India: DISHA: The First Step Towards Securing Patient Health Data In India

"A journey of a thousand miles begins with a single step." The Digital Information Security in Healthcare Act ('DISHA') is that firm first step taken by the Indian Government in the long journey to securing the healthcare data of patients in India. In a country with more than one billion people, data is bound to be scattered, even more so when it comes to healthcare data. It is common practice for a doctor to have to write up a repeat diagnostic test because they have no way of accessing the patient's medical records. This is despite the fact that the law requires doctors to maintain the medical records of their in-patients for at least three years. In a move to drastically improve healthcare delivery in India and protect patient data, DISHA proposes to change all of that. Dr Milind Antani, Darren Punnen and Anay Shukla of Nishith Desai Associates discuss the aims of DISHA, the positive response to the first public draft and the concerns raised that are likely to be addressed before the legislation is finalised.

'DISHA' in Hindi means 'direction' and the word was chosen with the purpose and objective of showing direction and putting the important data of patients on the right path. Almost two years in the making, DISHA has three primary objectives - setting up a central and state level digital health authority, enforcing privacy and security measures for digital health data, and regulating the storage and exchange of electronic health data. Before deep diving into each of these aspects, it is also important for readers to understand the current legal framework for data privacy in India.

The current legal framework

The collection, receipt, storage, handling and transfer of sensitive personal data or information ('SPDI') in electronic form is subject to the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (the 'Data Protection Rules'), a set of rules prescribed under the Information Technology Act 2000 - India's principal legislation governing information technology. The Data Protection Rules consider a select set of information to be SPDI. From a healthcare perspective, this includes information relating to physical, physiological and mental health conditions, sexual orientation as well as medical records and history.

The Data Protection Rules apply to any corporate entity that in some way deals with the SPDI of a person. The compliance requirements under the Data Protection Rules were largely limited to obtaining consent prior to collection or transfer, publishing a privacy policy, and maintaining 'reasonable' security practices and procedures to protect SPDI. While there is a requirement for entities to meet ISO standards for data protection, it is also possible for them to have a user agree that their existing data protection practices, irrespective of whether they match ISO standards or not, are reasonable. This workaround would, in effect, satisfy the compliance requirements under the Data Protection Rules.

While the Data Protection Rules were a welcome step at a time when protection of electronic data was not regulated at all, the need for higher standards of protection has been felt increasingly over the years, especially when it comes to sensitive health information. The other major problem that the country has been facing is with respect to the lack of interoperability of health records between hospitals, clinics and diagnostic centres, and in extreme cases, even between two departments of the same institute. The Government did, at various instances, nudge the industry into adopting a more uniform health information system, the last attempt being in 2016 when the Government came out with a revised Electronic Health Records Standard of India. Given the non-binding nature of the recommendations, unfortunately, these efforts did not bear much fruit.

DISHA was born, therefore, out of the need to provide for better healthcare information security in a way that the public could claim as a right and to ensure interoperability of electronic health data. When finalised and introduced as law, it will replace the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules of 2011 and thereby usher India into a new regime of protection and regulation of electronic health data.

The detail of DISHA

DISHA aims to be a piece of legislation focused on healthcare data privacy, confidentiality, security and standardisation. DISHA will create regulatory authorities, both at the central and state level, to enforce the rights and duties envisaged under the legislation. At the central level, the setting up of a National Electronic Health Authority ('NeHA') is proposed, which would be the apex authority entrusted with formulating standards and operational guidelines and protocols for the generation, collection, storage, and transfer of digital health data. At the state level, the State Electronic Health Authority ('SeHA') will be responsible for ensuring that the requirements of DISHA are followed on the ground, at the institutional level.

Clinical establishments of all kinds will be obliged to comply with the requirements of DISHA, including diagnostic centres and even individual clinics. DISHA also proposes the setting up of Health Information Exchanges - the backbone of interoperability and access - which would process and transmit data between clinical establishments. From an enforcement perspective, DISHA also establishes central and state adjudicating authorities, which will investigate complaints regarding breach of DISHA by clinical establishments and other entities, health exchanges and even NeHA and SeHA. While all citizens have a fundamental right to privacy enshrined within the Indian Constitution (the Supreme Court, in the recent case of Justice K.S Puttaswamy (Retd.) v. Union of India and Ors, held that the right to privacy is an intrinsic part of the right to life and personal liberty), DISHA specifically lays down the rights of the owners of health data. Informed consent and the right to know are the central themes behind the disclosure, transfer and access to digital health data. DISHA also clearly demarcates ownership of the data. While the actual digital health data is at all times owned by the individual whose health data have been digitised, the medium of storage and transmission of the digital health data is owned by the clinical establishment or the Health Information Exchange, as the case may be.

Additionally, DISHA clearly states that the digital health data of any individual is always held in trust for the owner. Individuals have the right to know exactly when digital health data is accessed or transferred as well as having the right to withdraw any consent provided, at any time. The individual also has the right to rectify mistakes in the digital health data at any time as well.

