Digital Healthcare 2023

Last Updated June 29, 2023

India

Law and Practice

Authors



ANA Law Group is a full-service law firm based in Mumbai. Its team of experienced and committed professionals has broad industry knowledge and specialises in a wide spectrum of the law. Founded on traditional values and with prominent cross-border exposure, the firm has significant experience in counselling international clients on data protection and privacy in India, acting for many businesses in complex transactions. ANA Law Group has in-depth knowledge of all sectors of industry, such as banking and insurance, financial institutions, luxury goods, consumer goods and healthcare. The firm assists international companies on global privacy law involving Indian projects, drafting and negotiating contracts with their Indian counterparts, preparing data protection and privacy policies for those companies’ Indian subsidiaries, compliant with major international privacy laws. Specifically, the firm advises clients on data processing and all aspects of data security, including handling cross-border data flows, security breaches and compliance with all regulatory requirements.

“Digital health” and “digital medicine” have been gaining traction in India over the past couple of years, particularly due to the COVID-19 pandemic; however, from a legal and regulatory perspective, they remain undefined under existing Indian laws. Digital health, as defined by the World Health Organization, is understood as a broad umbrella term encompassing eHealth, as well as emerging areas, such as the use of advanced sciences in big data, genomics and artificial intelligence. The digital health platforms include the information and communication tools (digital medicine products) used for improving and enhancing healthcare services.

Existing Indian laws do not define the terms “digital health” or “digital medicine”. However, the proposed law in this regard, which is the Digital Information Security in Healthcare Act 2018 (the DISHA Bill), defines “digital health data” as an electronic record of health-related information about an individual, including information regarding:

  • an individual’s physical and mental health condition;
  • health service provided to an individual;
  • the donation by an individual of any body part or any bodily substance;
  • testing and examination data of an individual’s body part or bodily substance;
  • data collected in the course of providing health service to an individual; or
  • details of the clinical establishment accessed by an individual.

Further, the Telemedicine Practice Guidelines (TPG), issued by the Indian government in March 2020, has adopted the World Health Organization’s definition of telemedicine as “The delivery of healthcare services, where distance is a critical factor, by all healthcare professionals using information and communication technologies for the exchange of valid information for diagnosis, treatment and prevention of disease and injuries, research and evaluation, and for the continuing education of healthcare providers, all in the interests of advancing the health of individuals and their communities.”

The following are some of the key emerging technologies in India in the field of digital healthcare.

Telemedicine

There has been significant growth and advancement in the field of telemedicine in India. This includes the use of information and communications tools for healthcare services with the virtual presence of both the patient and the healthcare provider. The tools are used for carrying out technology-based patient consultation communication via video, audio and text. The Ministry of Health and Family Welfare of India (MoHFW) issued the TPG in March 2020.

Wearable Devices

India has witnessed a tremendous increase in the use of wearable devices for health monitoring. Although these digital technologies have existed and have been used for several years, their use for more specific purposes, and also as an alternative to conventional physical health monitoring, has increased because of the COVID-19 pandemic. The preliminary screening of one’s health data without having to visit a hospital or a diagnostic centre has bolstered the growth and prominence of digital technologies. Several wearable devices are now available in India, featuring heart-rate trackers, blood oxygen-level trackers, and other devices including water consumption, weight, sleep, and diet monitors.

Online Pharmacies

There has been a significant rise in the number of online pharmacies delivering medicines to patients’ homes in India, more so during the pandemic.

Artificial Intelligence

AI-based systems have witnessed significant growth in India for the diagnosis of disease and also for treatment purposes.

One of the major emerging issues is that the increasing number of digital and other new technologies in the healthcare industry is giving rise to concerns about data protection and the privacy of patients.

Although most of the data collection, storage and usage by healthcare providers complies with India’s applicable data privacy laws, there are critical issues on the misuse of this data for other commercial purposes and also on the breaching of privacy obligations. The absence of adequate training and awareness building with regard to aspects of data privacy among the people collecting, processing and handling such data on the digital health platform also aggravates the situation.

Additionally, the absence of a specific law to regulate these aspects is a major concern. Although the MoHFW has issued the DISHA Bill, it has not yet become law. The DISHA Bill proposes to establish national and state health authorities to enforce privacy and security measures for health-related data. Further, the MoHFW has issued a Health Data Management Policy to promote the National Digital Health Mission, which lays down principles for the protection of an individual’s digital health data privacy.

COVID-19 has led to a significant rise in the adoption and use of digital healthcare technologies in India, especially in the area of telemedicine. As non-COVID-19 patients were forced to stay at home during the nationwide or state-specific lockdowns, healthcare practitioners provided remote consultations with the help of video/audio calls and text messages.

Technology-based consultations and remote monitoring and treatments were also extended to COVID-19 patients with mild symptoms and where hospitalisation was not required. As one of the measures to support telemedicine, the MoHFW issued the TPG in March 2020 as a temporary measure and allowed home delivery of medicines. The Indian government also developed a mobile application, Aarogya Setu, to trace COVID-19 hotspots in India and the number of people affected by COVID-19 in a particular user’s geographical area. The government has also recently introduced another digital application, the CO-WIN portal, to carry out the COVID-19 vaccination drive in India.

The MoHFW

The MoHFW is the apex authority in the organisational structure of the healthcare system in India. The MoHFW is comprised of two departments, (i) the Department of Health and Family Welfare (DoHFW), which is responsible for organising and delivering all national health programmes; and (ii) the Department of Health Research, which is responsible for the promotion of health and clinical research, development of health research and ethics guidelines, grants for research training, etc, in India.

The AYUSH

The Ministry of Ayurveda, Yoga and Naturopathy, Unani, Siddha and Homeopathy (AYUSH) develops and promotes research in alternative medicine practices. The central government’s responsibilities include policy making, planning, guiding, assisting, evaluating and co-ordinating the work of the various state-level health authorities, and providing funding to implement national health programmes.

The Central Drugs Standard Control Organisation (CDSCO)

The CDSCO is the National Regulatory Authority of India and is responsible for the approval of drugs, conducting clinical trials, laying down the standards for drugs and control over the quality of imported drugs in India. The Drug Controller General of India (DCGI) is the head of the CDSCO and is responsible for licensing and controlling the functions of the CDSCO.

The National Medical Commission and the National Health Authority (NHA)

The recently constituted National Medical Commission (NMC) regulates and governs medical practice in India. Besides these, the MoHFW has recently established the NHA, which is the apex body responsible for implementing public health assurance schemes, to develop strategy, build healthcare technological infrastructure and implement the “National Digital Health Mission” in India.

The Ayushman Bharat Digital Mission (ABDM)

MoHFW introduced the National Digital Health Mission (NDHM) on 15 August 2020 to create a digital health ecosystem, and recently renamed it as Ayushman Bharat Digital Mission (ABDM). ABDM aims to develop the backbone necessary to support the integrated digital health infrastructure of the country.

The following are the main components of ABDM:

Under ABDM, every citizen gets a unique health account (Ayushman Bharat Health Account), which acts as a digital repository of all health-related data of an individual. The ABHA ID is voluntary and free of cost, and enables access and exchange of health records of citizens with their consent. It also enables interaction with participating healthcare providers, and allows the participants to receive their digital lab reports, prescriptions and diagnosis from verified healthcare professionals and health service providers. It has been reported that, to date, over 38 crore ABHA IDs have been created and 26 crore health records digitally linked under ABDM.

The Healthcare Professionals Registry (HPR) under ABDM is a comprehensive repository of all healthcare professionals involved in the delivery of healthcare services across both modern and traditional systems of medicine. Enrolling in the HPR enables them to connect with India’s digital health ecosystem.

The Health Facility Registry (HFR) is a repository of health facilities across different systems of medicine. Participating entities of the ABDM must register as a healthcare provider. It includes both public and private health facilities, such as hospitals, clinics, diagnostic laboratories and imaging centres, pharmacies, etc.

The ABHA mobile app will have electronic records of health-related information that conform to nationally recognised interoperability standards and that can be drawn from multiple sources while being managed, shared, and controlled by the individual. Such information can be fully controlled by the individual.

