Ministry Of Health Issues Draft For Healthcare Security Act; Warns Of Five Year Jail, $6,164 Fine On Healthcare Data Breach

In a silent yet tough stance towards data breach, the Ministry of Health and Family Welfare has released a draft of Healthcare Security Law under Digital Information in Healthcare Security Act (DISHA) and has invited comments from stakeholders and readers on the same before April 21.

In the draft document shared, the Ministry of Health and Family Welfare has announced plans to set up a nodal body and the “purpose of the act is to provide for electronic health data privacy, confidentiality, security and standardisation and provide for the establishment of the National Digital Health Authority and Health lnformation Exchanges and such other matters related and incidental thereto”.

Key Points Highlighted In The Healhcare Security Act Draft

• “Any health data including physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information are the property of the person who it pertains to.”

Thus, the owners have the right to privacy, confidentiality, and security of their digital health data and can also give or refuse generation and collection of such data.

• “Digital health data may be generated, collected, stored and transmitted by a clinical establishment and by health information exchanges for various purposes including advancing the delivery of patient-centred medical care, to provide appropriate information to help guide medical decisions and to improve coordination of care and information among hospitals, laboratories, medical professionals, and other entities through an effective infrastructure for secure and authorised exchange of digital health data.”

Under the draft by Ministry of Health, the serious breach of this data is defined as the breach which is intentional,  repeated or its security not ensured as per the standards mentioned in the draft or if it is used for commercial gains.

• As per the draft DISHA, “Any person who commits a serious breach of healthcare data shall be punished with imprisonment, which shall extend from three years and up to five years or fine, which shall not be less than $6,164 (INR 5 Lakh).”

• The draft Act mentions that “no court shall take cognizance of any offence punishable under the Act except on a complaint made by the Central Government, State Government, the National Electronic Health Authority of India, State Electronic Health Authority, or a person affected.”

This essentially means that a person or entity charged with data breach cannot challenge the punishment in court. The central and state adjudicating authorities formed under the Act will have powers of a civil court.

• The draft envisages a health information exchange, a State Electronic Health Authority and a National Electronic Health Authority along with a clinical establishment [as defined in the Clinical Establishments (Registration and Regulation) Act, 2010] to protect the privacy, confidentiality and security of the owner’s digital health data.

The ten-member National Electronic Health Authority of India is expected to look after the National Health Protection Mission which aims to cover 107.4 Mn families against annual medical expenses of up to $6,164 (INR 5 Lakh).

The latest addition to the initiatives to boost the healthcare system in India is the National Health Protection Mission, which was introduced by the government in the Union Budget 2018. The government had emphasised on the capabilities and scalability of the new age technologies in the healthcare sector, which is a clear indication of the government’s reliance on the latest technologies in different domains.

However, addressal of the data breach is coming at a critical point where the government is fighting off privacy hurdles over the  Aadhaar Act while issuing warnings to Facebook and Cambridge Analytica over Facebook data breach of 50 Mn people.

For quite some time, reports like some unidentified groups were found selling the Aadhaar data of over one billion people at just $7.88 (INR 500)  have been increasingly taken to notice by the people. Also, recently reports surfaced that the data of NaMo app users is being sent to the US company Clever Tap. The French security researcher Elliot Alderson, who revealed the NaMo data leak, has been continuously highlighting the major issues and lack of data privacy under Aadhaar.

As data breach continues to make headlines with the leaks, it will be seen if the draft of healthcare security act DISHA by the Ministry of Health and Family Welfare is able to help the Indian government bring the focus of the people back to its development issues or it become another of the much called-out hypes.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.