With India’s healthcare sector rapidly embracing digital technologies including electronic medical records (EMRs), nationwide health ID systems, telehealth services and AI-assisted clinical tools concerns around privacy, data security and ethical use of personal health information have come into sharper focus. In response, policymakers have drafted the Digital Information Security in Healthcare Act (DISHA)  a comprehensive legal framework designed to protect sensitive health data while supporting responsible innovation.

DISHA aims to establish clear obligations for how healthcare organisations collect, store, process and share digital health information. Under the proposed model, entities handling personal health data would be subject to strict privacy safeguards, security controls, consent norms and breach-response requirements. The Act would define roles and responsibilities for data fiduciaries, processors and intermediaries, mandating measures such as encryption, access logging and risk assessments to prevent unauthorised access and misuse.

A central tenet of the legislation is patient autonomy and consent. Individuals would retain control over how their health data is accessed and used, with mechanisms to grant, review or revoke consent for specific purposes. The proposed framework emphasises transparency, requiring providers to clearly communicate data usage terms and obtain explicit, informed consent before sharing sensitive information.

At the same time, DISHA recognises the importance of interoperability and secure data exchange in modern healthcare. It proposes standards for safe interoperable systems that allow patients’ records to move across providers for purposes such as referrals, emergency care or longitudinal health tracking while preserving confidentiality and integrity. These standards would support both public initiatives and private digital health platforms.

The draft legislation also anticipates the need for regulatory oversight and enforcement. It calls for a governing authority to oversee compliance, conduct audits, issue guidelines, and adjudicate disputes. Penalties for non-compliance, including fines or corrective action mandates, are envisioned to ensure accountability among stakeholders who manage health data at scale.

Supporters of DISHA argue that a strong legal foundation is essential to uphold trust in digital health systems, protect vulnerable populations, and enable ethical use of predictive analytics, AI and machine learning in care delivery. They follow broader global trends where privacy laws such as GDPR in Europe and HIPAA in the United States set benchmarks for data security in sensitive sectors.

Critics caution that overly rigid rules could hinder innovation if not balanced with practical implementation pathways, especially for startups and small providers. As a result, ongoing consultations seek to refine the bill’s provisions to balance privacy protection with innovation incentives and operational feasibility.

Ultimately, DISHA reflects a strategic effort to ensure that India’s digital health revolution is underpinned by strong privacy safeguards, secure data practices and patient control essential elements for equitable, trustworthy healthcare in the digital era.