Conscious that data breaches have swept across many sectors, exposing highly personal and sensitive data such as individuals' health profiles, the Union government has set out to reshape the handling of health data by unveiling a draft digital health security act.
The draft has been placed in the public domain for stakeholder comment. The proposed legislation is harsh on data poachers, prescribing imprisonment of up to five years and a fine of not less than Rs. five lakhs for a serious breach.
The purpose of the Act is to provide for the privacy, confidentiality, security and standardization of electronic health data, for the establishment of a National Digital Health Authority and health information exchanges, and for related matters.
The Digital Information Security in Healthcare Act will be an Act to provide for the establishment of National and State eHealth Authorities and Health Information Exchanges; to standardize and regulate the processes related to the collection, storage, transmission and use of digital health data; and to ensure the reliability, privacy, confidentiality and security of digital health data, and other matters related and incidental thereto. This Act may be called the Digital Information Security in Healthcare Act (DISHA), and it extends to the whole of India except the State of Jammu and Kashmir.
The Act shall come into force on such date as the Central Government may, by notification, appoint; and different dates may be appointed for different States and for different provisions of this Act.
The draft Digital Information Security in Healthcare Act (DISHA) makes it clear that all health data, including physiological, physical and medical records, sexual orientation, history and biometric information, is the property of the person to whom it pertains.
The Act also provides for health information exchanges, a National eHealth Authority and State Electronic Health Authorities. These bodies shall be duty-bound to protect the privacy, security and confidentiality of the owner's digital health data.
It says the owners have the right to privacy, security and confidentiality of their digital health data, and the right to give or refuse consent for the generation and collection of such data. Under the proposed Act, the National eHealth Authority of India (NeHA) will be established by the Union government. It will have a full-time Chairperson and a Member Secretary of a rank equivalent to Joint Secretary to the Government of India. Four full-time members, drawn from health informatics, public health, law and public policy, will be appointed by the Union government, and there will also be four ex-officio members of a rank not below Joint Secretary.
The NeHA or its representative shall have the right to inspect all such records or access the premises, including virtual premises of the health information exchange or exchanges at any time.
The draft specifically sets out the rights of the owner of digital health data: an owner shall have the right to privacy, confidentiality and security of their digital health data, which may be collected, stored and transmitted in such form and manner as may be prescribed under this Act. An owner shall have the right to give or refuse consent for the generation and collection of digital health data by clinical establishments and entities, subject to the exceptions provided in Section 29 of the Act.
Digital health data, whether identifiable or anonymized, shall not be accessed, used or disclosed to any person for a commercial purpose, and shall in no circumstances be accessed, used or disclosed to insurance companies, employers, human resource consultants and pharmaceutical companies, or any other entity as may be specified by the central government.
The draft says that insurance companies shall not insist on access to the digital health data of persons seeking to purchase health insurance policies, nor during the processing of an insurance claim.
The Act is clear on the ownership of digital health data: data that is generated, collected, stored or transmitted shall be owned by the individual whose health data has been digitized. A clinical establishment or health information exchange holding such data shall hold it in trust for the owner.
A health information exchange shall maintain a register in such form and manner as may be prescribed by the central government, containing all details of the transmission of the digital health data between a clinical establishment and health information exchange, and between health information exchanges inter se.
In cases, where access to digital health data is necessary for investigation into cognizable offenses, or for the administration of justice, such access may be granted to an investigating authority only with the order of the competent court.
All clinical establishments and health information exchanges shall maintain a register in a digital form to record the purposes and usage of digital health data accessed within the meaning of this section, in such form and manner, as may be specified by the NeHA.
A clinical establishment, health information exchange, State Electronic Health Authority and NeHA, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner.
Any other entity, which has generated and collected digital health data, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner.
The Central Adjudicating Authority shall sit at New Delhi and the State Adjudicating Authorities shall ordinarily sit at the State capitals.
The Adjudicating Authority shall not be bound by the procedure laid down by the Code of Civil Procedure, 1908 (5 of 1908) but shall be guided by the principles of natural justice and, subject to the other provisions of this Act, the Adjudicating Authority shall have powers to regulate its own procedure.
