Digital Information Security Health Care Act (DISHA) Compliance Assessment

DISHA (Digital Information Security in Healthcare Act) will enable the digital sharing of personal health records with hospitals and clinics, and between hospitals and clinics; it will be the basis for the creation of digital health records in India. 


The National Health Policy has green-lit the creation of a National Health Information Network for sharing Aadhaar-linked Electronic Health Records. DISHA appears to lay the groundwork for many health exchanges.
DISHA imposes significant restrictions on the use of health data and places an individual squarely in control of his data. DISHA clearly offers stronger protection to an individual vis-à-vis his data. In fact, DISHA clearly specifies the purposes for which health data can be used and the processing it can undergo, and disallows processing on any other grounds, including consent. If a purpose or processing is specified under DISHA, then additionally, there is a requirement of either the individual’s consent or a law requiring such use.
Data governance under DISHA takes an entirely consent-based approach, giving the individual significant rights and placing him squarely as the owner of his data. Under DISHA, an individual has been given an actual say in what happens with his data.

Under DISHA, access to health data is restricted: governmental departments may seek access from the National Electronic Health Authority established under the Act for the following purposes:

  • To carry out public health activities or to deal with public health threats.
  • To facilitate health and clinical research.
  • To promote detection, prevention and management of chronic diseases.
  • To carry out public health research and analysis.
  • To undertake academic research.

Apart from this, DISHA permits access for an investigation via a court order.

Firstly, the individual has been given explicit rights to give or refuse consent at every stage of processing: generation, collection, storage, transmission, access and disclosure. He also has the right to withdraw consent for storage and transmission of his data. Two very significant consent-related rights in addition to these are the need for explicit, prior permission for every use of his data in an identifiable form, and the right not to be refused health care if he refuses consent at any stage.