not disallow direct sharing of identifiable data for direct patient care between two hospitals.”

Direct care, apparently, is “the care of an identified patient by an identified clinical professional”, according to Wikipedia, and the information in question is Personally Identifiable Information, which according to the DISHA Act could be the patients

Data Collection

• Notice and consent: A clinical establishment may, by consent from the owner, collect the required health data, after informing the owner of their rights, and the right to refusal to give consent, the purpose of collection, the identity of the recipients to whom the health data may be transmitted or disclosed, the identity of the recipients who may have access to the data on a “need to know” basis. The establishment has to furnish a copy of the consent form. Any other entity that collects any digital health data shall remain the custodian of such data, and shall be duty bound to protect the privacy, confidentiality and security of such data.
• Consent in case of incapacitation/incompetence: When an individual is incapacitated or incompetent to provide consent, proxy consent may be taken from a nominated representative, relative, care giver or such other person. Where the individual has regained capacity to give or refuse consent, he/she can withdraw consent. In case of a minor, the consent may be obtained by the minors legal guardian.

3. Purpose of collection, storage, transmission and use of the digital health data

Personally Identifiable information:
3a. To advance the delivery of patient centered medical care;
3b. To provide appropriate information to help guide medical decisions at the time and place of treatment;
3c. To improve the coordination of care and information among hospitals, laboratories, medical professionals, and other entities through an effective infrastructure for the secure and authorized exchange of digital health data;

De-identified data / anonymised data
3d. To improve public health activities and facilitate the early identification and rapid response to public health threats and emergencies, including bioterror events and infectious disease outbreaks;
3e. To facilitate health and clinical research and health care quality;
3f. To promote early detection, prevention, and management of chronic diseases;
3g. To carry out public health research, review and analysis, and policy formulation;
3h. To undertake academic research and other related purposes

4. Storage of digital health data

The clinical establishment or health information exchange, shall hold all digital health data, on behalf of National
Electronic Health Authority.

For reasons 3a to 3c above, Digital health data may be generated, collected, and stored by any entity, apart from a clinical establishment. However, there shall be no access to, or disclosure of personally identifiable information, except in accordance with the provisions of this Act.

Personally identifiable information may only be used for the purposes of direct care of the owner of the data.

5. Transmission of data

• Who can transmit: A clinical establishment may transmit the digital health data to the health information exchange.
• Permissions: Transmission shall be only upon the consent of the owner, after being informed of his/her rights.
• How can they transmit: in an encrypted form, securely, after retaining a copy for reasonable use by the clinical establishment. National Electronic Health Authority of India shall prescribeapp ropriate standards for physical, administrative and technical measures.
• Monitoring: A health information exchange shall maintain a register containing all details of the transmission of the digital health data between a clinical establishment and health information exchange,and between heath information exchanges.

6. Rectification of digital health data

An owner of the digital health data can rectify the data by making an application as prescribed under this act. On receipt of the application, the data shall be rectified within 3 working days of receipt.

7. Accessing digital health data

• Commercial purpose: Digital health data, whether identifiable or anonymized, shall not be accessed, used or disclosed to any person for a commercial purpose and in no circumstances be accessed, used or disclosed to insurance companies, employers, human resource consultants and pharmaceutical companies, or any other entity as may be specified by the Central Government.Explanation: Insurance companies shall not insist on accessing the digital health data of persons who seek to purchase health insurance policies or during the processing of any insurance claim. Provided that for the purpose of processing of insurance claims, the insurance company shall seek consent from the owner to seek access his or her digital health data from the clinical establishment to which the claim relates.
• Monitoring of access: All clinical establishments and health information exchanges shall maintain a register in a digital form to record the purposes and usage of digital health data accessed
• By clinics: Digital health data may be accessed by the clinical establishment, on a need to know basis.
• By Government departments: Government departments through their respective Secretaries, may submit request for digital health data in deidentified/anonymized form, to the National Electronic Health Authority.
• For purpose of investigation into cognizable offences, or for administration of justice, such access may be granted to an investigating authority only with the order of the competent court;
• By the owner of the data: The owner of the digital health data shall have a right to access his or her data
• In case of an emergency,
  • certain digital health data shall be immediately made accessible to a clinical establishment, including information related to allergies, drug interactions and such other information as may be specified;
  • the relatives of the owner may have access to the data for the purpose of correct treatment of the owner
• In case of death of the owner of digital health data,
  • the legal heirs or representative of such owner may have access to such data, unless expressly barred by the owner.
  • The National Electronic Health Authority, shall use the digital health data only in anonymized form.