Volume 3 | Issue 3 | July-September 2018

The Central Adjudicating Authority and State Adjudicating Authorities shall, for the purposes of this Act, have the same powers as are vested in a civil court under the Code of Civil Procedure, 1908 (5 of 1908) while trying a complaint in respect of the following matters, namely:
(a) Discovery and inspection
(b) Enforcing the attendance of any person, including any officer of a Clinical establishment or a health information exchange and examining him on oath
(c) Compelling the production of records
(d) Receiving evidence on affidavits
(e) Issuing commissions for examination of witnesses and documents
(f) Any other matter which may be prescribed by the Central Government
All persons so summoned shall be bound to attend in person or through authorized agents, as the Adjudicating Authority may direct, and shall be bound to state the truth upon any subject respecting which they are examined or make statements and produce such documents as may be required.
Every proceeding under this section shall be deemed to be a judicial proceeding within the meaning of Section 193 and Section 228 of the Indian Penal Code (45 of 1860).
No civil court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which the Central Adjudicating Authority or the State Adjudicating Authority is empowered by or under this Act to determine, and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act.
Any person aggrieved by any decision or order of the Central Adjudicating Authority may file an appeal to the High Court within sixty days from the date of communication of the decision or order to him, on any question of law or fact arising out of such order.
Provided that the High Court may if it is satisfied that the appellant was prevented by sufficient cause from filing the appeal within the said period, allow it to be filed within a further period not exceeding sixty days.
“Any person who commits a serious breach of healthcare data shall be punished with imprisonment, which shall extend from three years and up to five years; or fine, which shall not be less than Rs 5 lakhs. Provided that, any fine imposed as part of sub-section (2) may be provided to the individual whose data is breached, by the court, as it deems fit as compensation,” the draft says.
It has proposed to set up a nodal body in the form of a “National Digital Health Authority”, created through an Act of Parliament as a statutory body, for the promotion and adoption of eHealth standards, the enforcement of privacy and security measures for electronic health data, and the regulation of the storage and exchange of electronic health records. The terms “dishonestly” and “fraudulently” shall have the same meaning as assigned to them under the Indian Penal Code, 1860.
Compensation for serious breach of digital health information: (1) a person or an entity committing a serious breach of digital health information shall be liable to pay damages by way of compensation to the owner of the digital health data in relation to which the breach took place. (2) Where any compensation has been awarded under sub-section (2) of section 37, it shall be taken into account when determining the claim made by the person affected.
Penalty for failure to furnish information or returns, or to observe rules and directions: if any person required under this Act or any rules made thereunder fails to furnish any information, document, books, returns or reports within the time specified to NeHA or the State Electronic Health Authority, as the case may be, that person shall be liable to a penalty of not less than Rs. 1 lakh, plus Rs. 10,000 for each day during which the failure continues, subject to a maximum of one crore rupees.
Obtaining the digital health information of another person: Whoever, fraudulently or dishonestly, obtains the digital health information of another person, which he is not entitled to obtain under the Act from a person or entity storing such information shall be punished with imprisonment for a term which shall extend up to one year or fine, which shall be not less than Rs. 1 lakh; or both.
Data theft: Whoever intentionally and without authorization acquires or accesses any digital health data shall be punished with imprisonment for a term, which shall extend from three years up to five years or fine, which shall be not less than Rs. 5 lakhs; or both.
No court shall take cognizance of any offense punishable under this Act or any rules or regulations made thereunder, save on complaint made by the central government, State Government, the NeHA, State Electronic Health Authority, or a person affected. No court inferior to that of a Court of Sessions shall try any offense punishable under sections 38, 41 and 42 of this Act.
The draft says that where a person committing a contravention of any of the provisions of this Act, or of any rule, direction or order made thereunder, is a company, every person who at the time of the contravention was in charge of and responsible to the company for the conduct of its business, as well as the company itself, shall be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly. Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent the commission of such contravention.
Notwithstanding anything contained in sub-section (1), where a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of any director, manager, secretary or other officers of the company, such director, manager, secretary or other officers of the company shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.
Note: The draft contains many other rules and provisions; the full text has been posted by the Health Ministry in the public domain for comment. This article touches on a few points to highlight its basic features.