Digital Healthcare 2022

Last Updated June 30, 2022

India

Law and Practice

Authors



ANA Law Group is a full-service law firm based in Mumbai. Its team of experienced and committed professionals has broad industry knowledge and specialises in a wide spectrum of the law. Founded on traditional values and with prominent cross-border exposure, the firm has significant experience in counselling international clients on data protection and privacy in India, acting for many businesses in complex transactions. ANA Law Group has in-depth knowledge of all sectors of industry, such as banking and insurance, financial institutions, luxury goods, consumer goods and healthcare. The firm assists international companies on global privacy law involving Indian projects, drafting and negotiating contracts with their Indian counterparts, preparing data protection and privacy policies for those companies' Indian subsidiaries, compliant with major international privacy laws. Specifically, the firm advises clients on data processing and all aspects of data security, including handling cross-border data flows, security breaches and compliance with all regulatory requirements.

Although the concepts of “digital health” and “digital medicine” have been operational in India for some time and their growth has been increasing in the past couple of years due to the COVID-19 pandemic, from a legal and regulatory perspective, these concepts are not defined under the existing Indian laws. Digital health is understood as defined by the World Health Organization as a broad umbrella term encompassing eHealth, as well as emerging areas, such as the use of advanced sciences in big data, genomics and artificial intelligence. The digital health platforms include the information and communication tools (digital medicine products) used for improving and enhancing healthcare services.

Existing Indian laws do not define the terms “digital health” or “digital medicine”. However, the proposed law in this regard, which is the Digital Information Security in Healthcare Act 2018 (the DISHA Bill) defines “digital health data” as an electronic record of health-related information about an individual, including information regarding:

  • an individual’s physical and mental health condition;
  • health service provided to an individual;
  • the donation by an individual of any body part or any bodily substance;
  • testing and examination data of an individual’s body part or bodily substance;
  • data collected in the course of providing health service to an individual; or
  • details of the clinical establishment accessed by an individual.

Further, the Telemedicine Practice Guidelines (TPG), issued by the Government of India in March 2020, has adopted the World Health Organization’s definition of telemedicine as “The delivery of healthcare services, where distance is a critical factor, by all healthcare professionals using information and communication technologies for the exchange of valid information for diagnosis, treatment and prevention of disease and injuries, research and evaluation, and for the continuing education of healthcare providers, all in the interests of advancing the health of individuals and their communities.”

The following are some of the key emerging technologies in India in the field of digital healthcare.

Telemedicine

There has been significant growth and advancement in the field of telemedicine in India. This includes the use of information and communications tools for healthcare services with the virtual presence of both the patient and the healthcare provider. The tools are used for carrying out technology-based patient consultation communication via video, audio and text. The Ministry of Health and Family Welfare of India (MoHFW) issued the TPG in March 2020.

Wearable Devices

India has witnessed a tremendous increase in the use of wearable devices for health monitoring. Although these digital technologies have existed and have been used for several years, their use for more specific purposes, and also as an alternative to the conventional physical health monitoring, has increased because of the COVID-19 pandemic. The preliminary screening of one's health data without having to visit a hospital or a diagnostic centre has been a major support and growth for digital technologies. Several wearable devices are now available in India, featuring heart-rate trackers, blood oxygen-level trackers, and other devices including water consumption, weight, sleep, and diet monitors.

Online Pharmacies

There has been a significant rise in the number of online pharmacies delivering medicines to patients' homes in India, more so during the pandemic.

Artificial Intelligence

AI-based systems have witnessed significant growth in India for the diagnosis of disease and also for treatment purposes.

One of the major emerging issues is that the increasing number of digital and other new technologies in the health care industry is giving rise to concerns on data protection and the privacy of patients.

Although most of the data collection, storage and usage by healthcare providers will comply with India's applicable data privacy laws, there are critical issues on the misuse of this data for other commercial purposes and also the breach of privacy obligations. The absence of adequate training and awareness-building with regard to aspects of data privacy among the people collecting, processing and handling such data on the digital health platform also aggravates the situation.

Additionally, the absence of a specific law to regulate these aspects is a major concern. Although the MoHFW has issued the DISHA Bill, it has not as yet become the law. The DISHA Bill proposes to establish national and state health authorities to enforce privacy and security measures for health-related data. Further, the MoHFW has issued a Health Data Management Policy to promote National Digital Health Mission, which lays down principles for the protection of an individual’s digital health data privacy.

COVID-19 has led to a significant rise in the adoption and use of digital healthcare technologies in India, especially in the area of telemedicine. As non-COVID-19 patients were forced to stay at home during the nationwide or state-specific lockdowns, healthcare practitioners provided remote consultations with the help of video/audio calls and text messages.

Technology-based consultations and remote monitoring and treatments were also extended to COVID-19 patients with mild symptoms and where hospitalisation was not required. As one of the measures to support telemedicine, the MoHFW issued the TPG in March 2020 as a temporary measure and allowed home delivery of medicines. The Government of India also developed a mobile application, Aarogya Setu, to trace COVID-19 hotspots in India and the number of people affected with COVID-19 in a particular user’s geographical area. The government has also recently introduced another digital application, the CO-WIN portal, to carry out the COVID-19 vaccination drive in India.

The MoHFW

The MoHFW is the apex authority in the organisational structure of the healthcare system in India. The MoHFW is comprised of two departments, (i) the Department of Health and Family Welfare (DoHFW), which is responsible for organising and delivering all national health programmes; and (ii) the Department of Health Research, which is responsible for the promotion of health and clinical research, development of health research and ethics guidelines, grants for research training, etc, in India.

The AYUSH

The Ministry of Ayurveda, Yoga and Naturopathy, Unani, Siddha and Homeopathy (AYUSH) develops and promotes research in alternative medicine practices. The central government’s responsibilities include policy making, planning, guiding, assisting, evaluating and co-ordinating the work of the various state-level health authorities, and providing funding to implement national health programmes.

The Central Drugs Standard Control Organisation (CDSCO)

The CDSCO is the National Regulatory Authority of India and is responsible for the approval of drugs, conducting clinical trials, laying down the standards for drugs and control over the quality of imported drugs in India. The Drug Controller General of India (DCGI) is the head of the CDSCO and is responsible for licensing and controlling the functions of the CDSCO. The National Medical Commission and the National Health Authority.

The recently constituted National Medical Commission (NMC) regulates and governs medical practice in India. Besides these, the MoHFW has recently established the National Health Authority (NHA), which is the apex body responsible for implementing public health assurance schemes, to design strategy, build healthcare technological infrastructure and implement the "National Digital Health Mission" in India. Additionally, the MOHFW proposes to establish the National Digital Health Authority (NDHA), which will be responsible for developing a health-data system for telemedicine and other digital healthcare mechanisms in India. The NDHA will also be primarily responsible for regulating and maintaining eHealth and patient health-data privacy and security in India. Also, the Department of Telecommunications governs the applications of service providers, including telemedicine service , in India.

In addition, the MOHFW proposes to establish the National Digital Health Authority (NDHA), which will be responsible for developing a health-data system for telemedicine and other digital healthcare mechanisms in India. The NDHA will also be primarily responsible for regulating and maintaining eHealth and patient health-data privacy and security in India. The Department of Telecommunications governs the applications of service providers, including telemedicine service, in India.

The National Pharmaceuticals Pricing Authority

The National Pharmaceuticals Pricing Authority is the authority for controlling and monitoring the prices and availability of medicines.

State-Level Authorities

At the state level, each state has a separate MoHFW, Directorate of Healthcare Services and DoHFW, which are responsible for organising and delivering healthcare services, consisting of participants from both the public and private sectors. The State Drug Standard Control Organisation (SDSCO) is responsible for regulation of the manufacture, sale and marketing of drugs in each Indian state.

The organisational structure consists of administrative subordinate offices at regional/zonal, district and sub-district level. The public healthcare system consists of primary (community health centres), secondary (sub-district hospitals), and tertiary (district hospitals and medical colleges) care centres. Primary and secondary care hospitals are in the public sector, whereas the tertiary care hospitals are in either the public or private sector. Apart from these, there are several clinics and diagnostic centres set up by individual medical practitioners.

