Here’s my tuppence on DISHA (Draft Digital Information Security in Health Care Act)
I have listed the areas in which the CIO would do well to examine the capabilities of the HIS/EMR used at her/his hospital. The CIO's dependency on the vendor goes up many fold because the hospital's ability to respond to the Government and the Courts with reports and evidence, and to give patients the flexibility to request and effect changes to their consent, are key. I have attempted here to respond with my thoughts on some salient points in the draft legislation.
These sections would require that hospitals be capable of obtaining reports from the HIS/EMR in order to comply with authorities who may want to conduct audits.
(a) Ensure that the clinical establishments and other entities in the state collect, store, transmit and use digital health data as per the provisions of this Act and the standards, protocols and operational guidelines issued by the National Electronic Health Authority, from time to time;
(b) Conduct investigations to ensure compliance with the provisions of this Act;
(2) Without prejudice to sub-section (1) above, for the purpose of enabling the State Electronic Health Authority to generally discharge its functions under this Act, it shall direct a clinical establishment or a class of clinical establishments, or all clinical establishments as the case may be, or entities, to submit such records or file such returns within such time and in such manner as specified from time to time.
These points relate to the ability to record and produce evidence that the patient's consent was taken, and that the same patient was given the choice to withdraw prior consent in the HIMS. The patient will also have the right to punitive damages for mishandling or otherwise misusing or abusing his/her private data.
(2) An owner shall have the right to give or refuse consent for the generation and collection of digital health data by clinical establishments and entities, subject to the exceptions provided in Section 29 of this Act.
(3) An owner shall have the right to give, refuse or withdraw consent for the storage and transmission of digital health data.
(4) An owner shall have the right to refuse consent to the access or disclosure of his or her digital health data, and if refused it shall not be disclosed, subject to the exceptions provided in Section 33 of the Act.
(a) The right to rectify without delay, from the respective clinical establishment or health information exchange or entity, any inaccurate or incomplete digital health data, in the prescribed form as may be notified by the National Electronic Health Authority;
(b) The right to require their explicit prior permission for each instance of transmission or use of their digital health data in an identifiable form, through such means as may be prescribed by the Central Government;
(c) The right to be notified every time their digital health data is accessed by any clinical establishment within the meaning of Section 34 of the Act;
(d) The right to ensure that in case of health emergency, the digital health data of the owner may be shared with their family members;
(e) The right to prevent any transmission or disclosure of any sensitive health related data that is likely to cause damage or distress to the owner;
(f) The right not to be refused health service, if they refuse to consent to generation, collection, storage, transmission and disclosure of their health data;
(g) The right to seek compensation for damages caused by a breach of digital health data.
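The consent requirements above come down to one capability in the HIS/EMR: an append-only record of every consent decision, per purpose, from which the hospital can show an auditor (or the patient) what was consented to, when, and whether it was later withdrawn. The following is an added illustration, not code from the article or from any HIS vendor; the purpose and decision vocabularies, the patient and staff identifiers and the sample history are all constructed for the example.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional, Union

# Consent purposes follow the draft's clauses (2)-(4): generation/collection,
# storage, transmission, access/disclosure. The decision vocabulary is an assumption.
PURPOSES = ("generation", "storage", "transmission", "disclosure")
DECISIONS = ("given", "refused", "withdrawn")


@dataclass(frozen=True)
class ConsentEvent:
    patient_id: str
    purpose: str
    decision: str
    recorded_at: datetime   # timezone-aware
    recorded_by: str        # staff user, or "patient" for a self-service withdrawal
    channel: str            # how the decision was captured (constructed values below)


def _as_datetime(value: Union[datetime, str, None]) -> Optional[datetime]:
    """Accept an ISO-8601 string or a datetime; reject naive timestamps."""
    if value is None:
        return None
    dt = datetime.fromisoformat(value) if isinstance(value, str) else value
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt


class ConsentLedger:
    """Append-only ledger: a withdrawal is a new event, never an edit of an old one,
    so the full history survives for audits and for the patient's own record."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, patient_id: str, purpose: str, decision: str,
               recorded_by: str, channel: str,
               at: Union[datetime, str, None] = None) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision: {decision}")
        when = _as_datetime(at) or datetime.now(timezone.utc)
        event = ConsentEvent(patient_id, purpose, decision, when, recorded_by, channel)
        self._events.append(event)
        return event

    def current_state(self, patient_id: str, purpose: str,
                      as_of: Union[datetime, str, None] = None) -> Optional[str]:
        """Latest decision for the purpose at the given instant; None if nothing recorded."""
        cutoff = _as_datetime(as_of)
        relevant = [e for e in self._events
                    if e.patient_id == patient_id and e.purpose == purpose
                    and (cutoff is None or e.recorded_at <= cutoff)]
        if not relevant:
            return None
        return max(relevant, key=lambda e: e.recorded_at).decision

    def is_permitted(self, patient_id: str, purpose: str,
                     as_of: Union[datetime, str, None] = None) -> bool:
        """Default-deny: no recorded decision, a refusal or a withdrawal all mean 'no'."""
        return self.current_state(patient_id, purpose, as_of) == "given"

    def evidence_report(self, patient_id: str) -> List[dict]:
        """Chronological trail suitable for an audit response or a patient's request."""
        rows = sorted((e for e in self._events if e.patient_id == patient_id),
                      key=lambda e: e.recorded_at)
        return [{**asdict(e), "recorded_at": e.recorded_at.isoformat()} for e in rows]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample history (not real data): consent given at registration,
    transmission consent later withdrawn through a patient portal."""
    ledger = ConsentLedger()
    registered = "2024-01-05T09:00:00+00:00"
    ledger.record("P-0001", "storage", "given", "reg-clerk-17", "front-desk form", registered)
    ledger.record("P-0001", "transmission", "given", "reg-clerk-17", "front-desk form", registered)
    ledger.record("P-0001", "transmission", "withdrawn", "patient", "patient portal",
                  "2024-02-10T14:30:00+00:00")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for row in ledger.evidence_report("P-0001"):
        print(row)
    print("transmission permitted now:", ledger.is_permitted("P-0001", "transmission"))
```

Two design choices matter for the draft's rights list: the ledger is default-deny (a purpose with no recorded decision is treated exactly like a refusal, which is what clause (f) and the "explicit prior permission" of clause (b) imply), and `current_state` takes an `as_of` instant, so the hospital can answer the audit question "was this transmission permitted at the time it happened?" rather than only "is it permitted today?".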
This section ("Transmission of data") deals with the encrypted transmission of data, which means that any investigation results delivered via a mobile app or website must be transmitted in encrypted form.
All these conditions can be met only when and if hospitals have full access to patient data and are capable of producing reports as mandated.
(5) The owner of the digital health data shall have a right to access his or her data in such form and manner, as may be specified by the National Electronic Health Authority of India.
(6) In case of an emergency, certain digital health data shall be immediately made accessible to a clinical establishment, upon a request, including information related to allergies, drug interactions and such other information as may be specified;
This clause requires hospitals to be able to make corrections within the specified time or face penalties.
(2) On receipt of such application under sub section (1), the clinical establishment or health information exchange shall rectify such digital health data immediately or within three working days from the date of receipt of such application and the same shall be intimated to the owner in writing.
(2) Any person who commits a serious breach of health care data shall be punished with imprisonment, which shall extend from three years and up to five years; or fine, which shall not be less than five lakh of rupees.
The article was first published on Inder Davalur's LinkedIn Pulse page; it has been republished here with the author's permission.