Unified Health Interface (UHI)

UHI is a network of open protocols that facilitate interoperability in health services. Through UHI-enabled applications, patients can search for, book and pay for services offered by a variety of participating providers from any application of their choice.

UHI Services

The services under UHI will include teleconsultation to book an online consultation with any doctor; booking physical appointments; discovering availability of critical care beds; booking of home visits for lab sample collections; and booking an ambulance.

The ABDM has recently launched a new initiative that has revolutionised the way patients register for Outpatient Department (OPD) services at hospitals in India. The new initiative enables patients to use their smartphones to scan a QR code and share their verified demographic data with hospitals’ Health Management Information Systems (HMIS) with just one click. This has drastically reduced the waiting time for patients and ensured accurate data entry into the HMIS, doing away with the need for patients to stand in long queues.

The National Pharmaceuticals Pricing Authority

The National Pharmaceuticals Pricing Authority is the authority for controlling and monitoring the prices and availability of medicines.

State-Level Authorities

At the state level, each state has a separate MoHFW, Directorate of Healthcare Services and DoHFW, which are responsible for organising and delivering healthcare services, consisting of participants from both the public and private sectors. The State Drug Standard Control Organisation (SDSCO) is responsible for regulation of the manufacture, sale and marketing of drugs in each Indian state.

The organisational structure consists of administrative subordinate offices at regional/zonal, district and sub-district level. The public healthcare system consists of primary (community health centres), secondary (sub-district hospitals), and tertiary (district hospitals and medical colleges) care centres. Primary and secondary care hospitals are in the public sector, whereas tertiary care hospitals are in either the public or private sector. Apart from these, there are several clinics and diagnostic centres set up by individual medical practitioners.

The services provided by the private sector are registered and regulated under national/state councils constituted under the Clinical Establishment (Registration and Regulation) Act 2010, while the public sector comes under the authority of the MoHFW and state health ministries. At the district level, local self-government institutions (Panchayati Raj) are responsible for establishing primary health centres in rural areas.

The following are the key regulatory developments pursuant to the rise of digital healthcare in India and which are expected to have the biggest impact on the governance and growth of digital healthcare.

  • The Indian government issued the Telemedicine Practice Guidelines (TPG) in March 2020, which cover the norms and standards of registered medicine practitioners to consult patients via telemedicine. Telemedicine includes all channels of communication with the patient that leverage information technology platforms, including voice, audio, text, and digital data exchange.
  • The proposed DISHA Bill in 2018 is to standardise and regulate the processes related to the collection, storing, transmission and use of digital health data, and to ensure the reliability, data privacy, confidentiality and security of that digital health data.
  • The government also issued the Health Data Management Policy in October 2020 to impose standards for data privacy protection in India.
  • In April 2022, after receiving the public comments, the NHA released a Draft Health Data Retention Policy (HDR Policy) for further consultation. The HDR Policy aims to create a uniform system governing the operation of data fiduciaries, data processors, health information providers/users and data repositories within the National Digital Health Ecosystem.

These regulations will address many ambiguities from the legal, regulatory and compliance perspectives, for service providers as well as consumers. More accountability, governance and grievance-redressal mechanisms, which have comparable speed, ease and efficiency to that of the digital healthcare services, are some other primary needs for this sector.

The MoHFW enforces laws relating to healthcare in India. The National Medical Commission enforces the provisions related to medical education and practice under the National Medical Commission Act 2019.

The CDSCO and the SDSCO enforce regulations relating to the manufacture, distribution and sale of drugs and cosmetics under the Drugs and Cosmetics Act 1940 (D&C Act). The central government can confiscate, regulate, restrict or prohibit the manufacture, sale or distribution of some drugs and impose a ban on certain drugs. The court can further impose penalties and imprisonment for offences under the D&C Act.

Currently, there are no digital healthcare-specific non-healthcare regulatory agencies.

The new healthcare technologies, while providing fast and convenient services to consumers, also pose several questions and concerns. In addition to the protection under consumer protection laws, more specific regulatory regimes with respect to data privacy and an expert regulatory body in each state, as well as at the national level for grievance redressal, are some of the immediate requirements.

Preventative and Diagnostic Care Systems

Preventative care includes services such as routine health screenings and check-ups that detect health issues at an early stage. Preventive health check-up tests help to ascertain the measures to be taken to prevent any disease.

The diagnostic care system includes services that diagnose a disease based on already existing symptoms, such as ultrasound, radiology and laboratory tests.

Regulatory Regimes Applicable to Preventative and Diagnostic Healthcare

India does not have a specific law on preventative or diagnostic health check-ups. The existing Indian laws also do not describe the terms “preventive healthcare” or “diagnostic healthcare”.

However, the following regulations contain provisions relating to preventive and diagnostic healthcare in India.

  • The Occupational Safety, Health and Working Conditions Code 2020 mandates every employer to provide an annual health examination or free tests to employees in specific types of work, such as factories, mines, construction work, dock work, cigar manufacturers and any other establishments prescribed by the government. The code also mandates employers to conduct free medical examinations and investigations to detect occupational diseases.
  • The Income Tax Act 1961 allows individuals to claim the benefit of tax deductions on the health insurance premium, including on Preventative Health Check-ups. 
  • The Telemedicine Guidelines 2020 prescribe rules on healthcare services provided for diagnosis, treatment and prevention of disease and injuries using telecommunications and digital communication technologies.
  • In 2015, the Indian government established the Free Diagnosis Service Initiative directing States to:
    1. ensure availability of a minimum set of diagnostics;
    2. reduce high expenditure on diagnostics;
    3. enable initiation and continuation of appropriate treatment based on accurate diagnosis and use of appropriate diagnostics to screen patients; and
    4. improve the quality of healthcare and patients’ experience.
  • The Indian government has also launched a few initiatives to promote preventative healthcare, such as “Ayushman Bharat: Focus on Preventive and Promotive Health”, the “Fit India Movement” and “Eat Right India”. 
    1. The Ayushman Bharat guidelines, launched in 2018, are a framework for health and wellness centres to provide healthcare services. The guidelines require these centres to have the capacity to provide basic diagnostics and screening capacities and are in accordance with Free Diagnosis Service Initiative.
    2. The Fit India Movement was launched in 2019 to promote fitness. The Fit India mobile app was released under this initiative to track fitness levels, steps, sleep and calorie intake, as well as offering diet plans.
    3. The Eat Right India Initiative was launched in 2019 to ensure the availability of safe and wholesome food for people in India.
  • The Insurance Regulatory and Development Authority of India issued Guidelines on Wellness and Preventative Benefits in September 2020 which are applicable to all life, general and health insurance companies. These guidelines suggest that insurance companies include wellness provisions in their policies, such as discounts on health check-ups, diagnostics, vouchers for memberships in yoga centres, gyms, sports clubs and fitness centres.
  • The Indian healthcare system is slowly moving from a treatment approach to a preventative care approach. The COVID-19 pandemic led to shortage of hospital beds, oxygen, and doctors, which led the healthcare industry to realise the importance of preventative care. The pandemic enabled people to access technology including wearable gadgets, online platforms, home-based test kits, etc, to monitor their health status.

The following factors have resulted in the increased use of preventative healthcare in India.

  • COVID-19 pandemic: the pandemic was a wake-up call for people to get their health under control. The pandemic led to a high death rate across the country due to shortage of hospital beds, oxygen and doctors. This pushed people to take preventative measures at home, such as adopting healthy eating habits to build their immune system and periodically tracking and monitoring their health using wearable and medical devices such as oximeters, blood pressure monitors, blood glucose monitors and nebulisers.
  • Telemedicine and telehealth: the adoption and increase in teleconsultation services in India has led to an increase in preventative healthcare. As people could not physically visit health practitioners during the pandemic, they availed themselves of remote consultations on preventative measures with the help of video/audio calls and text messages. Telehealth proved to be a cost-effective and faster way to use preventative measures. The country also experienced a tremendous increase in telecounselling services for patients suffering from mental health issues. An increase in online/live fitness (yoga or workout) programmes and platforms has also helped people to control their health and fitness from the comfort of their home.
  • Government initiatives: as stated previously, the Government of India has launched a few initiatives to promote preventive healthcare, such as “Ayushman Bharat: Focus on Preventive and Promotive Health”, the “Fit India Movement” and “Eat Right India” (see 4.1. Preventative Versus Diagnostic Health).
  • Social trends: social media influencers have increased the awareness of preventative measures and have played a great role in encouraging people to adopt healthy lifestyles and regular fitness regimes.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the Privacy Rules) describe physical, physiological and mental health conditions, medical records and medical history as “sensitive personal data or information”.

