Digital Healthcare 2024 Comparisons

Last Updated June 27, 2024

Contributed By ANA Law Group

Law and Practice

Authors



ANA Law Group is a full-service law firm based in Mumbai. Its team of experienced and committed professionals has broad industry knowledge and specialises in a wide spectrum of the law. Founded on traditional values and with prominent cross-border exposure, the firm has significant experience in counselling international clients on data protection and privacy in India, acting for many businesses in complex transactions. ANA Law Group has in-depth knowledge of all sectors of industry, such as banking and insurance, financial institutions, luxury goods, consumer goods and healthcare. The firm assists international companies on global privacy law involving Indian projects, drafting and negotiating contracts with their Indian counterparts, and preparing data protection and privacy policies for those companies’ Indian subsidiaries, compliant with major international privacy laws. Specifically, the firm advises clients on data processing and all aspects of data security, including handling cross-border data flows, security breaches and compliance with all regulatory requirements.

“Digital health” and “digital medicine” have been gaining traction in India over the past few years, and have been heavily promoted since the COVID-19 pandemic; however, from a legal and regulatory standpoint, they remain undefined under existing Indian laws. Digital health, as defined by the World Health Organization, is understood as a broad umbrella term encompassing eHealth, as well as emerging areas, such as the use of advanced sciences in big data, genomics and artificial intelligence. The digital health platforms include the information and communication tools (digital medicine products) used for improving and enhancing healthcare services.

Existing Indian laws do not define the terms “digital health” or “digital medicine”. However, the earlier issued Draft Digital Information Security in Healthcare Act 2018 defined “digital health data” as an electronic record of health-related information about an individual, including information regarding:

  • an individual’s physical and mental health condition;
  • health service provided to an individual;
  • the donation by an individual of any body part or any bodily substance;
  • testing and examination data of an individual’s body part or bodily substance;
  • data collected in the course of providing health service to an individual; or
  • details of the clinical establishment accessed by an individual.

The Ministry of Health and Family Welfare (MoHFW) released the revised Draft Digital Information Security in Healthcare Act 2022 (the “DISHA Bill”), which removed the definition of the expression “digital health data”.

Further, the Telemedicine Practice Guidelines (TPG), issued by the Indian government in March 2020, adopted the World Health Organization’s definition of telemedicine as “The delivery of healthcare services, where distance is a critical factor, by all healthcare professionals using information and communication technologies for the exchange of valid information for diagnosis, treatment and prevention of disease and injuries, research and evaluation, and for the continuing education of healthcare providers, all in the interests of advancing the health of individuals and their communities.”

The following are some of the key emerging technologies in India in the field of digital healthcare.

Telemedicine

There has been significant growth and advancement in the field of telemedicine and teleconsultation in India. This includes the use of information and communications tools for healthcare services with the virtual presence of both the patient and the healthcare provider. The tools are used for carrying out technology-based patient consultation communication via video, audio and text. Under the existing legal framework, the telemedicine practices in India are primarily governed by the TPG and the Information Technology Act 2000 (the “IT Act”).

Wearable Devices

India has witnessed a tremendous increase in the use of wearable devices for health monitoring. Although these digital technologies have existed and have been used for several years, their use for more specific purposes, and also as an alternative to conventional physical health monitoring, has increased since the COVID-19 pandemic. The preliminary screening of one’s health data without having to visit a hospital or a diagnostic centre has bolstered the growth and prominence of digital technologies. Several wearable devices are now available in India, featuring heart-rate trackers, blood oxygen-level trackers and other devices including water consumption, weight, sleep and diet monitors. Wearable devices that are capable of being utilised for diagnosing, preventing, monitoring or treating any disease or disorder are categorised as “drugs” from time to time by the Central Government by notification in the Official Gazette under the Drugs & Cosmetics Act, 1940 (the “D&C Act”).

Online Pharmacies

There has been a significant rise in the number of online pharmacies delivering medicines to patients’ homes in India, more so since the pandemic. While the D&C Act and its allied rules, and the Pharmacy Act, 1948 (the Pharmacy Act) govern the manufacture, sale and distribution of pharmaceutical and cosmetic products in India, there are currently no specific laws that regulate online pharmacies. The MoHFW issued a draft amendment to the Drugs and Cosmetics Rules 1945 (D&C Rules) to regulate e-pharmacies under the D&C Act, which is yet to be enacted.

Artificial Intelligence

AI-based systems have witnessed significant growth in India for the diagnosis of diseases and for treatment purposes.

One of the major emerging issues is that the increasing number of digital and other new technologies in the healthcare industry is giving rise to concerns about data protection and the privacy of patients.

Although most of the data collection, storage and usage by healthcare providers complies with India’s applicable data privacy laws, there are critical issues with the misuse of this data for other commercial purposes and the breaching of privacy obligations. The absence of adequate training and awareness building concerning the aspects of data privacy among the people collecting, processing and handling such data on the digital health platform also aggravates the situation.

Additionally, the absence of a specific law to regulate these aspects is a major concern. Although the MoHFW has issued the DISHA Bill, it has not yet become law. Further, the MoHFW has issued a Health Data Management Policy to promote the National Digital Health Mission, which lays down principles for the protection of an individual’s digital health data privacy.

The MoHFW

The MoHFW is the apex authority in the organisational structure of the healthcare system in India. The MoHFW comprises two departments: (i) the Department of Health and Family Welfare (DoHFW), which is responsible for organising and delivering all national health programmes; and (ii) the Department of Health Research, which is responsible for the promotion of health and clinical research, development of health research and ethics guidelines, grants for research training, etc, in India.

The Ministry of AYUSH

The Ministry of Ayurveda, Yoga and Naturopathy, Unani, Siddha and Homeopathy (AYUSH) develops and promotes research in alternative medicine practices. The central government’s responsibilities include policy making, planning, guiding, assisting, evaluating and co-ordinating the work of the various state-level health authorities, and providing funding to implement national health programmes.

The Central Drugs Standard Control Organisation (CDSCO)

The CDSCO is the National Regulatory Authority of India and is responsible for the approval of drugs, conducting clinical trials, laying down the standards for drugs and control over the quality of imported drugs in India. The Drug Controller General of India (DCGI) is the head of the CDSCO and is responsible for licensing and controlling the functions of the CDSCO.

The National Medical Commission and the National Health Authority

The recently constituted National Medical Commission (NMC) regulates and governs medical practice in India, including the promotion of equitable and universal healthcare, enforcement of ethical standards, and the establishment of a grievance redressal system, among others. Besides this, the MoHFW recently established the National Health Authority (NHA), which acts as the apex body responsible for implementing public health assurance schemes, developing strategy, building healthcare technological infrastructure and implementing the “National Digital Health Mission” in India.

