“Digital health” and “digital medicine” have been gaining traction in India over the past few years, and have been heavily promoted since the COVID-19 pandemic; however, from a legal and regulatory standpoint, they remain undefined under existing Indian laws. Digital health, as defined by the World Health Organization, is understood as a broad umbrella term encompassing eHealth, as well as emerging areas, such as the use of advanced sciences in big data, genomics and artificial intelligence. Digital health platforms include the information and communication tools (digital medicine products) used for improving and enhancing healthcare services.
Existing Indian laws do not define the terms “digital health” or “digital medicine”. However, the earlier issued Draft Digital Information Security in Healthcare Act 2018 defined “digital health data” as an electronic record of health-related information about an individual, including information regarding:
The Ministry of Health and Family Welfare (MoHFW) released the revised Draft Digital Information Security in Healthcare Act 2022 (the “DISHA Bill”), which removed the definition of the expression “digital health data”.
Further, the Telemedicine Practice Guidelines (TPG), issued by the Indian government in March 2020, adopted the World Health Organization’s definition of telemedicine as “The delivery of healthcare services, where distance is a critical factor, by all healthcare professionals using information and communication technologies for the exchange of valid information for diagnosis, treatment and prevention of disease and injuries, research and evaluation, and for the continuing education of healthcare providers, all in the interests of advancing the health of individuals and their communities.”
The following are some of the key emerging technologies in India in the field of digital healthcare.
Telemedicine
There has been significant growth and advancement in the field of telemedicine and teleconsultation in India. This includes the use of information and communications tools for healthcare services with the virtual presence of both the patient and the healthcare provider. The tools are used for carrying out technology-based patient consultation communication via video, audio and text. Under the existing legal framework, the telemedicine practices in India are primarily governed by the TPG and the Information Technology Act 2000 (the “IT Act”).
Wearable Devices
India has witnessed a tremendous increase in the use of wearable devices for health monitoring. Although these digital technologies have existed and have been used for several years, their use for more specific purposes, and also as an alternative to conventional physical health monitoring, has increased since the COVID-19 pandemic. The preliminary screening of one’s health data without having to visit a hospital or a diagnostic centre has bolstered the growth and prominence of digital technologies. Several wearable devices are now available in India, featuring heart-rate trackers, blood oxygen-level trackers and other devices including water consumption, weight, sleep and diet monitors. Wearable devices that are capable of being utilised for diagnosing, preventing, monitoring or treating any disease or disorder are categorised as “drugs” from time to time by the Central Government by notification in the Official Gazette under the Drugs & Cosmetics Act, 1940 (the “D&C Act”).
Online Pharmacies
There has been a significant rise in the number of online pharmacies delivering medicines to patients’ homes in India, more so since the pandemic. While the D&C Act and its allied rules, and the Pharmacy Act, 1948 (the Pharmacy Act) govern the manufacture, sale and distribution of pharmaceutical and cosmetic products in India, there are currently no specific laws that regulate online pharmacies. The MoHFW issued a draft amendment to the Drugs and Cosmetics Rules 1945 (D&C Rules) to regulate e-pharmacies under the D&C Act, which is yet to be enacted.
Artificial Intelligence
AI-based systems have witnessed significant growth in India for the diagnosis of diseases and for treatment purposes.
One of the major emerging issues is that the increasing number of digital and other new technologies in the healthcare industry is giving rise to concerns about data protection and the privacy of patients.
Although most of the data collection, storage and usage by healthcare providers complies with India’s applicable data privacy laws, there are critical issues with the misuse of this data for other commercial purposes and the breaching of privacy obligations. The absence of adequate training and awareness building concerning the aspects of data privacy among the people collecting, processing and handling such data on the digital health platform also aggravates the situation.
Additionally, the absence of a specific law to regulate these aspects is a major concern. Although the MoHFW has issued the DISHA Bill, it has not yet become law. Further, the MoHFW has issued a Health Data Management Policy to promote the National Digital Health Mission, which lays down principles for the protection of an individual’s digital health data privacy.
The MoHFW
The MoHFW is the apex authority in the organisational structure of the healthcare system in India. The MoHFW is comprised of two departments, (i) the Department of Health and Family Welfare (DoHFW), which is responsible for organising and delivering all national health programmes; and (ii) the Department of Health Research, which is responsible for the promotion of health and clinical research, development of health research and ethics guidelines, grants for research training, etc, in India.
The Ministry of AYUSH
The Ministry of Ayurveda, Yoga and Naturopathy, Unani, Siddha and Homeopathy (AYUSH) develops and promotes research in alternative medicine practices. The central government’s responsibilities include policy making, planning, guiding, assisting, evaluating and co-ordinating the work of the various state-level health authorities, and providing funding to implement national health programmes.
