Indian Government plans to set up National and State Digital Health Authorities

The Indian Government’s Ministry of Health and Family Welfare (MoHFW) has released a draft “Digital Information Security in Healthcare Act”.

Through the Act, the Ministry plans to set up a nodal body in the form of a "National Digital Health Authority", a statutory body to promote the adoption of e-Health standards, to enforce privacy & security measures for electronic health data, and to regulate storage & exchange of Electronic Health Records. The Government also plans to establish State eHealth Authorities and Health Information Exchanges.

The Government is seeking feedback on the draft Act till 21 April, 2018.

The National Electronic Health Authority of India will formulate standards, operational guidelines and protocols for the generation, collection, storage and transmission of digital health data. These will apply to clinical establishments that generate and collect digital health data for their own use or for further transmission to the health information exchanges, and to health information exchanges that store and transmit digital health data to clinical establishments, to other exchanges, or to State or National Electronic Health Authorities. The State and National Authorities themselves, as well as any entity having custody of any digital health data, will be subject to the requirements.

To ensure data protection and prevent breach or theft of digital health data, the National Authority will establish data security measures for all stages of the data chain, which shall at the minimum include access controls, encryption and audit trails. It will also create protocols for exchange of digital health data with other countries.

The National and State Authorities shall have the right to inspect all records; or access the premises, including virtual premises of the health information exchange or exchanges at any time to carry out the functions in the Act.

Digital health data may be collected, stored and transmitted by health information exchanges for the following purposes:

1) To advance the delivery of patient centered medical care;
2) To provide appropriate information to help guide medical decisions at the time and place of treatment;
3) To improve the coordination of care and information among hospitals, laboratories, medical professionals, and other entities through an effective infrastructure for the secure and authorized exchange of digital health data;
4) To improve public health activities and facilitate the early identification and rapid response to public health threats and emergencies, including bioterror events and infectious disease outbreaks;
5) To facilitate health and clinical research and health care quality;
6) To promote early detection, prevention, and management of chronic diseases;
7) To carry out public health research, review and analysis, and policy formulation;
8) To undertake academic research and other related purposes.

Government departments can submit requests for digital health data in deidentified/anonymised form to the National Electronic Health Authority for the purposes numbered 4 to 8 in the above list.

According to the Act, the digital health data shall be owned by the individual whose health data has been digitised. A clinical establishment or exchange holds the data in trust for the owner.

An owner shall have the right to privacy, confidentiality, and security of their digital health data. Digital health data, whether identifiable or anonymised, would not be accessed, used or disclosed to any person for a commercial purpose and to insurance companies, employers, human resource consultants and pharmaceutical companies, or any other entity as may be specified by the Central Government.

It is specified that insurance companies shall not insist on accessing the digital health data of persons who seek to purchase health insurance policies or during the processing of any insurance claim.

The digital health data shall be transmitted by a clinical establishment or entity or health information exchange only upon the consent of the owner, after being informed of the rights of the owner. A health information exchange shall maintain a register containing all details of the transmission of the digital health data between a clinical establishment and health information exchange, and between exchanges.

In the event of an emergency, certain digital health data can immediately be made accessible to a clinical establishment, upon a request, including information related to allergies, drug interactions etc.

The Act also lays out penalties for breaches of digital health data. Any person who breaches digital health data shall be liable to pay damages by way of compensation to the owner of the data.

Any person who commits a serious breach of health care data shall be punished with imprisonment, which shall extend from three years up to five years; or a fine, which shall not be less than 500,000 rupees (US$ 7675).

A serious breach is defined as one that is committed intentionally, dishonestly, fraudulently or negligently; that occurs in relation to data which is not anonymised or de-identified; where the person failed to secure the data; where the data was used for commercial gain; or that is one of repeated breaches.

The Central Government and the State Governments will appoint Central and State Adjudication Authorities respectively, to exercise the jurisdiction, powers and authority conferred by or under this Act.

In September 2013, MoHFW notified the Electronic Health Record (EHR) Standards for India to introduce a uniform standard-based system for creation and maintenance of EHRs by healthcare providers. The standards were revised in line with developments, as seen from this December 2016 release, Standards Set Recommendations v2.0.

Read the draft Act here.