The terms “fitness and wellness information” are not separately regulated or defined under Indian law.

Broadly, any information relating to a medical health condition is categorised as sensitive personal data and is currently regulated by the Privacy Rules.

As explained in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information, the Privacy Rules prescribe mandatory principles for handling and processing sensitive personal data by the body corporates handling such information. There is no separate law in India to regulate health data. The DISHA Bill proposes to regulate privacy and security measures for health-related data. The Health Data Management Policy issued by the MoHFW also lays down principles for health data protection. The DISHA Bill and the Health Data Management Policy are mainly based on the principles of the Privacy Rules.

The right to privacy of all citizens is a part of the fundamental right to life and personal liberty under Articles 19 and 21 of the Constitution of India. The Supreme Court of India has recognised the right to privacy as a fundamental right in the landmark judgment of Justice K S Puttaswamy (Rtd) and Another v Union of India and Others (2017) 10 SCC 1.

Pursuant to the aforementioned judgment, the Ministry of Electronics and Information Technology formed the Justice BN Srikrishna Committee, which introduced the Draft Personal Data Protection Bill 2019 in the lower house of the Indian Parliament (the Lok Sabha) on 11 December 2019. After consulting various stakeholders, including government agencies, regulatory bodies, companies, law firms and academic experts, the Ministry of Electronics and Information Technology introduced a revised Digital Personal Data Protection Bill 2022 (PDP Bill) in November 2022. Once enacted, the PDP Bill will become a comprehensive data protection law in India. The revised PDP Bill introduced the concept of deemed consent, the right to nominate as a data subject, omission of data localisation, the penalty for non-compliance of up to 500 crores, etc.

Currently, the Privacy Rules provide the security practices and procedures that a body corporate or any person collecting, receiving, possessing, storing, dealing or handling information on behalf of the body corporate is required to observe for protecting personal data of users.

The MoHFW released the draft Public Health (Prevention, Control and Management of Epidemics, Bioterrorism and Disasters) Act in 2017. The MoHFW is in the process of finalising the provisions of the bill and it is expected to be introduced in Parliament this year. This bill will replace the existing Epidemic Disease Act 1897, which was implemented to control the bubonic plague. There have been no amendments or regulations made under the Epidemic Disease Act since its implementation.

The Bill empowers central, state, district and local authorities to adopt several procedures to control the spread of epidemic-prone diseases. The Bill empowers the states to conduct medical examinations as well as provide treatment to persons suffering from such diseases.

Further, as explained in 4.1 Preventative Versus Diagnostic Healthcare, the Occupational Safety, Health and Working Conditions Code, Income Tax, Telemedicine Guidelines, Guidelines on Wellness and Preventive Benefits and various government initiatives currently address preventative healthcare in India.

In recent years, several technology companies in India have developed solutions to issues in the healthcare industry, such as the following:

  • Qure.ai provides AI products to healthcare professionals to conduct preventative screenings, early detection, emergency care, and treatment adherence, etc;
  • Niramai Health Analytix has developed an AI-based sensing device to detect breast cancer;
  • HealthifyMe provides AI-based virtual assistance, which helps users to track calorie intake and answer queries relating to fitness and nutrition;
  • Artelus has developed an AI-based diabetic retinopathy screening system; and
  • Tricog has developed products that interpret and analyse ECG reports and echocardiograms. 

The main challenge presented by these companies relates to data protection and patient privacy. Although the Privacy Rules are applicable to health data, the increase in these new technologies in India requires a robust and comprehensive data protection regime.

The internet of medical things (IoMT) has completely transformed the healthcare sector in India and enabled healthcare practitioners to connect faster with patients, even in remote areas, and to deliver better services. Further, the use of internet and mobile devices has increased exponentially in India and connectivity is widely available, even in the majority of rural areas.

Technologies such as AI, telemedicine, augmented and virtual reality, and wearable devices (smart watches and fitness bands) have changed the landscape of the healthcare system in India. IoMT is being significantly used in India for tracking health and symptoms, treatment of disease, telemonitoring patients’ health conditions, tracking medicine dosage, etc.

The COVID-19 pandemic has led to an increase in the need for remote patient monitoring and consultation and a reduction in hospital visits. This has been greatly assisted by the IoMT.

There has been an increase in demand for homecare facilities following discharge from hospital. Many healthcare service providers and hospitals in India now provide an intensive care unit system that can be set up at home. The system includes electronic medical records, audio visuals, a smart alert system, response tools, 24-7 monitoring and assessment systems.

A healthcare practitioner or a hospital can be held liable for medical negligence in cases of an adverse healthcare outcome. In this regard, there are both civil and criminal liabilities for medical negligence in India.

As regards civil liability, a complaint can be filed in the Consumer Court against the hospital (if the doctor is an employee of a hospital) or a doctor or a healthcare practitioner under the Consumer Protection Act 2019 (CP Act), claiming compensation for damages suffered by the consumer. The CP Act defines the term “deficiency” as “any fault, imperfection, shortcoming or inadequacy in the quality, nature and manner of performance which is required to be maintained by or under any law for the time being in force or has been undertaken to be performed by a person in pursuance of a contract or otherwise in relation to any service and includes any act of negligence or omission or commission by such person which causes loss or injury to the consumer.”

As regards criminal liability, medical negligence is treated as an offence under the Indian Penal Code 1860 (IPC). The IPC prescribes that if a person commits a rash or negligent act due to which human life or personal safety of others is threatened, such act is punishable by a maximum two-year prison term or a maximum fine of INR1,000 (USD15 approximately), or both.

Health practitioners or hospitals have the following defences:

  • anything which occurs because of an accident or misfortune and without criminal intention or knowledge in the doing of a lawful act in a lawful manner by lawful means and with proper care and caution is not an offence;
  • anything done that is likely to cause harm, but without any intention to cause harm and in good faith to avoid other damages to a person;
  • anything done in good faith for the good of other people and does not intend to cause harm even if there is a risk involved and the patient has given implicit or explicit consent.

There are various case laws where the Supreme Court of India has granted compensation to patients in cases of medical negligence.

The Supreme Court has also recognised the Bolam Test in Jacob Mathew v State of Punjab (2005) 6 SCC 1 as a standard of ascertaining whether the act of a person would be an act of an ordinary competent person exercising ordinary skill in that profession.

In the recent case of Harish Kumar Khurana v Joginder Singh (2021 SCC SC 673), the Supreme Court observed that every death of a patient cannot, on the face of it, be considered as death due to medical negligence, unless there is material on record to that effect.

In every case where the treatment is not successful or the patient dies during surgery, it cannot be automatically assumed that the medical professional was negligent. The Court further observed that the principle of res ipsa loquitur is only applicable where the negligence is obvious. Mere legal principles and a general standard of assessment are not sufficient in the case in question as there was no clear medical evidence that the patient’s condition could not withstand the surgery.

The IoMT collects and shares a high amount of medical data of users with health practitioners, which makes it vulnerable to misuse. The patient’s medical information is considered sensitive personal data under the Privacy Rules.

The contracts and healthcare institution policies are governed by the following currently applicable laws in India:

  • the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 (IMCR) imposes patient confidentiality obligations on medical practitioners; and
  • the principles embedded in the Privacy Rules, such as:
    1. the patient’s consent before collection, storage, transfer or processing of health data;
    2. the body corporate/healthcare institution must have a privacy policy in place as per the Privacy Rules; and
    3. implementation of reasonable security practices and procedures for protecting the patient’s health data.

