After three years of continuous drafting and re-drafting, the ministry of health and family welfare is finally ready with a draft of a legislation intended to regulate growing digitisation in healthcare. The proposed Digital Information Security in Healthcare Act (DISHA) aims to ensure free flow of digital health records of patients from one hospital to another and the safeguarding of data security and privacy, simultaneously.

Health records are private information of an individual. They are referred to as ‘sensitive personal information’ in legal terminology. Democracies world over have statutory provisions to protect an individual’s interest amid growing digitalisation in the healthcare sector.

The ministry is soon expected to post the draft on its portal for public consultation, a health ministry official told Governance Now.  

The legislation proposes to set up a national electronic health authority (NeHA) – referred to as national digital health authority in the National Health Policy 2017 – which would function as an independent regulator and formulate rules, standards and processes for developing and managing electric health records (EHR).

According to the 2017 policy, a national digital health authority (NDHA) will be set up to regulate, develop and deploy digital health across the continuum of care.

EHR can be understood as the digital copy of a patient’s health records – clinical history, doctor’s prescriptions, test reports, radiology films, etc. With the use of advanced software and applications, several tertiary care hospitals now seed all the health records of a patient with a unique patient ID number. The computer systems in the hospitals follow a unique way of data generation, collection and storage. Hence, computer systems of one hospital cannot talk to the computer system of another – restricting the electronic flow of health records between hospitals.

Moreover, the government doesn’t have a proper system in place to seek data on diseases, prescriptions and treatment given at various hospitals across the country.

A uniform EHR, a key objective of the proposed regulation, will provide a clear view to the government about the country’s health profile in real time.

The draft legislation intends to establish national and state e-health authorities and health information exchanges, standardise and regulate the processes related to collection, storing, transmission and use of digital health data and ensure reliability, data privacy, confidentiality and security of digital health data.

The NeHA will cover clinical establishments, health information exchanges, entities having custody of digital data and central and state e-health authorities. It would conduct periodical investigations to ensure compliance.

To implement the national EHR system and facilitate data transmission from one clinical establishment to another, the central government will set up “as many health information exchanges, as considered necessary”. The NeHA will specify norms, standards protocols for the functioning of these exchanges.

The health information exchanges will act as intermediaries between hospitals and clinicians and ensure seamless flow of data. The ministry is carrying out a tendering process to select an IT vendor to set up health information exchanges. But the technical architecture of the exchange is not clear as of now.

The health information exchange will have a CEO – the draft bill terms the CEO as chief health information executive (CHIE) – who will also act as the data controlling authority of the exchange.

Among other responsibilities, as enlisted in the bill, the CHIE will access and process the digital healthcare data transmitted by one hospital to another. The CHIE will “store digital healthcare data”, “maintain, secure and protect” it, and notify data breach, if any, to the owner.

The draft bill provides for transmission of data in an encrypted form.
The draft bill confers NeHA with the power of a civil court. When notified, the authority will have the power to summon and enforce attendance of witnesses and examine them. It would have the power to seek evidence or any public record.

Patient’s rights

According to the draft legislation, a patient or owner of data, will have the right to privacy, confidentiality and security of their digital health data.

It empowers an individual to refuse consent for the “generation and collection of digital health data” by the hospitals and other entities.

This right to refuse, however, is subject to some exceptions (‘restrictions’) provided in section 29 of the draft bill, some being too expansive and unclear, says Nivedita Saksena of Vidhi Centre for Legal Policy.

The exceptions include, first, data collection and sharing for the purpose of “delivery of patient centred medical care”. The bill doesn’t elaborate further on what it means by delivery of patient centric care.

Second, for the purpose of treatment and, third, for improving “coordination of care and information among hospitals, laboratories and medical professionals”.      

The “personally identifiable information”, says the draft bill, can be used only for these three purposes. The sub-section 2 of section 29 states, digital health data can be generated, collected and stored by any other entity for these purposes. 
For other purposes including containing disease outbreak or public health threat, or health, clinical and academic research, only “de-identified or anonymised data shall be used”.

The draft bill, under section 28(6), gives the patient the right to know about the hospitals or entities having access to its data.
“The owner of data shall have the right to rectify any form of inaccurate or incomplete digital health data, in the prescribed form as may be notified by the NeHA.”

It also recognises a citizen’s right to require their explicit prior permission every time their data is transmitted or used in an “identifiable form”. This may cause “consent fatigue”, says Saksena, as going by the rules a patient will be asked for consent countless times.

