But, with the debate around data security heating up in the absence of an overarching data protection law, the government on Tuesday released a draft Bill termed the Digital Information Security in Healthcare (DISHA) Bill, which seeks to give citizens powers over their health data and pushes for penalties on breach and misuse of this information.
The Bill proposes rights such as mandatory consent for the collection, storage and sharing of citizens’ health data, including the right to withdraw consent at any time. Following withdrawal, the data will be deleted or made anonymous after removing personal identifiers.
“An owner shall have the right to give, refuse or withdraw consent for the storage and transmission of digital health data,” the Bill states.
“An owner shall have the right to refuse consent to the access or disclosure of his or her digital health data, and if refused it shall not be disclosed, subject to the exceptions provided in Section 33 of the Act.”
The Bill is an initiative to introduce data security and set standards for sharing data, which is expected to help the government in many ways, such as research, easier transfers of patients between healthcare facilities, storing medical records, and early detection of public health emergencies.
The government has started creating Health Management Information Systems with state governments as part of the National Rural Health Mission of 2005.
Digitising health records
Information technology analysts suggest that the Bill is a good step to advance the rights of citizens and bring coherence to the management of health data, which is scattered across paper files and digital formats at various facilities.
“The Bill is in the right direction when it comes to putting citizens’ ownership of their data on paper but it is likely to be diluted since it could be restrictive if continuous editing or deleting data is allowed, based on people’s consent,” said a data security expert with a health start-up.
The government has proposed creating health information exchanges, which will be responsible for storing health data, apart from clinical establishments. These exchanges will supply information to hospitals, insurance companies and the government.
The rationale behind the move is to track diseases better and also make sure that outbreaks are controlled, said Srinath Reddy, president, Public Health Foundation of India.
“The National Health Policy of 2017 envisaged a regulatory authority for managing health data and this Bill is a move to make that a reality. The government is looking to integrate eHealth better into its systems and also give a little bit of data protection,” he said.
The government has also proposed setting up the National Electronic Health Authority, which will be the overarching body to set standards on storage, transmission and encryption of information. Clinical establishments will conform to these standards to transmit health data to information exchanges and they will be allowed to keep a copy of their data for “reasonable use”, according to the draft Bill.
A member secretary (in charge of health) to the erstwhile Planning Commission said the government was looking to set up regulators and information exchanges for using the data but it was unclear how effective they would prove in enforcing standards in smaller establishments. “Do we have a list of all big and small medical facilities, labs and research institutes? How will they know if the data is being made anonymous before being released or not?”
“The government’s intention seems to be right but they have bitten off more than they can chew,” the former Planning Commission member said.