The principles of Privacy Rules and privacy policy are explained in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information.

The MoHFW introduced the DISH Bill in 2017 to regulate the generation, collection, storage, transmission, access and use of all digital health data. The DISH Bill also provides for the establishment of a National Digital Health Authority as a statutory body to enforce privacy and security measures for health data and to regulate the storage and exchange of health records. The principles in the DISH Bill are based on the PDP Bill. However, the DISH Bill does not specifically define “internet of medical things” or “internet of things”.

The MoHFW has also approved a Health Data Management Policy based on the PDP Bill to govern data in the National Digital Health Ecosystem. The Health Data Management Policy also does not specifically define internet of medical things or internet of things; however, the policy is applicable to all methods of contact, including via internet or email.

The provisions of the DISH Bill and Health Data Management Policy are explained in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information.

The MoHFW issued a notification on 11 February 2020 (the “MoHFW Notification”) specifying that medical devices be treated as drugs with effect from 1 April 2020. Therefore, all the regulations and compliances applicable to drugs are also applicable to medical devices. The MoHFW Notification stipulates that a medical device is an instrument, apparatus, appliance, implant, material or other article, including software or an accessory, for the purposes of:

  • diagnosis, prevention, monitoring, treatment or alleviation of any disease or disorder;
  • diagnosis, monitoring, treatment, alleviation or assistance for any injury or disability;
  • investigation, replacement or modification or support of the anatomy or of a physiological process;
  • supporting or sustaining life;
  • disinfection of medical devices; and
  • control of conception.

The DCGI is responsible for the administration and approval of manufacturing, importing or marketing of medicinal products and medical devices in India. As a medical device now includes software, the DCGI is also responsible for software as a medical device. The D&C Act and the Drugs and Cosmetics Rules 1945 (DCR Rules), and the Medical Devices Rules 2017 (MDR) govern approvals and define whether a product is categorised as a drug or any other category.

The CDSCO classifies medical devices into four main categories, based on the risk of use.

However, currently, there are no specific regulatory frameworks or guidelines to categorise or classify software as a medical device in India. Therefore, it is difficult to ascertain which computer software/mobile application qualifies to be a medical device. This is a challenge common to application service providers, developers and stakeholders in India.

Similarly, there is no clarity on whether the Prices Control Order, which is applicable to drugs, will also apply to medical software applications and whether they will be able to control the price of their digital health-related software products.

Also, there is currently no specific legal framework in India for software based on AI and machine learning.

It is the common consensus of stakeholders in India that the government should adopt effective regulatory frameworks based on risk of use, and AI/machine learning, similar to the International Medical Device Regulation Forum’s medical software device framework and the US FDA’s Artificial Intelligence and Machine Learning Software as a Medical Device Action Plan.

India uses the New England Journal of Medicine (NEJM) Catalyst definition of “telehealth”, namely the delivery and facilitation of health and health-related services including medical care, provider and patient education, health information services, and selfcare via telecommunications and digital communication technologies. Telehealth is a broad term used for technology for health and health-related services, including telemedicine.

Telehealth is a solution for providing timely and faster access to medical treatment. It also reduces the costs and efforts associated with travel to receive medical treatment, especially for people in rural India. The telecommunication technologies can also maintain patients’ medical records and can help patients manage their medication and diseases better. Telehealth has proven to be very beneficial in India, especially during the COVID-19 pandemic.

There have been various efforts made to promote telehealth in India. The India Virtual Hospital, a medical technology service in India, launched the Patient Care App, which enables doctors to track a patient’s health and recovery. Another health-tech company has recently launched an online platform, iCliniq, where users can get medical advice from doctors/medical practitioners, physicians and therapists from the USA, the UK, UAE, India, Singapore, Germany, and other countries, using emails, online chats and video and audio calls. Another Indian company set up a virtual hospital for cancer patients in 2019 for online consultation, treatment planning, and cancer treatment management.

India currently does not have specific legislation that regulates telehealth or the use of online platforms in respect of telehealth.

As a result of the COVID-19 pandemic, the Indian government issued the Telemedicine Practice Guidelines (TPG) which are intended to enhance healthcare services and enable access to all. The guidelines are meant for registered medical practitioners, and prescribe the norms and standards for consulting patients, including all channels of communication with the patient that leverage IT platforms, including voice, audio, text and digital data exchange.

The TPG specifically exclude specifications for hardware or software, infrastructure building and maintenance, data management systems, standards and interoperability or the use of digital technology to conduct surgical or invasive procedures remotely. Other aspects of telehealth, such as research and evaluation and the continuing education of healthcare workers and consultations outside the jurisdiction of India, are also included in the guidelines.

The TPG mandates a registered medical practitioner to obtain consent from the patient before a telemedicine consultation. If the patient voluntarily initiates the telemedicine consultation, the consent is implied.

The principles regarding medical ethics, data privacy and confidentiality apply to the registered medical practitioners.

The TPG prescribes that the telemedicine consultations must be treated the same way as in-person consultations, from a fee perspective. The registered medical practitioner must also provide a receipt/invoice for the fee charged for the telemedicine consultation.

The internet of medical things (IoMT) includes digital medical devices and software applications used to provide effective and efficient services to patients and to reduce the cost of healthcare. Recent technologies, such as sensors, wearable devices, health apps, telemedicine, AI, oxygen and heart monitors, are widely used in India. The IoMT technologies make it easier for doctors and medical practitioners to track the progress of treatment and recovery in real time.

In the wake of the COVID-19 pandemic, the medical establishment began urging people to adopt the IoMT for teleconsultations, remote monitoring and treatment, thereby eliminating hospital visits. The Indian government has encouraged hospitals to adopt electronic health records containing patients’ health history and records.     

An increase in IoMT technologies also brings an increase in the data privacy risks and related issues because of the lack of adequate and specific regulations, a lack of awareness among the users and the service providers’ lack of compliance in the absence of a comprehensive legal framework in the country.

Technological issues, such as the compatibility of hardware and software with cloud services, are also a factor to be taken into consideration.

5G networks were launched in India in 2022. The higher speed and connectivity and low latency in the 5G network have boosted advanced telehealth solutions and improved the healthcare system in India. 5G networks ensure more effectiveness and efficiency in teleconsultations and remote monitoring of patients as well as the handling of patients’ health data.

5G networks are also helpful in the country’s rural areas, which lack adequate telecommunication infrastructure, through the following:

  • faster transmission of large health data files;
  • high-quality video/audio telecommunications between doctors and patients;
  • improved use of augmented and virtual reality; and
  • enhanced use of AI in healthcare devices.

Information relating to a person’s health is categorised as sensitive personal information under the Privacy Rules. The Privacy Rules lay down mandatory principles of data privacy to be followed by the body corporates that handle and process sensitive personal information.

The primary requirement for body corporates under the Privacy Rules is to obtain written consent from the information provider before collecting and processing the sensitive personal data. Prior consent is also required for sharing sensitive personal data with third parties.

The information provider must be informed of the fact that sensitive personal data is being collected, the intended purpose of its use and whether it will be transferred to any third parties, along with the contact details of the agency collecting the information. It is also mandatory under the Privacy Rules for the body corporates to have a privacy policy containing the type of sensitive personal information collected, the purpose of collection, disclosure of that information, and the reasonable security practices and procedures to be implemented by the body corporates. India does not yet have a comprehensive data protection law. However, the government has issued the PDP Bill, which is intended to become a comprehensive data protection law in the country.

There is no separate legislation in India regulating data privacy issues for digital health. However, the proposed DISH Bill aims to address the data privacy issues relating to digital health, and is primarily based on the principles laid down under the PDP Bill. The MoHFW has also issued the Health Data Management Policy, which outlines the principles for the protection of an individual’s personal digital health data privacy.

