Health records digitization

DISHA: Proposed Health Security Bill


INTRODUCTION:

India is in dire need of a legal framework for data protection. Amid all the plans and talk of an IT framework for the government's new health protection scheme, the Union Ministry released a draft of an upcoming act to protect health data. In December 2017, the white paper on a data protection framework for India was published by the committee of experts chaired by Justice BN Srikrishna. Following on from that framework, the introduction of the draft bill of DISHA, the Digital Information Security in Health Act, is a step in the right direction.

On March 21, 2018, the Government of India published the draft bill through the e-health section of the Ministry of Health and Family Welfare and invited the public and stakeholders to comment by April 21, 2018.

In a nutshell, DISHA will help share personal health records digitally with hospitals and clinics, creating a database of health records in India.

The main points of the bill:

1. Ownership of digital health data and rights of the owner of data:

The data collected, generated, transmitted or stored will be owned by the individual whose health data is digitized. Every establishment, health information exchange, clinic or hospital holding the data of any entity shall have the duty to protect the privacy, confidentiality and security of such data.

2. Clause of consent:

Under the fundamental right to privacy, the confidentiality and security of digital health data, and the generation and collection of health data by institutions, are subject to the exceptions mentioned in the bill. As an exception to all of these, the owner of the data is given the right to refuse consent, the right to give consent, and the right to withdraw consent for the generation and collection of data. Further, several other clauses require prior permission from the owner for each instance, such as transmission, generation or circulation. Transmitting or disclosing sensitive health-related data that can cause damage or distress to the owner is prevented.

3. Data collection:

Collection of data must stay within specific limits and should not exceed what is required for the purpose of collection.

4. Transparency:

The owner of the data must know where his information is being disclosed or transmitted, and shall have a right to access his information with details of the consent given, and a right to be informed at every instance of access to the data by any authority.

5. Rectification:

The owner should have the right to have any inaccurate or incomplete information about them rectified without any delay through established institutions.

6. Sharing:

The information created should be shared with the family in case of emergency.

7. Protection:

The owner has the right to seek compensation for damages arising from any breach of data.

8. Data collection and defining personally identifiable information:

‘Sensitive health-related information’ means information that, if lost, compromised, or disclosed, could result in substantial harm, embarrassment, inconvenience, violence, discrimination or unfairness to an individual, including but not limited to one’s physical or mental health condition, sexual orientation, sexual practices, abortion, etc.

9. Data Collection:
  • Notice and consent: Consent is required from the owner to collect the health data. The owner should also be informed of their rights, including the right to refuse consent, the purpose of collection, and the identity of the recipients to whom the health data may be disclosed. The establishment has to furnish a copy of the consent form. Any other entity that collects any digital health data shall remain the custodian of such data, and shall be duty bound to protect the privacy, confidentiality and security of such data.
  • Consent in case of incapacitation/incompetence: If an individual is incapacitated or incompetent to provide consent, proxy consent can be sought from a nominated representative, relative or caretaker. In the case of a minor, consent may be obtained from the minor's legal guardian.

10. Purpose of collection, storage, transmission and use of the digital health data:

Personally identifiable information:

  • To advance the delivery of patient-centered medical care;
  • To provide appropriate information to help guide medical decisions at the time and place of treatment;
  • To improve the coordination of care and information among hospitals, laboratories, medical professionals, and other entities through an effective infrastructure for the secure and authorized exchange of digital health data;

De-identified data:

  • To improve public health activities and facilitate the early identification and rapid response to public health threats and emergencies;
  • To facilitate health and clinical research and health care quality;
  • To promote early detection, prevention, and management of chronic diseases;
  • To carry out public health research, review and analysis, and policy formulation;
  • To undertake academic research and other related purposes.

11. Storage of digital health data:

Where an establishment, institution or health information exchange holds data for the purpose of creating a health record, or on behalf of the Electronic Health Authority, personally identifiable information can be collected and stored by any entity apart from a clinical establishment. However, there shall be no access to, or disclosure of, such information without exceptions. This information may only be used for the purposes of direct care of the owner of the data.

12. Transmission of data:
  • Only the clinical establishment can transmit the digital health data to the health information exchange, with the consent of the owner, and only after the owner has been informed of his rights.
  • The data, transmitted in encrypted form, can be used by the national electronic exchange, with a copy kept for reasonable use by the clinical establishment.
  • The health information exchange will maintain a register of all details of how data has been transmitted between establishments and health information exchanges.

13. Rectification of digital health data:

To rectify the health data, the owner has to make an application to the establishment, and the information should be rectified within 3 working days of the application being received.

14. Breach:

A breach of digital health data occurs if:

  1. Any person collects and stores any information specifically mentioned as prohibited under the act;
  2. Any act is done in contravention of the rights conferred on the owner of the data;
  3. Any digital record is not secured as per the security measures given under the act;
  4. Any person damages, destroys, deletes, harms or tampers with the data in any manner.

A person breaching the data shall be liable to pay damages, in the form of compensation, to the owner of the digital health record data.

15. Penalties for breach/serious breach
  • Any person who commits the offence shall be liable to pay compensation to the owner of the digital healthcare data.
  • Any person who commits the breach shall be punished with 3 to 5 years of imprisonment, or a fine of not less than five lakh rupees.
  • Whoever, without authorization, fraudulently or dishonestly obtains the information of another person shall be punished with imprisonment of up to one year or a fine of not less than one lakh rupees.
  • Unauthorized, intentional access to or storage of any digital health data shall be punished with 3 to 5 years or a fine of not less than five lakh rupees.

The Central Government, State Government, the National Electronic Health Authority of India, State Electronic Health Authority, or a person affected can go to court.