The services provided by the private sector are registered and regulated under national/state councils constituted under the Clinical Establishment (Registration and Regulation) Act 2010, while the public sector comes under the authority of the MoHFW and state health ministries. At the district level, local self-government institutions (Panchayati Raj) are responsible for establishing primary health centres in rural areas.

The following are the key regulatory developments pursuant to the rise of digital healthcare in India and which are expected to create the most impact for the governance and growth of digital healthcare.

  • The Government of India issued the Telemedicine Practice Guidelines (TPG) in March 2020, which cover the norms and standards of registered medicine practitioners to consult patients via telemedicine. Telemedicine includes all channels of communication with the patient that leverage information technology platforms, including voice, audio, text, and digital data exchange.
  • The proposed the DISHA Bill in 2018 is to standardise and regulate the processes related to the collection, storing, transmission and use of digital health data, and to ensure the reliability, data privacy, confidentiality and security of that digital health data.
  • The government also issued the Health Data Management Policy in October 2020 to impose standards for data privacy protection in India.

These regulations will address many ambiguities from the legal, regulatory and compliance perspectives, for service providers as well as consumers. More accountability, governance and grievance-redressal mechanisms, which have comparable speed, ease and efficiency to that of the digital healthcare services, are some other primary needs for this sector.

The MoHFW enforces laws relating to healthcare in India. The National Medical Commission enforces the provisions related to medical education and practice under the National Medical Commission Act 2019.

The CDSCO and the SDSCO enforce regulations relating to the manufacture, distribution and sale of drugs and cosmetics under the Drugs and Cosmetics Act 1940 (D&C Act). The central government can confiscate, regulate, restrict or prohibit the manufacture, sale or distribution of some drugs and impose a ban on certain drugs. The court can further impose penalties and imprisonment for offences under the D&C Act.

Currently, there are no digital healthcare-specific non-healthcare regulatory agencies.

The new healthcare technologies, while providing fast and convenient services to the consumers, also pose several questions and concerns. In addition to the protection under consumer protection laws, more specific regulatory regimes with respect to data privacy and an expert regulatory body in each state, as well as at the national level for grievance redressal, are some of the immediate requirements.

Preventative and Diagnostic Care Systems

Preventative care includes services such as routine health screenings and check-ups which detect health issues at an early stage. Preventive health check-up tests help to ascertain the measures to be taken to prevent any disease.

The diagnostic care system includes services which diagnose a disease based on already existing symptoms, such as ultrasound, radiology and laboratory tests.

Regulatory Regimes Applicable to Preventative and Diagnostic Healthcare

India does not have a specific law on preventative or diagnostic health check-ups. The existing Indian laws also do not describe the terms “preventive healthcare” or “diagnostic healthcare”.

However, the following regulations contain provisions relating to preventive and diagnostic healthcare in India.

  • The Occupational Safety, Health and Working Conditions Code 2020 mandates every employer to provide an annual health examination or free tests to employees in specific types of work, such as factories, mines, construction work, dock work, cigar manufacturers and any other establishments prescribed by the Government. The code also mandates employers to conduct free medical examinations and investigations to detect occupational diseases.The Income Tax Act 1961 allows individuals to claim the benefit of tax deductions on the health insurance premium, including the expenses of Preventative Health Check-ups.
  • The Income Tax Act 1961 allows individuals to claim the benefit of tax deductions on the health insurance premium, including on Preventative Health Check-ups. 
  • The Telemedicine Guidelines 2020 prescribe rules on healthcare services provided for diagnosis, treatment and prevention of disease and injuries using telecommunications and digital communication technologies.
  • In 2015, the Government of India established the Free Diagnosis Service Initiative directing States to:

a) ensure availability of a minimum set of diagnostics;

b) reduce high expenditure on diagnostics;

c) enable initiation and continuation of appropriate treatment based on accurate diagnosis and use of appropriate diagnostics to screen patients; and

d) improve the quality of healthcare and patients' experience.

  • The Government of India has also launched a few initiatives to promote preventative healthcare, such as “Ayushman Bharat: Focus on Preventive and Promotive Health”, the “Fit India Movement” and “Eat Right India”. 

a) The Ayushman Bharat guidelines, launched in 2018, are a framework for health and wellness centres to provide healthcare services. The guidelines require these centres to have the capacity to provide basic diagnostics and screening capacities and are in accordance with Free Diagnosis Service Initiative.

b) The Fit India Movement was launched in 2019 to promote fitness. The Fit India mobile app was released under this initiative to track fitness levels, steps, sleep and calorie intake, as well as offering diet plans.

c) The Eat Right India Initiative was launched in 2019 to ensure availability of safe and wholesome food for people in India.

  • The Insurance Regulatory and Development Authority of India issued Guidelines on Wellness and Preventative Benefits in September 2020 which are applicable to all life, general and health insurance companies. These guidelines suggest that insurance companies include wellness provisions in their policies, such as discounts on health check-ups, diagnostics, vouchers for memberships in yoga centres, gyms, sports club and fitness centres.
  • The Indian healthcare system is slowly moving towards the preventative approach from the treatment approach. The COVID-19 pandemic led to shortage of hospital beds, oxygen, and doctors, which led the healthcare industry to realise the importance of preventative care. The pandemic enabled people to access technology including wearable gadgets, online platforms, home-based test kits, etc, to monitor their health status.

The following factors have resulted in an increased use of preventative healthcare in India.

  • COVID-19 pandemic: the pandemic was a wake-up call for people to get their health under control. The pandemic led to a high death rate across the country due to shortage of hospital beds, oxygen and doctors. This pushed people to take preventative measures at home, such as adopting healthy eating habits to build their immune system; periodically tracking and monitoring their health using wearable and medical devices such as oximeters, blood pressure monitors, blood glucose monitors and nebulisers.
  • Telemedicine and telehealth: the adoption and increase in teleconsultation services in India has led to an increase in preventative healthcare. As people could not physically visit health practitioners during the pandemic, they availed themselves of remote consultations on preventative measures with the help of video/audio calls and text messages. Telehealth proved to be a cost effective and faster way to use preventative measures. The country also experienced a tremendous increase in telecounselling services for patients suffering from mental health issues. An increase in online/live fitness (yoga or workout) programmes and platforms have also helped people to control their health and fitness from the comfort of their home.
  • Government initiatives: as stated previously, the Government of India has launched a few initiatives to promote preventive healthcare, such as “Ayushman Bharat: Focus on Preventive and Promotive Health”, the “Fit India Movement” and “Eat Right India” (see 4.1. Preventative Versus Diagnostic Health).
  • Social trends: social media influencers have increased the awareness of preventative measures and have played a great role in encouraging people to adopt healthy lifestyles and regular fitness regimes. 

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the Privacy Rules) describe physical, physiological and mental health conditions, medical records and medical history as “sensitive personal data or information”.

The terms “fitness and wellness information” are not separately regulated or defined under Indian law.

Broadly, any information relating to a medical health condition is categorised as sensitive personal data and is currently regulated by the Privacy Rules.

As explained in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information, the Privacy Rules prescribe mandatory principles for handling and processing sensitive personal data by the body corporates handling such information. There is no separate law in India to regulate health data. The DISH Bill proposes to regulate privacy and security measures for health-related data. The Health Digital Management Policy issued by the MoHFW also lays down principles for health data protection. The DISH Bill and the Health Digital Management Policy are mainly based on the principles of the Privacy Rules.

The right to privacy of all citizens is a part of the fundamental right to life and personal liberty under Articles 19 and 21 of the Constitution of India. The Supreme Court of India has recognised the right to privacy as a fundamental right in the landmark judgment of Justice K S Puttaswamy (Rtd) and Another v Union of India and Others (2017) 10 SCC 1.

Pursuant to the aforementioned judgment, the Ministry of Electronics and Information Technology had formed the Justice BN Srikrishna Committee, which had introduced the Draft Personal Data Protection Bill 2019 (the “PDP Bill”) in the lower house of the Indian Parliament (the Lok Sabha) on 11 December 2019 and was immediately referred to a Joint Parliamentary Committee (JPC) for further discussion. The JPC presented a revised version of the PDP Bill in Parliament in December 2021 after consulting various stakeholders including Government agencies, regulatory bodies, companies, law firms and academics experts.

The PDP Bill aims to become a comprehensive data protection law in India, applicable to government and companies incorporated in and outside India.