The DISH Bill proposes that a clinical establishment may, by duly obtaining written consent (on paper or electronically) from the owner, lawfully collect the required health data after informing the owner of the data of the following:

  • the rights of the owner, including the right to refuse to give consent to the generation and collection of their data;
  • the purpose of the collection of their health data;
  • identity of the recipients to whom the health data may be transmitted or disclosed, after being converted into a digital format; and
  • the identity of the recipients who may have access to that digital health data, on a need-to-know basis.

Further, the clinical establishment or any other entity must furnish a copy of the consent form to the owner of the data.

The current regulations do not specifically regulate the sharing of personal health data by a wearable healthcare device.

The Privacy Rules do not prescribe de-identification or anonymisation of data. However, the DISH Bill and Health Data Management Policy define “anonymisation” as the process of permanently deleting all personally identifiable information from an individual’s digital health data. “De-identification” is defined as the process of removing, obscuring, redacting or de-linking all personally identifiable information from an individual’s digital health data in a manner that eliminates the risk of unintended disclosure of the identity of the owner and that, if necessary, makes it possible for the data to be linked to the owner again.

The DISH Bill proposes that de-identified or anonymised data must be used only for the following purposes:

  • improve public health activities and facilitate the early identification and rapid response to public health threats and emergencies, including bio-terror events and infectious disease outbreaks;
  • facilitate health and clinical research and healthcare quality;
  • promote the early detection, prevention, and management of chronic diseases;
  • carry out public-health research, review and analysis, and policy formulation; and
  • undertake academic research and other related purposes.

The Health Data Management Policy prescribes that data fiduciaries may make anonymised or de-identified data in an aggregated form available for the following purposes:

  • facilitating health and clinical research, academic research;
  • archiving;
  • statistical analysis;
  • policy formulation;
  • the development and promotion of diagnostic solutions; and
  • any other purposes that may be specified by the National Digital Health Mission (NDHM).

The NDHM must set out a procedure through which any entity seeking access to anonymised or de-identified data will be required to provide relevant information, such as its name, purpose of use and nodal person of contact. Subject to approval being granted under this procedure, the anonymised or de-identified data must be made available to that entity on whatever terms may be stipulated on its behalf.

Any entity provided access to de-identified or anonymised data must not, knowingly or unknowingly, take any action that has the effect of re-identifying any data principal or the effect of any such data no longer remaining anonymised.

The data fiduciary that is undertaking to anonymise or de-identify data must be responsible for ensuring compliance with the procedure for the anonymisation or de-identification as set out by the NDHM. The de-identification or anonymisation of data by a data fiduciary must be done in accordance with technical processes and anonymisation protocols that may be specified by the NDHM. The technical processes and anonymisation protocols must be periodically reviewed by the NDHM.

The Information Technology Act 2000 prescribes that a body corporate that possesses sensitive personal data and is negligent in implementing and maintaining reasonable security practices and procedures will be liable to pay damages by way of compensation. It also prescribes that if a body corporate has obtained sensitive personal data without the consent of the information provider, and discloses the information to any other person, this is punishable by a maximum two-year prison term or a maximum fine of INR100,000 (approximately USD1,400), or both.

New technologies are emerging in the digital health sector in India, including AI and machine learning. Currently, India does not have any legislation to regulate technologies such as AI/machine learning. However, the TPG prescribes that the telemedicine platforms based on AI/machine learning are not permitted to counsel patients or prescribe any medicines to a patient. The technologies such as AI, the Internet of Things and advanced data science-based decision support systems may be used only to assist and support the clinical decisions of a registered medical practitioner. In all cases, the final prescription or counselling must be delivered directly by a registered medical practitioner.

With the growth of AI technologies in India, the Indian government authorised the public policy think tank, the National Institution for Transforming India Commission (NITI Aayog) to address strategy on AI-based technologies/machine learning in the agriculture and health sectors. In June 2018, the NITI Aayog issued a discussion paper on national strategy for artificial intelligence for healthcare, agriculture, education, smart cities and infrastructure and smart mobility and transportation. The discussion paper recognised AI, combined with robotics and IoMT, as the new nervous system for healthcare in India, presenting solutions to address healthcare problems. Currently, the NITI Aayog is reportedly working with a large Indian hospital, the Tata Memorial Centre, to launch a digital pathology and imaging bio-bank for cancer detection.

AI/machine-learning technologies use and share the medical conditions of patients with doctors/medical institutions; this information is considered sensitive personal data under the Privacy Rules. The Privacy Rules prescribe mandatory compliance with the principles of data protection by body corporates that handle, store and process sensitive personal data.

In February 2021, the NITI Aayog issued principles for the responsible use of AI. The NITI Aayog stated that the AI solutions must comply with the principles of data protection laid down in the PDP Bill, such as consent, purpose limitation and rights to the information provider. AI solutions must maintain the privacy and security of medical information/data, which is sensitive personal data, and ensure sufficient safeguards.

Electronic health records (EHR) can ensure the easy accessibility of a patient’s records from anywhere at any time, easy storage, and can help in tracking the patient’s progress. The DISH Bill and Health Data Management Policy also promote EHRs. The Indian government issued recommendations in 2016 on different standards for different purposes in respect of EHRs. For example, ISO/TS 22220:2011 Health Informatics – Identification of Subjects of Health Care, must be complied with to obtain basic identity details of patient; ISO/TS 14441:2013 Health Informatics – Security & Privacy Requirements of EHR Systems for Use in Conformity Assessment must be complied with to maintain basic data security and privacy requirements, and ISO TS 14265:2011 is for the processing of personal health information.

The 2016 EHR standards recommendations stipulate that only those persons, including organisations, duly authorised by the patient may view the recorded data or part thereof. The term “security” refers to all recorded personally identifiable data, which will at all times be protected from any unauthorised access, particularly during transport (eg, from healthcare provider to provider, healthcare provider to patient). The term “trust” refers to that person, persons or organisations (doctors, hospitals, and patients). The 2016 EHR standards recommendations are based on the principles of data protection laid down under the Privacy Rules.

The Ayush Grid Project

The Ayush Grid Project is developed by the Ministry of Ayush with the aim of creating a comprehensive information technology backbone for the health sector, which envisages digitisation of service delivery across the six functional areas – health services, education, research, drug administration, and medicinal plants.

Currently, there are no proposed or enacted regulations in India that address the use of AI and machine learning data in healthcare. 

Companies developing healthcare technologies in India are operating without specific legislation on digital healthcare and, as a result, many general laws are applicable to such companies, such as the Privacy Rules, CPA, IPC, etc. The healthcare providers must have a privacy policy under the Privacy Rules for collection, storage, processing and transfer of health data (ie, sensitive personal data). The Privacy Rules prescribe additional compliances for such digital healthcare providers, especially if they qualify as an intermediary under the Information Technology Act 2000 (IT Act).

Digital healthcare companies collect huge amounts of sensitive personal data from users; therefore they must adopt reasonable security practices and policies to adhere to the Privacy Rules.

In the absence of specific legal provisions governing digital healthcare using virtual assistance and AI, companies using such technologies must comply with the Privacy Rules as well as the TPG.

Further, digital healthcare service providers are required to ensure that a user’s medical prescription is not automatically generated; each prescription must be thoroughly verified and expressly endorsed by a registered medical practitioner. However, in the absence of specific legal guidance, the service providers will have to comply with requirements under multiple laws and regulations.

The D&C Rules mandate that every prescription must be in writing and signed by the registered medical practitioner. However, online service providers are finding it difficult to generate such prescriptions with the practitioner’s signature and companies are now looking to generate prescriptions using the practitioner’s digital signature to be considered as valid under the IT Act provisions. The Delivery Notification issued by the MoHFW also allows medicines to be delivered based on receipt of a prescription physically or by email.

Similarly, there is no specific law to regulate e-pharmacies in India. Currently, e-pharmacies are required to comply with the licence requirements and online prescription requirements under the D&C Act as well as the IT Act. The MoHFW has issued Draft E-Pharmacy Rules, 2018 (“draft rules”) to regulate e-pharmacies under the D&C Act, which are yet to be enacted. Additionally, e-pharmacies are also required to comply with the Delivery Notification.

