Digital Information Security In Healthcare Act…What’s In Store Under The Proposed Legislation?

Authors: Ms. Anumeha Soni, Senior Legal and Compliance Counsel, Boston Scientific India, and Mr. Iqbal Tahir Syed & Mr. Gaurav Kapur, Advocates, Dua Associates

BRIEF BACKGROUND

The Ministry of Health and Family Welfare has introduced a draft legislation called the Digital Information Security in Healthcare Act (“DISHA”). DISHA is being seen as the proposed law governing the protection and privacy of Digital Health Data (DHD)[1] in the health care sector in India. The lack of focussed regulatory protection for DHD has paved the way for DISHA. DISHA is likely to be named the “Digital Information Security in Health Care Act, 2018”. DISHA, inter alia, provides for (a) the constitution of the National Electronic Health Authority of India (NeHA), State Electronic Health Authorities (SEHA) and Health Information Exchanges; and (b) provisions relating to DHD ownership, security and standardization. DISHA defines, inter alia, the following terms: “breach”; “serious breach”; “consent”; “digital health data” (DHD, as used herein); “clinical establishment”; “personally identifiable information”; and “sensitive health-related information”.

POWERS & FUNCTIONS OF AUTHORITIES[2] UNDER DISHA

  • NeHA: (a) To formulate standards, operational guidelines and protocols for the generation, collection, storage and transmission of DHD; (b) To ensure DHD protection and prevent breach or theft of DHD, establish DHD security measures for all stages of generation, collection, storage and transmission of DHD; and (c) To lay down protocol for transmission of DHD to and receiving it from other countries. NeHA shall be bound by such directions as the Central Government may give to it.
  • SEHA[3]: (a) To ensure that the clinical establishments[4] and other entities in the State collect, store, transmit and use DHD as per provisions of DISHA; (b) To conduct investigations to ensure compliance with DISHA; and (c) To notify and mandate the clinical establishments and other entities in case of their failure to comply with the provisions of DISHA. SEHA shall be bound by such directions as NeHA or the State Government may give to it.

RIGHTS BESTOWED UPON DATA SUBJECT / OWNER OF DHD

Following are some of the rights which have been granted to the data subject / owner of DHD under DISHA:

  • Right to privacy, confidentiality and security of DHD;
  • Right to give or refuse consent for the generation and collection of DHD by clinical establishments and entities;
  • Right to give, refuse or withdraw consent for the storage and transmission of DHD;
  • Right to refuse consent to the access or disclosure of DHD;
  • Right that DHD which is collected must be specific, relevant and not excessive in relation to the purpose or purposes for which it is sought;
  • Right to know the clinical establishments or entities which may have or have access to the DHD and the recipients to whom the DHD is transmitted or disclosed;
  • Right to access their DHD with details of the consent given and data accessed by clinical establishment / entity;
  • Right not to be refused health service, if they refuse to consent to generation, collection, storage, transmission and disclosure of DHD;
  • Right to seek compensation for damages caused by a breach of DHD; etc.

[1] DHD means an electronic record of health-related information about an individual and includes information (A) concerning mental / physical health; (B) concerning any health service provided to the individual; (C) concerning donation by the individual of any body part; (D) derived from testing or examination of a body part; (E) that is collected in the course of providing health services to the individual; (F) relating to details of the clinical establishment accessed by the individual.

[2] As per DISHA, NeHA and SEHA will have the same powers as are vested in a Civil Court under the Code of Civil Procedure, 1908 while trying a suit in respect of the following matters: (a) summoning and enforcing the attendance of witnesses and examining them on oath; (b) discovery and production of any document; (c) receiving evidence on affidavit; (d) requisitioning any public record from any court or office; and (e) issuing commissions for examination of witnesses or document.

[3] Every clinical establishment will be bound by such directions as SEHA may give to it.

[4] Clinical establishments include, inter alia, hospitals, clinics or an institution, by whatever name called, which offer services or facilities requiring diagnosis, treatment or care for illness, injury or pregnancy in any recognised system of medicine, established and administered or maintained by any person or body of persons, or a place established as an independent entity in connection with diagnosis where pathological, genetic, chemical, biological investigations or other diagnostic or investigative services with the aid of laboratory or medical equipment are usually carried on.

DHD TO BE USED FOR DEFINED PURPOSE ONLY

As per DISHA, DHD can be generated, collected, stored and transmitted by a clinical establishment and collected, stored and transmitted by health information exchange, for the following purposes only:

  (a) To advance the delivery of patient-centred medical data;
  (b) To provide appropriate information to help guide medical decisions at the time and place of treatment;
  (c) To improve the coordination of care and information among hospitals, laboratories, medical professionals, and other entities through an effective infrastructure for the secure and authorised exchange of DHD;
  (d) To improve public health activities and facilitate the early identification of and rapid response to public health threats and emergencies;
  (e) To facilitate health and clinical research and health care quality;
  (f) To promote early detection, prevention and management of chronic diseases;
  (g) To carry out public health research, review and analysis and policy formulation; and
  (h) To undertake academic research and other related purposes.