The Ayushman Bharat Digital Mission (ABDM)

MoHFW introduced the National Digital Health Mission (NDHM) on 15 August 2020 to create a digital health ecosystem, and recently renamed it as Ayushman Bharat Digital Mission (ABDM). ABDM aims to develop the backbone necessary to support the integrated digital health infrastructure of the country.

Under ABDM, every citizen gets a unique health account (Ayushman Bharat Health Account), which acts as a digital repository of all health-related data of an individual. The ABHA ID is voluntary and free of cost and enables access and exchange of health records of citizens with their consent. It also enables interaction with participating healthcare providers and allows the participants to receive their digital lab reports, prescriptions and diagnoses from verified healthcare professionals and health service providers. It has been reported that, as of December 2023, over 50 crore ABHA IDs have been created and 33 crore health records digitally linked under ABDM.

The Healthcare Professionals Registry (HPR) under ABDM is a comprehensive repository of all healthcare professionals involved in the delivery of healthcare services across both modern and traditional systems of medicine. Enrolling in the HPR enables them to connect with India’s digital health ecosystem.

The Health Facility Registry (HFR) is a repository of health facilities across different systems of medicine. Participating entities of the ABDM must register as healthcare providers. It includes both public and private health facilities, such as hospitals, clinics, diagnostic laboratories and imaging centres, pharmacies, etc.

The ABHA mobile app will have electronic records of health-related information that conform to nationally recognised interoperability standards and that can be drawn from multiple sources while being managed, shared and controlled by the individual. Such information can be fully controlled by the individual.

Unified Health Interface (UHI)

The UHI is a network of open protocols under the NHA that facilitate interoperability in health services. Through UHI-enabled applications, patients can search for, book and pay for services offered by a variety of participating providers from any application of their choice.

The services under UHI will include teleconsultation to book an online consultation with any doctor; booking physical appointments; discovering the availability of critical care beds; booking home visits for lab sample collections; and booking an ambulance.

The ABDM has recently launched a new initiative that has revolutionised the way patients register for Outpatient Department (OPD) services at hospitals in India. The new initiative enables patients to use their smartphones to scan a QR code and share their verified demographic data with hospitals’ Health Management Information Systems (HMIS) with just one click. This has drastically reduced the waiting time for patients and ensured accurate data entry into the HMIS, doing away with the need for patients to stand in long queues.

The National Pharmaceuticals Pricing Authority

The National Pharmaceuticals Pricing Authority is the authority for controlling and monitoring the prices and availability of medicines.

State-Level Authorities

At the state level, each state has a separate MoHFW, Directorate of Healthcare Services and DoHFW, which are responsible for organising and delivering healthcare services, consisting of participants from both the public and private sectors. The State Drug Standard Control Organisation (SDSCO) is responsible for the regulation of the manufacture, sale and marketing of drugs in each Indian state.

The organisational structure consists of administrative subordinate offices at regional/zonal, district and sub-district levels. The public healthcare system consists of primary (community health centres), secondary (sub-district hospitals), and tertiary (district hospitals and medical colleges) care centres. Primary and secondary care hospitals are in the public sector, whereas tertiary care hospitals are in either the public or private sector. Apart from these, there are several clinics and diagnostic centres set up by individual medical practitioners.

The services provided by the private sector are registered and regulated under national/state councils constituted under the Clinical Establishment (Registration and Regulation) Act 2010, while the public sector comes under the authority of the MoHFW and state health ministries. At the district level, local self-government institutions (Panchayati Raj) are responsible for establishing primary health centres in rural areas.

The following are the key regulatory developments pursuant to the rise of digital healthcare in India and which are expected to have the biggest impact on the governance and growth of digital healthcare.

  • The DISHA Bill 2022 was proposed to regulate the collection, storing, transmission and use of digital health data, and to ensure the reliability, data privacy, confidentiality as well as security of digital health data.
  • The TPG, introduced in March 2020, covers the norms and standards for registered medical practitioners to consult patients via telemedicine. Telemedicine includes all channels of communication with the patient that leverage information technology platforms, including voice, audio, text and digital data exchange.
  • The government also issued the Health Data Management Policy in October 2020 to impose standards for data privacy protection in India.
  • In April 2022, after receiving the public comments, the NHA released a Draft Health Data Retention Policy (HDR Policy) for further consultation. The HDR Policy aims to create a uniform system governing the operation of data fiduciaries, data processors, health information providers/users and data repositories within the National Digital Health Ecosystem.
  • The Digital Personal Data Protection Act 2023 (the DPDP Act) was enacted in August 2023 and aims to govern the handling of personal data in India by establishing a framework of data accountability and governance. The DPDP Act will supersede the provisions of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules) and Section 43A of the IT Act that currently regulate the protection of data.

These regulations will address many ambiguities from the legal, regulatory and compliance perspectives, for service providers as well as consumers. More accountability, governance and grievance-redressal mechanisms, which have comparable speed, ease and efficiency to that of digital healthcare services, are some other primary needs for this sector.

The MoHFW enforces laws relating to healthcare in India. The National Medical Commission enforces the provisions related to medical education and practice under the National Medical Commission Act 2019.

The CDSCO and the SDSCO enforce regulations relating to the manufacture, distribution and sale of drugs and cosmetics under the Drugs and Cosmetics Act 1940 (D&C Act). The central government can confiscate, regulate, restrict or prohibit the manufacture, sale or distribution of some drugs and impose a ban on certain drugs. The court can further impose penalties and imprisonment for offences under the D&C Act.

Currently, there are no digital healthcare-specific non-healthcare regulatory agencies.

The new healthcare technologies, while providing fast and convenient services to consumers, also pose several questions and concerns. In addition to the protection under consumer protection laws, more specific regulatory regimes for data privacy and an expert regulatory body in each state, as well as at the national level for grievance redressal, are some of the immediate requirements.

Preventative and Diagnostic Care Systems

Preventative care includes services such as routine health screenings and check-ups that detect health issues at an early stage. Preventive health check-up tests help to ascertain the measures to be taken to prevent any disease.

The diagnostic care system includes services that diagnose a disease based on already existing symptoms, such as ultrasound, radiology and laboratory tests.

Regulatory Regimes Applicable to Preventative and Diagnostic Healthcare

India does not have a specific law on preventative or diagnostic health check-ups. The existing Indian laws also do not describe the terms “preventive healthcare” or “diagnostic healthcare”.

