Healthcare Data Protection Law in India


Healthcare data protection law in India – in progress

The Ministry of Health and Family Welfare released the draft Digital Information Security in
Healthcare Act (DISHA), which aims to secure healthcare sector data in India by giving people
complete ownership of their health data.

For example, if you go to your doctor for a medical check-up and the doctor enters the results into an
electronic health record (EHR), that information is fully protected by DISHA because it sits
within the healthcare system.

Digital Information Security in Healthcare Act Objective

DISHA proposes three main objectives:
1. Setting up digital health authority at national and state levels
2. Enforcing privacy and security measures for electronic health data, and
3. Regulating storage and exchange of electronic health records

The draft further also provides details on the establishment of National and State Electronic
Health Authorities (NeHA and SeHA).

In effect, it would provide extensive data protection to Indian subjects, as well as govern data
portability.

So, overall, DISHA largely prevents healthcare providers from sharing any sensitive information,
which makes it too hard to share information at all.

However, the enactment of this law is still awaited.

Given the size of the population in the country, it is pertinent to have a strong data protection law in
India.

How is health data regulated in India today?

Data security and privacy are the responsibility of the entity that holds the data. If a data
breach happens, that entity can be penalized for it.

As of now, enterprises in India are not bound to inform their end customers or other individuals of
a data breach when one happens, except for banks, which are compelled to inform the Reserve Bank of India
(RBI) within six hours of a data breach.

In the Indian healthcare industry, the need for data security is recognized: patient
information must not be revealed, and may be disclosed only when the law requires it.

According to the Indian Medical Council Regulations, 2002, physicians must maintain the confidentiality
of matters relating to individual or domestic life that patients entrust to them during the various stages of
medical attendance and procedures.
However, this regulation fails entirely to outline the limits on accessing patient information.

Further, it also fails to count IP addresses and other online personally identifiable information as
sensitive personal information, which is of utmost importance in an internet-driven world.

INDIAN HEALTHCARE ECOSYSTEM

Patients, on the other hand, do not own their medical information. In addition,
various third-party administrators are involved throughout the ecosystem.

These providers also hold local control over the health data.

The technologies these providers use to let healthcare providers share data make
the data prone to various forms of malware and cyberattacks, ultimately leading to severe
data breaches.

Current state of health information exchange in India
The Indian healthcare ecosystem consists of seven key stakeholders – patient, provider, payer, pharma,
medical technology, technology vendors and suppliers, and the government and healthcare regulator.
These stakeholders interact with each other through a complex network of interdependent and data-
intensive workflows to generate meaningful health information. Technology has helped the healthcare
ecosystem to optimise these complex workflows by connecting the various stakeholders and providing
real-time information to deliver enhanced patient care. As a result, the entire ecosystem moved from
manual to digital media for the capture and storage of health information (e.g., medical records).
Further, various platforms such as telemedicine and mobile health applications were developed to
enhance connectivity between its stakeholders. The industry is currently transitioning from a manual
to a digital care model which allows remote monitoring.

India has begun its journey towards achieving universal health coverage (UHC) by 2022 and has aligned the
National Health Policy 2017 (NHP 2017) with this goal. The ambitious Pradhan Mantri Jan Arogya Yojana
(PMJAY), which was launched during Union Budget 2018–19, is a part of NHP 2017. It envisages two key
components – establishing Health and Wellness Centres (HWCs) and a national health insurance programme
under the National Health Protection Scheme, recently renamed as Pradhan Mantri Rashtriya Swasthya
Suraksha Mission (PMRSSM). UHC aims to increase access to quality healthcare services at an affordable
cost for all people, while the PMRSSM aims to increase accessibility, availability and affordability of primary,
secondary, and tertiary care health services in India. National healthcare initiatives of this scale would
need a technology solution that enables all stakeholders to generate and exchange meaningful health
information in a secure and timely manner. Implementation of PMJAY and attaining the goal of UHC
will require technology that links together the various HWCs spread across the country. Technology
will also serve as the backbone for building a national level IT platform and facilitating beneficiary
identification, strategic purchase of care services, disbursal of provider payments, fraud detection and
monitoring of the scheme. NHP 2017 has identified the goals for health information management,
such as ensuring a district-level health system information database and establishing federated
integrated health information architecture, health information exchange and developing a national
health information network by 2025.

1. Collection of health data

(1) No health data shall be collected, for the purposes of conversion to
digital health data, by any clinical establishment, or any other entity in
any manner, except in accordance with the provisions of this Act.

(2) A clinical establishment may, by consent from the owner, recorded in
the form and manner as may be prescribed under this Act, lawfully
collect the required health data, after informing the owner of the
following:
(a) The rights of the owner as laid down in this Act, including the
right to refuse consent to the generation and collection
of such data;
(b) The purpose of collection of such health data;
(c) The identity of the recipients to whom the health data may be
transmitted or disclosed, after being converted into a digital
format;
(d) The identity of the recipients who may have access to such digital
health data on a need-to-know basis.

(3) A clinical establishment or any other entity, shall furnish a copy of the
consent form to the owner.

(4) Any other entity that collects any digital health data shall remain the
custodian of such data, and shall be duty bound to protect the privacy,
confidentiality and security of such data.

(5) When an individual is incapacitated or incompetent to provide consent,
either due to physical or mental incapacity, the clinical establishment
may collect health data by obtaining proxy consent from a nominated
representative, relative, caregiver or such other person, as may be
prescribed under this Act, and who has the legal capacity to consent.

Provided that where the individual has regained his or her capacity to
give or refuse consent for the collection of his or her health data by the
clinical establishment, he or she shall have the option to seek
withdrawal of the proxy consent and to give his or her own consent for
the collection of such health data, in such form and manner as may be
prescribed by the National Electronic Health Authority of India.

(6) Where a person is a minor and it is in the best interest of the minor,
proxy consent can be obtained by the minor’s legal guardian, or
representative.

Provided that upon attaining majority, the minor shall have a right to
withdraw or modify his/her consent for the further collection, storage,
transmission of his/her digital health data.

2. Ownership of digital health data

(1) The digital health data generated, collected, stored or transmitted shall
be owned by the individual whose health data has been digitised;
(2) A clinical establishment or Health Information Exchange shall hold
such digital health care data referred to in sub-section (1) above in trust
for the owner;
(3) Any other entity who is in custody of any digital health data shall
remain the custodian of such data, and shall be duty bound to protect
the privacy, confidentiality and security of such data;

3. Storing of digital health data

(1) No digital health data shall be stored by any clinical establishment or
entity or health information exchange in any manner, except in
accordance with the provisions of this Act.
(2) The clinical establishment or health information exchange, as the case
may be, shall hold all digital health data, on behalf of the National
Electronic Health Authority, without compromising the privacy or
confidentiality of the owner, and the security of such data.
(3) The digital health data vested with the National Electronic Health
Authority shall be stored and may be transmitted or used in such form
and manner as may be prescribed by the National Electronic Health
Authority.

4. Transmission of data
(1) No digital health data shall be transmitted by a clinical establishment
or health information exchange, or any other entity, as the case may be,
in any manner, except in accordance with the provisions of this Act.

(2) A clinical establishment may transmit the digital health data to the
health information exchange securely, in an encrypted form, after
retaining a copy for reasonable use by the clinical establishment.

Provided that for such secure, encrypted and instantaneous
transmission of digital health data, the National Electronic Health
Authority of India shall prescribe appropriate standards for physical,
administrative and technical measures, keeping in mind the privacy
and confidentiality of the owner, by notification.

(3) The digital health data shall be transmitted by a clinical establishment
or entity or health information exchange only upon the consent of the
owner, after being informed of the rights of the owner under Section
28, and the specific purposes of collection of such data under Section
29.

(4) A health information exchange shall maintain a register in such form
and manner as may be prescribed by the Central Government,
containing all details of the transmission of the digital health data
between a clinical establishment and health information exchange, and
between health information exchanges inter se.

5. Access to digital health data

(1) No digital health data collected, stored or transmitted by a clinical establishment or
health information exchange, as the case may be, shall be accessed by any person,
except in accordance with the provisions of this Act.
(2) The digital health data collected or stored or transmitted by a clinical establishment or
health information exchange, as the case may be, may be accessed by the clinical
establishment, on a need-to-know basis, in such form and manner as may be
prescribed under this Act.
(3) The government departments, through their respective Secretaries, may submit a request
for digital health data in de-identified/anonymized form to the National Electronic
Health Authority.

Provided that the National Electronic Health Authority of India may prescribe any other
class of persons who may access digital health data which is anonymized.

(4) In cases where access to digital health data is necessary for the purpose of
investigation into cognizable offences, or for the administration of justice, such access
may be granted to an investigating authority only with the order of the competent
court.
(5) The owner of the digital health data shall have a right to access his or her data in such
form and manner as may be specified by the National Electronic Health Authority of
India.
(6) In case of an emergency, certain digital health data shall be immediately made
accessible to a clinical establishment, upon a request, including information related to
allergies, drug interactions and such other information as may be specified.
(7) In case of an emergency, the relatives of the owner may have access to such data for
the purpose of correct treatment of the owner, subject to such conditions as may be
prescribed under this Act.
(8) In case of the death of the owner of digital health data, the legal heirs or representatives of
such owner may have access to such data, only upon the application of such heirs
or representatives in such form and manner as may be specified by the National
Electronic Health Authority of India.

Provided that no access shall be given to legal heirs or legal representatives if it was
expressly barred by the owner.

Provided further that in case of the death of the owner, the National Electronic Health
Authority shall use the digital health data only in anonymized form.

(9) All clinical establishments and health information exchanges shall maintain a register
in digital form to record the purposes and usage of digital health data accessed
within the meaning of this Section, in such form and manner as may be specified by
the National Electronic Health Authority.
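The access rules above can be checked as policy-as-code. The following is an added example, not part of the draft Act or any official implementation: it models each class of requester in Section 5 as a decision function and appends every decision to the digital access register the section requires. The `Record` and `Request` fields, the role names, and the emergency field set are assumptions for illustration; "such other information as may be specified" is not modelled.

```python
# Added example, not part of the DISHA draft: a policy-as-code model of the
# Section 5 access rules, with the access register the section requires.
from dataclasses import dataclass, field

# Emergency disclosure is limited to these fields (assumed set for this example).
EMERGENCY_FIELDS = {"allergies", "drug_interactions"}

@dataclass
class Record:
    owner: str
    fields: dict                     # e.g. {"allergies": "penicillin", "diagnosis": "asthma"}
    deceased: bool = False
    heirs_barred: bool = False       # owner expressly barred heirs from access

@dataclass
class Request:
    requester: str
    role: str                        # owner | clinical_establishment | relative | legal_heir | investigator | government
    purpose: str
    emergency: bool = False
    court_order: bool = False        # order of the competent court (investigators)
    need_to_know: set = field(default_factory=set)   # fields the establishment is prescribed to see
    heir_application: bool = False   # application by legal heir in the prescribed form

REGISTER: list = []   # digital register of purposes and usage, required by Section 5

def decide(rec: Record, req: Request):
    """Return (granted, visible_fields) and record the decision in the register."""
    allowed = set()
    if req.role == "owner" and req.requester == rec.owner:
        allowed = set(rec.fields)                              # owner's right of access
    elif req.role == "clinical_establishment":
        if req.emergency:
            allowed = EMERGENCY_FIELDS & set(rec.fields)      # emergency: allergies, drug interactions only
        else:
            allowed = req.need_to_know & set(rec.fields)      # need-to-know basis only
    elif req.role == "relative" and req.emergency:
        allowed = set(rec.fields)                              # emergency, for correct treatment of the owner
    elif req.role == "legal_heir" and rec.deceased and req.heir_application and not rec.heirs_barred:
        allowed = set(rec.fields)
    elif req.role == "investigator" and req.court_order:
        allowed = set(rec.fields)                              # only with a competent court's order
    elif req.role == "government":
        allowed = set()   # identified data is never released; anonymized data is requested via NeHA, not modelled
    granted = bool(allowed)
    REGISTER.append({"requester": req.requester, "role": req.role, "purpose": req.purpose,
                     "granted": granted, "fields": sorted(allowed)})
    return granted, {k: rec.fields[k] for k in allowed}
```

Denied requests are logged too, so the register doubles as a detection source for repeated out-of-policy access attempts.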