Healthcare Data Protection Law in India
The Ministry of Health and Family Welfare released the draft Digital Information Security in
Healthcare Act (DISHA) with the aim of securing healthcare-sector data in India and giving people
complete ownership of their health data.
For example, if you go for a medical check-up with your doctor, and the doctor enters the results into an
electronic health record (EHR), that information is fully protected by DISHA because it is held
within the healthcare system.
The draft also provides for the establishment of National and State Electronic Health Authorities
(NeHA and SeHA).
In effect, it would provide extensive data protection to Indian subjects and govern data
portability.
Overall, therefore, DISHA largely prevents healthcare providers from sharing any piece of sensitive
information, which makes it too hard to share information at all.
Given the size of the population in the country, it is pertinent to have a strong data protection law in
India.
As of now, enterprises in India are not obliged to inform their end customers or other individuals of
a data breach when it happens; the exception is banks, which are compelled to report a data breach to
the Reserve Bank of India (RBI) within six hours.
In the Indian healthcare industry, data security is recognised as necessary so that patient
information is not revealed, except where the law requires it.
According to the Indian Medical Council Regulations, 2002, physicians must maintain the confidentiality
of matters relating to a patient's individual or domestic life that are entrusted to them during the
various stages of medical attendance and procedures.
However, these regulations fail entirely to set limits on who may access patient information.
They also fail to treat IP addresses and other online personally identifiable information as
sensitive personal information, which is of utmost importance in an internet-driven world.
Patients, on the other hand, do not own their medical information, and various third-party
administrators are involved throughout the ecosystem.
The technologies these administrators use to let healthcare providers share data are exposing
that data to various forms of malware and cyberattacks, ultimately leading to severe
data breaches.
Current state of health information exchange in India
The Indian healthcare ecosystem consists of seven key stakeholders – patient, provider, payer, pharma,
medical technology, technology vendors and suppliers, and the government and healthcare regulator.
These stakeholders interact with each other through a complex network of interdependent and
data-intensive workflows to generate meaningful health information. Technology has helped the healthcare
ecosystem to optimise these complex workflows by connecting the various stakeholders and providing
real-time information to deliver enhanced patient care. As a result, the entire ecosystem moved from
manual to digital media for the capture and storage of health information (e.g., medical records).
Further, various platforms such as telemedicine and mobile health applications were developed to
enhance connectivity between its stakeholders. The industry is currently transitioning from a manual
to a digital care model which allows remote monitoring.
India has begun its journey towards achieving UHC by 2022 and has aligned NHP 2017 with this goal.
The ambitious Pradhan Mantri Jan Arogya Yojana (PMJAY), which was launched during Union
Budget 2018–19, is a part of NHP 2017. It envisages two key components – establishing Health and
Wellness Centres (HWCs) and a national health insurance programme under the National Health
Protection Scheme, recently renamed Pradhan Mantri Rastriya Swasthya Suraksha Mission
(PMRSSM). UHC aims to increase access to quality healthcare services at an affordable cost for all
people, while the PMRSSM aims to increase accessibility, availability and affordability of primary,
secondary, and tertiary care health services in India. National healthcare initiatives of this scale would
need a technology solution that enables all stakeholders to generate and exchange meaningful health
information in a secure and timely manner. Implementation of PMJAY and attaining the goal of UHC
will require technology that links together the various HWCs spread across the country. Technology
will also serve as the backbone for building a national level IT platform and facilitating beneficiary
identification, strategic purchase of care services, disbursal of provider payments, fraud detection and
monitoring of the scheme. NHP 2017 has identified the goals for health information management,
such as ensuring a district-level health system information database and establishing federated
integrated health information architecture, health information exchange and developing a national
health information network by 2025.
(3) A clinical establishment or any other entity, shall furnish a copy of the
consent form to the owner.
(4) Any other entity that collects any digital health data shall remain the
custodian of such data, and shall be duty bound to protect the privacy,
confidentiality and security of such data.
Provided that where the individual has regained his or her capacity to
give or refuse consent for the collection of his or her health data by the
clinical establishment, he or she shall have the option to seek
withdrawal of proxy consent and obtaining his or her own consent for
collection of such health data, in such form and manner as may be
prescribed by the National Electronic Health Authority of India.
(6) Where a person is a minor and it is in the best interest of the minor,
proxy consent can be obtained by the minor’s legal guardian, or
representative.
Provided that upon attaining majority, the minor shall have a right to
withdraw or modify his/her consent for the further collection, storage,
transmission of his/her digital health data.
(1) The digital health data generated, collected, stored or transmitted shall
be owned by the individual whose health data has been digitised;
(2) A clinical establishment or Health Information Exchange shall hold
such digital health care data referred to in sub-section (1) above in trust
for the owner;
(3) Any other entity who is in custody of any digital health data shall
remain the custodian of such data, and shall be duty bound to protect
the privacy, confidentiality and security of such data;
4. Transmission of data
(1) No digital health data shall be transmitted by a clinical establishment
or health information exchange, or any other entity, as the case may be,
in any manner, except in accordance with the provisions of this Act.
(2) A clinical establishment may transmit the digital health data to the
health information exchange securely, in an encrypted form, after
retaining a copy for reasonable use by the clinical establishment.
In case where access to digital health data is necessary for the purpose of
investigation into cognizable offences, or for administration of justice, such access
may be granted to an investigating authority only with the order of the competent
court;
The owner of the digital health data shall have a right to access his or her data in such
form and manner, as may be specified by the National Electronic Health Authority of
India.
In case of an emergency, certain digital health data shall be immediately made
accessible to a clinical establishment, upon a request, including information related to
allergies, drug interactions and such other information as may be specified;
In case of an emergency, the relatives of the owner may have access to such data for
the purpose of correct treatment of the owner, subject to such conditions as may be
prescribed under this Act.
In case of death of the owner of digital health data, the legal heirs or representative of
such owner may have access to such data, only upon the application of such heirs
or representatives in such form and manner as may be specified by the National
Electronic Health Authority of India.
Provided that no access shall be given to legal heirs or legal representatives, if it was
expressly barred by the owner.
Provided further that in case of death of the owner, the National Electronic Health
Authority, shall use the digital health data only in anonymized form.
All clinical establishments and health information exchanges shall maintain a register
in a digital form to record the purposes and usage of digital health data accessed
within the meaning of this Section, in such form and manner, as may be specified by
the National Electronic Health Authority.