KIIT SCHOOL OF LAW

Informational Digital Health Privacy Protection

Interpretation of Statutes

(LW 4013)
Submitted to:
Prof. Sundar H Athreya
Assistant Professor
KIIT School of Law
Kalinga Institute of Industrial Technology

Submitted by:
Bhabani Sankar Mallick
2083163
BA LLB (B)
Session: 2020-25

Informational Digital Health Privacy Protection Act, 2022
ACT NO. _ OF 2022

[24th September, 2022.]

SECTIONS

1. Short title, extent, commencement and application of the Act
2. Definitions
3. Consent for Data Processing and security safeguard

An Act for the protection of the privacy and security of digital health information,
acknowledging the need for confidentiality of health-related data and
ensuring accountability in the handling of such information.

Be it enacted by Parliament in the Seventy-third Year of the Republic of India as
follows: —

CHAPTER I

PRELIMINARY

Short Title:

The Digital Health Information Privacy Protection Act, 2022 (DHIPA)

Long Title:

An Act to Regulate the Collection, Use, Disclosure, and Protection of Personal
Health Information in Digital Health Systems

1. Title and Commencement

(1) This Act may be cited as the "Digital Health Information Privacy Protection
Act, 2022."
(2) It shall come into force on a date to be notified by the appropriate authority.

(3) This Act is to protect the informational privacy of individuals in digital health
by regulating the collection, use, disclosure, and protection of personal health
information.

(4) This Act shall apply to all entities that collect, use, or disclose personal health
information in digital health systems, whether public or private.

2. Definitions

In this Act, unless the context otherwise requires:

(a) "Digital Health System" refers to any electronic system, network, or platform
used for the collection, storage, processing, or transmission of personal health
information.

(b) "Personal Health Information" includes any data related to an individual's
health, medical history, treatment, or diagnosis.

(c) "Data Controller" means an entity responsible for determining the purposes and
means of processing personal health information.

(d) "Data Processor" refers to an entity that processes personal health information
on behalf of the data controller.

(e) "Consent" means the informed and voluntary agreement of an individual to the
collection, use, or disclosure of their personal health information.

(f) "Health IT Entity" encompasses organizations or systems responsible for the
storage, management, or transmission of digital health information, including
electronic health record (EHR) systems, health information exchanges (HIEs), and
telemedicine platforms.

(g) "[Appropriate Regulatory Body]" specifies the governmental or regulatory
authority responsible for overseeing and enforcing the provisions of this Act, as
determined by the relevant jurisdiction.

CHAPTER II

3. Consent for Data Processing and security safeguard

(1) Personal health information shall not be collected, used, or disclosed without
the explicit consent of the individual, except as otherwise provided in this Act.

(2) Consent shall be obtained in a clear and comprehensible manner, and
individuals shall be informed about the purposes of data processing.

Illustration:
If a healthcare provider wishes to share a patient's medical records with a specialist, they must
obtain the patient's explicit consent for the disclosure.

Security Safeguards

Personal health information should be secured by data controllers and processors
against unauthorized access, disclosure, alteration and destruction, using
appropriate technical and organizational measures.

Illustration:

For a hospital, it will be paramount to ensure that data is stored in an encrypted form and to
update security systems to protect the data against hacking attacks.