Interoperability is a crucial aspect covered by DISHA. NeHA, once established, will be required to come up with operating guidelines and standards which are to be uniformly followed by any person or entity that is involved in the generation, collection, transmission or disclosure of digital health data. Health Information Exchanges will facilitate the flow of data between entities, with the Chief Health Information Executive of each Health Information Exchange being required under DISHA to ensure the smooth day-to-day operations of the Exchange. The flow of digital health data unhindered by compatibility issues between entities would go a long way to providing better healthcare delivery for patients and improving coordination between different functions, especially in times of emergency.

While a wide set of rights are provided to owners of data, DISHA will also impose duties on collectors, generators and processors of digital health data. Maintaining privacy and confidentiality is the foremost responsibility of all stakeholders - from the clinical establishment to NeHA. DISHA also specifies the purposes for which digital health data can be collected, stored, transmitted or used by a person or entity. The owner of the data must be informed of any breach of the privacy or confidentiality of their digital health data immediately.

Breaches of digital health data and non-compliance with the requirements of DISHA will be treated very seriously under the legislation. DISHA distinguishes between a breach and a serious breach of digital health data. A breach involves a contravention of the collection or processing norms, the destruction or unauthorised modification of data, or not securing the data as required under DISHA. A serious breach, on the other hand, involves a person intentionally, fraudulently or negligently breaching digital health data, using the data for commercial purposes and breaches involving data that is not de-identified or anonymised. In case of a serious breach, the person or entity responsible for the breach may be liable to imprisonment of up to five years, and a minimum fine of INR 500,000 (approximately $7,525). In case of a breach, the owner of the data may be entitled to compensation from the person or entity responsible for the breach.

A portion of the fine payable in case of a serious breach may also be paid as compensation to the individual whose data was breached, at the discretion of the court adjudicating on the matter.

The response to the first draft

Overall, the first public draft of DISHA was received well, thanks to its clear emphasis on healthcare data privacy, protection and confidentiality, as well as the push towards interoperability. There were, however, a few issues raised that are sure to be addressed before the legislation is finalised.

A point of concern with the current version of DISHA relates to access to digital health data. The Chief Health Information Executive of a Health Information Exchange is permitted under law to access digital health data. As an Exchange that is responsible for the processing and transfer of digital health data, it may not be necessary for any person working within the Health Information Exchange to be provided with access to any of the digital health data, as the Exchange is merely an intermediary between the clinical establishment and the owner of the data. Limiting access to digital health data would go a long way to minimising the risk of an inadvertent data breach.

Similarly, all digital health data - be it from the clinical establishment or the Health Information Exchange - is held on behalf of NeHA, according to DISHA. DISHA also permits NeHA to use the information for certain limited purposes such as public health research, provided the privacy and confidentiality of the owner of the data is not compromised. While the intent of permitting NeHA to have unbridled access to the nation's digital health data is in the wider interest of trying to facilitate research and promote early detection of diseases, a breach in this situation is a matter of concern, especially considering that national databases of identifiable information have been subject to breaches in the past.

Something that remains unclear in the draft version of DISHA is the extent of interoperability envisaged for digital health data. Considering that there would be multiple Health Information Exchanges set up for the purpose of allowing interoperability, the seamlessness and interoperability between these Exchanges is something that remains to be seen.

For example, if a clinical establishment in one part of the country transferred digital health data to a Health Information Exchange, and another clinical establishment in another part of the country requested the same information, but from a different Health Information Exchange, the draft is not very clear on how digital health data would flow between exchanges. This may, however, become clear once the rules relating to DISHA are notified.

Another point that may be a major concern to industry relates to the absolute prohibition that DISHA places on access to digital health data, whether anonymised or otherwise, by pharmaceutical companies and insurance companies as well as access for any commercial purpose. This appears to be an impediment to the clinical research activities of pharmaceutical companies, as health related data is required to be submitted to the drug regulator for marketing approvals of new drugs. Given that India is currently promoting clinical research in the country, it appears that this limitation may not have been intentional, and an exception allowing pharmaceutical companies to access digital health data for this limited purpose, as well as further clarity defining the scope of commercial purposes, may find its way into the final draft of DISHA.

There also seems to be some overlap in terms of what instances of noncompliance amount to a breach or a serious breach. For instance, failure to secure data in accordance with prescribed standards is mentioned in what constitutes a breach and a serious breach under DISHA. This may be clarified or further fleshed out before the legislation is finalised. Last but not the least, it is also difficult to understand why the scope of a new piece of legislation such as DISHA, which grants important rights to citizens relating to their own healthcare data, limits those rights to healthcare data in electronic form only.

Given that DISHA has only completed its first round of comments from the public and stakeholders, it is expected that the revisions made based on the feedback will churn out a more refined version of the legislation. In any case, it is evident from the draft that the Government has really pushed to provide additional security, privacy and confidentiality for individuals, with respect to their digital health data.

A lot of thought and effort has gone into the draft - right from the clever use of the acronym DISHA to the fine distinctions made between the kinds of digital health data (de-identified and anonymised data, for example) - which is proof that when it comes to protecting privacy and confidentiality, India is definitely moving in the right 'disha.'

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions