Five years jail, Rs5 lakh fine for digital health data breach, says govt’s draft law
New Delhi: Serious breaches of health care data should be punishable by up to five years in jail and a fine of up to Rs5 lakh, according to the draft Digital Information Security in Healthcare Act (DISHA) prepared by the Health Ministry.
The draft enables the owners to have the right to privacy, confidentiality, and security of their digital health data and the right to give or refuse consent for generation and collection of such data.
It will be considered a serious digital health data breach if a person breaches digital health data intentionally, dishonestly, fraudulently or negligently, shares information that is not anonymised or de-identified, or fails to secure the data as per the standards prescribed by the Act or any rules made under it.
If any person uses the digital health data for commercial purposes or commercial gain, or if a clinical establishment or health information exchange commits a breach of digital health data repeatedly, the person will be liable for punishment.
“Any person who commits a serious breach of health care data shall be punished with imprisonment, which shall extend from three years and up to five years; or fine, which shall not be less than five lakh of rupees,” the draft prepared under government eHealth policy aiming to ensure privacy and confidentiality of the patient health records says.
The draft legislation also aims to protect ‘sensitive health-related information’, which means information that, if lost, compromised, or disclosed, could result in substantial harm, embarrassment, inconvenience, violence, discrimination or unfairness to an individual.
Such information includes, but is not limited to, one’s physical or mental health condition, sexual orientation, use of narcotic or psychotropic substances, consumption of alcohol, sexual practices, Human Immunodeficiency Virus status, Sexually Transmitted Infections treatment, and abortion, all of which will be considered sensitive information to be protected.
Making the health data security laws more stringent, any person or entity charged with data breach will not be able to challenge the punishment in court. The Central and state adjudicating authorities formed under the Act will have powers of a civil court, according to the draft.
“No court shall take cognizance of any offence punishable under the Act except on a complaint made by the Central Government, State Government, the National Electronic Health Authority of India, State Electronic Health Authority, or a person affected,” the draft legislation says.
According to the draft, however, digital health data may be generated, collected, stored, and transmitted by a clinical establishment and by health information exchanges for various purposes including advancing the delivery of patient-centred medical care, to provide appropriate information to help guide medical decisions and to improve coordination of care and information among hospitals, laboratories, medical professionals, and other entities through an effective infrastructure for secure and authorized exchange of digital health data.
The draft legislation prepared by the ministry of health and family welfare has also proposed to constitute a national electronic health authority (NeHA) which would function as an independent regulator. The NeHA will formulate rules, standards and processes for developing and managing electronic health records (EHR).