The MoHFW had released the draft Public Health (Prevention, Control and Management of Epidemics, Bioterrorism and Disasters) Act in 2017. The MoHFW is in the process of finalisng the provisions of the bill and it is expected to be introduced in Parliament this year. This bill will replace the existing Epidemic Disease Act 1897 which was implemented to control the bubonic plague. There have been no amendments or regulations made under the Epidemic Disease Act since its implementation.

The Bill empowers central, state, district and local authorities to adopt several procedures to control the spread of epidemic prone diseases. The Bill empowers the states to conduct medical examinations as well as provide treatment to persons suffering from such diseases.

Further, as explained in 4.1 Preventative Versus Diagnostic Healthcare, the Occupational Safety, Health and Working Conditions Code, Income Tax, Telemedicine Guidelines, Guidelines on Wellness and Preventive Benefits and various Government initiatives currently address preventative healthcare in India.

In recent years, several technology companies in India have developed solutions to issues in the healthcare industry, such as the following:

  • Qure.ai provides AI products to healthcare professionals to conduct preventiatve screenings, early detection, emergency care, and treatment adherence, etc;
  • Niramai Health Analytix developed an AI-based sensing device to detect breast cancer;
  • Healthyfy Me provides AI-based virtual assistance which helps users to track calorie intake and answer queries relating to fitness and nutrition;
  • Artelus developed an AI-based diabetic retinopathy screening system; and
  • Tricog has developed products that interpret and analyse ECG reports and echocardiograms. 

The main challenge created by these companies is data protection and patient privacy. Although the Privacy Rules are applicable to health data, the increase in these new technologies in India requires a robust comprehensive data protection regime.

The internet of medical things (IoMT) has transformed tremendously the healthcare sector in India and enabled healthcare practitioners to connect faster with patients, even in the remote areas and to deliver better services. Further, the use of internet and mobile devices has exponentially increased in India and connectivity is available even in most of the rural areas of the country.

Technologies such as AI, telemedicine, augmented and virtual reality, wearable devices (smart watches and fitness bands) have changed the landscape of the healthcare system in India. IoMT is being significantly used in India for tracking health and symptoms, treatment of disease, telemonitoring patient’s health conditions, tracking medicine dosage, etc.

The COVID-19 pandemic has led to an increase in the need for remote patient monitoring and consultation and reduction in hospital visits. This has been greatly assisted by the IoMT.

There has been an increase in demand for homecare facilities after discharge from the hospitals. Many healthcare service providers and hospitals in India now provide an intensive care unit system that can be set up at home. The system includes electronic medical records, audio visuals, a smart alert system, response tools, 24-7 monitoring and assessment systems.

A healthcare practitioner or a hospital can be held liable for medical negligence in cases of an adverse healthcare outcome. In this regard, there are both civil and criminal liabilities for medical negligence in India.

As regards civil liability, a complaint can be filed in the Consumer Court against the hospital (if the doctor is an employee of a hospital) or a doctor or a healthcare practitioner under the Consumer Protection Act 2019 (CP Act), claiming compensation for damages suffered by the consumer.  The CPA defines the term “deficiency” as “any fault, imperfection, shortcoming or inadequacy in the quality, nature and manner of performance which is required to be maintained by or under any law for the time being in force or has been undertaken to be performed by a person in pursuance of a contract or otherwise in relation to any service and includes any act of negligence or omission or commission by such person which causes loss or injury to the consumer.” 

As regards criminal liability, medical negligence is treated as an offence under the Indian Penal Code 1860 (IPC). The IPC prescribes that if a person commits a rash or negligent act due to which human life or personal safety of others is threatened, the person is punishable with a maximum imprisonment up to two years or maximum fine of up to INR1,000 (USD15 approximately)  or both.

Health practitioners or hospitals have the following defences:

  • anything which occurs because of an accident or misfortune and without criminal intention or knowledge in the doing of a lawful act in a lawful manner by lawful means and with proper care and caution is not an offence;
  • anything done that is likely to cause harm, but without any intention to cause harm and in good faith to avoid other damages to a person;
  • anything done in good faith for the good of other people and does not intend to cause harm even if there is a risk involved and the patient has given implicit or explicit consent.

There are various case laws where the Supreme Court of India has granted compensation to patients in cases of medical negligence.

The Supreme Court has also recognised the Bolam Test in Jacob Mathew v State of Punjab (2005) 6 SCC 1 as a standard of ascertaining whether the act of a person would be an act of an ordinary competent person exercising ordinary skill in that profession.

In the very recent case of Harish Kumar Khurana v Joginder Singh (2021 SCC SC 673), the Supreme Court had observed that every death of a patient cannot, on the face of it, be considered as death due to medical negligence, unless there is material on record to suggest that effect.

In every case where the treatment is not successful or the patient dies during surgery, it cannot be automatically assumed that the medical professional was negligent. The Court further observed that the principle of res ipsa loquitur is only applicable where the negligence is obvious. Mere legal principles and general standard of assessment is not sufficient in present case as there was no clear medical evidence that the patient’s condition was not tolerant for the surgery. 

The IoMT collects and shares a high amount of medical data of users with health practitioners, which makes it vulnerable for misuse. The patient’s medical information is considered as sensitive personal data under the Privacy Rules.

The contracts and healthcare institution policies are governed by the following currently applicable laws in India:

  • the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 (IMCR) imposes patient confidentiality obligations on medical practitioners; and
  • the principles embedded in the Privacy Rules, such as:
    1. the patient’s consent before collection, storage, transfer or processing of health data;
    2. the body corporate/healthcare institution must have a privacy policy in place as per the Privacy Rules; and
    3. implementation of reasonable security practices and procedure for protecting the patient’s health data).

The principles of Privacy Rules and privacy policy are explained in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information.

The MoHFW introduced the DISH Bill in 2017 to regulate the generation, collection, storage, transmission, access and use of all digital health data. The DISH Bill also provides for the establishment of a National Digital Health Authority as a statutory body to enforce privacy and security measures for health data and to regulate the storage and exchange of health records. The principles in the DISH Bill are based on the PDP Bill. However, the DISH Bill does not specifically define “internet of medical things” or “internet of things”.

The MoHFW has also approved a Health Data Management Policy based on the PDP Bill to govern data in the National Digital Health Ecosystem. The Health Data Management Policy also does not specifically define internet of medical things or internet of things; however, the policy is applicable to all methods of contact, including via internet or e-mail.

The provisions of the DISH Bill and Health Data Management Policy are explained in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information.

The MoHFW introduced the DISH Bill in 2017 to regulate the generation, collection, storage, transmission, access and use of all digital health data. The DISH Bill also provides for the establishment of a National Digital Health Authority as a statutory body to enforce privacy and security measures for health data and to regulate the storage and exchange of health records. The principles in the DISH Bill are based on the PDP Bill. However, the DISH Bill does not specifically define “internet of medical things” or “internet of things”.

The MoHFW has also approved a Health Data Management Policy based on the PDP Bill to govern data in the National Digital Health Ecosystem. The Health Data Management Policy also does not specifically define internet of medical things or internet of things, however, the policy is applicable to all methods of contact, including via internet or e-mail.

The provisions of the DISH Bill and Health Data Management Policy are explained in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information.

The MoHFW issued a notification on 11 February 2020 (the "MoHFW Notification") specifying that medical devices be treated as drugs with effect from 1 April 2020. Therefore, all the regulations and compliances applicable to drugs are also applicable to medical devices. The MoHFW Notification stipulates that a medical device is an instrument, apparatus, appliance, implant, material or other article, including a software or an accessory for the purposes of:

  • diagnosis, prevention, monitoring, treatment or alleviation of any disease or disorder;
  • diagnosis, monitoring, treatment, alleviation or assistance for any injury or disability;
  • investigation, replacement or modification or support of the anatomy or of a physiological process;
  • supporting or sustaining life;
  • disinfection of medical devices; and
  • control of conception.

The DCGI is responsible for the administration and approval of manufacturing, importing or marketing of medicinal products and medical devices in India. As a medical device now includes software, the DCGI is also responsible for software as a medical device. The D&C Act and the Drugs and Cosmetics Rules 1945 (DCR Rules), and the Medical Devices Rules 2017 (MDR) govern approvals and define whether a product is categorised as a drug or any other category.

