The Digital Information Security in Healthcare Act (DISHA) is an “Act to provide for establishment of National and State eHealth Authorities and Health Information Exchanges; to standardize and regulate the processes related to collection, storing, transmission and use of digital health data; and to ensure reliability, data privacy, confidentiality and security of digital health data and such other matters related and incidental thereto.”
The proposed health information law is set to regulate two types of information: Digital Health Data (DHD) and associated personally identifiable information (PII). If enacted, DISHA will regulate the generation, collection, access, storage, transmission and use of DHD and associated PII.
Digital Health Data is defined by DISHA as “an electronic record of health related information about an individual and shall include the following:
- Information concerning the physical or mental health of the individual;
- Information concerning any health service provided to the individual;
- Information concerning the donation by the individual of any body part or any bodily substance;
- Information derived from the testing or examination of a body part or bodily substance of the individual;
- Information that is collected in the course of providing health services to the individual; or
- Information relating to details of the clinical establishment accessed by the individual.”
Personally Identifiable Information is defined by DISHA as “any information that can be used to uniquely identify, contact or locate an individual, or can be used with other sources to uniquely identify a person.”
Under DISHA, PII includes:
- Name;
- Address;
- Date of birth;
- Telephone number;
- Email address;
- Password;
- Financial information such as bank account, credit card, debit card or other payment instrument details;
- Physical, physiological and mental health condition;
- Sexual orientation;
- Medical records and history;
- Biometric information;
- Vehicle number;
- Any government number, including Aadhaar, Voter’s Identity, Permanent Account Number (‘PAN’), Passport, Ration Card and Below Poverty Line (‘BPL’).
DISHA provides owners of digital health data with rights with regard to their information.
Under DISHA, owners of digital health data have the right:
- to privacy, confidentiality, and security of their digital health data, which may be collected, stored and transmitted;
- to give or refuse consent for the generation and collection of digital health data by clinical establishments and entities;
- to give, refuse or withdraw consent for the storage and transmission of digital health data;
- to refuse consent to the access or disclosure of his or her digital health data, and if refused it shall not be disclosed;
- that the digital health data collected must be specific, relevant and not excessive in relation to the purpose or purposes for which it is sought;
- to know the clinical establishments or entities which may have or has access to the digital health data, and the recipients to whom the data is transmitted or disclosed;
- to access their digital health data with details of consent given and data accessed by any Clinical Establishment/Entity;
- to rectify without delay, from the respective clinical establishment or health information exchange or entity, any inaccurate or incomplete digital health data, in the prescribed form as may be notified by the National Electronic Health Authority;
- to require their explicit prior permission for each instance of transmission or use of their digital health data in an identifiable form, through such means as may be prescribed by the Central Government;
- to be notified every time their digital health data is accessed by any clinical establishment;
- to ensure that in case of health emergency, the digital health data of the owner may be shared with their family members;
- to prevent any transmission or disclosure of any sensitive health related data that is likely to cause damage or distress to the owner;
- not to be refused health service if they refuse to consent to generation, collection, storage, transmission and disclosure of their health data; and
- to seek compensation for damages caused by a breach of digital health data.
DISHA regulates how DHD can be generated, collected, stored, and transmitted by a clinical establishment or health information exchange.
Permitted purposes for data use include:
- To advance the delivery of patient centered medical care;
- To provide appropriate information to help guide medical decisions at the time and place of treatment;
- To improve the coordination of care and information among hospitals, laboratories, medical professionals, and other entities through an effective infrastructure for the secure and authorized exchange of digital health data;
- To improve public health activities and facilitate the early identification and rapid response to public health threats and emergencies, including bioterror events and infectious disease outbreaks;
- To facilitate health and clinical research and health care quality;
- To promote early detection, prevention, and management of chronic diseases;
- To carry out public health research, review and analysis, and policy formulation; and
- To undertake academic research and other related purposes.