India is developing and adopting various technologies in the fields of telehealth, AI/machine learning and the IoT in order to adopt the digital healthcare system. The IT infrastructure must be able to manage and secure the large amount of health data collected by the devices. Besides this, India requires a comprehensive data privacy and protection law to address the privacy and security risks related to digital health data.

Currently, there are no proposed or enacted regulations in India on the implementation of IT upgrades.

The digital healthcare system thrives on novel ideas, inventions, and advancements in software applications and smart devices. Indian intellectual property laws allow for the protection of patents, copyrights, trade marks and designs. From the digital health standpoint, the key areas of development are in the area of software.

Patents Act 1970 (Patents Act)

In India, patents are examined, granted and administered by the Patents Act, which complies with the Trade-Related Aspects of Intellectual Property Rights agreement. India is also a signatory to the Paris Convention, in addition to the Patent Co-operation Treaty. A digital health mechanism is essentially a software/computer program. Although the Patents Act excludes protection for standalone computer programs (Section 3(k) of the Patents Act), a piece of software claimed in conjunction with a novel hardware element will be patentable in India (Guidelines for Examination of Computer-Related Inventions 2017). Further, the Delhi High Court recently held that a computer program that demonstrates a technical effect or a technical contribution will be patentable in India. Software patents are subject to other restrictions under the Patents Act, including Section 3(i) of the Patents Act, which excludes patent protection for any process for medicinal, surgical, curative or other treatment of human beings or animals.

The Patent Office has granted several patents for software programs that involve hardware elements. Therefore, digital health mechanisms, including computer software/programs embedded in mobile software applications, wearable devices, etc, may be protected in India, as long as they include a novel hardware element.

Copyright Act 1957 (CRA)

The CRA provides for copyright protection in India. The CRA provides that a copyright subsists in the form of original literary, dramatic, musical or artistic work, cinematographic films and sound recordings. Although copyright registration is not mandatory for protection in India, a copyright registration will serve as evidence of the copyright in the work. The CRA covers computer programs under the purview of literary work; therefore, the literary portions of a computer program, including the source code, are protected under the CRA.

Trade Marks Act 1999 (TM Act)

The TM Act provides for trade mark protection in India. The TM Act not only accords statutory protection for registered trade marks, but also recognises common law protection for unregistered trade marks in India. Trade mark protection in India extends to any device, brand, label, word, shape of goods, packaging or combination of colours, or any combinations thereof. Under Indian law, digital healthcare providers can claim trade mark protection for their brand names, logos, labels, names of devices/software applications, shape of medical goods or wearable devices, packaging, etc.

Designs Act 2000 (Designs Act)

The Designs Act provides for protection of industrial designs in India, and it extends to features of shapes, configurations, patterns, ornaments or composition of lines, or colours that are applied to an article. From the digital health standpoint, the key areas where design protection is available are the graphical user interface of software applications, mobile applications, or similar computer programs used on medical devices, the screen layout of a program, etc, so long as they do not fall within the exceptions under the Designs Act.

Trade Secrets

Currently, there is no legislation or statutory protection for trade secrets in India. However, different courts in India have extended protection for trade secrets and confidential information, provided that the information’s confidentiality is reflected in contractual documents, such as Confidentiality Agreements, Non-Disclosure Agreements, and reasonable and legally enforceable non-compete clauses in the agreements.

There is no specific legislation or statutory protection for databases in India, nor in respect of data and databases used in machine learning. However, the CRA provides protection to a computer database under the purview of literary work. The CRA also provides protection for databases by granting rights associated with the labour involved in compiling and presenting data in a particular form.

Patent Protection

The grant of patent enables the patent owner to prevent others from infringing the invention (ie, manufacturing or selling the invention without the owner’s consent). The protection enables the owner to enjoy a monopoly over the invention and to license the patent to a third party and gain profits. The patent grant also allows owners to publicly disclose their invention, potentially attracting investors, stakeholders, and consumers.

One of the key challenges faced by patent applicants in India is the lack of straightforward, broad protection for software patents. A digital health mechanism is essentially software in the form of a computer program or a mobile software application. The Patents Act excludes protection for standalone computer programs (Section 3(k) of the Patents Act), unless the protection for such a program is claimed in conjunction with a novel hardware element. Further, software patents are also subject to other restrictions under the Patents Act, including Section 3(i) of the Patents Act, which excludes patent protection for any process for medicinal, surgical, curative or other treatment of human beings or animals.

Additionally, while the term of a trade mark can be extended indefinitely by renewing the registration every ten years, patent protection in India is only valid for 20 years.

Also, patent protection can be expensive for companies as the official fees for filing and periodic maintenance of the patents can run into several thousands of dollars, especially if the applicants choose to protect their inventions in other jurisdictions. Further, initiating a patent infringement suit and defending a patent in Indian courts may also involve significant costs. However, the 2016 amendment to the Patents Rules 2003 offers heavily discounted fees for start-up companies and small enterprises.

Finally, there is a significant backlog in many departments of the Patent Office’s examination section. However, patent applicants can engage qualified local attorneys who can help expedite the patent prosecution by taking measures, such as carrying out proper freedom to operate searches, understanding the filing requirements beforehand, thereby avoiding objections and consequent delays at the examination stage. An attorney’s personal rapport with the Patent Office officials may also help in understanding the nature of objections and resolving them in a timely manner.

The timeframes of patent prosecution are gradually shortening as a result of modernisation of patent offices and an increase in the number of examiners.

Copyright Protection

Copyright protection prevents losses arising from piracy. Although copyright registration is not mandatory in India, copyright registration makes it easier to prove copyright ownership in courts.

Trade Mark Protection

One of the key advantages of trade mark protection in India is that the proprietors can continue to extend the life of trade marks indefinitely by renewing the protection every ten years. Moreover, the recent amendments to the Trade Marks Rules 2003 have introduced discounted official fees applicable to start-up companies and small enterprises.

The Indian Courts fully recognise the rights of patent owners and grant protection in infringement matters. In the case of Indoco Remedies Ltd v Bristol Myers Squibb Holdings, 2020 (83) PTC 551 (Del), the Delhi High Court prohibited Indoco from selling the drug “APIXABID”, as Bristol is a patent owner of the drug “APIXABAN” for treating COVID-19 and which was easily available to consumers.

In the case of Microsoft Corporation and Another v Kanhaiya Singh and Another, 5 W.P.(CRL) 558/2016, the Delhi High Court directed the defendant to pay compensation for damages and prohibited them from software piracy and passing off Microsoft’s software. There is also much leading case law in India on various issues of trade mark infringement and passing off, allowing the owners to claim proprietary rights over their trade marks in exclusion of others.

There are multiple types of licensing arrangements used in India, which are applicable to digital healthcare, such as software, patent, copyright and technology licensing.

Broadly, there are three types of intellectual property licensing arrangements used in India:

  • exclusive licensing, whereby only the licensee is authorised to use the intellectual property;
  • non-exclusive licensing, allowing one party to license the intellectual property to more than one licensee; and
  • sole licensing, whereby only the licensor and licensee may use the intellectual property.

The ownership of IP in India varies under different IP laws. With regard to copyright, the employer (university or healthcare institution) will be the first owner of the copyright, not the physician or the inventor. However, this will not apply to copyright in a work developed by an independent contractor. Regarding patents, the inventor will be the first owner, irrespective of whether they are an employee or a contractor.

In India, the institutions or universities or employers enter into development agreements with their employees. Standard development agreements normally provide that all the IP developed by the employees/inventors/researchers under the agreement will be assigned to and owned by the employers.

The TPG prescribes that the platforms based on AI/machine learning are not permitted to counsel or prescribe any medicines to a patient. However, technologies such as AI, the IoT and advanced data science-based decision support systems may be used only to assist and support the clinical decisions of a registered medical practitioner. In all cases, the final prescription or counselling has to be delivered directly by the registered medical practitioner. Therefore, the liability falls on the doctors or other medical service providers. Consumers can claim compensation from doctors/hospitals under the CP Act. Criminal liability can be imposed on the doctors, on grounds such as:

  • causing death by negligence;
  • endangering the life or personal safety of others;
  • causing hurt by an act endangering the life or personal safety of others; and
  • causing grievous hurt by an act endangering the life or personal safety of others.