The CDSCO classifies medical devices into four main categories, based on the risk of use.

However, currently, there are no specific regulatory frameworks or guidelines to categorise or classify software as a medical device in India. Therefore, it is difficult to ascertain which computer software/mobile application qualifies to be a medical device. This is a challenge common to application service providers, developers and stakeholders in India.

Similarly, there is no clarity on whether the Prices Control Order, which is applicable to drugs, will also apply to medical software applications and whether they will be able to control the price of their digital health-related software products.

Also, there is currently no specific legal framework in India for software based on AI and machine learning.

It is the common consensus of stakeholders in India that the government should adopt effective regulatory frameworks based on risk of use, and AI/machine learning, similar to the International Medical Device Regulation Forum’s medical software device framework and the US FDA’s Artificial Intelligence and Machine Learning Software as a Medical Device Action Plan.

India uses the New England Journal of Medicine (NEJM) Catalyst definition of “telehealth” which it as the delivery and facilitation of health and health-related services including medical care, provider and patient education, health information services, and selfcare via telecommunications and digital communication technologies. Telehealth is a broad term used for technology for health and health-related services, including telemedicine.

Telehealth is a solution for providing timely and faster access to medical treatment. It also reduces the costs and efforts associated with travel to receive medical treatment, especially for people in rural India. The telecommunication technologies can also maintain patients' medical records and can help patients manage their medication and diseases better. Telehealth has proven to be very beneficial in India, especially during the COVID-19 pandemic.

There have been various efforts made to promote telehealth in India. The India Virtual Hospital, a medical technology service in India, launched the Patient Care App, which enables doctors to track a patient’s health and recovery. Another health-tech company has recently launched an online platform, iCliniq, where users can get medical advice from doctors/medical practitioners, physicians and therapists from the USA, the UK, UAE, India, Singapore, Germany, and other countries, using emails, online chats and video and audio calls. Another Indian company set up a virtual hospital for cancer patients in 2019 for online consultation, treatment planning, and cancer treatment management.

India currently does not have specific legislation that regulates telehealth or the use of online platforms in respect of telehealth.

As a result of the COVID-19 pandemic, the Government of India has issued the Telemedicine Practice Guidelines (TPG) which are intended to enhance healthcare services and enable access to all. The guidelines are meant for registered medical practitioners and prescribe the norms and standards for consulting patients, including all channels of communication with the patient that leverage IT platforms, including voice, audio, text and digital data exchange.

The TPG specifically exclude specifications for hardware or software, infrastructure building and maintenance, data management systems, standards and inter-operability or the use of digital technology to conduct surgical or invasive procedures remotely. Other aspects of telehealth such as research and evaluation and the continuing education of healthcare workers and consultations outside the jurisdiction of India are also included in the guidelines.

The TPG mandates a registered medical practitioner to obtain consent from the patient before a telemedicine consultation. If the patient voluntarily initiates the telemedicine consultation, the consent is implied.

The principles regarding medical ethics, data privacy and confidentiality apply to the registered medical practitioners.

The TPG prescribes that the telemedicine consultations must be treated the same way as in-person consultations, from a fee perspective. The registered medical practitioner must also provide a receipt/invoice for the fee charged for the telemedicine consultation.

The internet of medical things (IoMT) includes digital medical devices and software applications used to provide effective and efficient services to patients and to reduce the cost of healthcare. Recent technologies, such as sensors, wearable devices, health apps, telemedicine, AI, oxygen and heart monitors, are in extensive use in India. The IoMT technologies make it easier for doctors and medical practitioners to track the progress of treatment and recovery in real time.

The rise of COVID-19 has led the medical establishment to urge people to adopt the IoMT for teleconsultations, remote monitoring and treatment, thereby eliminating hospital visits. The Government of India has encouraged hospitals to adopt electronic health records which will contain the patient’s health history and records.     

An increase in IoMT technologies also brings an increase in the data privacy risks and related issues because of the lack of adequate and specific regulations, a lack of awareness among the users and the service-providers’ lack of compliance in the absence of a comprehensive legal framework in the country.

Technological issues, such as the compatibility of hardware and software with cloud services, are also a factor to be taken into consideration.

5G networks are expected to be launched in India in 2022. The higher speed and connectivity and low latency in the 5G network may boost advanced telehealth solutions and improve the healthcare system in India. 5G networks will ensure more effectiveness and efficiency in teleconsultations and remote monitoring of patients as well as the handling of patients' health data.

5G networks can help in the rural areas of the country that has an inadequate telecommunication infrastructure through the following:

  • faster transmission of large health data files;
  • high-quality video/audio telecommunications between the doctors and patients;
  • improved use of augmented and virtual reality; and
  • enhanced use of AI in healthcare devices.

Information relating to a person’s health is categorised as sensitive personal information under the Privacy Rules. The Privacy Rules lay down mandatory principles of data privacy to be followed by the body corporates that handle and process sensitive personal information.

The primary requirement for body corporates under the Privacy Rules is to obtain written consent from the information-provider before collecting and processing the sensitive personal data. Prior consent is also required for sharing sensitive personal data with third parties.

The information-provider must be informed of the fact that sensitive personal data is being collected, the intended purpose of its use and whether it will be transferred to any third parties, along with the contact details of the agency collecting the information. It is also mandatory under the Privacy Rules for the body corporates to have a privacy policy containing the type of sensitive personal information collected, the purpose of collection, disclosure of that information, and the reasonable security practices and procedures to be implemented by the body corporates. India does not yet have a comprehensive data protection law. However, the government has issued the PDP Bill, which is intended to become a comprehensive data protection law in the country.

There is no separate legislation in India to regulate data privacy issues for digital health. However, the proposed DISH Bill aims to address the data privacy issues relating to digital health, which is mostly based on the principles laid down under the PDP Bill. The MoHFW has also issued the Health Data Management Policy, which outlines the principles for the protection of an individual’s personal digital health data privacy.

The DISH Bill proposes that a clinical establishment may, by obtaining written (on paper or electronic form) consent (in a prescribed manner) from the owner, and lawfully collect the required health data after informing the owner of the data of the following:

  • the rights of the owner, including the right to refuse to give consent to the generation and collection of their data;
  • the purpose of the collection of their health data;
  • identity of the recipients to whom the health data may be transmitted or disclosed, after being converted into a digital format; and
  • the identity of the recipients who may have access to that digital health data, on a need-to-know basis.

Further, the clinical establishment or any other entity must furnish a copy of the consent form to the owner of the data.

The current regulations do not specifically regulate the sharing of personal health data by a wearable healthcare device.

The Privacy Rules do not prescribe de-identification or anonymisation of data. However, the DISH Bill and Health Data Management Policy defines “anonymisation” as the process of permanently deleting all personally identifiable information from an individual’s digital health data.  “De-identification” is defined as the process of removing, obscuring, redacting or de-linking all personally identifiable information from an individual’s digital health data in a manner that eliminates the risk of unintended disclosure of the identity of the owner and that, if necessary, makes it possible for the data to be linked to the owner again.

The DISH Bill proposes that de-identified or anonymised data must be used only for the following purposes:

  • improve public health activities and facilitate the early identification and rapid response to public health threats and emergencies, including bio-terror events and infectious disease outbreaks;
  • facilitate health and clinical research and healthcare quality;
  • promote the early detection, prevention, and management of chronic diseases;
  • carry out public-health research, review and analysis, and policy formulation; and
  • undertake academic research and other related purposes.

The Health Data Management Policy prescribes that data fiduciaries may make anonymised or de-identified data in an aggregated form available for the following purposes:

  • facilitating health and clinical research, academic research;
  • archiving;
  • statistical analysis;
  • policy formulation;
  • the development and promotion of diagnostic solutions; and
  • any other purposes that may be specified by the National Digital Health Mission (NDHM).

The NDHM must set out a procedure through which any entity seeking access to anonymised or de-identified data will be required to provide relevant information, such as its name, purpose of use and nodal person of contact. Subject to approval being granted under this procedure, the anonymised or de-identified data must be made available to that entity on whatever terms may be stipulated on its behalf.

Any entity which is provided access to de-identified or anonymised data must not, knowingly or unknowingly, take any action which has the effect of re-identifying any data principal or the effect of any such data no longer remaining anonymised.