DISHA requires organizations to “ensure data protection and prevent breach or theft of digital health data, establish data security measures for all stages of generation, collection, storage and transmission of digital health data, which shall at the minimum include access controls, encrypting and audit trails.” Access controls, encryption and audit trails are therefore a floor, not a complete security programme: they must be in place at every stage of the data lifecycle, and an organization remains responsible for any further measures needed to actually prevent breach or theft.
Under DISHA, a breach of digital health data occurs when:
- any person generates, collects, stores, transmits or discloses digital health information in contravention of the provisions of Chapter II of DISHA;
- any person does anything in contravention of the exclusive right conferred upon the owner of the digital health data;
- digital health data collected, stored or transmitted by any person is not secured as per the standards prescribed by the Act or any rules thereunder; or
- any person damages, destroys, deletes, affects injuriously by any means or tampers with any digital health data.
At GHO, we uphold the principles of the Digital Information Security in Healthcare Act (DISHA) to ensure the privacy, security, and ethical use of Digital Health Data (DHD) and Personally Identifiable Information (PII). Our commitment to these principles enhances patient trust while advancing healthcare innovation.
1. Safeguarding Digital Health Data
GHO strictly adheres to DISHA’s guidelines for managing Digital Health Data, which includes sensitive information such as medical history, diagnostic results, and health services provided. We ensure the secure generation, collection, storage, transmission, and usage of this data, aligning our processes with DISHA’s standards to protect patient confidentiality and data integrity.
2. Protection of Personally Identifiable Information (PII)
GHO recognizes the sensitivity of PII as defined by DISHA, encompassing identifiers like names, contact details, financial information, and biometric data. Our systems are designed to safeguard this information through encryption, access controls, and compliance with the prescribed data security standards.
3. Respecting Patient Rights
GHO fully supports the rights granted to data owners under DISHA. Patients have the right to:
- Privacy and Consent: We obtain explicit consent before generating or accessing digital health data and respect patients' decisions to refuse or withdraw consent at any stage.
- Data Access and Rectification: Patients can access and correct their health data through user-friendly platforms, ensuring accuracy and reliability.
- Transparency: Patients are notified whenever their data is accessed or shared, ensuring they remain informed and in control.
- Compensation for Breach: GHO has robust mechanisms to address breaches, offering appropriate remedies as outlined in DISHA.
4. Purpose-Limited Data Usage
In alignment with DISHA, GHO uses DHD strictly for permitted purposes, including improving patient care, enhancing public health initiatives, and supporting clinical research. Data is never used for purposes beyond the scope of user consent, ensuring ethical and responsible handling.
5. Information Security and Breach Management
GHO applies security measures to protect digital health data at every stage of its lifecycle, meeting the minimum safeguards DISHA mandates. These include:
- Access Controls: Ensuring only authorized personnel can interact with sensitive data.
- Encryption: Protecting data in transit and at rest.
- Audit Trails: Tracking data access and changes to ensure accountability.
In the event of a breach, GHO follows DISHA’s protocols to address incidents promptly, mitigate risks, and notify affected individuals and authorities in accordance with legal requirements.
6. Compliance with Data Usage Purposes
GHO uses digital health data to:
- Deliver patient-centered care through telemedicine and second opinions.
- Enhance coordination among healthcare providers using secure health information exchanges.
- Facilitate research aimed at improving healthcare quality and addressing public health challenges.
By adhering to these purposes, GHO supports the advancement of healthcare while protecting individual rights.
7. Proactive Approach to Data Security
GHO integrates DISHA’s data protection standards into its operational framework, establishing preventive measures against data breaches or theft. Regular audits, staff training, and the adoption of advanced technology ensure compliance and reinforce our commitment to safeguarding digital health data.
By aligning with DISHA, GHO ensures that patient data is handled responsibly, securely, and transparently. This commitment builds trust among users, supports public health goals, and strengthens the ethical foundation of our healthcare solutions. Our proactive approach to DISHA compliance underscores GHO’s role as a leader in providing secure, patient-centered healthcare services.