India could well be on its way to becoming the pioneer in the regulation of healthcare data. According to a newswire, the Union Ministry of Health and Family Welfare has proposed a law called Digital Information Security in Healthcare Act (DISHA), to govern data security in the healthcare sector. This would give individuals complete ownership of their own health-related data.
Under DISHA, citizens would have the right to refuse or allow data to be generated, collected, accessed, transmitted or used. This would include insurance companies, employers, human resource consultants and pharmaceutical companies as well. In fact, hospitals would also be prohibited from refusing treatment to citizens those who do not want their data collected or used.
Trilegal, an Indian law firm posted an analysis on their website, explaining:
“DISHA seeks to regulate the generation, collection, storage, transmission, access and use of all digital health data. This legislation covers within its ambit clinical establishments, insurance companies and employers that collect health information, and the internet of things, manufacturers of wearables and other entities that deal with digital health data.”
The proposed law lays down provisions that regulate the generation, collection, access, storage, transmission and use of Digital Health Data (DHD) and associated personally identifiable information.
DHD is an electronic record of health-related information about an individual and includes information relating to:
- An individual’s physical or mental health;
- Any health service provided to such individual;
- Donation by the individual of any body part or any bodily substance;
- Testing or examination of a body part or bodily substance of the individual or information that is collected while providing health services to the individual
- Details of the clinical establishment accessed by the individual.
Trilegal analysed further:
“Currently, employers can process health data for employee benefits, office records and insurance purposes under labour legislations like Maternity Benefits Act, Employee Compensation Act and Employee State Insurance Corporation Act and as part of their internal policies. In line with this, the DISHA allows the use of DHD by employers to the extent required by law. However, access, use or disclosure of DHD to employers or human resource consultants for any other purpose is prohibited under the DISHA.”
The draft Digital Information Security in Healthcare Act was proposed by the health ministry on 11 March 2018. The period for stakeholder comment ended 21 April 2018, and a bill is currently being finalised.