The Ministry of Health and Family Welfare, Government of India has released a complete draft of the Digital Information Security in Health Care Act (DISHA) for public comments.
The purpose of this Act is to protect digital health data; to maintain the confidentiality, security and standardization of personally identifiable patient information; and to provide for the establishment of a National Digital Health Authority and Health Information Exchanges.
The sections below elaborate further on the individual elements outlined in the Act.
‘Digital Health Data’ and ‘Personally Identifiable Information’
Firstly, it is important to examine what the Act treats as ‘Digital Health Data’ and ‘Personally Identifiable Information’, in order to fully understand the scope of the Act.
According to the Act, ‘Digital Health Data’ is defined as:
· Information concerning the physical or mental health of the individual;
· Information concerning any health service provided to the individual;
· Information concerning the donation by the individual of any body part or any bodily substance;
· Information derived from the testing or examination of a body part or bodily substance of the individual;
· Information that is collected in the course of providing health services to the individual; or
· Information relating to details of the clinical establishment accessed by the individual.
‘Personally Identifiable Information’ means any information that can be used to uniquely identify, contact or locate an individual, or that can be combined with other sources to uniquely identify a person. This includes (but is not limited to) the information stated below:
· Date of birth;
· Telephone number;
· Email address;
· Financial information such as bank account or credit card or debit card or other payment instrument details;
· Physical, physiological and mental health condition;
· Sexual orientation;
· Medical records and history;
· Biometric information;
· Vehicle number;
· Any government-issued number, including Aadhaar, Voter’s Identity, Permanent Account Number (‘PAN’);
· Passport, Ration Card, Below Poverty Line (‘BPL’) card.
DISHA would be applicable to all clinical establishments, whether managed by a single doctor, a corporation, a trust, a local authority or the government. The Act would also apply to any health information exchange (storing and transmitting data) and to all entities having custody of health information data and personally identifiable information, including the national and state electronic health authorities.
National and State Electronic Health Authorities
The Act proposes the creation of National and State Electronic Health Authorities that will:
· Develop guidelines for the generation, collection, storage and transmission of digital health data;
· Ensure data protection, prevent theft of data and establish data security measures;
· Conduct periodic investigations;
· Notify and issue mandates to health information exchanges in case of failure to comply;
· Develop protocols for the international transmission of health data;
· Collaborate on the standardization, testing and quality certification of digital health care systems.
Data Ownership, Security and Standardization
‘Owner’ means an individual whose digital health data is generated and processed. The owner has the absolute right to his/her digital health data, which may be used by clinical establishments for specific purposes only with the consent of the owner.
A clinical establishment, health information exchange, State Electronic Health Authority and the National Electronic Health Authority, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner.
Offenses and Penalties
A serious breach of health care data shall be punished with imprisonment for a term of not less than three years and up to five years, or a fine of not less than five lakh rupees.
In addition, a person or an entity committing a serious breach of digital health information shall be liable to pay damages by way of compensation to the owner of the digital health data in relation to which the breach took place.
Failure to furnish information or returns, or failure to observe rules and directions, can lead to a penalty of a minimum of one lakh rupees and a maximum of one crore rupees.
Fraudulently or dishonestly obtaining the digital health information of another person shall be punished with imprisonment for a term of up to one year, or a fine of not less than one lakh rupees, or both.
Public comments have been invited up to 21st April 2018 and may be sent to firstname.lastname@example.org.
A copy of the draft is available at the following link: https://mohfw.gov.in/newshighlights/comments-draft-digital-information-security-health-care-actdisha