DISHA and HIPAA, How Do They Compare?

DISHA and HIPAA

The Digital Information Security in Healthcare Act (DISHA) is a proposed Indian law that would establish a National Digital Health Authority and Health Information Exchanges. Its purpose is to ensure the privacy, confidentiality, security, and standardization of electronic health data. DISHA and HIPAA share many features, which are discussed in detail below.

What is DISHA?

The Digital Information Security in Healthcare Act (DISHA) is an, “Act to provide for establishment of National and State eHealth Authorities and Health Information Exchanges; to standardize and regulate the processes related to collection, storing, transmission and use of digital health data; and to ensure reliability, data privacy, confidentiality and security of digital health data and such other matters related and incidental thereto.”

The proposed health information law is set to regulate two types of information, Digital Health Data (DHD) and associated personally identifiable information (PII). If enacted, DISHA will regulate the generation, collection, access, storage, transmission and use of DHD and associated PII.  

DISHA and HIPAA, Protected Information

The information regulated by DISHA is similar to that regulated by HIPAA, as both laws cover personal health data. DISHA distinguishes two categories of regulated data, Digital Health Data (DHD) and associated personally identifiable information (PII), while HIPAA regulates protected health information (PHI), of which PHI stored or transmitted electronically (ePHI) is a subset.

Digital Health Data

Digital Health Data is defined by DISHA as, “an electronic record of health related information about an individual and shall include the following:

  • Information concerning the physical or mental health of the individual;
  • Information concerning any health service provided to the individual;
  • Information concerning the donation by the individual of any body part or any bodily substance;
  • Information derived from the testing or examination of a body part or bodily substance of the individual;
  • Information that is collected in the course of providing health services to the individual; or
  • Information relating to details of the clinical establishment accessed by the individual.”

Personally Identifiable Information

Personally Identifiable Information is defined by DISHA as “any information that can be used to uniquely identify, contact or locate an individual, or can be used with other sources to uniquely identify a person.”

Under DISHA, PII includes:

  1. Name
  2. Address
  3. Date of Birth
  4. Telephone Number
  5. Email Address
  6. Password
  7. Financial information such as bank account or credit card or debit card or other payment instrument details
  8. Physical, physiological and mental health condition
  9. Sexual orientation
  10. Medical records and history
  11. Biometric Information
  12. Vehicle number
  13. Any government-issued number, including Aadhaar, Voter’s Identity, Permanent Account Number (‘PAN’), Passport, Ration Card, Below Poverty Line (‘BPL’).

Protected Health Information

HIPAA regulates the use and disclosure of “individually identifiable” health information, known as protected health information (PHI), including electronic PHI (ePHI). Health information is individually identifiable when it is linked to one or more of the 18 identifiers listed in HIPAA’s Safe Harbor de-identification standard; remove all 18 and the data is no longer PHI.

The 18 identifiers are:

  1. Name
  2. Address
  3. Any dates (except years) that are directly related to an individual, including birth date, date of admission or discharge, date of death, or the exact age of individuals older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voice prints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics, or codes


DISHA and HIPAA, Patient Rights

Both DISHA and HIPAA give patients rights over the regulated information.

DISHA Patient Rights

DISHA gives the owner of digital health data, meaning the individual to whom the data relates, the following rights:

  • to privacy, confidentiality, and security of their digital health data, which may be collected, stored and transmitted;
  • to give or refuse consent for the generation and collection of digital health data by clinical establishments and entities;
  • to give, refuse or withdraw consent for the storage and transmission of digital health data;
  • to refuse consent to the access or disclosure of his or her digital health data, and if refused it shall not be disclosed;
  • that the digital health data collected must be specific, relevant and not excessive in relation to the purpose or purposes for which it is sought;
  • to know the clinical establishments or entities which may have or has access to the digital health data, and the recipients to whom the data is transmitted or disclosed; 
  • to access their digital health data with details of consent given and data accessed by any Clinical Establishment/Entity;
  • to rectify without delay, from the respective clinical establishment or health information exchange or entity, any inaccurate or incomplete digital health data, in the prescribed form as may be notified by the National Electronic Health Authority;
  • to require their explicit prior permission for each instance of transmission or use of their digital health data in an identifiable form, through such means as may be prescribed by the Central Government;
  • to be notified every time their digital health data is accessed by any clinical establishment;
  • to ensure that in case of health emergency, the digital health data of the owner may be shared with their family members;
  • to prevent any transmission or disclosure of any sensitive health related data that is likely to cause damage or distress to the owner;
  • not to be refused health service if they refuse to consent to the generation, collection, storage, transmission or disclosure of their health data; and
  • to seek compensation for damages caused by a breach of digital health data.