The data fiduciary that is undertaking to anonymise or de-identify data must be responsible for ensuring compliance with the procedure for the anonymisation or de-identification as set out by the NDHM. The de-identification or anonymisation of data by a data fiduciary must be done in accordance with technical processes and anonymisation protocols that may be specified by the NDHM. The technical processes and anonymisation protocols must be periodically reviewed by the NDHM.

The Information Technology Act 2000 prescribes that a body corporate, possessing sensitive personal data that is negligent in implementing and maintaining reasonable security practices and procedures, will be liable to pay damages by way of compensation. It also prescribes that if a body corporate has obtained sensitive personal data without the consent of the information-provider, and discloses the information to any other person, it will be punishable with a term of imprisonment for a maximum of two years or with a maximum fine of INR100,000 (approximately USD1,400), or both.

New technologies are emerging in the digital health sector in India, including AI and machine learning. Currently, India does not have any legislation to regulate technologies such as AI/machine learning. However, the TPG prescribes that the telemedicine platforms based on AI/machine learning are not permitted to counsel patients or prescribe any medicines to a patient. The technologies such as AI, the Internet of Things and advanced data science-based decision support systems may be used only to assist and support the clinical decisions of a registered medical practitioner. In all cases, the final prescription or counselling must be delivered directly by the registered medical practitioner.

With the growth of AI technologies in India, the Government of India authorised the public policy think-tank, the National Institution for Transforming India commission (NITI Aayog) to address strategy on AI-based technologies/machine learning in the agriculture and health sectors. In June 2018, the NITI Aayog issued a discussion paper on national strategy for artificial intelligence for healthcare, agriculture, education, smart cities and infrastructure and smart mobility and transportation. The discussion paper recognised AI, combined with robotics and IoMT as the new nervous system for healthcare in India, presenting solutions to address healthcare problems. Currently, the NITI Aayog is reportedly working with a large Indian hospital, the Tata Memorial Centre, to launch a digital pathology and imaging bio-bank for cancer detection.

The AI/machine-learning technologies use and share the medical condition of a patient with the doctors/medical institutions, which is considered as sensitive personal data under the Privacy Rules. The Privacy Rules prescribe mandatory compliance with the principles of data protection by body corporates which handle, store and process sensitive personal data.

In February 2021, the NITI Aayog issued principles for the responsible use of AI. The NITI Aayog has stated that the AI solutions must comply with the principles of data protection laid down in the PDP Bill, such as consent, purpose limitation and rights to the information-provider. AI solutions must maintain the privacy and security of medical information/data, which is sensitive personal data, and ensure sufficient safeguards.

Electronic health records (EHR) can ensure the easy accessibility of a patient’s records from anywhere at any time, easy storage, and can help in tracking the patient’s progress. The DISH Bill and Health Data Management Policy also promote EHRs. The Government of India issued recommendations in 2016 on different standards for different purposes in respect of EHRs. For example, ISO/TS 22220:2011 Health Informatics – Identification of Subjects of Health Care, must be undertaken for obtaining basic identity details of patient; ISO/TS 14441:2013 Health Informatics – Security & Privacy Requirements of EHR Systems for Use in Conformity Assessment must be undertaken to maintain basic data security and privacy requirements, and ISO TS 14265:2011 is for the processing of personal health information.

The 2016 EHR standards recommendations stipulate that only those persons, including organisations, duly authorised by the patient may view the recorded data or part thereof. The term “security” refers to all recorded personally identifiable data, which will at all times be protected from any unauthorised access, particularly during transport (eg, from healthcare-provider to provider, healthcare-provider to patient). The term “trust” refers to that person, persons or organisations (doctors, hospitals, and patients). The 2016 EHR standards recommendations are based on the principles of data protection laid down under the Privacy Rules.

Currently, there are no proposed or enacted regulations in India which address the use of AI and machine learning data in healthcare. 

Companies developing healthcare technologies in India are operating without a specific legislation on digital healthcare and, as a result, many general laws are applicable to such companies, such as the Privacy Rules, CPA, IPC, etc. The healthcare providers must have a privacy policy under the Privacy Rules for collection, storage, processing and transfer of health data (ie, sensitive personal data). The Privacy Rules prescribe additional compliances for such digital healthcare providers, especially if they qualify as an intermediary under the Information Technology Act 2000 (IT Act).

Digital healthcare companies collect huge amounts of sensitive personal data from users; therefore they must adopt reasonable security practices and policies to adhere to the Privacy Rules.

In the absence of specific legal provision governing digital healthcare using virtual assistance and AI, companies using such technologies must comply with the Privacy Rules as well as the TPG.

Further, digital healthcare service providers are required to ensure that a user’s medical prescription is not automatically generated, but each prescription must be thoroughly verified and expressly endorsed by a registered medical practitioner. However, in the absence of a specific legal guidance, the service providers will have to comply with requirements under multiple legislations and regulations.

The D&C Rules mandate that every prescription must be in writing and signed by the registered medical practitioner. However, online service providers are finding it difficult to generate such prescriptions with the practitioner’s signature and companies are now looking to generate prescriptions using the practitioner’s digital signature to be considered as valid under the IT Act provisions. The Delivery Notification issued by the MoHFW also allows medicines to be delivered based on receipt of a prescription physically or by email.

Similarly, there is no specific law to regulate e-pharmacies in India. Currently, e-pharmacies are required to comply with the licence requirements and online prescription requirements under the D&C Act as well as the IT Act. The MoHFW has issued draft rules to regulate e-pharmacies under the D&C Act, which are yet to be enacted. Additionally, e-pharmacies are also required to comply with the Delivery Notification.

As demonstrated in the preceding paragraphs, India is developing and adopting various technologies in the fields of telehealth, AI/machine learning and the IoT in order to adopt the digital healthcare system. India requires high-speed broadband networks, such as 5G, to support such high-end technologies. The IT infrastructure must be able to manage and secure the large amount of health data collected by the devices. Besides this, India requires a comprehensive data privacy and protection law to address the privacy and security risks related to digital health data.

Currently, there are no proposed or enacted regulations in India on implementation of IT upgrades.

The digital healthcare system thrives on novel ideas, inventions, and advancements in software applications and smart devices. Indian intellectual property laws allow for the protection of patents, copyrights, trade marks and designs. From the digital health standpoint, the key areas of development are in the area of software.

Patents Act 1970 (Patents Act)

In India, patents are examined, granted and administered by the Patents Act, which complies with the Trade-Related Aspects of Intellectual Property Rights agreement. India is also a signatory to the Paris Convention, in addition to the Patent Co-operation Treaty. A digital health mechanism is essentially a software/computer program. Although the Patents Act excludes protection for stand-alone computer programs (Section 3(k) of the Patents Act), a piece of software claimed in conjunction with a novel hardware element will be patentable in India (Guidelines for Examination of Computer-Related Inventions 2017). Further, the Delhi High Court recently held that a computer program that demonstrates a technical effect or a technical contribution will be patentable in India. Software patents are subject to other restrictions under the Patents Act, including Section 3(i) of the Patents Act, which excludes patent protection for any process for medicinal, surgical, curative or other treatment of human beings or animals.

The Patent Office has granted several patents for software programs that involve hardware elements. Therefore, digital health mechanisms, including computer software/programs embedded in mobile software applications, wearable devices, etc, may be protected in India, as long as they include a novel hardware element.

Copyright Act 1957 (CRA)

The CRA provides for copyright protection in India. The CRA provides that a copyright subsists in the form of original literary, dramatic, musical or artistic work, cinematographic films and sound recordings. Although copyright registration is not mandatory for protection in India, a copyright registration will serve as evidence of the copyright in the work. The CRA covers computer programs under the purview of literary work, therefore, the literary portions of a computer program, including the source code, are protected under the CRA.

Trade Marks Act 1999 (TM Act)

The TM Act provides for trade mark protection in India. The TM Act not only accords statutory protection for registered trade marks, but also recognises common law protection to unregistered trade marks in India. Trade mark protection in India extends to any device, brand, label, word, shape of goods, packaging or, combination of colours or any combinations thereof. Under Indian law, digital healthcare providers can claim trade mark protection for their brand names, logos, labels, names of devices/software applications, shape of medical goods or wearable devices, packaging, etc.