The Central Drugs Standard Control Organisation (CDSCO)
The CDSCO is the National Regulatory Authority of India and is responsible for the approval of drugs, conducting clinical trials, laying down the standards for drugs and control over the quality of imported drugs in India. The Drug Controller General of India (DCGI) is the head of the CDSCO and is responsible for licensing and controlling the functions of the CDSCO.
The National Medical Commission and the National Health Authority
The recently constituted National Medical Commission (NMC) regulates and governs medical practice in India, including the promotion of equitable and universal healthcare, enforcement of ethical standards, and the establishment of a grievance redressal system, among others. Besides this, the MoHFW recently established the National Health Authority (NHA), which acts as the apex body responsible for implementing public health assurance schemes, developing strategy, building healthcare technological infrastructure and implementing the “National Digital Health Mission” in India.
The Ayushman Bharat Digital Mission (ABDM)
MoHFW introduced the National Digital Health Mission (NDHM) on 15 August 2020 to create a digital health ecosystem, and recently renamed it as Ayushman Bharat Digital Mission (ABDM). ABDM aims to develop the backbone necessary to support the integrated digital health infrastructure of the country.
Under ABDM, every citizen gets a unique health account (Ayushman Bharat Health Account), which acts as a digital repository of all health-related data of an individual. The ABHA ID is voluntary and free of cost and enables access and exchange of health records of citizens with their consent. It also enables interaction with participating healthcare providers and allows the participants to receive their digital lab reports, prescriptions and diagnoses from verified healthcare professionals and health service providers. It has been reported that, as of December 2023, over 50 crore ABHA IDs have been created and 33 crore health records digitally linked under ABDM.
The Healthcare Professionals Registry (HPR) under ABDM is a comprehensive repository of all healthcare professionals involved in the delivery of healthcare services across both modern and traditional systems of medicine. Enrolling in the HPR enables them to connect with India’s digital health ecosystem.
The Health Facility Registry (HFR) is a repository of health facilities across different systems of medicine. Participating entities of the ABDM must register as healthcare providers. It includes both public and private health facilities, such as hospitals, clinics, diagnostic laboratories and imaging centres, pharmacies, etc.
The ABHA mobile app will have electronic records of health-related information that conform to nationally recognised interoperability standards and that can be drawn from multiple sources while being managed, shared and controlled by the individual. Such information can be fully controlled by the individual.
Unified Health Interface (UHI)
The UHI is a network of open protocols under the NHA that facilitate interoperability in health services. Through UHI-enabled applications, patients can search for, book and pay for services offered by a variety of participating providers from any application of their choice.
The services under UHI will include teleconsultation to book an online consultation with any doctor; booking physical appointments; discovering the availability of critical care beds; booking home visits for lab sample collections; and booking an ambulance.
The ABDM has recently launched a new initiative that has revolutionised the way patients register for Outpatient Department (OPD) services at hospitals in India. The new initiative enables patients to use their smartphones to scan a QR code and share their verified demographic data with hospitals’ Health Management Information Systems (HMIS) with just one click. This has drastically reduced the waiting time for patients and ensured accurate data entry into the HMIS, doing away with the need for patients to stand in long queues.
The National Pharmaceuticals Pricing Authority
The National Pharmaceuticals Pricing Authority is the authority for controlling and monitoring the prices and availability of medicines.
State-Level Authorities
At the state level, each state has a separate MoHFW, Directorate of Healthcare Services and DoHFW, which are responsible for organising and delivering healthcare services, consisting of participants from both the public and private sectors. The State Drug Standard Control Organisation (SDSCO) is responsible for the regulation of the manufacture, sale and marketing of drugs in each Indian state.
The organisational structure consists of administrative subordinate offices at regional/zonal, district and sub-district levels. The public healthcare system consists of primary (community health centres), secondary (sub-district hospitals), and tertiary (district hospitals and medical colleges) care centres. Primary and secondary care hospitals are in the public sector, whereas tertiary care hospitals are in either the public or private sector. Apart from these, there are several clinics and diagnostic centres set up by individual medical practitioners.
The services provided by the private sector are registered and regulated under national/state councils constituted under the Clinical Establishment (Registration and Regulation) Act 2010, while the public sector comes under the authority of the MoHFW and state health ministries. At the district level, local self-government institutions (Panchayati Raj) are responsible for establishing primary health centres in rural areas.
The following are the key regulatory developments pursuant to the rise of digital healthcare in India and which are expected to have the biggest impact on the governance and growth of digital healthcare.
These regulations will address many ambiguities from the legal, regulatory and compliance perspectives, for service providers as well as consumers. More accountability, governance and grievance-redressal mechanisms, which have comparable speed, ease and efficiency to that of digital healthcare services, are some other primary needs for this sector.
The MoHFW enforces laws relating to healthcare in India. The National Medical Commission enforces the provisions related to medical education and practice under the National Medical Commission Act 2019.
