In draft digital health security law, 5-year jail term, Rs 5 lakh fine for data breach

Published in Indian Express | By Abantika Ghosh | On March 27, 2018

Even as it continues to face heat on issues of data protection, the Centre has quietly put in the public domain the draft of a law to ensure protection of health data that makes any breach punishable by up to five years imprisonment and a Rs 5-lakh fine.

The draft Digital Information in Healthcare Security Act (DISHA) lays down that any health data, including data on physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information, is the property of the person to whom it pertains.

The Act envisages a health information exchange, a State Electronic Health Authority and a National Electronic Health Authority, and lays down that a clinical establishment (as defined in the Clinical Establishments (Registration and Regulation) Act, 2010) and these three bodies shall be duty-bound to protect the privacy, confidentiality and security of the owner's digital health data.

The ten-member National Electronic Health Authority of India is designed, in the long run, to become the bulwark for the National Health Protection Mission, the ambitious health programme to cover 10.74 crore families against annual medical expenses of up to Rs 5 lakh.

The owners have the right to privacy, confidentiality, and security of their digital health data and the right to give or refuse consent for generation and collection of such data.

As per the draft, digital health data may be generated, collected, stored and transmitted by a clinical establishment and by health information exchanges for various purposes, including advancing the delivery of patient-centred medical care, providing appropriate information to help guide medical decisions, and improving coordination of care and information among hospitals, laboratories, medical professionals and other entities through an effective infrastructure for the secure and authorised exchange of digital health data.

Under the draft, a breach of this data becomes a "serious breach" when it is intentional or repeated, when the data's security was not ensured as per the standards laid down in the Act, or when the data is used for commercial gain.

Any person or company who breaches digital health data, as per the draft Act, is liable to pay compensation to the person whose data has been breached. The draft DISHA, for which the Health Ministry has invited comments by April 21, lays down: “Any person who commits a serious breach of healthcare data shall be punished with imprisonment, which shall extend from three years and up to five years; or fine, which shall not be less than Rs 5 lakh. Provided that, any fine imposed as part of sub-section (2) may be provided to the individual whose data is breached, by the Court, as it deems fit as compensation.”

The draft Act says that no court shall take cognizance of any offence punishable under the Act except on a complaint made by the Central Government, a State Government, the National Electronic Health Authority of India, a State Electronic Health Authority, or a person affected. In other words, only these parties can set a prosecution in motion; a court cannot act on a complaint of data theft or breach from anyone else. The Central and state adjudicating authorities formed under the Act will have the powers of a civil court.