Designs Act 2000 (Designs Act)

The Designs Act provides for protection of industrial designs in India, and it extends to features of shapes, configurations, patterns, ornaments or composition of lines, or colours that are applied to an article. From the digital health standpoint, the key areas where design protection can avail are with respect to graphical user interface of software applications, mobile applications, or similar computer programs used on medical devices, screen layout of a program, etc, so long as they do not fall within the exceptions under the Designs Act.

Trade Secrets

Currently, there is no legislation or statutory protection for trade secrets in India. However, different courts in India have extended protection for trade secrets and confidential information, provided that the information’s confidentiality is reflected in contractual documents, such as Confidentiality Agreements, Non-Disclosure Agreements, and reasonable and legally enforceable non-compete clauses in the agreements.

There is no specific legislation or statutory protection for databases in India, nor in respect of data and databases used in machine learning. However, the CRA provides protection to a computer database under the purview of literary work. The CRA also provides protection for databases by granting rights associated with the labour involved in compiling and presenting data in a particular form.

Patent Protection

The grant of patent enables the patent owner to prevent others from infringing the invention (ie, manufacturing or selling the invention without the owner’s consent). The protection enables the owner to enjoy a monopoly over the invention and to license the patent to a third-party and gain profits. The patent grant also allows owners to disclose the invention to public, which will appeal the investors, stakeholders and consumers.

One of the key challenges faced by patent applicants in India is the lack of straightforward, broad protection for software patents. A digital health mechanism is essentially a software in the form of a computer program or a mobile software application. The Patents Act excludes protection for stand-alone computer programs (Section 3(k) of the Patents Act), unless the protection for such a program is claimed in conjunction with a novel hardware element. Further, software patents are also subject to other restrictions under the Patents Act, including Section 3(i) of the Patents Act, which excludes patent protection for any process for medicinal, surgical, curative or other treatment of human beings or animals.

Additionally, while the term of a trade mark can be extended indefinitely by renewing the registration every ten years, patent protection in India is only valid for 20 years.

Also, patent protection can be expensive for companies as the official fees for filing and periodic maintenance of the patents can run into several thousands of dollars, especially if the applicants choose to protect their inventions in other jurisdictions. Further, initiating a patent infringement suit and defending a patent in Indian courts may also involve significant costs. However, the 2016 amendment to the Patents Rules 2003 offers heavily discounted fees for start-up companies and small enterprises.

Finally, there is a significant backlog in many departments of the Patent Office’s examination section. However, patent applicants can engage qualified local attorneys who can help expedite the patent prosecution by taking measures such as, carrying out proper freedom to operate searches, understanding the filing requirements beforehand, thereby avoiding objections and consequent delays at the examination stage. An attorney’s personal rapport with the Patent Office officials also may help in understanding the nature of objections and resolving them in a timely manner.

The timeframes of patent prosecution are gradually shortening as a result of modernisation of Patent Offices and an increase in the number of examiners.

Copyright Protection

Copyright protection prevents losses arising from piracy. Although copyright registration is not mandatory in India, the copyright registration makes it easier to prove copyright ownership in courts.

Trade Mark Protection

One of the key advantages of trade mark protection in India is that the proprietors can continue to extend the life of trade marks indefinitely by renewing the protection every ten years. Moreover, the recent amendments to the Trade Marks Rules 2003 have introduced discounted official fees applicable to start-up companies and small enterprises.

The Indian Courts fully recognise the rights of patent owners and grant protection in infringement matters. In the case of Indoco Remedies Ltd v Bristol Myers Squibb Holdings, 2020 (83) PTC 551 (Del), the Delhi High Court prohibited Indoco from selling the drug “APIXABID”, as Bristol is a patent owner of the drug “APIXABAN” for treating COVID-19 and which was easily available to consumers.

In the case of Microsoft Corporation and Another v Kanhaiya Singh and Another, 5 W.P.(CRL) 558/2016, the Delhi High Court directed the defendant to pay compensation for damages and prohibited them from software piracy and passing off Microsoft’s software. There is also much leading case law in India on various issues of trade mark infringement and passing off, allowing the owners to claim proprietary rights over their trade marks in exclusion of others.

There are multiple types of licensing arrangements used in India, which are applicable to digital healthcare, such as software, patent, copyright and technology licensing.

Broadly, there are three types of intellectual property licensing arrangements used in India:

  • exclusive licensing, whereby only the licensee is authorised to use the intellectual property;
  • non-exclusive licensing, allowing one party to license the intellectual property to more than one licensee; and
  • sole licensing, whereby only the licensor and licensee may use the intellectual property.

The ownership of IP in India varies under different IP laws. With regard to copyright, the employer (university or healthcare institution) will be the first owner of the copyright, not the physician or the inventor. However, this will not apply in the case of an independent contractor-developed copyright. Regarding the patents, the inventor will be the first owner, irrespective of whether they are an employee or a contractor.

In India, the institutions or universities or employers enter into development agreements with their employees. Standard development agreements normally provide that all the IP developed by the employees/inventors/researchers under the agreement will be assigned to and owned by the employers.

The TPG prescribes that the platforms based on AI/machine learning are not permitted to counsel or prescribe any medicines to a patient. However, technologies such as AI, the IoT and advanced data science-based decision support systems may be used only to assist and support the clinical decisions of a registered medical practitioner. In all cases, the final prescription or counselling has to be delivered directly by the registered medical practitioner. Therefore, the liability falls on the doctors or other medical service-providers. Consumers can claim compensation from doctors/hospitals under the CP Act. Criminal liability can be imposed on the doctors, on grounds such as:

  • causing death by negligence;
  • endangering the life or personal safety of others;
  • causing hurt by an act endangering the life or personal safety of others; and
  • causing grievous hurt by an act endangering the life or personal safety of others.

Third parties supplying products and services to healthcare institutions can be subject to civil and criminal liabilities, penalties and actions under the CP Act. They can also be held liable for penalties prescribed under the IT Act for data breaches.

India is currently waiting for Parliament to enact the PDP Bill. After the enactment of this comprehensive data protection law, the government will adopt the principles of data protection from the PDP Bill and enact the DISH Bill and the Health Data Management Policy. These measures will significantly impact the medical and pharmaceutical industries by introducing comprehensive laws on digital healthcare in India.

ANA Law Group

303 Madhava Premises
Bandra Kurla Complex
Bandra East
Mumbai
400 051
India

+91 22 6112 8484

+91 22 6112 8485

anoop@anaassociates.com www.anaassociates.com
Author Business Card

Trends and Developments


Authors



ANA Law Group is a full-service law firm based in Mumbai. Its team of experienced and committed professionals has broad industry knowledge and specialises in a wide spectrum of the law. Founded on traditional values and with prominent cross-border exposure, the firm has significant experience in counselling international clients on data protection and privacy in India, acting for many businesses in complex transactions. ANA Law Group has in-depth knowledge of all sectors of industry, such as banking and insurance, financial institutions, luxury goods, consumer goods and healthcare. The firm assists international companies on global privacy law involving Indian projects, drafting and negotiating contracts with their Indian counterparts, preparing data protection and privacy policies for those companies' Indian subsidiaries, compliant with major international privacy laws. Specifically, the firm advises clients on data processing and all aspects of data security, including handling cross-border data flows, security breaches and compliance with all regulatory requirements.

Introduction

The COVID-19 pandemic threw several challenges at the Indian healthcare system in 2020–21, and in 2022 COVID-19 was still prevalent in many parts of the country. Although India was hit by another wave of the pandemic at the beginning of 2022, the lockdown restrictions have been gradually relaxed as the country has seen a significant reduction in the number of infections.

Some of the key factors that helped reduce the infections were:

  • rapid testing;
  • extensive and affordable vaccination drives carried out by the Government;
  • movement restrictions in busier metropolitan cities;
  • public awareness; and
  • access to digital healthcare mechanisms.

Digitisation of healthcare mechanisms has seen an exponential increase in India in the past two years, with people using health-related technological advancements for rapid testing, effective diagnosis, telemedicine, tele-consultation, and home delivery of medication, etc. Telemedicine and tele-consultation were seen as emerging trends, with many people utilising the technological advances in this area as opposed to traditional healthcare services.