Third parties supplying products and services to healthcare institutions can be subject to civil and criminal liabilities, penalties and actions under the CP Act. They can also be held liable for penalties prescribed under the IT Act for data breaches.

ANA Law Group

7th Floor Keshava
Bandra Kurla Complex
Bandra East
Mumbai
400 051
India

+91 22 6112 8484

+91 22 6112 8485

anoop@anaassociates.com www.anaassociates.com

Trends and Developments



In the three years since the outbreak of the pandemic, India has experienced a remarkable upsurge in the digitalisation of the healthcare system. This is manifested in the widespread use of technologically advanced tools for rapid testing, effective diagnoses, telemedicine, teleconsultations, and home delivery of medicines, among other applications. Telemedicine and teleconsultations, in particular, have grown in popularity, with many people opting for these digitally-driven services over traditional healthcare services.

Emerging Technologies in Digital Healthcare in India

Telemedicine

Telemedicine refers to the practice of employing various information and communication technologies to facilitate virtual healthcare, where both the patient and the healthcare provider interact remotely. This encompasses the use of tools for conducting patient consultations through video, audio, or text-based mediums. While telemedicine has been prevalent in India for quite some time, the COVID-19 pandemic triggered a significant surge in its adoption. According to a survey by Practo, a prominent Indian health-tech firm, in-person appointments saw a 32% drop while online medical consultations skyrocketed by an astounding 300% between March and November 2020.

In view of this, the Ministry of Health and Family Welfare of India (MoHFW) introduced the Telemedicine Practice Guidelines (TPG) in March 2020. The TPG were introduced to assist medical practitioners in providing effective, safe and fast medical care online. The TPG prescribe regulations relating to:

  • the physician-patient relationship;
  • issues of liability and negligence;
  • evaluation, management and treatment;
  • informed consent;
  • continuity of care;
  • referrals for emergency services;
  • medical records;
  • privacy and security of the patient records and exchange of information;
  • prescribing;
  • reimbursement;
  • health education; and
  • counselling.

The TPG are applicable to registered medical practitioners (ie, those who are enrolled in the State Medical Register or the Indian Medical Register under the erstwhile Indian Medical Council Act 1956 and current National Medical Commission Act 2019 (“NMC Act”)). Under the existing framework, the TPG do not apply to registered medical practitioners outside India.

With multiple lockdowns and movement restrictions throughout the country during the last two years, healthcare workers and doctors have been using telemedicine solutions to provide timely and faster access to patients. Telemedicine was found to be cost-effective and significantly reduced the difficulties associated with patients travelling to visit a hospital or doctor. Telecommunication technologies can also maintain patients’ medical records and help patients to manage their medication and diseases better.

During the nationwide lockdown in 2020–21, as patients were forced to stay at home, healthcare practitioners started to provide remote consultations using video or audio calls and text messages. During that time, technology-based consultations were also extended to COVID-19 patients with mild symptoms where hospitalisation was not required.

In addition, many healthcare organisations and doctors have been providing online counselling for the increased number of people with mental health issues caused by COVID-19 quarantine measures. This includes non-affected people whose mental health was adversely affected by the lockdown.

Further, there were various efforts made to promote telehealth in India. The India Virtual Hospital, a medical technology service, launched the Patient Care App, which enables doctors to track patients’ health and recovery periodically. Another health-tech company has recently launched an online platform, iCliniq, where users can receive medical advice from medical practitioners, physicians and therapists from the USA, UK, UAE, India, Singapore, Germany, and other countries, using email, online chat and video and audio calls. Another Indian company set up a virtual hospital for cancer patients in 2019, for online consultation and treatment planning and management.

The Indian Council of Medical Research (ICMR) approved the first self-test COVID-19 kit in May 2021, which enabled users to conduct COVID-19 tests at home and obtain results within 20 minutes through a mobile app. As at March 2022, the ICMR has approved ten such self-testing kits, including those manufactured by foreign companies, such as Roche, Abbott, and Healgen. Moreover, the ICMR has declared that the US-FDA approved antigen-based COVID-19 self-test kits are exempted from ICMR validation.

Telemedicine platforms are currently governed under the NMC Act, together with:

  • the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 (“IMC Regulations”),
  • the Drugs and Cosmetics Act 1940 (“D&C Act”),
  • the Drugs and Cosmetic Rules 1945 (“D&C Rules”),
  • the Clinical Establishment (Registration and Regulation) Act 2010,
  • the Information Technology Act 2000 (“IT Act”), and
  • the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“Privacy Rules”).

Further, in cases of medical negligence, an aggrieved person may lodge a complaint before the relevant consumer forum under the Consumer Protection Act 2019, within two years from the date of injury. Similarly, a civil suit for damages, a criminal petition under the Indian Penal Code 1860, or a complaint with the NMC can also be initiated. Currently, there is no law in India that governs online consultation provided by foreign medical practitioners.

Wearable devices

Several wearable devices are now available in India that can track heart rates, blood oxygen levels, water consumption, weight, sleep patterns and diet. These devices allow patients to self-detect any physiological changes in the body and alert them to issues that may be arising. All medical devices are regulated by the NMC Act, IMC Regulations, the Medical Devices Rules 2017, the IT Act and the Privacy Rules. Although there are no specific rules or regulations pertaining to wearable devices, the above-mentioned Acts will apply to such devices as well. Under the current regulatory framework, medical wearable devices require registration and approval from the Central Drugs Standard Control Organisation (CDSCO) in India.

For instance, the CDSCO recently approved three medical wearable devices in India, namely the Smart Vital, Vital 3.0 and Vital EGC from GOQii, a California-based fitness company. These devices measure body temperature, pulse oximeter, heart rate, sleep, blood pressure, steps taken and exercise performed.

There has been a significant rise in the number of online pharmacies in India that deliver medicines to patients’ homes in the past few years, more so during the pandemic. Although the manufacture and sale of medicines are regulated by the D&C Act, D&C Rules, Registration and Regulation Act, NMC Act and IMC regulations, there is currently no law in India that specifically governs online pharmacies. The MoHFW issued a notification in August 2018 to amend the D&C Rules to bring online pharmacies under its purview (“Draft Rules”).

The Draft Rules include provisions for the sale of drugs by e-pharmacies. Further, the Draft Rules define the term “e-pharmacy” as the distribution or sale, stocking, exhibiting or offering for sale of drugs through a web portal or any other electronic means. The Draft Rules contain provisions for registration and validity of e-pharmacies; conditions for registration imposed on the e-pharmacies such as location, disclosure of information, the procedure for distribution and sale, etc. While the Draft Rules are yet to be enacted, e-pharmacies in India currently require registration with the CDSCO.

Online pharmacies will also have to adhere to the Privacy Rules in relation to collecting, handling and processing patients’ sensitive personal information, including financial information, bank account details, physical, physiological and mental health data, sexual orientation, medical records and history, and biometric information.

Artificial intelligence (AI) 

AI-based systems are used for disease diagnosis and also for treatment purposes. Robotic surgeries allow doctors to perform complicated procedures with the help of automated machines. AI is also used for vaccine development, thermal screening, CT scans, etc. The AI-based systems are also regulated by the NMC Act, IMC Regulations, the Medical Devices Rules, 2017, IT Act and the Privacy Rules. India is home to several globally renowned multi-speciality hospitals and centres that are equipped with highly sophisticated technologies. With the increasing role of robotic surgeries and AI in healthcare in India, the Insurance Regulatory and Development Authority of India issued Guidelines on Standard Individual Health Insurance Product in January 2020, directing insurers to cover robotic surgeries under their standard health insurance policies.

Electronic Health Records (EHR) 

Digital health data records provide easy access to patients’ medical history so that doctors can have relevant consultations and make recommendations, in an efficient and timesaving manner. Digital health records also eliminate duplication of tests and significantly save costs. Many private general, multi-speciality, and super-speciality hospitals in India maintain EHR databases; however, most government hospitals have not as yet upgraded to their use.

