5 year jail and Rs 5 lakh fine for data breach

28 March 2018 | News

If any person uses digital health data for commercial purposes, or a clinical establishment or health information exchange repeatedly commits a breach of digital health data, the person will be liable for punishment.

According to the draft Digital Information Security in Healthcare Act (DISHA), serious breaches of health care data should be punishable by up to five years in jail and a fine of up to Rs 5 lakh.

The draft gives owners the right to privacy, confidentiality, and security of their digital health data, and the right to give or refuse consent for the generation and collection of such data.

It will be considered a serious digital health data breach if a person commits a breach of digital health data intentionally, dishonestly, fraudulently or negligently, where information that is not anonymised or de-identified is shared, and where a person has failed to secure the data as per the standards prescribed by the Act or any rules.

If any person uses digital health data for commercial purposes or commercial gain, or a clinical establishment or health information exchange commits a breach of digital health data repeatedly, the person will be liable for punishment.

Information including, but not limited to, one's physical or mental health condition, sexual orientation, use of narcotic or psychotropic substances, consumption of alcohol, sexual practices, Human Immunodeficiency Virus status, Sexually Transmitted Infections treatment, and abortion will be considered sensitive information to be protected.

Making the health data security laws more stringent, any person or entity charged with a data breach will not be able to challenge the punishment in court.

The Central and state adjudicating authorities formed under the Act will have powers of a civil court, according to the draft.

As per the draft, digital health data may be generated, collected, stored, and transmitted by a clinical establishment and by health information exchanges for various purposes, including advancing the delivery of patient-centred medical care, providing appropriate information to help guide medical decisions, and improving coordination of care and information among hospitals, laboratories, medical professionals, and other entities through an effective infrastructure for secure and authorized exchange of digital health data.

The draft legislation, prepared by the Ministry of Health and Family Welfare, has also proposed to constitute a National Electronic Health Authority (NeHA), which would function as an independent regulator.

The NeHA will formulate rules, standards and processes for developing and managing electronic health records (EHR).