HIPAA Patient Rights

HIPAA also gives patients rights over their PHI.

These rights include:

  • the right to access and obtain a copy of their PHI on request;
  • the right to request amendment of PHI, or of a record about the individual, held in a designated record set, for as long as the PHI remains in that record set; and
  • protection against certain uses of PHI: the use or disclosure of genetic information for underwriting purposes is prohibited outright, and the sale of PHI and (with limited exceptions) the use or disclosure of psychotherapy notes require the individual’s written authorization.

DISHA and HIPAA, Data Use and Disclosure

DISHA and HIPAA both restrict how data can be used and disclosed.

DISHA Purposes for Data Use

DISHA regulates how DHD can be generated, collected, stored, and transmitted by a clinical establishment or health information exchange.

Permitted purposes for data use include:

  • To advance the delivery of patient centered medical care;
  • To provide appropriate information to help guide medical decisions at the time and place of treatment;
  • To improve the coordination of care and information among hospitals, laboratories, medical professionals, and other entities through an effective infrastructure for the secure and authorized exchange of digital health data;
  • To improve public health activities and facilitate the early identification and rapid response to public health threats and emergencies, including bioterror events and infectious disease outbreaks;
  • To facilitate health and clinical research and health care quality;
  • To promote early detection, prevention, and management of chronic diseases;
  • To carry out public health research, review and analysis, and policy formulation; and
  • To undertake academic research and other related purposes.

HIPAA Use and Disclosure

Under HIPAA, PHI may be used or disclosed without the patient’s authorization for treatment, payment, or health care operations; most other uses and disclosures require the patient’s written authorization or must fall under a specific exception in the Privacy Rule. Apart from disclosures to a provider for treatment, each use or disclosure must be limited to the “minimum necessary” information required to accomplish the intended purpose, which in practice means role-based access to records rather than blanket access.

DISHA and HIPAA, Information Security

Both DISHA and HIPAA impose information security requirements.

DISHA Information Security

DISHA requires organizations to, “ensure data protection and prevent breach or theft of digital health data, establish data security measures for all stages of generation, collection, storage and transmission of digital health data, which shall at the minimum include access controls, encrypting and audit trails.”

HIPAA Information Security

HIPAA requires organizations to, “maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit; Identify and protect against reasonably anticipated threats to the security or integrity of the information; protect against reasonably anticipated, impermissible uses or disclosures; and ensure compliance by their workforce.”

DISHA and HIPAA, Breaches

Both DISHA and HIPAA require organizations to notify individuals whose information was subject to a breach. HIPAA’s Breach Notification Rule additionally requires notice to the Department of Health and Human Services and, for breaches affecting more than 500 residents of a state or jurisdiction, to prominent media outlets.

Under DISHA a breach of digital health data occurs when:

  • any person generates, collects, stores, transmits or discloses digital health information in contravention to the provisions of Chapter II of DISHA;
  • any person does anything in contravention of the exclusive right conferred upon the owner of the digital health data;
  • digital health data collected, stored or transmitted by any person is not secured as per the standards prescribed by the Act or any rules thereunder; or
  • any person damages, destroys, deletes, affects injuriously by any means or tampers with any digital health data.

Under HIPAA, a breach is an acquisition, access, use or disclosure of PHI that is not permitted by the Privacy Rule and that compromises the security or privacy of the PHI. Such an incident is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. Typical examples include:

  • PHI compromised in a hacking incident;
  • unauthorized access to PHI, whether by an outside party or by a member of the workforce accessing PHI without a legitimate need;
  • theft or loss of an unencrypted device containing, or with access to, PHI (loss of a device whose PHI is encrypted in line with HHS guidance is not a reportable breach, which is why device encryption is one of the most effective HIPAA controls); or
  • improper disposal of medical records.

DISHA and HIPAA, How is DISHA Similar to HIPAA?

Many of the requirements that DISHA would set forth are already requirements under HIPAA. HIPAA requires healthcare organizations to ensure the confidentiality, integrity, and availability of ePHI, while DISHA requires organizations to ensure the privacy, confidentiality, security, and standardization of electronic health data. Additionally, what HIPAA treats as ePHI is similar to what DISHA treats as DHD and associated PII.

Both HIPAA and DISHA give patients rights over the regulated information and require organizations to explain to patients how their information will be used. Both also require organizations to protect sensitive data with security controls (DISHA names access controls, encryption and audit trails as the minimum; HIPAA requires administrative, technical and physical safeguards) and to report breaches of that information to the affected individuals.

While DISHA has not been enacted, it or a similar health data protection law is likely to pass in the near future. Becoming HIPAA compliant now is a practical way to prepare your organization for the impending Indian health data law.
