DISHA — A hope of reform in healthcare privacy in India

Aditya Gaur
5 min read · Jul 11, 2020

You must have heard about HIPAA, but do you know anything about DISHA?

DISHA, the Digital Information Security in Healthcare Act, is a law proposed by the Government of India to provide for the privacy, confidentiality, security, and standardization of electronic health data, broadly along the lines of HIPAA in the United States. Had it been in force, the lists of names and addresses of COVID-19 patients that circulated in our WhatsApp inboxes during this pandemic would have been a punishable breach rather than a free-for-all.

The acronym DISHA also reads as the Hindi word disha, which means ‘direction’. So, can we build hope upon this DISHA that it might literally give a new direction to privacy in India? The answer lies with Parliament, because the law has not been enacted yet. It is still at the proposal stage, like the Personal Data Protection Bill, and both have a long journey ahead from bill to act. With the enactment of this act, the Ministry of Health and Family Welfare proposes to establish a National Electronic Health Authority. We will not go into the legal jargon; let us simply understand what DISHA is.

The official proposal document released for this act states its purpose as follows:

“An Act to provide for establishment of National and State eHealth Authorities and Health Information Exchanges; to standardize and regulate the processes related to collection, storing, transmission and use of digital health data; and to ensure reliability, data privacy, confidentiality and security of digital health data and such other matters related and incidental thereto.”

To understand this text, you should be familiar with some basic privacy-management terminology such as Breach, Consent and Personally Identifiable Information (PII). The definitions of all these terms are given in the preliminary chapter of the official document. While going through the document, I came across two terms worth sharing: Anonymization and De-identification. Both concern deleting or delinking PII from health data, and together they underpin something close to the ‘right to erasure’ that people in the EU enjoy under the GDPR. Before talking about rights, let us get familiar with these terms using the definitions given in the official document.

‘Anonymization’ means the process of permanently deleting all personally identifiable information from an individual’s digital health data.

‘De-identification’ means the process of removing, obscuring, redacting or delinking all personally identifiable information from an individual’s digital health data in a manner that eliminates the risk of unintended disclosure of the identity of the owner and such that, if necessary, the data may be linked to the owner again.
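The practical difference between the two definitions is reversibility: de-identified data can be linked back to its owner by whoever holds the separately stored link table, whereas anonymized data cannot be linked back by anyone. The following Python sketch is an added illustration of that difference; it is not code from the original article, and the draft act prescribes no particular technique. The field names, the sample record, the keyed-pseudonym scheme and the choice of which fields count as PII are all assumptions made for the example.

```python
"""Added example: de-identification (reversible via a separately held link table)
versus anonymization (permanent deletion of PII). Record layout, field names and
the sample record are constructed for this illustration."""
import hashlib
import hmac
import secrets

# Fields treated as personally identifiable in this example (an assumption).
PII_FIELDS = ("name", "phone", "address", "date_of_birth")

# Constructed sample digital health record; the values are made up.
SAMPLE_RECORD = {
    "patient_id": "P-00042",
    "name": "Asha Verma",
    "phone": "+91-98xxxxxxxx",
    "address": "12 MG Road, Pune 411001",
    "date_of_birth": "1984-06-15",
    "diagnosis": "Type 2 diabetes",
    "hba1c": 7.9,
}


def contains_pii(record):
    """True if any direct identifier is still present in the record."""
    return any(field in record for field in PII_FIELDS) or "patient_id" in record


def de_identify(record, key, link_table):
    """Replace PII with a keyed pseudonym and store the way back in link_table.

    The pseudonym is an HMAC of the patient identifier, so records of the same
    patient stay linkable to each other without exposing who the patient is.
    The link_table (and the key) must be held by the data custodian, apart
    from the de-identified data set, otherwise the delinking is meaningless.
    """
    pseudonym = hmac.new(key, record["patient_id"].encode(), hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in PII_FIELDS and k != "patient_id"}
    out["pseudonym"] = pseudonym
    # A full date of birth is a strong quasi-identifier even without a name,
    # so only the year is retained in the de-identified copy.
    out["birth_year"] = record["date_of_birth"][:4]
    link_table[pseudonym] = {k: record[k] for k in ("patient_id",) + PII_FIELDS}
    return out


def re_identify(deid_record, link_table):
    """Relink a de-identified record to its owner; only the link_table holder can."""
    restored = dict(link_table[deid_record["pseudonym"]])
    restored.update({k: v for k, v in deid_record.items() if k not in ("pseudonym", "birth_year")})
    return restored


def anonymize(record):
    """Permanently drop PII and the patient identifier; there is no way back."""
    return {k: v for k, v in record.items() if k not in PII_FIELDS and k != "patient_id"}


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # custodian's secret, never shipped with the data
    link_table = {}                 # custodian's re-identification table
    deid = de_identify(SAMPLE_RECORD, key, link_table)
    print("de-identified:", deid)
    print("relinked     :", re_identify(deid, link_table))
    print("anonymized   :", anonymize(SAMPLE_RECORD))
```

The point to notice is where the secrets live: a de-identified data set is only as safe as the separation between it and the link table, while an anonymized data set has nothing to protect but also nothing to give back to the patient on request. Stripping direct identifiers alone is not enough either; quasi-identifiers such as a full date of birth or a PIN code can still single a person out, which is why the example generalizes the date of birth to a year.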

The law proposes separate supervisory authorities for the management of digital health data at the national and state levels. The central government and the state governments would establish the National Electronic Health Authority (NeHA) and State Electronic Health Authorities (SeHAs) respectively, each composed of a chairperson and such other staff as the law requires.

The act gives the owner of digital health data a number of rights, such as the right to give or refuse consent and the right to privacy, confidentiality and security of their digital health data. In total it lists about 14 rights, covering most situations one would expect.

Like the GDPR, DISHA follows the principles of storage limitation and purpose limitation and contains detailed guidelines on both. The act lays down guidelines for every process involved in managing digital health data: collection, ownership, storage, transmission, and access.

The act divides breaches into two categories, breach and serious breach, each defined by the nature and extent of the violation. Anyone required to comply with the act who fails to do so, or who fails to perform a duty it imposes (for example, failing to provide required information to the supervisory authorities), is liable to a minimum penalty of Rs. One Lakh, which can rise to Rs. One Crore if the failure continues.

Data theft is punishable with imprisonment of not less than three years and up to five years, or a fine of not less than Rs. Five Lakh, or both. In addition, a person committing a breach or serious breach is liable to pay damages as compensation to the owner of the digital health data.

Well, that’s all I can summarise about DISHA. If I go ahead to explain more then I’d end up with the entire act itself. If you want to have a look at the official document, please visit the link given below.

So, I assume you now have a basic idea of the act. To what extent do you think its enactment could change the state of privacy in our nation?

To be honest, this act opens up a wide horizon of possibilities, but only if it gets enacted. We shall see that day soon. With a separate supervisory authority and health information exchanges, it could bring a wave of beneficial changes to our existing healthcare system, and it could be a powerful tool against the nexus in the healthcare industry that trades in health data to serve its business requirements and financial appetite. For now we can only speculate about what might or might not happen, but one thing we can surely do is spread awareness of the need for acts like this.

Thanks for giving it a read; I hope you liked my article. Please leave your thoughts in the comments, or anything else you would like to share.

Stay safe, stay home, and stay secure!

Aditya Gaur

CCSK | AWS & Azure Certified Cloud Practitioner | ISO Certified ISMS & PIMS Auditor