8. Breach & Serious Breach, and penalties

Breach of digital health data is if:

• any person generates, collects, stores, transmits or discloses digital health information in contravention to access allowed under this act
• Any person does anything in contravention of the exclusive right conferred upon the owner of the digital health data
• Digital health data collected, stored or transmitted by any person is not secured as per the standards prescribed by the Act or any rules thereunder; or
• Any person damages, destroys, deletes, affects injuriously by any means or tampers with any digital health data.
• Any person who breaches digital health data shall be liable to pay damages by way of compensation to the owner of the digital healthcare data in relation to which the breach took place.

Serious breach of digital health data is if:

• A person commits a breach of digital health data intentionally, dishonestly, fraudulently or negligently; or
• Any breach of digital health data occurs, which relates to information which is not anonymised or de-identified; or
• A breach of digital heath data occurs where a person failed to secure the data as per the standards prescribed by the Act or any rules thereunder; or
• Any person uses the digital health data for commercial purposes or commercial gain; or
• An entity, clinical establishment or health information exchange commits breach of digital health data repeatedly;

The Chief Health Information Executive of a Health Information Exchange is supposed to notify the data breach to the owner and such other concerned.

Penalties for breach/serious breach

• Any person who commits a breach shall be liable to pay damages by way of compensation to the owner of the digital healthcare data in relation to which the breach took place.
• Any person who commits a serious breach of health care data shall be punished with imprisonment, of 3 to 5 years; or fine, which shall not be less than five lakh of rupees. Provided that, any fine imposed may be provided to the individual whose data is breached, by the Court, as it deems fit as compensation.
• Whoever, fraudulently or dishonestly, obtains the digital health information of another person, which he is not entitled to obtain shall be punished with imprisonment for a term which shall extend up to one year or fine, which shall be not less than one lakh rupees; or both.
• Whoever intentionally and without authorization acquires or accesses any digital health data shall be punished with imprisonment for 3 to 5 years or fine, which shall be not less than five lakh rupees; or both.

Who can go to court?

The Central Government, State Government, the National Electronic Health Authority of India, State Electronic Health Authority, or a person affected. Note that the UIDAI Act does not allow the person affected to go to court.

No Court inferior to that of a Court of Sessions shall try any offence punishable under sections 38, 41 and 42 of this Act.

8. Offences by companies

Liability of the management:

• Where a company contravenes this act, “every person who, at the time when the contravention was committed, was in charge of and was responsible to the company, for the conduct of the business of the company, as well as the company shall be deemed to be guilty of the contravention, and shall be liable to be proceeded against and punished accordingly”, provided that the contravention took place without his knowledge or he exercised all due diligence to prevent the commission of such contravention.
• When it is with the “consent or connivance of, or is attributable to any neglect on the part of any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer of the company shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.”

9. Creation of Information exchanges and their regulation

“Health Information Exchanges” will be set up by the Central Government for sharing of electronic health records, as well as the National Electronic Health Authority of India (NeHA) and State Electronic Health Authorities (SeHA’s).

The Central Government shall, by notification, establish as many Health Information Exchanges, as considered necessary.

Among other things, NeHA will

• Notify and mandate Health Information Exchanges
• Define protocol for transmission of digital health data to and receiving it from other countries
• Formulate standards, operational guidelines and protocols for “the generation, collection, storage and transmission of the digital health data” applicable to Clinical establishments, Health information exchanges and any entity having custody of digital health data, NeHA and SeHA’s.
• Ensure that the clinical establishments and other entities in the state collect, store, transmit and use digital health data as per the provisions of DISHA
• Conduct investigations to ensure compliance with DISHA

SeHA’s have to:

• Ensure that the clinical establishments and other entities in the state collect, store, transmit and use digital health data as per the provisions of this Act and the standards, protocols and operational guidelines issued by the National Electronic Health Authority, from time to time
• Conduct investigations to ensure compliance with the provisions of this Act;
• Notify and mandate the clinical establishments and other entities, in case of failure to comply with the provisions of this Act;
• Shall have the right to inspect all such records; or access the premises including virtual premises, of a Clinical establishment or other entities at any time.

*
If you’ve read this far, submit your comments to egov-mohfw@nic.in by the 21st of April 2018.