However, the following regulations contain provisions relating to preventive and diagnostic healthcare in India:

  • The Occupational Safety, Health and Working Conditions Code 2020 mandates every employer to provide an annual health examination or free tests to employees in specific types of work, such as factories, mines, construction work, dock work, cigar manufacturers and any other establishments prescribed by the government. The code also mandates employers to conduct free medical examinations and investigations to detect occupational diseases.
  • The Income Tax Act 1961 allows individuals to claim the benefit of tax deductions on the health insurance premium, including on Preventative Health Check-ups. 
  • The TPG prescribes rules on healthcare services provided for diagnosis, treatment and prevention of disease and injuries using telecommunications and digital communication technologies.
  • In 2015, the Indian government established the Free Diagnosis Service Initiative directing States to:
    1. ensure availability of a minimum set of diagnostics;
    2. reduce high expenditure on diagnostics;
    3. enable initiation and continuation of appropriate treatment based on accurate diagnosis and use of appropriate diagnostics to screen patients; and
    4. improve the quality of healthcare and patients’ experience.
  • The Indian government has also launched a few initiatives to promote preventative healthcare, such as “Ayushman Bharat: Focus on Preventive and Promotive Health”, the “Fit India Movement” and “Eat Right India”. 
    1. The Ayushman Bharat guidelines, launched in 2018, are a framework for health and wellness centres to provide healthcare services. The guidelines require these centres to have the capacity to provide basic diagnostics and screening capacities and are in accordance with the Free Diagnosis Service Initiative.
    2. The Fit India Movement was launched in 2019 to promote fitness. The Fit India mobile app was released under this initiative to track fitness levels, steps, sleep and calorie intake, as well as offering diet plans.
    3. The Eat Right India Initiative was launched in 2019 to ensure the availability of safe and wholesome food for people in India.
  • The Insurance Regulatory and Development Authority of India issued Guidelines on Wellness and Preventative Benefits in September 2020 which apply to all life, general and health insurance companies. These guidelines suggest that insurance companies include wellness provisions in their policies, such as discounts on health check-ups, diagnostics, vouchers for memberships in yoga centres, gyms, sports clubs and fitness centres.

The following factors have resulted in the increased use of preventative healthcare in India.

  • COVID-19 pandemic - the pandemic was a wake-up call for people to get their health under control. The pandemic led to a high death rate across the country due to shortage of hospital beds, oxygen and doctors. This pushed people to take preventative measures at home, such as adopting healthy eating habits to build their immune system and periodically tracking and monitoring their health using wearable and medical devices such as oximeters, blood pressure monitors, blood glucose monitors and nebulisers.
  • Telemedicine and telehealth - the adoption and increase in teleconsultation services in India has led to an increase in preventative healthcare. As people could not physically visit health practitioners during the pandemic, they availed themselves of remote consultations on preventative measures with the help of video/audio calls and text messages. Telehealth proved to be a cost-effective and faster way to use preventative measures. The country also experienced a tremendous increase in telecounselling services for patients suffering from mental health issues. An increase in online/live fitness (yoga or workout) programmes and platforms has also helped people to control their health and fitness from the comfort of their homes.
  • Government initiatives - as stated previously, the Government of India has launched a few initiatives to promote preventive healthcare, such as “Ayushman Bharat: Focus on Preventive and Promotive Health”, the “Fit India Movement” and “Eat Right India” (see 4.1 Preventative Versus Diagnostic Health).
  • Social trends - social media influencers have increased the awareness of preventative measures and have played a great role in encouraging people to adopt healthy lifestyles and regular fitness regimes.

The term “fitness and wellness information” is not separately regulated or defined under Indian law.

However, organisations and companies are given a compliance period until the Data Protection Board is set up, as the DPDP Act still serves as “regulatory guidance” pending notification. It is anticipated that the Central Government will pass a notification to make the DPDP Act effective by the end of 2024. Any information relating to a medical health condition is categorised as sensitive personal data and continues to be regulated by the SPDI Rules.

As explained in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information, the SPDI Rules prescribe mandatory principles for handling and processing sensitive personal data by the body corporate handling such information. There is no separate law in India to regulate health data. The DISHA Bill proposes to regulate privacy and security measures for health-related data. The Health Data Management Policy issued by the MoHFW also lays down principles for health data protection. The DISHA Bill and the Health Data Management Policy are mainly based on the principles of the SPDI Rules.

Further, the right to privacy of all citizens is a part of the fundamental right to life and personal liberty under Articles 19 and 21 of the Constitution of India. The Supreme Court of India has recognised the right to privacy as a fundamental right in the landmark judgment of Justice K S Puttaswamy (Rtd) and Another v Union of India and Others (2017) 10 SCC 1.

Pursuant to the aforementioned judgment, the Ministry of Electronics and Information Technology (MeitY) formed the Justice BN Srikrishna Committee, which introduced the Draft Personal Data Protection Bill 2019 in the lower house of the Indian Parliament (the Lok Sabha) on 11 December 2019. After consulting various stakeholders, including government agencies, regulatory bodies, companies, law firms and academic experts, the Ministry of Electronics and Information Technology introduced a revised Digital Personal Data Protection Bill 2022 (PDP Bill) in November 2022. The gazetted DPDP Act was based on the 2022 Bill, but certain new provisions were also introduced.

Currently, the SPDI Rules provide the security practices and procedures that a body corporate, or any person collecting, receiving, possessing, storing, dealing or handling information on behalf of the body corporate, is required to observe to protect the personal data of users.

Provisions related to Protected Health Information (PHI) are governed by the IT Act, along with the SPDI Rules, until the provisions of the DPDP Act are fully notified. Patient data is treated as sensitive personal data or information. Before the DPDP Act, the Government had introduced the DISHA Bill to provide for healthcare data privacy, security and confidentiality, and for the establishment of the National Electronic Health Authority (NeHA) and Health Information Exchanges.

The DPDP Act has removed the concept of deemed consent and specified that consent should be specific, free, unconditional, unambiguous and informed. Withdrawal of consent should also be permitted. The Consent Manager should be managing the data principles. A notice must be given to the data principal before seeking consent for processing of their personal data. The notice should contain details about the personal data to be collected, the purpose of processing, as well as the manner in which the data principal may withdraw its consent, avail the grievance redressal mechanism, and make a complaint to the Data Protection Board.

