Digital Information Security in Healthcare Act (DISHA): Ensuring Privacy & Security in the Digitalization Era
The privacy of personal health information has become a critical concern in a time when digital technologies are revolutionising the delivery of healthcare. A legislative framework that protects sensitive health data, upholds patient privacy, and fosters trust throughout the health ecosystem is desperately needed, given the growth of telemedicine, electronic health records (EHRs), mobile health apps, and health data exchanges.
The Digital Information Security in Healthcare Act (DISHA) is India’s proposed answer to this need. Originally introduced by the Ministry of Health & Family Welfare, it aims to regulate digital health data and provide robust data protection specifically tailored to healthcare.
Although DISHA has not yet been enacted into law and remains at the draft stage, its objectives reflect a critical response to gaps in existing data protection regimes.
Overview & Purpose
The need for a dedicated legal framework for digital health data protection in India was first recognised in 2017, leading to the drafting of the Digital Information Security in Healthcare Act (DISHA). Before this, data privacy and cybersecurity in healthcare were governed mainly by the Information Technology Act, 2000, which offers general protections but lacks provisions tailored to the sensitive and complex nature of healthcare data. Despite its early formulation, DISHA has not yet been enacted and remains pending.
In parallel, the launch of the Ayushman Bharat Digital Mission (ABDM) has accelerated the creation of an interoperable digital health ecosystem, increasing the volume and exchange of electronic health records. Against this backdrop, DISHA is envisioned as a comprehensive, healthcare-specific data protection law that defines digital health data and recognises individuals as the owners of their health information, reinforcing patient-centric data governance and strengthening privacy, consent, and security safeguards.
The primary objectives of DISHA include:
- Protecting the confidentiality, privacy, and security of digital health information.
- Standardizing and regulating the generation, collection, storage, transmission, and use of digital health data.
- Establishing dedicated regulatory bodies, including National and State Electronic Health Authorities, to oversee compliance and enforcement.
- Enabling secure health information exchange and promoting interoperability within the digital health ecosystem.
Overall, DISHA is positioned as a critical missing link in India’s digital health architecture, intended to complement initiatives such as ABDM by providing a clear legal foundation for trust, accountability, and responsible use of health data.
The Need for Healthcare Data Security
Health data is now a vital national and personal asset due to the rapid digitisation of healthcare, necessitating strict legal and regulatory protections such as the Digital Information Security in Healthcare Act (DISHA) to preserve patient privacy, uphold public confidence, and promote responsible innovation in digital health. Some of the key reasons why DISHA is important include:
1. Rise of Digital Platforms: With the proliferation of telemedicine, patient portals, EHR systems, health apps, wearable devices, and AI tools in healthcare, enormous volumes of personal health data are being created and shared. This digital transformation enhances care delivery but also exposes sensitive information to risks such as cyberattacks and unauthorized disclosure.
2. Gaps in the Existing Legal Framework: The existing IT Act, 2000, and its rules offer general cybercrime and data protection provisions, but do not specifically tailor protections for healthcare data. Important aspects such as consent for data use, strict data sharing norms, and sector-specific oversight mechanisms are absent.
3. Patient Trust & Ethical Imperatives: Healthcare data breaches can have profound consequences, from stigmatization to discrimination, insurance profiling, and loss of patient trust. Public confidence in digital health systems depends on strong privacy safeguards and transparent regulatory rules.
4. Strengthening Governance & Oversight: The Act proposes dedicated national and state-level health data authorities to monitor compliance, enforce standards, and ensure ethical handling of digital health information.
Key Features of DISHA
The DISHA draft proposes a range of features designed to strengthen protection for digital health data:
1. Legal Recognition of Digital Health Data and Consent
“Digital health data” is defined comprehensively to include all electronic health information related to an individual.
Health records can only be stored, accessed, or transmitted with explicit written consent from the data owner (the patient).
2. Establishment of Regulatory Authorities
A National Electronic Health Authority (NeHA) and State Electronic Health Authorities (SeHA) will be created to enforce compliance.
These authorities are equipped with powers similar to those of quasi-judicial bodies to adjudicate disputes.
3. Prohibition on Commercial Use
DISHA explicitly forbids the commercial exploitation of health data, including disclosure to insurers, employers, or pharmaceutical companies, even if anonymized.
4. Health Information Exchanges and Standards
Health Information Exchanges will be established to facilitate the secure flow of data between clinical establishments.
The Act proposes standards for interoperability and transmission safeguards.
5. Penalties for Breaches
Stringent penalties are proposed for non-compliance, including fines and imprisonment, especially for serious breaches involving dishonest use or unauthorized sharing of data.
Benefits of DISHA
The Digital Information Security in Healthcare Act (DISHA) offers wide-ranging benefits across stakeholders by establishing a secure, transparent, and patient-centric framework for the governance of digital health data. Its key benefits include:
1. For Citizens / Patients, the Act ensures enhanced privacy and control over their personal health data, with ownership rights and consent requirements.
2. The Act strengthens public trust in digital health services by reducing the risks of identity theft, discrimination, or misuse of health records, leading to greater acceptance of digital health innovations.
3. For Healthcare Providers, a standardized legal framework encourages trust and transparency and reduces legal uncertainties, while clear guidance on data handling reduces liability risks and supports compliance efforts.
4. The Act also facilitates interoperability and more seamless data sharing between providers.
5. For the Healthcare System, DISHA promotes secure and ethical data exchange, supporting research, public health planning, and system efficiency, and encourages responsible use of health information while balancing privacy with clinical needs.
Despite its intent to strengthen healthcare data protection, DISHA faces several challenges related to implementation and enforcement, particularly for smaller and resource-limited healthcare facilities that may struggle with compliance costs and technical requirements. Its unenacted status, coupled with uneven digital infrastructure, evolving cybersecurity threats, and complexities around informed consent, continues to limit uniform and effective adoption across India’s healthcare ecosystem.
Conclusion
The Digital Information Security in Healthcare Act (DISHA) represents a landmark attempt to tailor data protection law specifically for the sensitive context of healthcare. By framing comprehensive rules for digital health data privacy, consent, regulatory oversight, and breach penalties, DISHA aims to strike a balance between digital innovation and patient rights.
While its implementation is pending, the principles and structure of DISHA hold significant value in informing future healthcare data governance, ensuring that digitization in the healthcare sector enhances care delivery without compromising privacy, security, and trust. Its eventual enactment could pave the way for safer, more transparent, and patient-centric digital healthcare in India. As healthcare systems increasingly rely on data-driven technologies, a sector-specific law such as DISHA could provide the regulatory clarity needed to protect patient rights while enabling responsible innovation.