Digital health security law: Rs 5 lakh fine, five-year jail term for data breach

According to the draft Digital Information Security in Healthcare Act (DISHA) prepared by the Health Ministry, serious breaches of health care data should be punishable by up to five years in jail and a fine of up to Rs 5 lakhs.


  • The central government has drafted the digital health security law.
  • The Health Ministry’s draft Digital Information Security in Healthcare Act gives people the right to privacy, confidentiality and security of their digital health data.
  • According to the proposed Digital Information in Healthcare Security Act (DISHA), those committing any breach will face punishment of up to five years’ imprisonment and a Rs 5-lakh fine.

The draft Digital Information in Healthcare Security Act (DISHA) categorically states that any health data, including physiological, physical and medical records, sexual orientation and history, and biometric information, is the property of the person to whom it pertains.

According to the draft:

  • Digital health data means an electronic record of health-related information including an individual’s physical or mental health, health service provided to the individual, information derived from the testing or examination of a body part or bodily substance of the individual.
  • If any person uses digital health data for commercial purposes or commercial gain, or if a clinical establishment or health information exchange repeatedly commits a breach of digital health data, the person will be liable for punishment.
  • It states that an owner has the right to privacy, confidentiality, and security of their digital health data, and has the right to give or refuse consent for the generation and collection of digital health data by clinical establishments and entities.
  • The owner also has the right to give, refuse or withdraw consent for the storage and transmission of digital health data, and to refuse consent to the access or disclosure of his or her digital health data; if consent is refused, the data shall not be disclosed.
  • The draft legislation also aims to protect ‘sensitive health-related information’, which means information that, if lost, compromised, or disclosed, could result in substantial harm, embarrassment, inconvenience, violence, discrimination or unfairness to an individual.
  • Information including, but not limited to, one’s physical or mental health condition, sexual orientation, use of narcotic or psychotropic substances, consumption of alcohol, sexual practices, Human Immunodeficiency Virus status, Sexually Transmitted Infections treatment, and abortion will be considered sensitive information to be protected.
  • Making the health data security laws more stringent, any person or entity charged with data breach will not be able to challenge the punishment in court. The Central and state adjudicating authorities formed under the Act will have powers of a civil court, according to the draft.
  • No court shall take cognizance of any offence punishable under the Act except on a complaint made by the Central Government, State Government, the National Electronic Health Authority of India, State Electronic Health Authority, or a person affected.
  • However, digital health data may be generated, collected, stored, and transmitted by a clinical establishment and by health information exchanges for various purposes including advancing the delivery of patient-centred medical care, to provide appropriate information to help guide medical decisions and to improve coordination of care and information among hospitals, laboratories, medical professionals, and other entities through an effective infrastructure for secure and authorized exchange of digital health data.
  • The draft legislation prepared by the Ministry of Health and Family Welfare has also proposed to constitute a National Electronic Health Authority (NeHA), which would function as an independent regulator. The NeHA will formulate rules, standards and processes for developing and managing electronic health records (EHR).
  • Any person who breaches digital health data is liable to pay compensation to the person whose data was breached.

Speaking to My Medical Mantra, Dr Vinay Aggarwal, Past National President-IMA and coordinator of the mahapanchayat, said, “In the present scenario, it is very difficult to maintain secrecy. If it becomes a source of litigation then patient care will be hampered. As the patients and the attendants may not have the adequate knowledge about the disease and so on. There will be no compliance of the treatment. So, secrecy should be maintained. But under present circumstances it seems difficult.”