Note: It is pertinent to mention that for the public health related purposes listed at points (d) to (h) above, only de-identified or anonymized data is to be used. Further, DHD, whether identifiable or anonymized, shall not be accessed, used or disclosed for any commercial purpose and shall in no circumstances be accessed, used or disclosed to employers, human resource consultants, insurance companies or pharmaceutical companies.

CONDITIONS TO BE TAKEN CARE OF BEFORE COLLECTING DHD

A clinical establishment may, after obtaining consent from the owner, recorded in the form and manner prescribed under DISHA, lawfully collect the DHD, after informing the owner of the following:

  • Rights of the owner, including the right to refusal to give consent to the generation and collection of DHD;
  • Purpose of collection of DHD;
  • Identity of recipients to whom DHD may be transmitted or disclosed; and
  • Identity of the recipients who may have access to DHD on a need to know basis.

Note: A copy of the consent form is required to be provided to the owner by the clinical establishment. Further, as per DISHA, any other entity that collects any DHD shall remain the custodian of such data and shall be duty bound to protect the privacy, confidentiality and security of such data.

DHD: OWNERSHIP, STORAGE, TRANSMISSION AND ACCESS

  1. Ownership: The DHD generated, collected, stored or transmitted shall be owned by the individual whose health data has been digitized. A clinical establishment shall hold the DHD in trust for the owner.
  2. Storage: The form and manner of storage is yet to be prescribed by NeHA.
  3. Transmission: DHD will be transmitted by a clinical establishment or entity only upon the consent of the owner, after the owner has been informed of his or her rights and the specific purpose of collection of the DHD.
  4. Access: DHD collected, stored or transmitted by a clinical establishment may be accessed by a clinical establishment on a need to know basis. In cases where access to DHD is necessary for the purpose of investigation into cognizable offences or for administration of justice, such access may be granted to an investigating authority only with the order of the competent court. Owner of the DHD shall have a right to access his or her data in a manner to be prescribed by NeHA. Clinical establishments are required to maintain a register in a digital form to record the purposes and usage of DHD in a form and manner to be prescribed by NeHA.

Note: A clinical establishment is required to ensure, through regular training and oversight, that its personnel comply with the security protocols and procedures. It is mandatory for a clinical establishment to give notice to the owner of any breach or serious breach of DHD, and in all circumstances not later than three (3) working days after the breach.

CONSEQUENCES OF DHD BREACH; TWO SEPARATE CATEGORIES OF “BREACH” PROVIDED

  • Breach of DHD (Civil Wrong): A person who is responsible for such breach shall be liable to pay damages by way of compensation. This is treated as a civil wrong. DHD is said to be breached when (a) any person generates, collects, stores, transmits or discloses DHD in contravention of the provisions of DISHA; or (b) any person who does anything in contravention of the exclusive right conferred upon the owner of the DHD; or (c) DHD collected, stored or transmitted by any person is not secured as per the standards prescribed by DISHA or any rules thereunder; or (d) any person damages, destroys, deletes, affects injuriously by any means or tampers with any DHD.
  • Serious Breach of DHD (Criminal Offence): This provision is meant to define offences which may be punished with imprisonment and fine and hence should be recognized as a criminal offence. A serious DHD breach shall be said to have taken place if (a) a person commits a breach of DHD intentionally, dishonestly, fraudulently or negligently; or (b) any breach of DHD occurs which relates to information that is not anonymized or de-identified; or (c) a breach of DHD occurs where a person failed to secure the data as per the standards prescribed by DISHA or any rules thereunder; or (d) any person uses the DHD for commercial purposes or commercial gain; or (e) an entity, clinical establishment or health information exchange commits a breach of DHD repeatedly. Any person who commits a serious breach of DHD will be punished with imprisonment of from three (3) years up to five (5) years, or a fine which shall not be less than INR 5,00,000/-.

Note: Under DISHA, no court can take cognizance of any offence punishable under DISHA except on a complaint made by the Central Government, a State Government, NeHA, SEHA or a person affected. In other words, a person or entity charged with DHD theft or breach does not have the option of challenging the punishment in court.

CONCLUDING REMARKS

The introduction of DISHA is a welcome step taken by the Ministry of Health and Family Welfare towards putting in place focussed regulatory protection for the health care data of individuals. It would be interesting to see when the draft rules are also put out for public comments. The rights bestowed upon the data subject are wide enough to guarantee protection of DHD from all corners. Clear-cut obligations have been imposed on clinical establishments before they collect any DHD. The requirement of maintaining a register in digital form and of conducting training of personnel will keep clinical establishments that collect DHD on their toes. The clear-cut demarcation of what constitutes a ‘breach’ and a ‘serious breach’ appears to have been put forth by the Ministry of Health and Family Welfare after careful thought and consideration, keeping in mind that not all breaches should be seen under one umbrella. All in all, DISHA (once it becomes law), along with the Information Technology Act, 2000 (and related rules), will serve as a boon for individuals / data subjects.

Disclaimer: The views expressed in this article are those of the authors and do not necessarily reflect the views of the Employers / INBA. This document is furnished for information purposes only. The information provided herein is not, nor is it intended to be, advice on any matter and should not be relied on as such. For any queries please contact Iqbal Tahir at iqbaltahir@duaassociates.com.