When the DPDP Act is made effective by notification, health data can be processed by the data fiduciary as a legitimate use if there is a medical emergency that involves a threat to life or an immediate threat to the health of a data principal or any other person, or if there is a situation like an epidemic, outbreak of a disease or any other threat to public health.

The MoHFW released the draft Public Health (Prevention, Control and Management of Epidemics, Bioterrorism and Disasters) Act in 2017. The MoHFW is in the process of finalising the provisions of the bill and it is expected to be introduced in the Parliament soon. This bill will replace the existing Epidemic Disease Act 1897, which was implemented to control the bubonic plague. There have been no amendments or regulations made under the Epidemic Disease Act since its implementation.

The Bill empowers central, state, district and local authorities to adopt several procedures to control the spread of epidemic-prone diseases. The Bill also empowers the states to conduct medical examinations as well as provide treatment to persons suffering from such diseases.

Further, as explained in 4.1 Preventative Versus Diagnostic Healthcare, the Occupational Safety, Health and Working Conditions Code, Income Tax, Telemedicine Guidelines, Guidelines on Wellness and Preventive Benefits and various government initiatives currently address preventative healthcare in India.

In recent years, several technology companies and start-ups in India have developed solutions to issues in the healthcare industry, such as the following:

  • Qure.ai provides AI products to healthcare professionals to conduct preventative screenings, early detection, emergency care and treatment adherence, etc;
  • Niramai Health Analytix has developed an AI-based sensing device to detect breast cancer;
  • HealthifyMe provides AI-based virtual assistance, which helps users to track calorie intake and answer queries relating to fitness and nutrition;
  • Artelus has developed an AI-based diabetic retinopathy screening system;
  • Tricog has developed products that interpret and analyse ECG reports and echocardiograms; 
  • Aindra Systems is an AI-powered MedTech company that has developed an AI platform “Astra” to provide low-cost point-of-care solutions to identify cervical cancer with minimal human intervention; and
  • Staqu, a start-up, developed an AI-based thermal camera to identify body temperatures above 37 degrees.

The main challenge presented by these companies relates to data protection and patient privacy. Although the SPDI Rules apply to health data, the increase in these new technologies in India requires a robust and comprehensive data protection regime. The exact model of regulation can be assessed once the provisions under the DPDP Act are notified.

The internet of medical things (IoMT) has completely transformed the healthcare sector in India and enabled healthcare practitioners to connect faster with patients, even in remote areas and to deliver better services. Further, the use of internet and mobile devices has increased exponentially in India and connectivity is widely available, even in the majority of rural areas.

Technologies such as AI, telemedicine, augmented and virtual reality, wearable devices (smart watches and fitness bands) have changed the landscape of the healthcare system in India. IoMT is being significantly used in India for tracking health and symptoms, treatment of disease, telemonitoring patients’ health conditions, tracking medicine dosage, etc.

The COVID-19 pandemic has led to an increase in the need for remote patient monitoring and consultation and a reduction in hospital visits. This has been greatly assisted by the IoMT.

There has been an increase in demand for homecare facilities following discharge from the hospital. Many healthcare service providers and hospitals in India now provide an intensive care unit system that can be set up at home. The system includes electronic medical records, audiovisuals, a smart alert system, response tools, 24-7 monitoring and assessment systems.

A healthcare practitioner or a hospital can be held liable for medical negligence in cases of an adverse healthcare outcome. In this regard, there are both civil and criminal liabilities for medical negligence in India.

As regards civil liability, a complaint can be filed in the Consumer Court against the hospital (if the doctor is an employee of a hospital) or a doctor or a healthcare practitioner under the Consumer Protection Act 2019 (CP Act), claiming compensation for damages suffered by the consumer. The CP Act defines the term “deficiency” as “any fault, imperfection, shortcoming or inadequacy in the quality, nature and manner of performance which is required to be maintained by or under any law for the time being in force or has been undertaken to be performed by a person in pursuance of a contract or otherwise in relation to any service and includes any act of negligence or omission or commission by such person which causes loss or injury to the consumer.”

As regards criminal liability, medical negligence is treated as an offence under the Indian Penal Code 1860 (IPC). The IPC prescribes that if a person commits a rash or negligent act due to which human life or personal safety of others is threatened, such act is punishable by a maximum two-year prison term or a maximum fine of INR1,000 (USD15 approximately), or both.

Health practitioners or hospitals have the following defences:

  • anything which occurs because of an accident or misfortune and without criminal intention or knowledge in the doing of a lawful act in a lawful manner by lawful means and with proper care and caution is not an offence;
  • anything done that is likely to cause harm, but without any intention to cause harm and in good faith to avoid other damages to a person;
  • anything done in good faith for the good of other people and does not intend to cause harm even if there is a risk involved and the patient has given implicit or explicit consent.

Additionally, when looking at a digital healthcare perspective, the principles of vicarious liability as well as intermediary liability may also be taken into consideration.

There are various case laws where the Supreme Court of India has granted compensation to patients in cases of medical negligence.

The Supreme Court has also recognised the Bolam Test in Jacob Mathew v State of Punjab (2005) 6 SCC 1 as a standard of ascertaining whether the act of a person would be an act of an ordinary competent person exercising ordinary skill in that profession.

In the recent case of Harish Kumar Khurana v Joginder Singh (2021 SCC SC 673), the Supreme Court observed that every death of a patient cannot, on the face of it, be considered as death due to medical negligence, unless there is material on record to that effect.

In every case where the treatment is not successful or the patient dies during surgery, it cannot be automatically assumed that the medical professional was negligent. The Court further observed that the principle of res ipsa loquitur is only applicable where the negligence is obvious. Mere legal principles and a general standard of assessment were not sufficient in the case in question as there was no clear medical evidence that the patient’s condition could not withstand the surgery.

The IoMT collects and shares a large amount of users’ medical data with health practitioners, which makes it vulnerable to misuse. The patient’s medical information is considered sensitive personal data under the SPDI Rules and is accorded the highest level of protection.

Sensitive Data Under DPDP

The contracts and healthcare institution policies are governed by the following currently applicable laws in India:

  • the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 (IMCR), which impose patient confidentiality obligations on medical practitioners;
  • the Information Technology Act (the IT Act), Section 43A;
  • the principles embedded in the SPDI Rules, such as:
    1. the patient’s consent before the collection, storage, transfer or processing of health data;
    2. the body corporate/healthcare institution must have a privacy policy in place as per the SPDI Rules; and
    3. implementation of reasonable security practices and procedures for protecting the patient’s health data.

The principles of SPDI Rules and privacy policy are explained in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information.

The MoHFW introduced the DISHA Bill to regulate the generation, collection, storage, transmission, access and use of all digital health data. The DISHA Bill also provides for the establishment of a National Digital Health Authority as a statutory body to enforce privacy and security measures for health data and to regulate the storage and exchange of health records. However, the DISHA Bill does not specifically define “internet of medical things” or “internet of things”.

The MoHFW has also approved a Health Data Management Policy based on the PDP Bill to govern data in the National Digital Health Ecosystem. The Health Data Management Policy also does not specifically define internet of medical things or internet of things; however, the policy applies to all methods of contact, including via internet or email.

The provisions of the DISHA Bill and Health Data Management Policy are explained in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information.

Currently, there are no specific regulatory frameworks or guidelines to categorise or classify software as a medical device in India.

However, the MoHFW issued a notification on 11 February 2020 (the “MoHFW Notification”) specifying that medical devices be treated as drugs with effect from 1 April 2020. Therefore, all the regulations and compliances applicable to drugs are also applicable to medical devices. The MoHFW Notification stipulates that a medical device is an instrument, apparatus, appliance, implant, material or other article, including software or an accessory for:

  • diagnosis, prevention, monitoring, treatment or alleviation of any disease or disorder;
  • diagnosis, monitoring, treatment, alleviation or assistance for any injury or disability;
  • investigation, replacement or modification or support of the anatomy or of a physiological process;
  • supporting or sustaining life;
  • disinfection of medical devices; and
  • control of conception.

On 11 May 2023, the CDSCO released a notification setting up a Clinical Research Organisation (CRO) which will be conducting clinical trials and monitoring the bioavailability and bioequivalence of new drugs; however, they should follow the rules issued by the Central Licensing Authority.

Further, in September 2021, CDSCO released the official guidelines on the classification of the various software as medical devices (SaMD) into four categories based on the intended use and risk factor, as:

  • class A/low risk category consisting of software that does not directly interfere with the patient clinical data;
  • class B/low-moderate risk category consisting of software whose usage is limited to real-time collection and processing of patient data, without any conclusive clinical diagnosis;
  • class C/moderate risk category consisting of software that aids in the diagnosis and analysis of the patient data; and
  • class D/high risk category. The CDSCO has not as yet identified any type of SaMDs in this category.

The DCGI is responsible for the administration and approval of manufacturing, importing or marketing of medicinal products and medical devices in India. As a medical device now includes software, the DCGI is also responsible for software as a medical device. The D&C Act and the D&C Rules, and the Medical Devices Rules 2017 (MDR) govern approvals and define whether a product is categorised as a drug or any other category.

The CDSCO’s recently released Frequently Asked Questions (FAQ) document concerning medical devices provides some guidance regarding general concerns and challenges in the healthcare industry. For example, the FAQ clarifies that all software qualifying as a “drug” under the D&C Act needs a licence under the Medical Device Rules 2017 (MD Rules) and is not exempt from the prescribed labelling requirements. In case of any change (including updates) in the version of the software, the manufacturer shall comply with additional requirements prescribed under the MD Rules.

The legal framework for the regulation of software medical devices is currently at an early development stage in India and the regulatory regime for software medical devices will have to address the medical software industry’s needs as well as the potential challenges.

Therefore, it is difficult to ascertain which computer software/mobile application qualifies to be a medical device. This is a challenge common to application service providers, developers and stakeholders in India.

Similarly, there is no clarity on whether the Prices Control Order, which applies to drugs, will also apply to medical software applications and whether they will be able to control the price of their digital health-related software products.

Also, there is currently no specific legal framework in India for software based on AI and machine learning.

It is the common consensus of stakeholders in India that the government should adopt effective regulatory frameworks based on risk of use, and AI/machine learning, similar to the International Medical Device Regulation Forum’s medical software device framework and the US FDA’s Artificial Intelligence and Machine Learning Software as a Medical Device Action Plan.

India uses the New England Journal of Medicine (NEJM) Catalyst definition of “telehealth”, namely the delivery and facilitation of health and health-related services including medical care, provider and patient education, health information services, and self-care via telecommunications and digital communication technologies. Telehealth is a broad term used for technology for health and health-related services, including telemedicine.

Telehealth is a solution for providing timely and faster access to medical treatment. It also reduces the costs and efforts associated with travel to receive medical treatment, especially for people in rural India. Telecommunication technologies can also maintain patients’ medical records and can help patients manage their medication and diseases better. Telehealth has proven to be very beneficial in India, especially during the COVID-19 pandemic.

There have been various efforts made to promote telehealth in India. The India Virtual Hospital, a medical technology service in India, launched the Patient Care App, which enables doctors to track a patient’s health and recovery. Another health-tech company has recently launched an online platform, iCliniq, where users can get medical advice from doctors/medical practitioners, physicians and therapists from the USA, the UK, UAE, India, Singapore, Germany, and other countries, using emails, online chats and video and audio calls. Another Indian company set up a virtual hospital for cancer patients in 2019 for online consultation, treatment planning and cancer treatment management.

To practice medicine in India, one must be a licensed/registered medical practitioner (RMP) and must provide valid medical prescriptions that comply with the D&C Rules. While these are the basic standards to be upheld in in-person medical treatments, India currently does not have specific legislation that regulates telehealth or the use of online platforms in respect of telehealth.

One of the first steps taken by the Indian government relating to telemedicine was the publication of the “Recommended Guidelines and Standards of Telemedicine Practice in India” in 2003. However, the non-binding nature of the guidelines made them insufficient for navigating the various challenges faced.

However, as a result of the COVID-19 pandemic and the immediate necessity for safe and remote medical consultations, the Indian government issued the TPG in 2020, with an intention to enhance healthcare services and enable access to all. The guidelines are meant for RMPs, and prescribe the norms and standards for consulting patients, including all channels of communication with the patient that leverage IT platforms, including voice, audio, text and digital data exchange. Other aspects of telehealth, such as research and evaluation and the continuing education of healthcare workers and consultations outside the jurisdiction of India, are also included in the guidelines. Further, the TPG mandates a registered medical practitioner to obtain consent from the patient before a telemedicine consultation. If the patient voluntarily initiates the telemedicine consultation, consent is implied.

However, the TPG excludes specifications for hardware or software, infrastructure building and maintenance, data management systems, standards and interoperability or the use of digital technology to conduct surgical or invasive procedures remotely.

The principles regarding medical ethics, data privacy and confidentiality apply to registered medical practitioners.

The TPG prescribes that telemedicine consultations must be treated the same way as in-person consultations, from a fee perspective. The registered medical practitioner must also provide a receipt/invoice for the fee charged for the telemedicine consultation.

The internet of medical things (IoMT) includes digital medical devices and software applications used to provide effective and efficient services to patients and to reduce the cost of healthcare. Recent technologies, such as sensors, wearable devices, health apps, telemedicine, AI, oxygen and heart monitors, are widely used in India. The IoMT technologies make it easier for doctors and medical practitioners to track the progress of treatment and recovery in real time.

In the wake of the COVID-19 pandemic, the medical establishment began urging people to adopt the IoMT for teleconsultations, remote monitoring and treatment, thereby eliminating hospital visits. The Indian government has encouraged hospitals to adopt electronic health records containing patients’ health history and records.     

An increase in IoMT technologies also brings an increase in data privacy risks and related issues because of the lack of adequate and specific regulations, a lack of awareness among the users and the service providers’ lack of compliance in the absence of a comprehensive legal framework in the country.

Technological issues, such as the compatibility of hardware and software with cloud services, are also factors to be taken into consideration.

5G networks were launched in India in 2022. The higher speed and connectivity and low latency in the 5G network have boosted advanced telehealth solutions and improved the healthcare system in India. 5G networks ensure more effectiveness and efficiency in teleconsultations and remote monitoring of patients as well as the handling of patients’ health data.

5G networks are also helpful in the country’s rural areas, which lack adequate telecommunication infrastructure, through the following:

  • faster transmission of large health data files;
  • high-quality video/audio telecommunications between doctors and patients;
  • improved use of augmented and virtual reality; and
  • enhanced use of AI in healthcare devices.

Information relating to a person’s health is categorised as sensitive personal information under the SPDI Rules. The SPDI Rules lay down mandatory principles of data privacy to be followed by the body corporates that handle and process sensitive personal information.

The primary requirement for body corporates under the SPDI Rules is to obtain written consent from the information provider before collecting and processing the sensitive personal data. Prior consent is also required for sharing sensitive personal data with third parties.

The information provider must be informed of the fact that sensitive personal data is being collected, the intended purpose of its use and whether it will be transferred to any third parties, along with the contact details of the agency collecting the information. It is also mandatory under the SPDI Rules for the body corporates to have a privacy policy containing the type of sensitive personal information collected, the purpose of collection, disclosure of that information, and the reasonable security practices and procedures to be implemented by the body corporates. India does not yet have a comprehensive data protection law. However, the government has issued the PDP Bill, which is intended to become a comprehensive data protection law in the country.

There is no separate legislation in India regulating data privacy issues for digital health. However, the proposed DISHA Bill aims to address the data privacy issues relating to digital health and is primarily based on the principles laid down under the PDP Bill. The MoHFW has also issued the Health Data Management Policy, which outlines the principles for the protection of an individual’s personal digital health data privacy.

The DISHA Bill proposes that a clinical establishment may, by duly obtaining written consent (on paper or electronically) from the owner, lawfully collect the required health data after informing the owner of the data of the following:

  • the rights of the owner, including the right to refuse to give consent to the generation and collection of their data;
  • the purpose of the collection of their health data;
  • identity of the recipients to whom the health data may be transmitted or disclosed, after being converted into a digital format; and
  • the identity of the recipients who may have access to that digital health data, on a need-to-know basis.

Further, the clinical establishment or any other entity must furnish a copy of the consent form to the owner of the data.

The current regulations do not specifically regulate the sharing of personal health data by a wearable healthcare device.

The SPDI Rules do not prescribe de-identification or anonymisation of data. However, the DISHA Bill and Health Data Management Policy define “anonymisation” as the process of permanently deleting all personally identifiable information from an individual’s digital health data. “De-identification” is defined as the process of removing, obscuring, redacting or de-linking all personally identifiable information from an individual’s digital health data in a manner that eliminates the risk of unintended disclosure of the identity of the owner and that, if necessary, makes it possible for the data to be linked to the owner again.

The DISHA Bill proposes that de-identified or anonymised data must be used only for the following purposes:

  • improving public health activities and facilitating the early identification and rapid response to public health threats and emergencies, including bio-terror events and infectious disease outbreaks;
  • facilitating health and clinical research and healthcare quality;
  • promoting the early detection, prevention, and management of chronic diseases;
  • carrying out public-health research, review and analysis, and policy formulation; and
  • undertaking academic research and other related purposes.

The Health Data Management Policy prescribes that data fiduciaries may make anonymised or de-identified data in an aggregated form available for the following purposes:

  • facilitating health and clinical research, academic research;
  • archiving;
  • statistical analysis;
  • policy formulation;
  • the development and promotion of diagnostic solutions; and
  • any other purposes that may be specified by the National Digital Health Mission (NDHM).

The NDHM must set out a procedure through which any entity seeking access to anonymised or de-identified data will be required to provide relevant information, such as its name, purpose of use and nodal person of contact. Subject to approval being granted under this procedure, the anonymised or de-identified data must be made available to that entity on whatever terms may be stipulated on its behalf.

Any entity provided access to de-identified or anonymised data must not, knowingly or unknowingly, take any action that has the effect of re-identifying any data principal or the effect of any such data no longer remaining anonymised.

The data fiduciary that is undertaking to anonymise or de-identify data must be responsible for ensuring compliance with the procedure for the anonymisation or de-identification as set out by the NDHM. The de-identification or anonymisation of data by a data fiduciary must be done in accordance with technical processes and anonymisation protocols that may be specified by the NDHM. The technical processes and anonymisation protocols must be periodically reviewed by the NDHM.

The Information Technology Act 2000 prescribes that a body corporate, possessing sensitive personal data that is negligent in implementing and maintaining reasonable security practices and procedures, will be liable to pay damages by way of compensation. It also prescribes that if a body corporate has obtained sensitive personal data without the consent of the information provider, and discloses the information to any other person, this is punishable by a maximum two-year prison term or a maximum fine of INR100,000 (approximately USD1,400), or both.

New technologies are emerging in the digital health sector in India, including AI and machine learning. Currently, India does not have any legislation to regulate technologies such as AI/machine learning. However, the TPG prescribes that telemedicine platforms based on AI/machine learning are not permitted to counsel patients or prescribe any medicines to a patient. Technologies such as AI, the Internet of Things and advanced data science-based decision support systems may be used only to assist and support the clinical decisions of a registered medical practitioner. In all cases, the final prescription or counselling must be delivered directly by a registered medical practitioner.

