Data is a Property owned by the Data subject under DISHA 2018

DISHA 2018 is the proposed law for India applicable to Privacy and Data Protection in the Health Care sector. At a time when GDPR is being discussed all around the industry and the Justice Srikrishna Committee’s recommendation on the General Data Protection Act for India is anticipated, DISHA 2018 has been proposed by the Health Ministry in draft form for public comments. The Act is likely to be named the “Digital Information Security in Health care Act 2018”. Public comments are expected to be sent to egov-mohfw@nic.in before April 21, 2018.

In order to enable stakeholders to form their views and forward them to the ministry, Naavi is providing here his own views. I suppose this would be helpful in triggering thoughts in others to send their own comments.

…..Naavi

This is the continuation of the earlier article on this subject


DISHA 2018 brings in an important concept to the Data Protection legislation for the first time by declaring that “Data is the Property of the Data Subject”.

Under the proposed Clause 31 of the Act, it is stated:

(1) The digital health data generated, collected, stored or transmitted shall be owned by the individual whose health data has been digitised;
(2) A clinical establishment or Health Information Exchange shall hold such digital health care data referred to in sub-section (1) above in trust for the owner;
(3) Any other entity who is in custody of any digital health data shall remain the custodian of such data, and shall be duty bound to protect the privacy, confidentiality and security of such data;
(4) Notwithstanding anything stated in the above sub-sections (1) to (3), the medium of storage and transmission of digital health data shall be owned by the clinical establishment or health information exchange, as the case may be.

Under Section 3(e) Digital Health Data is defined as follows:

(e) ‘Digital Health Data’ means an electronic record of health related information about an individual and shall include the following:

(i) Information concerning the physical or mental health of the individual;
(ii) Information concerning any health service provided to the individual;
(iii) Information concerning the donation by the individual of any body part or any bodily substance;
(iv) Information derived from the testing or examination of a body part or bodily substance of the individual;
(v) Information that is collected in the course of providing health services to the individual; or
(vi) Information relating to details of the clinical establishment accessed by the individual.

It is interesting to note that the “Ownership” is limited to the Digital Health Data and may not extend to the “Personal Data”.

The implication of this provision is that a patient can demand that any health data collected about himself is his property and must be handed over to him. Being a “Property”, the legal heirs will also have a right if the patient is not alive.

This definition should have an effect on cases such as J Jayalalitha’s health records, which now become the property of the legal heirs of Jayalalitha. The Hospitals cannot hide the data under non-existent “privacy” considerations of a deceased individual.

The rights of the owner of digital health data are defined under Section 28 as under:

(1) An owner shall have the right to privacy, confidentiality, and security of their digital health data, which may be collected, stored and transmitted in such form and manner as may be prescribed under this Act.

(2) An owner shall have the right to give or refuse consent for the generation and collection of digital health data by clinical establishments and entities, subject to the exceptions provided in Section 29 of this Act.

(3) An owner shall have the right to give, refuse or withdraw consent for the storage and transmission of digital health data.

(4) An owner shall have the right to refuse consent to the access or disclosure of his or her digital health data, and if refused it shall not be disclosed, subject to the exceptions provided in Section 33 of the Act.

(5) An owner of the digital health data shall have the right that the digital health data collected must be specific, relevant and not excessive in relation to the purpose or purposes for which it is sought;

(6) An owner of the digital health data shall have the right to know the clinical establishments or entities which may have or has access to the digital health data, and the recipients to whom the data is transmitted or disclosed;

(7) The owner of the digital health data shall have a right to access their digital health data with details of consent given and data accessed by any Clinical Establishment/Entity;

(8) The owner of the digital health data shall have, subject to sub-section (1) to (3) above:

(a) The right to rectify without delay, from the respective clinical establishment or health information exchange or entity, any inaccurate or incomplete digital health data, in the prescribed form as may be notified by the National Electronic Health Authority;

(b) The right to require their explicit prior permission for each instance of transmission or use of their digital health data in an identifiable form, through such means as may be prescribed by the Central Government;

(c) The right to be notified every time their digital health data is accessed by any clinical establishment within the meaning of Section 34 of the Act;

(d) The right to ensure that in case of health emergency, the digital health data of the owner may be shared with their family members;

(e) The right to prevent any transmission or disclosure of any sensitive health related data that is likely to cause damage or distress to the owner;

(f) The right not to be refused health service, if they refuse to consent to generation, collection, storage, transmission and disclosure of their health data;

(g) The right to seek compensation for damages caused by a breach of digital health data.

There is a streak of GDPR in the above provisions. What attracts notice is Section 28(f) which states that a person has the right not to be refused health service if they refuse to consent to generation, collection, storage or transmission or disclosure of their health data.

How a health establishment can provide health service without, say, conducting a blood examination when consent is refused is a matter that will intrigue hospitals.

In order to protect the rights of the Digital Health Data Subject, the Act lays down the principles of purposeful collection (Section 29), Lawful collection (Section 30), Secured storage (Section 32), Secured Transmission (Section 33), Access provision (Section 34), Rectification option (Section 36) etc.

Section 35 imposes all the liabilities under Information Security Management because it states:

35. Duty to maintain privacy and confidentiality of digital health data

(1) A clinical establishment, health information exchange, State Electronic Health Authority and the National Electronic Health Authority, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner;

(2) Any other entity, which has generated and collected digital health data, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner.

(3) The privacy, confidentiality and security of digital health data shall be ensured by taking all necessary physical, administrative and technical measures, that may be prescribed or specified, to ensure that the digital health data, collected, stored and transmitted by them, is secured and protected against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.
(4) Without prejudice to the above provisions, a clinical establishment or health information exchange shall ensure through regular training and oversight that their personnel comply with the security protocols and procedures as may be prescribed or specified under this act.
(5) A clinical establishment, or a health information exchange, shall provide notice immediately, and in all circumstances not later than three working days to the owner, in such manner as may be prescribed under this Act, in case of any breach or serious breach of such digital health data.

It is clear from the above that the Clinical establishments will have a tough time complying with DISHA 2018, almost on the lines of GDPR.

Since DISHA is applicable to “Clinical Establishments” which definition [Section 3(i)] includes

- a hospital, maternity home, nursing home,

- dispensary, clinic, sanatorium or an institution by whatever name called that offers services, facilities requiring diagnosis, treatment or care for illness, injury, deformity, abnormality or pregnancy in any recognised system of medicines, or

- a place established in connection with the diagnosis where pathological, bacteriological, genetic, radiological, chemical, biological investigations or other diagnostic or investigative services with the aid of laboratory or other medical equipment are usually carried on

the impact of what it proposes as security is far reaching.

(Discussions will continue)

Naavi
