Storage of patient’s electronic medical records (EMRs) has predisposed them to the risk of identification at countless stages of data collection and data processing. Data-miners have two options available to averse this risk, i.e. anonymising the information carrying a risk of identification or making such information available only to the physicians. However, the latter option is no longer feasible in today’s world with a complicated relationship between physicians and their patients, as a result of presence of other stakeholders like insurers and pharmaceutical manufacturers. Therefore, choosing a well-thought middle path is the only solution for this ethical dilemma caused by the misuse of patient information for fulfilling marketing objectives.
It is increasingly becoming important for healthcare providers to consider patient privacy and data security, concerning utilisation of those data, especially when such information may have deprecating consequences. As India continues to face the heat on issues of data protection and data privacy, the Government of India has recently rolled out the ‘Digital Information Security in Healthcare Act’ (DISHA) primarily to facilitate promotion/adoption of standards for e-Health information as well as to warrant privacy and security measures for electronic health data, regulation of storage, and exchange of electronic health records (EHRs). DISHA will also ensure protection of health data, thus making any breach punishable by up to five years imprisonment and a fine of Rs. 5-lakh. This act further states that any health data including physical, physiological and mental health condition, sexual orientation, medical records and history and biometric information are the property of the person who it pertains to. The principal objective of this act is to ensure electronic health data privacy, confidentiality, security and standardisation, and to provide for establishment of ‘National Digital Health Authority’, Health Information Exchanges, and related matters. According to DISHA, you (the patient) have the right to privacy, confidentiality, and security of their digital health data and the right to give or refuse consent for generation and collection of such data. Additionally, you shall hold the rights to- i) give/refuse/withdraw consent for using this data, ii) data collection, iii) transparency, iv) rectification, v) sharing, vi) not to be refused health service in the absence of consent for data use, and vii) protection.
Overall, the first public draft of DISHA has been received well owing to its clear emphasis on healthcare data privacy, protection and confidentiality, as well as on interoperability. However, a few issues raised with the first draft are being actively addressed before the legislation is finalised. Also, it is expected that the revisions made on the feedback will result in a more refined version of the legislation. Finally, it is evident that the Government is certainly taking efforts to provide additional security, privacy and confidentiality for your digital health data.
Furthermore, the Indian primary IT industry bodies such as NASSCOM and Data Security Council of India (DSCI) have been encouraging for stringent data privacy and protection since quite some time, particularly since India is rapidly entering the global digital market. In addition, government is also considering several other recommendations to put forth by many stakeholders and organizations. For instance, the report outlining the data privacy framework submitted by the Srikrishna Committee consists of jurisdiction of processing personal data, setting up an independent regulatory body for enforcing the law for data protection as well as substantial prices for violating this law, among other clauses. This draft bill shall apply to the data collected by both private as well as government entities in India and also those collected by foreign companies. Moreover, Niti Aayog is also suggesting for adoption of middle-path for data protection policies and has supported the report submitted by the Srikrishna Committee. Additionally, the National Health Portal has also enlisted ways to incorporate data privacy and security tools to maintain data privacy standards.
In order to establish an effective framework, there is still a need for the government to engage both the private and public domains across multiple sectors, such as insurance companies, online servers to efficiently implement the laws pertaining to the privacy of your health information. But, fret not, India is expected to become one of the leading nations in the world to have iron-clad regulatory framework to protect its patient healthcare data.