The Digital Information Security in Healthcare Act (DISHA) is a draft law proposed by the Indian government to secure electronic health (e-Health) data.
The Act mandates that clinical establishments secure digital health data, and it defines the functions of new regulatory bodies at the central and state levels (the State of Jammu and Kashmir is excluded). A clinical establishment here means any hospital, clinic, dispensary or similar facility, whether public or private.
A National Electronic Health Authority (NEHA) and State Electronic Health Authorities (SEHAs) will be set up as the governing bodies under the Act to formulate standards, operational guidelines and protocols for the generation, collection, storage and transmission of digital health data. These authorities will also be responsible for data protection and for preventing breach or theft of digital health data. They will prescribe data security measures for every stage of generation, collection, storage and transmission, which must at minimum include access controls, encryption and audit trails.
Digital Health Data:
Digital health data includes information about a person's physical or mental health condition, sexual orientation, use of narcotic or psychotropic substances, consumption of alcohol, sexual practices, Human Immunodeficiency Virus (HIV) status, treatment for sexually transmitted infections, abortion, and similar sensitive matters.
Health data may be collected only with the consent of its owner, who must be informed of the purpose of collection, the identity of the recipients to whom the data may be transmitted or disclosed, and the identity of the recipients who may access the data on a "need to know" basis.
Under the draft, owners have the right to privacy, confidentiality and security of their digital health data, and the right to give or refuse consent for the generation and collection of such data.
The Act also sets out rules for data transmission: who may transmit digital health data, how they may transmit it, and how transmission is to be monitored. It further sets out guidelines on access to this data: who may access it, how they may access it, and for what purpose various entities may do so.
A serious breach of digital health data is punishable with imprisonment for a term of three to five years, or with a fine of not less than five lakh rupees.
The Act leaves many points open to debate: the technical measures a clinical establishment should take, standardization of data security, the steps to be taken when a breach occurs, training and capacity building within clinical establishments, and best practices for data collection and storage.
Clinical establishments may be apprehensive about implementing the Act, since many lack the technical resources to build robust solutions. On the other hand, the security industry in the country may see an opportunity to engage clinical establishments and respond with cost-effective solutions that safeguard patient privacy.
Clinical establishments will likely need hand-holding to implement the Act. Nonetheless, we appreciate the government's effort in proposing this Act to safeguard the interests of patients and citizens.
If you would be interested in joining a workshop on the opportunities and challenges in implementing DISHA, send your interest to [email protected]