Protecting patient data: Examining the role of DISHA in safeguarding digital health information

The evolution of privacy rights in the 21st century

Privacy is a reasonable expectation that personal information disclosed in a private place will not be disclosed to third parties when doing so would embarrass a person of ordinary sensitivities. Issues of privacy have become entangled with bioinformatics as reliance is placed on technology rather than on human beings to resolve privacy issues. In the 21st century, with privacy considered a fundamental right after the judgment in Justice K.S. Puttaswamy vs. Union of India, there is scope for change in the country's laws. Certain provisions are necessary to make sure that personal data is used appropriately.

The Bureau of Indian Standards made public the previously announced new data protection standards in 2021. The new standards require enterprises to design, maintain, and deploy a data privacy management system, as well as continue to build on it, giving them a privacy assurance framework. The regulations do not specifically describe how the prescriptive component should be implemented to maintain appropriate security practices and procedures. As a result, it is the responsibility of the organizations to ensure that the prescriptive element is implemented in a way that meets the need.

Significance of patient data privacy

India’s present legal framework concerning protected health information is governed by the Information Technology Act, 2000, together with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Yet, on account of the rapidly advancing technology, there are potential gaps in data security that could pose a threat to protected health information.

Today, the healthcare system functions differently due to digital health’s quick adoption. This facilitates paperless prescriptions, quicker claim processing and improved service accessibility. Patient data is saved in the cloud and shared with members of the healthcare ecosystem as a result of data liquidity and digital transformation. For patients, the results may be significantly improved by using large healthcare data. E-health data is currently governed by the rules outlined in the IT Act of 2000 and the IT Rules of 2011.

According to the Ministry of Health and Family Welfare, the Digital Information Security in Healthcare Act (“DISHA”) is a new law that governs data security in healthcare services. DISHA is considered the counterpart of the Health Insurance Portability and Accountability Act (HIPAA), which was passed in 1996 and controls health data disclosure and usage in the US.

DISHA is the first firm step taken by the Indian government in the long journey to secure the healthcare data of patients in India. The Act seeks to establish a national digital health authority and health information exchanges. The purpose behind the law is to facilitate electronic health data privacy, confidentiality, security, and standardization.

The Act was drafted to standardize the collection, storage, transmission, and use of digital health data so that the privacy and confidentiality of that data are maintained. Under DISHA, citizens are given the right to refuse or allow data to be generated for insurance companies, employers, and human resource consultants.

How is the Act helpful?

DISHA elaborates ways to protect data and introduces the concept of ownership of digital health data: the data is explicitly owned by the person whose digital health data is generated and processed. Some important reasons why this Act is helpful are mentioned below:

Data encryption: If digital health data is shared with or transmitted to a health information exchange or other healthcare organizations, this must be done in encrypted form. Encryption protects the data from being compromised while it travels from one entity to another.

Data security: To ensure the privacy, confidentiality, and security of digital health data, the healthcare industry in India has implemented all the necessary physical, administrative, and technical measures.

Training: Healthcare organizations will have to conduct regular training for their personnel so that they can maintain compliance with the security protocols mentioned in the law.

In a nutshell

It is inferred that health-related data is a matter of great concern for the right to privacy, which is considered under Article 21 of the Indian Constitution. Data breaches and cyberattacks are increasingly common in the digital age, jeopardizing patient data. As coordinated care becomes a ground reality, with the interoperability of healthcare data systems permitting patients to exchange digital health records with various clinicians, healthcare professionals will need to protect patient data diligently.

While the Act is an important step in developing a privacy ecosystem in India, which is key in healthcare, it is only the beginning. Healthcare facilities and hospitals must begin planning for this situation immediately. Such initiatives will be ineffective, though, if the proper checks and balances are not in place to prevent database abuse or theft. Since healthcare data is by its very nature private, protecting that privacy must always be given priority. One can ensure that this prioritization endures as the country transitions to a digital future by meticulously crafting the right policy mechanisms and complex regulations.
