While India has yet to put a strong data protection law in place, the government has gone ahead and published a draft of a law meant to ensure the protection of health data. According to this draft, any breach of an individual's digital health data can be punished by up to five years of imprisonment and a Rs 5 lakh fine.

The draft called Digital Health Information in Healthcare Security Act (DISHA) states that health data including physical, physiological, mental health condition, sexual orientation, medical records, medical history and biometric data is information that can only be the property of the person it pertains to. The draft DISHA has invited comments from the public by 21 April.

According to a report in the Indian Express, a ten-member National Electronic Health Authority of India will be the foundation of the National Health Protection Mission which expects to cover over 10.74 lakh crore families against annual medical expenses of up to Rs 5 lakh.

As part of DISHA, there will be a state-level authority, the State Electronic Health Authority, and a national-level authority, the National Electronic Health Authority. These authorities are tasked with protecting the privacy, confidentiality and security of the owner's digital health data. Owners of this digital health information also have the right to give or refuse consent for the generation and collection of their health data.

According to the draft, the digital health data may be generated, collected, stored and transmitted by clinical institutions as well as by health information exchanges.

The draft says that a serious breach of this digital data has occurred if the breach is intentional or repeated, if the security does not conform to the standards in the DISHA Act, or if the data is used for commercial gain.

If any company or individual misuses the data, they are expected to pay compensation to the owner of that digital health data.

"Any person who commits a serious breach of healthcare data shall be punished with imprisonment, which shall extend from three years and up to five years; or fine, which shall not be less than Rs 5 lakh. Provided that, any fine imposed as part of sub-section (2) may be provided to the individual whose data is breached, by the Court, as it deems fit as compensation," says the draft.

As for the legal matters, only complaints made by the central government, state government, National Electronic Health Authority, State Electronic Health Authority or the person affected by the data breach will be accepted.