There has always been a need for better security of digital patient data in India. Especially given our population it can be very difficult to maintain a single unified digital data store for each person that is secure and updated. The Indian government in an attempt to resolve this long pending data security requirement has come up with an act called DISHA (Digital Information Security in Healthcare Act). A draft of the act was introduced for the public to comment and share their feedback on it, and here’s what we, at AIndra Systems, think about it.
Currently, The collection, receipt, storage, handling and transfer of sensitive personal data or information (‘SPDI’) in electronic form is subject to the Information Technology Rules 2011 (Reasonable security practices and procedures and sensitive personal data or information – the ‘Data Protection Rules’), a set of rules prescribed under the Information Technology Act 2000 – India’s principal legislation governing information technology. The Data Protection Rules consider a select set of information to be SPDI. From a healthcare perspective, this includes information relating to physical, physiological and mental health conditions, sexual orientation as well as medical records and history.
Along with data protection, another major hurdle was the interoperability of healthcare data. The ability to share data between clinical establishments, diagnostic centres, etc. If this data can be shared it will not only make things seamless for a patient but also save time and money. A physician does not have to ask a patient to re-do a scan that he did in the recent past. In late 2016, the government tried to enable this by a revised Electronic Health Records Standard of India. This, however, did not have very good acceptance from the industry. Hence, DISHA was formulated with a hope to resolve all pitfalls and drawbacks of the previously proposed standard.
DISHA was introduced in March 2019 by the Indian government to protect and regulate digital healthcare data. The purpose of DISHA is to regulate the generation, collection, storage, analysis, transmission and ownership of patient health data and personally identifiable information. It calls for the creation of a central regulator called the National Electronic Health Authority, and of state regulators called State Electronic Health Authorities. It also calls for the setting up of Health Information Exchanges by the government.
Some Key points on access and sharing of data from the Act:
Ownership of data and consent: The patient is the sole owner of all digital data that belongs to him/her. Any establishment that is wishing to use or access this data must seek permission and written consent from the data owner. This consent will have to be sought every time an establishment wants to access this data.
The purpose for access to data: There are about 8 instances listed down when data can be accessed. Among these are to advance the delivery of patient-centred medical care, to facilitate health and clinical research and health care quality, To promote early detection, prevention, and management of chronic diseases, to improve coordination of care among different medical establishments, etc.
Storing of Digital data: No digital health data shall be stored by any clinical establishment or entity or health information exchange in any manner
While DISHA is successful in bringing out the importance of regulation around Data security and privacy, it seems to be suffering from a deficit of some important points for friction-less implementation.
The patient seems to be the focal point of DISHA. Throughout the act, there is much power given to the patient over his/her medical data and very rightfully so. However, it is unclear of how will a nation having over a billion people be educated about a) rights over the data b) need for consent c) how and when to decide to provide or reject consent d) what is the mode for receiving and actioning on a consent request and many more such important aspects. These decisions might be a deterrent in the patients well being if not taken appropriately. Education will be at a huge cost and the right kind of education and understanding of the act can be challenging given the extent of rural dwellings in India.
There is no mention of how exactly the act will ensure that there is one central data store that is updated at all times for each individual. Though this central data store will be great for research establishments and cross-collaboration there is no process specified on how this can be an enabler and not a time-consuming activity.
Though the act specifies that data can be anonymized and shared or used by establishments to facilitate health and clinical research, it also specifies that the patient consent needs to be sought for every access which makes it an arduous process for startups who work in an agile manner. Also, there is no indication of how does an establishment seeks this consent.
Medical research institutes and corporate establishments might be generating a lot of clinical data that can or may be used in research that can lead to better patient outcomes. The clinical data(anonymized), though easily accessible by the establishment will be made more difficult and time-consuming. Moreover, technologies like AI that are solely dependant on data for better results will have a steeper development and iteration time. Such companies will not only need to access but also store this data which DISHA does not permit.
Another very common solution being used every day by millions of users is healthcare apps and wearables. Daily there are millions of records that are created and shared across these platforms. The PDP(Personal data protection) bill published in 2018 allowed for such transactions to happen. However, DISHA does not permit the use of this data. Data collected and analyzed through such sources can be beneficial to the patient for a customized experience and better health outcomes. Nevertheless, it is true that since such apps are never regulated, data security is a huge risk. But ignoring the benefits of such solutions and putting an abrupt stop to these is also not an ideal solution for patients or technology and healthcare providers.
The PDP bill in some ways fulfils the lacunae in DISHA. More work needs to be done in refining and making the act friendly to both patient security and for usage by different medical entities. Both are equally important for progression in the healthcare industry.
It would be helpful if DISHA is more holistic in nature. While the crux of DISHA has patient data security at its core, there are a lot of ripple effects forgotten about in the act.
Access to data that is purely clinical in nature: A lot of research and development of better solutions for numerous ailments and diseases can be made difficult if this data is made difficult to access by the healthcare companies/establishments. While the act specifies that such institutions can gain access to anonymised data, it does not specify how does one seek that access and how will records of such access be maintained.
Infrastructure readiness to support DISHA should be assessed before it is put into effect or various stakeholders will have to bear the brunt of process delays.
Blog by: Evelyn Immanuel (Product Manager)