Emerging Technologies in Digital Healthcare in India

Telemedicine

Telemedicine refers to the use of various information and communication tools for healthcare where the presence of both the patient and the healthcare provider is virtual. Telemedicine includes the tools used for carrying out technology-based patient consultation via video, audio or text. Although telemedicine has been in use in India for many years, the COVID-19 pandemic caused a significant increase in its adoption. A survey from Practo, an Indian health-tech company, recently estimated that there was a 32% drop in in-person appointments and a massive 300% growth in online medical consultations between March and November 2020.

In view of this, the Ministry of Health and Family Welfare of India (MoHFW) introduced the Telemedicine Practice Guidelines (TPG) in March 2020. The TPG were introduced to assist medical practitioners in providing effective, safe and fast medical care online. The TPG prescribe regulations relating to:

  • the physician–patient relationship;
  • issues of liability and negligence;
  • evaluation, management and treatment;
  • informed consent;
  • continuity of care;
  • referrals for emergency services;
  • medical records;
  • privacy and security of the patient records and exchange of information;
  • prescribing;
  • reimbursement;
  • health education; and
  • counselling.

The TGP are applicable to registered medical practitioners (ie, those who are enrolled in the State Medical Register or the Indian Medical Register under the erstwhile Indian Medical Council Act 1956 and current National Medical Commission Act 2019 ("NMC Act")). Under the existing framework, the TGP do not apply to registered medical practitioners outside India.

With multiple lockdowns and movement restrictions throughout the country during the last two years, healthcare workers and doctors have been using telemedicine solutions to provide timely and faster access to patients. Telemedicine was found to be cost effective and significantly reduced the difficulties associated with patients travelling to visit a hospital or doctor. Telecommunication technologies can also maintain patients' medical records and help patients to manage their medication and diseases better.

During the nationwide lockdown in 2020–21, as patients were forced to stay at home, the healthcare practitioners started to provide remote consultations with the help of video or audio calls and text messages. During that time, technology-based consultations were also extended to COVID-19 patients with mild symptoms where hospitalisation was not required.

In addition, many healthcare organisations and doctors have been providing online counselling for the increased number people with mental health issues caused by COVID-19 quarantine measures. This includes non-affected people whose mental health was adversely affected by the lockdown.

Further, there were various efforts made to promote telehealth in India. The India Virtual Hospital, a medical technology service, launched the Patient Care App that enables doctors to track patient’s health and recovery periodically. Another health-tech company has recently launched an online platform, iCliniq, where users can receive medical advice from medical practitioners, physicians and therapists from the USA, UK, UAE, India, Singapore, Germany, and other countries, using e-mails, online chats and video and audio calls. Another Indian company setup a virtual hospital for cancer patients in 2019, for online consultation and treatment planning and management.

The Indian Council of Medical Research (ICMR) approved the first self-test COVID-19 kit in May 2021, which enabled users to conduct COVID-19 tests at home and obtain results within 20 minutes through a mobile app. As at March 2022, the ICMR has approved ten such self-testing kits, including those manufactured by foreign companies, such as Roche, Abbott, and Healgen. Moreover, the ICMR has declared that the US-FDA approved antigen-based COVID-19 self-test kits are exempted from ICMR validation.

The telemedicine platforms currently governed under the NMC Act are:

  • the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 ("IMC Regulations");
  • the Drugs and Cosmetics Act 1940 ("D&C Act");
  • the Drugs and Cosmetic Rules 1945 ("D&C Rules");
  • the Clinical Establishment (Registration and Regulation) Act 2010;
  • the Information Technology Act 2000 ("IT Act"); and
  • the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 ("Privacy Rules").

Further, in cases of medical negligence, an aggrieved person may lodge a complaint before the relevant consumer forum under the Consumer Protection Act 2019, within two years from the date of injury. Similarly, a civil suit for damages, a criminal petition under the Indian Penal Code 1860, or a complaint with the NMC can also be initiated. Currently, there is no law in India that governs online consultation provided by foreign medical practitioners.

Wearable devices

Several wearable devices are now available in India, that can track heart rates, blood oxygen-levels, water consumption, weight, sleep patterns and diet. These devices allow the patients to self-detect any physiological changes in the body and alert them to possible arising issues. All medical devices are regulated by the NMC Act, IMC Regulations, the Medical Devices Rules 2017, the IT Act and the Privacy Rules. Although there are no specific rules or regulations pertaining to wearable devices, the above-mentioned Acts will apply to such devices as well. Under the current regulatory framework, medical wearable devices require registration and approval from the Central Drugs Standard Control Organisation (CDSCO) in India.

For instance, the CDSCO recently approved three medical wearable devices in India namely, the Smart Vital, Vital 3.0 and Vital EGC from GOQii, a California-based fitness company. These devices measure body temperature, pulse oximeter, heart rate, sleep, blood pressure, steps taken and exercise performed.

Online pharmacies

There has been a significant rise in the number of online pharmacies in India that deliver medicines to patients’ homes in the past few years, more so during the pandemic. Although the manufacture and sale of medicines are regulated by the D&C Act, D&C Rules, Registration and Regulation Act, NMC Act and IMC regulations, there is currently no law in India that specifically governs online pharmacies. The MoHFW issued a notification in August 2018 to amend the D&C Rules to bring online pharmacies under its purview ("Draft Rules").

The Draft Rules include provisions for sale of drugs by e-pharmacies. Further, the Draft Rules define the term “e-pharmacy” as the business of distribution or sale, stock, exhibit or offer for sale of drugs through a web portal or any other electronic mode. The Draft Rules contain provisions for registration and validity of e-pharmacies; conditions for registration imposed on the e-pharmacies such as location, disclosure of information, procedure for distribution and sale, etc. While the Draft Rules are yet to be enacted, e-pharmacies in India currently require registration with the CDSCO.

Online pharmacies will also have to adhere to the Privacy Rules in relation to collecting, handling and processing patients' sensitive personal information, including financial information, bank account details, physical, physiological and mental health data, sexual orientation, medical records and history, and biometric information.

Artificial intelligence (AI) 

AI-based systems are used for disease diagnosis and also for treatment purposes. Robotic surgeries allow doctors to perform complicated procedures with the help of automated machines. AI is also used for vaccine development, thermal screening, CT scans, etc. The AI-based systems are also regulated by the NMC Act, IMC Regulations, the Medical Devices Rules, 2017, IT Act and the Privacy Rules. India is home to several globally well-known multi-speciality hospitals and centres that are equipped with highly sophisticated technologies. With the increasing role of robotic surgeries and AI in healthcare in India, the Insurance Regulatory and Development Authority of India issued Guidelines on Standard Individual Health Insurance Product in January 2020, directing insurers to cover robotic surgeries under their standard health insurance policies.

Electronic health records (EHR) 

Digital health data records provide easy access to patients' medical history so that doctors can have relevant consultations and make recommendations, in an efficient and timesaving manner. Digital health records also eliminate duplication of tests and significantly save costs. Many private multi-speciality and super-speciality hospitals in India maintain EHR databases; however, most government hospitals have not as yet upgraded to their use.

The MoHFW originally enacted the Electronic Health Record Standards 2013 and also revised these standards in December 2016 by issuing the new Electronic Health Record Standards 2016 ("EHR Standards"). All EHR technologies must comply with the EHR Standards. These EHR Standards are largely based on the principles of data protection laid down under the Privacy Rules. Most recently, the Indian state of Kerala successfully deployed an efficient EHR system by collecting and storing the EHRs of over 25.8 million people as part of its e-Health project. This initiative has allowed patients to walk into any government hospital needing to bring any paper records with them.

With the increasing demand for contactless procedures, especially since the pandemic, several state governments are in the process of adopting EHR systems and other such digital mechanisms to maintain health records.

Online aggregators for health services 

There are several new online platforms in India that allow users to search for doctors with different specialities in a particular region. These platforms also allow users to book online appointments with doctors and provide reviews and ratings to these doctors for their services and guidance. Currently, there is no specific law in India that regulates online health aggregator platforms. However, the MoHFW issued a direction in January 2021 to all the state governments to regulate online health aggregation platforms. Under the existing regulatory framework, as with online pharmacies, these online health aggregator platforms will require registration with the CDSCO.

