Personal health records are among the most private pieces of information that citizens would like to protect. Besides your personal physician, you wouldn’t want other strangers accessing it.
Responding to this requirement, the Government of India has drafted a law that proposes tougher privacy and security measures for digital health data.
In its proposed Digital Information in Healthcare Security Act (DISHA), any breach of digital health data of a citizen could incur a fine of Rs 5 lakh and jail term extending to five years.
“Any person who commits a serious breach of healthcare data shall be punished with imprisonment, which shall extend from three years and up to five years; or fine, which shall not be less than Rs 5 lakh,” the draft law states.
According to the draft law published on the Ministry of Health and Family Welfare’s website, health data includes physical, physiological, mental health condition, sexual orientation, medical records and history, besides biometric data. This information is the sole property of that particular citizen.
The data even extends to information surrounding a donation by a citizen of any body part, bodily substance or details of the particular hospital that he/she has accessed.
“An owner shall have the right to give or refuse consent for the generation and collection of digital health data by clinical establishments and entities,” except if there is a statutory or legal requirement.
More importantly, “insurance companies shall not insist on accessing the digital health data of persons who seek to purchase health insurance policies or during the processing of any insurance claim,” unless they receive their (persons) express consent.
With the draft on its website, the ministry has invited comments from the public by April 21. So, if you have any suggestions, please send them across before the prescribed date.
Another significant announcement in the draft law is the establishment of a National Electronic Health Authority (NEHAI), a State-level counterpart and Health Information Exchange.
As per the draft, the 10-member NEHAI is expected to offer the necessary data infrastructure for the Centre’s landmark National Health Protection Mission, which is expected to cover 10 crore families.
Those charged with data theft or breach have no option to challenge the punishment meted out to them in court, and adjudicating authorities at the State and Central level set up under this Act will possess the powers of a criminal court. Only the Centre, State government, National Electronic Health Authority of India and its State counterpart can issue a complaint in court.
Meanwhile, the Health Information Exchange will function under a Chief Health Information Executive will have “access (to)and process the digital healthcare data transmitted by the Clinical Establishments to further transmit the digital healthcare data as prescribed by the National Digital Health Authority of India.” Also, the CHIE is expected to ensure health data protection, and immediately notify the data breach to the owner.
(Edited by Gayatri Mishra)