DISHA and HIPAA, How Do They Compare?
The Digital Information Security in Healthcare Act (DISHA) of India seeks to establish a National Digital Health Authority and Health Information Exchanges. The purpose of the proposed law is to ensure the privacy, confidentiality, security, and standardization of electronic health data. There are many similarities between DISHA and HIPAA, which are discussed in detail below.
What is DISHA?
The Digital Information Security in Healthcare Act (DISHA) is an “Act to provide for establishment of National and State eHealth Authorities and Health Information Exchanges; to standardize and regulate the processes related to collection, storing, transmission and use of digital health data; and to ensure reliability, data privacy, confidentiality and security of digital health data and such other matters related and incidental thereto.”
The proposed health information law would regulate two types of information: Digital Health Data (DHD) and associated personally identifiable information (PII). If enacted, DISHA will regulate the generation, collection, access, storage, transmission and use of DHD and associated PII.
DISHA and HIPAA, Protected Information
The information regulated by DISHA is similar to that regulated by HIPAA, as both laws cover personal health data. DISHA distinguishes two categories of regulated data, Digital Health Data (DHD) and associated personally identifiable information (PII), while HIPAA regulates protected health information (PHI) and PHI stored electronically (ePHI).
Digital Health Data
Digital Health Data is defined by DISHA as “an electronic record of health related information about an individual and shall include the following:
- Information concerning the physical or mental health of the individual;
- Information concerning any health service provided to the individual;
- Information concerning the donation by the individual of any body part or any bodily substance;
- Information derived from the testing or examination of a body part or bodily substance of the individual;
- Information that is collected in the course of providing health services to the individual; or
- Information relating to details of the clinical establishment accessed by the individual.”
Personally Identifiable Information
Personally Identifiable Information is defined by DISHA as “any information that can be used to uniquely identify, contact or locate an individual, or can be used with other sources to uniquely identify a person.”
Under DISHA, PII includes:
- Name
- Address
- Date of Birth
- Telephone Number
- Email Address
- Password
- Financial information such as bank account or credit card or debit card or other payment instrument details
- Physical, physiological and mental health condition
- Sexual orientation
- Medical records and history
- Biometric Information
- Vehicle number
- Any government number, including Aadhaar, Voter’s Identity, Permanent Account Number (‘PAN’), Passport, Ration Card, Below Poverty Line (‘BPL’).
Protected Health Information
HIPAA regulates the use and disclosure of “individually identifiable” health information, known as protected health information (PHI), including electronic PHI (ePHI).
PHI includes:
- Name
- Address
- Any dates (except years) that are directly related to an individual, including birth date, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voice prints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes