The Indian Government’s Ministry of Health and Family
Welfare (MoHFW) has released
a draft “Digital Information Security in Healthcare Act”.
Through the Act, the Ministry plans to set up a nodal body in the form of a "National Digital Health Authority", a statutory body
for promoting and adopting e-Health standards, enforcing privacy and
security measures for electronic health data, and regulating the storage and
exchange of Electronic Health Records. The Government also plans to establish State
eHealth Authorities and Health Information Exchanges.
The Government is seeking feedback on the draft Act until 21
April 2018.
The National Electronic Health Authority of India will formulate
standards, operational guidelines and protocols for the generation, collection,
storage and transmission of the digital health data. These will be applicable
to clinical establishments generating and collecting digital health data for
their own use or for further transmission to the health information exchanges
and to health information exchanges storing and transmitting digital health
data to clinical establishments, or to other exchanges, or to State or National
Electronic Health Authorities. The State and National Authorities themselves, as
well as any entity having custody of any digital health data will be subject to
the requirements.
To ensure data protection and prevent breach or theft of
digital health data, the National Authority will establish data security
measures for all stages of the data chain, which shall at a minimum include
access controls, encryption and audit trails. It will also create protocols for
the exchange of digital health data with other countries.
The National and State Authorities shall have the right to
inspect all records, or to access the premises, including the virtual premises, of the
health information exchange or exchanges at any time to carry out their functions
under the Act.
Digital health data may be collected, stored and
transmitted by health information exchanges for the following purposes:
1) To advance the delivery of patient-centred medical care;
2) To provide appropriate information to help guide medical decisions at the time and place of treatment;
3) To improve the coordination of care and information among hospitals, laboratories, medical professionals, and other entities through an effective infrastructure for the secure and authorised exchange of digital health data;
4) To improve public health activities and facilitate the early identification of and rapid response to public health threats and emergencies, including bioterror events and infectious disease outbreaks;
5) To facilitate health and clinical research and health care quality;
6) To promote early detection, prevention, and management of chronic diseases;
7) To carry out public health research, review and analysis, and policy formulation;
8) To undertake academic research and other related purposes.
Government departments can submit requests for digital
health data in de-identified or anonymised form to the National Electronic Health
Authority for the purposes numbered 4 to 8 in the above list.
According to the Act, the digital health data shall be owned
by the individual whose health data has been digitised. A clinical
establishment or exchange holds the data in trust for the owner.
An owner shall have the right to privacy, confidentiality,
and security of their digital health data. Digital health data, whether
identifiable or anonymised, shall not be accessed, used or disclosed to any
person for a commercial purpose, nor to insurance companies, employers, human
resource consultants and pharmaceutical companies, or any other entity as may
be specified by the Central Government.
It is specified that insurance companies shall not insist on
accessing the digital health data of persons who seek to purchase health
insurance policies or during the processing of any insurance claim.
Digital health data shall be transmitted by a clinical
establishment, entity or health information exchange only with the consent of
the owner, given after the owner has been informed of their rights. A health
information exchange shall maintain a register containing all details of the
transmission of digital health data between a clinical establishment and the
health information exchange, and between exchanges.
In the event of an emergency, certain digital health data,
including information on allergies and drug interactions, can immediately be
made accessible to a clinical establishment upon request.
The Act also lays out penalties for breaches of digital
health data. Any person who breaches
digital health data shall be liable to pay damages by way of compensation to
the owner of the data.
Any person who commits a serious breach of health care data
shall be punished with imprisonment for a term of not less than three years and up
to five years, or with a fine of not less than 500,000 rupees (US$ 7,675).
A serious breach is defined as one that is committed
intentionally, dishonestly, fraudulently or negligently; that occurs in
relation to data which is not anonymised or de-identified; where the person
failed to secure the data; where the data was used for commercial gain; or in the
case of repeated breaches.
The Central Government and the State Governments will
appoint Central and State Adjudication Authorities respectively, to exercise the
jurisdiction, powers and authority conferred by or under this Act.
In September 2013,
MoHFW notified the Electronic Health Record (EHR) Standards for India to
introduce a uniform, standards-based system for the creation and maintenance of EHRs
by healthcare providers. The standards were later revised in line with developments,
as seen from the December 2016 release, Standards Set Recommendations v2.0.
Read the draft Act here.