The MoHFW enacted the Electronic Health Record Standards in 2013, and revised these standards in December 2016 by issuing the new Electronic Health Record Standards 2016 (“EHR Standards”). All EHR technologies must comply with the EHR Standards. These EHR Standards are largely based on the principles of data protection laid down under the Privacy Rules. Most recently, the Indian state of Kerala successfully deployed an efficient EHR system by collecting and storing the EHRs of over 25.8 million people as part of its e-Health project. This initiative has allowed patients to walk into any government hospital without needing to bring any paper records with them.

With the increasing demand for contactless procedures, especially since the pandemic, several state governments are in the process of adopting EHR systems and other such digital mechanisms to maintain health records.

Online aggregators for health services 

There are several new online platforms in India that allow users to search for doctors with different specialities in a particular region. These platforms also allow users to book online appointments with doctors and provide reviews and ratings of these doctors. Currently, there is no specific law in India that regulates online health aggregator platforms. However, the MoHFW issued a direction in January 2021 to all state governments to regulate online health aggregator platforms. Under the existing regulatory framework, as with online pharmacies, these online health aggregator platforms will require registration with the CDSCO.

The increasing number of technologies collecting health data gives rise to concerns relating to data protection and the privacy of patients. Information relating to a person’s health is categorised as sensitive personal information under the Privacy Rules. The Privacy Rules lay down mandatory principles of data privacy to be followed by the body corporates collecting, handling and processing sensitive personal information. India does not currently have a comprehensive data protection law. The Indian government introduced the Personal Data Protection Bill 2019 (“PDP Bill”) in the lower house of the Indian Parliament, which was referred to a Joint Parliamentary Committee (JPC). The JPC presented a revised version of the PDP Bill in Parliament in December 2021. Once enacted, the PDP Bill will become a comprehensive data protection law in India.

There is no specific law in India that regulates digital health tools and digital health data. However, the government has taken several new initiatives to address the privacy concerns relating to digital health in India, as explained below.

Healthcare Regulatory Developments in India

The Indian government enacted the draft Digital Information Security in Healthcare Act 2018 (the “DISHA Bill”) to protect the digital health data of Indian citizens. The DISHA Bill defines the term “digital health data” as an electronic record of health-related information about an individual. The government proposed the DISHA Bill to standardise and regulate the processes related to collection, storing, transmission and use of digital health data, and to ensure the reliability, data privacy, confidentiality and security of such data. However, India is yet to adopt legislation to regulate and govern digital health tools in India.

As a temporary measure, the Indian government issued the TPG in March 2020, which contain norms and standards for registered medical practitioners to consult patients via digital means. The TPG regulate all channels of communication with patients that leverage information technology platforms, including voice, audio, text, and digital data exchange.

The Indian government also issued the Health Data Management Policy in October 2020 to impose standards for data privacy protection in India. The DISHA Bill and the Health Data Management Policy are both based on the data privacy principles laid down under the PDP Bill.

In 2020, the Indian government introduced the National Digital Health Mission in India based on the Health Data Management Policy. The National Digital Health Mission was renamed “Ayushman Bharat Digital Mission” in 2021 and aims to develop an integrated digital health infrastructure in India. Under this Mission, the government has introduced the ABHA App, which allows users to store, access and share their health data with health centres and healthcare professionals who are registered with the Mission. The users are given full control over their health data. The app is also integrated with Sandbox, which will test the products and technology used by the registered health companies before rolling it out to large numbers of consumers. In April 2022, after receiving public feedback, the NHA released a Draft Health Data Retention Policy (HDR Policy) for further consultation. The HDR Policy aims to create a uniform system for governing the operation of data fiduciaries, data processors, health information providers/users and data repositories within the National Digital Health Ecosystem.

In the Union Budget 2022, the Indian government announced the release of an open platform for the National Digital Health Ecosystem, containing digital registries of health providers and access to health facilities. The Indian government has also announced the launch of the National Telehealth Programme in 2022 to enable people of all ages to access quality mental health counselling and care services. The programme is expected to establish 23 telehealth centres for mental health in India.

The government also launched the Unified Health Interface in 2022, a digital healthcare platform that will connect healthcare service providers with patients for bookings, consultations, etc.

Other Emerging Trends and Developments in India

The rise in digital solutions

Besides the use of telemedicine/telehealth in the Indian healthcare sector, there was a rapid increase in digital payments during the COVID-19 pandemic. People of all age groups have become accustomed to carrying out digital payments to reduce physical contact. There has been a momentous increase in mobile applications and online platforms that allow doorstep delivery of groceries, medicines and other products and services.

Work-from-home policy

The work-from-home policy and online meetings through Zoom, Google Meet and Microsoft Teams have been adopted across every industry and have seen a tremendous rise since the beginning of the pandemic. Many healthcare professionals and non-frontline workers, including therapists, psychiatrists and dieticians, have been conducting programmes, seminars and consultations using these platforms.

5G network in India

India is in the process of launching the 5G network. The rapid increase in the use of digital solutions demands higher speed and connectivity. The 5G network will ensure more effective and efficient teleconsultations, remote monitoring of patients and handling of patients’ health data.

The 5G network will also facilitate faster transmission of large health data files and will provide better video/audio telecommunications between doctors and patients, improve the use of augmented and virtual reality and enhance the use of AI in healthcare devices.

Role of social media platforms 

Social media platforms, such as Facebook, Instagram, Twitter and WhatsApp, have been very popular in India, and their use has only increased since the pandemic.

For example, when a second wave of COVID-19 hit in India in 2021 and resulted in a shortage of oxygen cylinders and hospital beds, social media platforms played a key role in providing people with information on the availability of oxygen cylinders and hospital beds around the country.

Social media platforms have also enabled patients to connect with relevant organisations such as NGOs that supply and deliver oxygen cylinders and other ICU equipment to set up at home. Additionally, many healthcare professionals and doctors in India have been consistently posting and sharing videos on social media, providing free consultations and guidance to people to tackle the virus.

Notwithstanding, the Indian government has been regularly discouraging people from taking unsolicited and unprofessional COVID-19-related advice from social media. However, many reputable health experts and physicians still continue to provide such advice on social media, which is not currently prohibited by the government. It appears that government organisations are allowing professional and genuine healthcare experts to provide COVID-19 advice on social media.

The Indian government has from time to time ordered social media platforms, including Twitter, Facebook, Instagram and YouTube, to remove posts that were fake and misleading, as well as those that were critical of its handling of the pandemic.

The Ministry of Electronics and Information Technology (MEITY) enacted the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 on 25 February 2021. The Guidelines require digital media platforms to:

  • implement grievance redressal mechanisms;
  • appoint resident grievance officers;
  • actively monitor content on the platform;
  • issue monthly compliance reports; and
  • adopt self-regulation mechanisms and an oversight mechanism deployed by the MEITY.

Online legal proceedings

Amid the COVID-19 pandemic, the courts and tribunals, including the Trade Marks Registry, the Patent Office and the Design Office (“IP Offices”), in India have been conducting hearings and other meetings through video conference (VC) facilities. There is even a proposal under consideration to do away with physical hearings. The adoption of VC hearings in IP offices has not only expedited the resolution of pending IP applications and opposition proceedings but has also increased the transparency of the entire process. The Delhi High Court has issued specific rules for conducting VC proceedings.

These VC proceedings have made the administrative and legal procedures much faster and more efficient, allowing companies, brand owners, inventors and other stakeholders to obtain faster protection of their intellectual property and to resolve legal disputes in an effective manner.

Conclusion

Considering the country’s size, demography and the size of the rural population without adequate access to the healthcare infrastructure, India has significant scope to develop advanced and affordable digital healthcare technologies and platforms. With regard to the legal regime, India has not thus far enacted a robust law on digital healthcare. Currently, India is in the process of enacting specific laws on digital healthcare, information security and personal data protection. A robust and unified digital health law may evolve very soon, given the pace of transformation in the healthcare sector.