The increasing number of technologies collecting health data gives rise to concerns relating to data protection and the privacy of patients. Information relating to a person’s health is categorised as sensitive personal information under the Privacy Rules. The Privacy Rules lay down mandatory principles of data privacy to be followed by the body corporates collecting, handling and processing sensitive personal information. India does not currently have a comprehensive data protection law. The Government of India had introduced the Personal Data Protection Bill 2019 ("PDP Bill") in the lower house of the Indian Parliament, which was referred to a Joint Parliamentary Committee (JPC). The JPC presented a revised version of the PDP Bill in Parliament in December 2021. Once enacted, the PDP Bill will become a comprehensive data protection law in India.

There is no specific law in India that regulates digital health tools and digital health data. However, the government has taken several new initiatives to address the privacy concerns relating to digital health in India, as explained below.

Healthcare Regulatory Developments in India

The Government of India enacted the draft Digital Information Security in Healthcare Act 2018 (the "DISHA Bill") to protect the digital health data of Indian citizens. The DISHA Bill defines the term “digital health data” as an electronic record of health-related information about an individual. The government proposed the DISHA Bill to standardise and regulate the processes related to collection, storing, transmission and use of digital health data, and to ensure the reliability, data privacy, confidentiality and security of such data. However, India is yet to adopt legislation to regulate and govern digital health tools in India.

As a temporary measure, the Government of India issued the TPG in March 2020, which contain norms and standards for registered medical practitioners to consult patients via digital means. The TPG regulate all channels of communication with patients that leverage information technology platforms, including voice, audio, text, and digital data exchange.

The Government of India also issued the Health Data Management Policy in October 2020 to impose standards for data privacy protection in India. The DISHA Bill and the Health Data Management Policy are both based on the data privacy principles laid down under the PDP Bill.

In 2020, the Government of India introduced the National Digital Health Mission in India based on the Health Data Management Policy. The National Digital Health Mission was renamed "Ayushman Bharat Digital Mission" in 2021 and aims to develop an integrated digital health infrastructure in India. Under this Mission, the Government has introduced the ABHA App which allows users to store, access and share their health data with health facilitates and healthcare professionals who are registered with the Mission. The users are given full control over their health data. The app is also integrated with Sandbox, which will test the products and technology used by the registered health companies before rolling it out to large numbers of consumers.

In the Union Budget 2022 the Indian Government announced the release of an open platform for the National Digital Heath Ecosystem, containing digital registries of health providers and access to health facilities. The Indian Government has also announced the launch of the National Telehealth Programme in 2022 to enable people of all ages to access quality mental health counselling and care services. The programme is expected to establish 23 telehealth centres for mental health in India.

The Government also launched the Unified Health Interface in 2022, a digital healthcare platform that will connect healthcare service providers with patients for bookings, consultations, etc.

Other Emerging Trends and Developments in India

Rise in digital solutions

Besides the use of telemedicine/telehealth in the Indian healthcare sector, there was a rapid increase in digital payments during the COVID-19 pandemic. People of all age groups have become accustomed to carrying out digital payments, to reduce physical contact. There has been a momentous increase in mobile applications and online platforms that allow door-step delivery of groceries, medicines and other products and services.

Work-from-home policy

The work-from-home policy and online meetings through Zoom, Google Meet and Microsoft Teams have been adopted across every industry and have seen a tremendous rise since the beginning of the pandemic. Many healthcare professionals and non-frontline workers, including therapists, psychiatrists and dieticians, have been conducting programmes, seminars and consultations using these platforms.

5G network in India

India is in the process of launching the 5G network. The rapid increase in the use of digital solutions demands higher speed and connectivity. The 5G network will ensure more effective and efficient teleconsultations, remote monitoring of patients and handling of patients' health data.

The 5G network will also facilitate faster transmission of large health data files and will provide better video/audio telecommunications between doctors and patients, improve the use of augmented and virtual reality and enhance the use of AI in health care devices.

Role of social media platforms

Social media platforms, such as Facebook, Instagram, Twitter and WhatsApp, have been very popular in India, and their use has only increased since the pandemic.

For example, when a second wave of COVID-19 hit in India in 2021 and resulted in a shortage of oxygen cylinders and hospital beds, social media platforms played a key role in providing people with information on the availability of oxygen cylinders and hospital beds around the country.

Social media platforms have also enabled patients to connect with relevant organisations such as NGOs that supply and deliver oxygen cylinders and other ICU equipment to setup at home. Additionally, many healthcare professionals and doctors in India have been consistently posting and sharing videos on social media, providing free consultations and guidance to people to tackle the virus.

Notwithstanding, the Government of India has been regularly discouraging people from taking unsolicited and unprofessional COVID-19-related advice from social media. However, many reputable health experts and physicians still continue to provide such advice on social media, which is not currently prohibited by the government. It appears that the government organisations are allowing professional and genuine healthcare experts to provide COVID advice on social media.

The Government of India has from time-to-time ordered social media platforms, including Twitter, Facebook, Instagram and YouTube, to remove posts that were fake and misleading, as well as those that were critical of its handling of the pandemic.

The Ministry of Electronics and information Technology (MEITY) enacted the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 on February 25 2021. The Guidelines require digital media platforms to:

  • implement grievance redressal mechanisms;
  • appoint resident grievance officers;
  • actively monitor content on the platform;
  • issue monthly compliance reports; and
  • adopt self-regulation mechanisms and an oversight mechanism deployed by the MEITY.

Online legal proceedings

Amid the COVID-19 pandemic, the courts and tribunals, including the Trade Marks Registry, the Patent Office and the Design Office (‘IP Offices’), in India have been conducting hearings and other meetings through video-conference (VC) facilities. There is even a proposal under consideration to do away with physical hearings. The VC hearings in the IP offices have helped not only in faster disposal of pending IP applications and opposition proceedings, but also made the process more transparent. The Delhi High Court has issued specific rules for conducting VC proceedings.

These VC proceedings have made the administrative and legal procedures much faster and efficient, allowing companies, brand owners, inventors and other stakeholders to obtain faster protection of their intellectual property and to resolve legal disputes in an effective manner.

Conclusion

Considering the country’s size, demography and the size of the rural population without adequate access to the healthcare infrastructure, India has significant scope to develop advanced and affordable digital healthcare technologies and platforms. With regard to the legal regime, India has not thus far enacted a robust law on digital healthcare. Currently, India is in the process of enacting specific laws on digital healthcare, information security and personal data protection. A robust and unified digital heath law may evolve very soon, given the pace of transformation in the healthcare sector.

ANA Law Group

303 Madhava Premises
Bandra Kurla Complex
Bandra East
Mumbai
400 051
India

+91 22 6112 8484

+91 22 6112 8485

anoop@anaassociates.com www.anaassociates.com
Author Business Card

Law and Practice

Authors



ANA Law Group is a full-service law firm based in Mumbai. Its team of experienced and committed professionals has broad industry knowledge and specialises in a wide spectrum of the law. Founded on traditional values and with prominent cross-border exposure, the firm has significant experience in counselling international clients on data protection and privacy in India, acting for many businesses in complex transactions. ANA Law Group has in-depth knowledge of all sectors of industry, such as banking and insurance, financial institutions, luxury goods, consumer goods and healthcare. The firm assists international companies on global privacy law involving Indian projects, drafting and negotiating contracts with their Indian counterparts, preparing data protection and privacy policies for those companies' Indian subsidiaries, compliant with major international privacy laws. Specifically, the firm advises clients on data processing and all aspects of data security, including handling cross-border data flows, security breaches and compliance with all regulatory requirements.

Trends and Development

Authors



ANA Law Group is a full-service law firm based in Mumbai. Its team of experienced and committed professionals has broad industry knowledge and specialises in a wide spectrum of the law. Founded on traditional values and with prominent cross-border exposure, the firm has significant experience in counselling international clients on data protection and privacy in India, acting for many businesses in complex transactions. ANA Law Group has in-depth knowledge of all sectors of industry, such as banking and insurance, financial institutions, luxury goods, consumer goods and healthcare. The firm assists international companies on global privacy law involving Indian projects, drafting and negotiating contracts with their Indian counterparts, preparing data protection and privacy policies for those companies' Indian subsidiaries, compliant with major international privacy laws. Specifically, the firm advises clients on data processing and all aspects of data security, including handling cross-border data flows, security breaches and compliance with all regulatory requirements.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.