With the growth of AI technologies in India, the Indian government authorised the public policy think tank, the National Institution for Transforming India Commission (NITI Aayog) to address strategy on AI-based technologies/machine learning in the agriculture and health sectors. In June 2018, the NITI Aayog issued a discussion paper on national strategy for artificial intelligence for healthcare, agriculture, education, smart cities and infrastructure and smart mobility and transportation. The discussion paper recognised AI, combined with robotics and IoMT, as the new nervous system for healthcare in India, presenting solutions to address healthcare problems. Currently, the NITI Aayog has worked with a large Indian hospital, the Tata Memorial Centre, to launch a digital pathology and imaging bio-bank for cancer detection. The Tata Memorial Hospital is teaching AI to help detect cancer at its early stages.

MEITY has constituted four committees for promoting AI initiatives and developing a policy framework. The committees have submitted their first reports on platforms and data on AI; leveraging AI for identifying national missions in key sectors; mapping technological capabilities; key policy enablers required across sectors; and on cybersecurity, safety, legal and ethical issues.

AI/machine-learning technologies use and share the medical conditions of patients with doctors/medical institutions, which is considered sensitive personal data under the SPDI Rules. The SPDI Rules prescribe mandatory compliance with the principles of data protection by corporate bodies that handle, store and process sensitive personal data.

Electronic health records (EHR) can ensure the easy accessibility of a patient’s records from anywhere at any time, easy storage, and can help in tracking the patient’s progress. The DISHA Bill and Health Data Management Policy also promote EHRs. The Indian government issued recommendations in 2016 on different standards for different purposes in respect of EHRs. For example, ISO/TS 22220:2011 Health Informatics – Identification of Subjects of Health Care, must be complied with to obtain basic identity details of patients; ISO/TS 14441:2013 Health Informatics – Security & Privacy Requirements of EHR Systems for Use in Conformity Assessment must be complied with to maintain basic data security and privacy requirements, and ISO TS 14265:2011 is for the processing of personal health information.

The 2016 EHR standards recommendations stipulate that only those persons, including organisations, duly authorised by the patient, may view the recorded data or part thereof. The term “security” refers to all recorded personally identifiable data, which will at all times be protected from any unauthorised access, particularly during transport (eg, from healthcare provider to provider, healthcare provider to patient). The term “trust” refers to that person, persons or organisations (doctors, hospitals and patients). The 2016 EHR standards recommendations are based on the principles of data protection laid down under the SPDI Rules.

The Ayush Grid Project

The Ayush Grid Project was developed by the Ministry of Ayush along with the MeitY in 2018, to create a comprehensive information technology backbone for the health sector, which envisages digitisation of service delivery across health services, education, research, drug administration and medicinal plants.

Companies developing healthcare technologies in India are operating without specific legislation on digital healthcare and, as a result, many general laws apply to such companies, such as the SPDI Rules, CPA, IPC, etc. The healthcare providers must have a privacy policy under the SPDI Rules for the collection, storage, processing and transfer of health data (ie, sensitive personal data). The SPDI Rules prescribe additional compliances for such digital healthcare providers, especially if they qualify as an intermediary under the Information Technology Act 2000 (IT Act).

Digital healthcare companies collect huge amounts of sensitive personal data from users; therefore, they must adopt reasonable security practices and policies to adhere to the SPDI Rules.

In the absence of specific legal provisions governing digital healthcare using virtual assistance and AI, companies using such technologies must comply with the SPDI Rules as well as the TPG.

Further, digital healthcare service providers are required to ensure that a user’s medical prescription is not automatically generated, but each prescription must be thoroughly verified and expressly endorsed by a registered medical practitioner. However, in the absence of specific legal guidance, the service providers will have to comply with requirements under multiple legislations and regulations.

The D&C Rules mandate that every prescription must be in writing and signed by the registered medical practitioner. However, online service providers are finding it difficult to generate such prescriptions with the practitioner’s signature and companies are now looking to generate prescriptions using the practitioner’s digital signature to be considered valid under the IT Act provisions. The Delivery Notification issued by the MoHFW also allows medicines to be delivered based on receipt of a prescription physically or by email.

Similarly, there is no specific law to regulate e-pharmacies in India. Currently, e-pharmacies are required to comply with the licence requirements and online prescription requirements under the D&C Act as well as the IT Act. Additionally, e-pharmacies are also required to comply with the Delivery Notification.

India is developing and adopting various technologies in the fields of telehealth, AI/machine learning, and the IoT to adopt the digital healthcare system. The IT infrastructure must be able to manage and secure the large amount of health data collected by the devices. Besides this, India requires a comprehensive data privacy and protection law to address the privacy and security risks related to digital health data.

Currently, there are no proposed or enacted regulations in India on the implementation of IT upgrades.

The digital healthcare system thrives on novel ideas, inventions and advancements in software applications and smart devices. Indian intellectual property laws allow for the protection of patents, copyrights, trade marks and designs. From the digital health standpoint, the key areas of development are in the area of software.

Patents Act 1970 (Patents Act)

In India, patents are examined, granted and administered under the Patents Act, which complies with the Trade-Related Aspects of Intellectual Property Rights agreement. India is also a signatory to the Paris Convention, in addition to the Patent Co-operation Treaty. A digital health mechanism is essentially a software/computer program. Although the Patents Act excludes protection for standalone computer programs (Section 3(k) of the Patents Act), a piece of software claimed in conjunction with a novel hardware element will be patentable in India (Guidelines for Examination of Computer-Related Inventions 2017). Further, the Delhi High Court recently held that a computer program that demonstrates a technical effect or a technical contribution will be patentable in India. Software patents are subject to other restrictions under the Patents Act, including Section 3(i) of the Patents Act, which excludes patent protection for any process for medicinal, surgical, curative or other treatment of human beings or animals.

The Patent Office has granted several patents for software programs that involve hardware elements. Therefore, digital health mechanisms, including computer software/programs embedded in mobile software applications, wearable devices, etc, may be protected in India, as long as they include a novel hardware element.

Copyright Act 1957 (CRA)

The CRA provides for copyright protection in India. The CRA provides that a copyright subsists in the form of original literary, dramatic, musical or artistic work, cinematographic films and sound recordings. Although copyright registration is not mandatory for protection in India, a copyright registration will serve as evidence of the copyright in the work. The CRA covers computer programs under the purview of literary work; therefore, the literary portions of a computer program, including the source code, are protected under the CRA.