The draft bill confers on citizens (data owners) the “right to seek composition” for damages caused by a breach of digital health data.

Although on one hand sub-section 5 of section 29 prohibits sharing of digital health data, whether identifiable or anonymised, for commercial purposes, on the other it allows access to insurance companies, which will seek consent from the owner, in case of processing of insurance claims.

Section 34 of the draft bill elaborates on law enforcement agencies’ access to digital health data. Sub-section 4 of section 34 states that the law enforcement agencies will be able to access digital health records in case of investigation in cognisable offences or for administration of justice only “with the order of the competent court”.

Sub-section 6 gives sweeping access to digital health record in case of an “emergency”. However, it doesn’t define what constitutes an emergency. “In case of an emergency, certain digital health data shall be immediately made accessible to a clinical establishment, upon a request…”.

Another key lacuna in the draft bill is that it terms biometric information, as personally identifiable information and not as “sensitive personal information”.  

Breach, serious breach and compensation

Under chapter 5, on offences and penalties, sections 37 and 38 define “breach” and “serious breach” of digital health data, respectively.

Generation, collection, storage and transmission or disclosure of digital health information in contravention to the provisions of the law is termed as “breach”. The person involved in the breach would be liable to pay damages to the owner. However, it doesn’t define the compensation amount.

“Serious breach” is when a person compromises data intentionally, dishonestly, fraudulently or negligently. Or when a person uses the digital data for commercial purposes or commercial gain. Serious breach attracts, as stated in the draft bill, imprisonment from three to five years or fines not less than Rs 5 lakh. The amount will be provided to the owner.

The draft bill also spells out penalty for non-compliance of the orders of the national and state e-health authorities. In case of non-compliance, a person would be penalised Rs 1 lakh and then Rs 10,000 each day subject to a maximum of Rs 1 crore. A similar penalty is imposed on any person who fails to comply with the order of the national and state e-health authorities in case of redressing grievances of the owner of digital health data.

Obtaining data fraudulently or dishonestly would attract imprisonment up to one year or fine not less than Rs 1 lakh, or both. For data theft, the draft bill provides for three to five years of imprisonment and a minimum penalty of Rs 5 lakh.

For cognisance of offences by a court, the draft bill says that no court inferior to a sessions court shall try offence punishable under sections 38, 41 and 42. The legislation bars court to take cognisance of offences punishable under it, except on a complaint filed by the central and state governments, central and state e-health authorities or the person affected.

The draft bill provides for establishing central and state adjudicating authorities wherein citizens can go and seek monetary compensation for data breach at any hospital or entity. A person aggrieved with adjudicatory authority’s order may approach a high court within 60 days of the pronouncement of the order.

The health ministry has sought views of the ministry of electronics and IT in a letter dated December 21, 2017, on the draft Digital Information Security in Healthcare Act (DISHA). It could not be confirmed whether the IT ministry had provided its comments to the health ministry.

It is important to note here that the IT ministry is working separately to finalise a wider legislative framework on data protection.
Given the content of the November 2017 draft of DISHA, it doesn’t appear to be in coherence with the data protection framework in the works at the IT ministry, says Saksena of Vidhi Centre for Legal Policy. 

Chapter 7, section 52, of the draft bill states that the law will supersede “any other law for the time being in force with respect to digital medical record, digital health record or digital personal/protected health information”. It is not clear that when the two proposed laws come in force, which one will prevail in case of an anomaly.      

The data protection framework being developed by the IT ministry, under the justice BN Srikrishna committee, takes a wider view of data privacy and citizens rights, Saksena says. The two proposed laws are being made in complete ignorance of the other.
Meanwhile, NITI Aayog, the government’s policy think tank, is working separately on developing national EHR system and an architecture for national digital health infrastructure to execute national health protection scheme (NHPS), as proposed in the 2018 budget.

The NHPS, as proposed in the budget, would provide an insurance cover of Rs 5 lakh per household, catering to 10 crore lower-income families. The IT architecture, says a NITI Aayog official, would be vertically and horizontally scalable. It would cater to a wide range of insurance packages (vertical expansion) and then go on to cover the entire population (horizontal expansion).     
As of now the IT infrastructure would cover secondary and tertiary care hospitals where NHPS beneficiaries would get medical care. Eventually, the primary healthcare facilities too will be covered under the EHR, says the NITI Aayog official.
However, whether and how these initiatives will be developed in cohesion remains to be seen.

pratap@governancenow.com

(The article appears in the March 15, 2018 issue)