Trade Marks Act 1999 (TM Act)

The TM Act provides for trade mark protection in India. The TM Act not only accords statutory protection for registered trade marks, but also recognises common law protection for unregistered trade marks in India. Trade mark protection in India extends to any device, brand, label, word, shape of goods, packaging or combination of colours or any combinations thereof. Under Indian law, digital healthcare providers can claim trade mark protection for their brand names, logos, labels, names of devices/software applications, shape of medical goods or wearable devices, packaging, etc.

Designs Act 2000 (Designs Act)

The Designs Act provides for the protection of industrial designs in India, and it extends to features of shapes, configurations, patterns, ornaments or composition of lines, or colours that are applied to an article. From the digital health standpoint, the key areas where design protection can be availed are the graphical user interface of software applications, mobile applications, or similar computer programs used on medical devices, the screen layout of a program, etc, so long as they do not fall within the exceptions under the Designs Act.

Trade Secrets

Currently, there is no legislation or statutory protection for trade secrets in India. However, different courts in India have extended protection for trade secrets and confidential information, provided that the information’s confidentiality is reflected in contractual documents, such as Confidentiality Agreements, Non-Disclosure Agreements and reasonable and legally enforceable non-compete clauses in the agreements.

There is no specific legislation or statutory protection for databases in India, nor in respect of data and databases used in machine learning. However, the CRA provides protection to a computer database under the purview of literary work. The CRA also provides protection for databases by granting rights associated with the labour involved in compiling and presenting data in a particular form.

Patent Protection

The grant of a patent enables the patent owner to prevent others from infringing the invention (ie, manufacturing or selling the invention without the owner’s consent). The protection enables the owner to enjoy a monopoly over the invention and to license the patent to a third party and gain profits. The patent grant also allows owners to publicly disclose their inventions, potentially attracting investors, stakeholders and consumers.

One of the key challenges faced by patent applicants in India is the lack of straightforward, broad protection for software patents. A digital health mechanism is essentially software in the form of a computer program or a mobile software application. The Patents Act excludes protection for standalone computer programs (Section 3(k) of the Patents Act) unless the protection for such a program is claimed in conjunction with a novel hardware element. Further, software patents are also subject to other restrictions under the Patents Act, including Section 3(i) of the Patents Act, which excludes patent protection for any process for medicinal, surgical, curative or other treatment of human beings or animals.

Additionally, while the term of a trade mark can be extended indefinitely by renewing the registration every ten years, patent protection in India is only valid for 20 years.

Also, patent protection can be expensive for companies as the official fees for filing and periodic maintenance of the patents can run into several thousands of dollars, especially if the applicants choose to protect their inventions in other jurisdictions. Further, initiating a patent infringement suit and defending a patent in Indian courts may also involve significant costs. However, the 2016 amendment to the Patents Rules 2003 offers heavily discounted fees for start-up companies and small enterprises.

Finally, there is a backlog in many departments of the Patent Office’s examination section. However, patent applicants can engage qualified local attorneys who can help expedite the patent prosecution by taking measures, such as carrying out proper freedom to operate searches and understanding the filing requirements beforehand, thereby avoiding objections and consequent delays at the examination stage. An attorney’s personal rapport with the Patent Office officials may also help in understanding the nature of objections and resolving them promptly.

The timeframes of patent prosecution are gradually shortening as a result of the modernisation of patent offices and an increase in the number of examiners.

Copyright Protection

Copyright protection prevents losses arising from piracy. Although copyright registration is not mandatory in India, copyright registration makes it easier to prove copyright ownership in courts.

Trade Mark Protection

One of the key advantages of trade mark protection in India is that the proprietors can continue to extend the life of trade marks indefinitely by renewing the protection every ten years. Moreover, the recent amendments to the Trade Marks Rules 2003 have introduced discounted official fees applicable to start-up companies and small enterprises.

The Indian Courts fully recognise the rights of patent owners and grant protection in infringement matters. In the case of Indoco Remedies Ltd v Bristol Myers Squibb Holdings, 2020 (83) PTC 551 (Del), the Delhi High Court prohibited Indoco from selling the drug “APIXABID”, as Bristol is a patent owner of the drug “APIXABAN”, which is used for treating COVID-19 and was easily available to consumers.

In the case of Microsoft Corporation and Another v Kanhaiya Singh and Another, 5 W.P.(CRL) 558/2016, the Delhi High Court directed the defendant to pay compensation for damages and prohibited them from software piracy and passing off Microsoft’s software. There is also much leading case law in India on various issues of trade mark infringement and passing off, allowing the owners to claim proprietary rights over their trade marks in exclusion of others.

There are multiple types of licensing arrangements used in India, which apply to digital healthcare, such as software, patent, copyright and technology licensing.

Broadly, there are three types of intellectual property licensing arrangements used in India:

  • exclusive licensing, whereby only the licensee is authorised to use the intellectual property;
  • non-exclusive licensing, allowing one party to license the intellectual property to more than one licensee; and
  • sole licensing, whereby only the licensor and licensee may use the intellectual property.

The ownership of IP in India varies under different IP laws. With regard to copyright, the employer (university or healthcare institution) will be the first owner of the copyright, not the physician or the inventor. However, this will not apply to copyright works developed by an independent contractor. Regarding patents, the inventor will be the first owner, irrespective of whether they are an employee or a contractor.

In India, institutions, universities, or employers enter into development agreements with their employees. Standard development agreements normally provide that all the IP developed by the employees/inventors/researchers under the agreement will be assigned to and owned by the employers.

The TPG prescribes that the platforms based on AI/machine learning are not permitted to counsel or prescribe any medicines to a patient. However, technologies such as AI, the IoT and advanced data science-based decision support systems may be used only to assist and support the clinical decisions of a registered medical practitioner. In all cases, the final prescription or counselling has to be delivered directly by the registered medical practitioner. Therefore, the liability falls on the doctors or other medical service providers. Consumers can claim compensation from doctors/hospitals under the CP Act. Criminal liability can be imposed on the doctors, on grounds such as:

  • causing death by negligence;
  • endangering the life or personal safety of others;
  • causing hurt by an act endangering the life or personal safety of others; and
  • causing grievous hurt by an act endangering the life or personal safety of others.

Third parties supplying products and services to healthcare institutions can be subject to civil and criminal liabilities, penalties and actions under the CP Act. They can also be held liable for penalties prescribed under the IT Act for data breaches.

ANA Law Group

7th Floor Keshava
Bandra Kurla Complex
Bandra East
Mumbai
400 051
India

+91 22 6112 8484

+91 22 6112 8485

anoop@anaassociates.com www.anaassociates.com