The CDSCO and the SDSCO enforce regulations relating to the manufacture, distribution and sale of drugs and cosmetics under the Drugs and Cosmetics Act 1940 (D&C Act). The central government can confiscate, regulate, restrict or prohibit the manufacture, sale or distribution of some drugs and impose a ban on certain drugs. The court can further impose penalties and imprisonment for offences under the D&C Act.
Currently, there are no digital healthcare-specific non-healthcare regulatory agencies.
The new healthcare technologies, while providing fast and convenient services to consumers, also pose several questions and concerns. In addition to the protection under consumer protection laws, more specific regulatory regimes for data privacy and an expert regulatory body in each state, as well as at the national level for grievance redressal, are some of the immediate requirements.
Preventative and Diagnostic Care Systems
Preventative care includes services such as routine health screenings and check-ups that detect health issues at an early stage. Preventive health check-up tests help to ascertain the measures to be taken to prevent any disease.
The diagnostic care system includes services that diagnose a disease based on already existing symptoms, such as ultrasound, radiology and laboratory tests.
Regulatory Regimes Applicable to Preventative and Diagnostic Healthcare
India does not have a specific law on preventative or diagnostic health check-ups. The existing Indian laws also do not describe the terms “preventive healthcare” or “diagnostic healthcare”.
However, the following regulations contain provisions relating to preventive and diagnostic healthcare in India:
The following factors have resulted in the increased use of preventative healthcare in India.
The terms “fitness and wellness information” are not separately regulated or defined under Indian law.
However, organisations and companies are given a compliance period until the Data Protection Board is set up, as the DPDP Act still serves as “regulatory guidance” pending notification. It is anticipated that the Central Government will pass a notification to make the DPDP Act effective by the end of 2024. Any information relating to a medical health condition is categorised as sensitive personal data and continues to be regulated by the SPDI Rules.
As explained in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information, the SPDI Rules prescribe mandatory principles for handling and processing sensitive personal data by the body corporate handling such information. There is no separate law in India to regulate health data. The DISHA Bill proposes to regulate privacy and security measures for health-related data. The Health Data Management Policy issued by the MoHFW also lays down principles for health data protection. The DISHA Bill and the Health Data Management Policy are mainly based on the principles of the SPDI Rules.
Further, the right to privacy of all citizens is a part of the fundamental right to life and personal liberty under Articles 19 and 21 of the Constitution of India. The Supreme Court of India has recognised the right to privacy as a fundamental right in the landmark judgment of Justice K S Puttaswamy (Rtd) and Another v Union of India and Others (2017) 10 SCC 1.
Pursuant to the aforementioned judgment, the Ministry of Electronics and Information Technology (MeitY) formed the Justice BN Srikrishna Committee, which introduced the Draft Personal Data Protection Bill 2019 in the lower house of the Indian Parliament (the Lok Sabha) on 11 December 2019. After consulting various stakeholders, including government agencies, regulatory bodies, companies, law firms and academic experts, the Ministry of Electronics and Information Technology introduced a revised Digital Personal Data Protection Bill 2022 (PDP Bill) in November 2022. The gazetted DPDP Act was based on the 2022 Bill, but certain new provisions were also introduced.
Currently, the SPDI Rules provide the security practices and procedures that a body corporate or any person collecting, receiving, possessing, storing, dealing or handling information on behalf of the body corporate is required to observe to protect the personal data of users.
Provisions related to Protected Health Information (PHI) are governed by the IT Act, along with the SPDI Rules, until the provisions of the DPDP Act are fully notified. Patient data is treated as sensitive personal data or information. Before the DPDP Act, the Government had introduced the DISHA Bill to provide for healthcare data privacy, security and confidentiality, and for the establishment of the National Electronic Health Authority (NeHA) and Health Information Exchanges.
The DPDP Act has removed the concept of deemed consent and specified that consent should be specific, free, unconditional, unambiguous and informed. Withdrawal of consent should also be permitted. The Consent Manager should be managing the data principles. A notice must be given to the data principal before seeking consent for processing of their personal data. The notice should contain details about the personal data to be collected, the purpose of processing, as well as the manner in which the data principal may withdraw its consent, avail the grievance redressal mechanism, and make a complaint to the Data Protection Board.
When the DPDP Act is made effective by notification, health data can be processed by the data fiduciary as a legitimate use if there is a medical emergency that involves a threat to life or an immediate threat to the health of a data principal or any other person, or if there is a situation such as an epidemic, outbreak of a disease or any other threat to public health.
The MoHFW released the draft Public Health (Prevention, Control and Management of Epidemics, Bioterrorism and Disasters) Act in 2017. The MoHFW is in the process of finalising the provisions of the bill and it is expected to be introduced in the Parliament soon. This bill will replace the existing Epidemic Disease Act 1897, which was implemented to control the bubonic plague. There have been no amendments or regulations made under the Epidemic Disease Act since its implementation.
The Bill empowers central, state, district and local authorities to adopt several procedures to control the spread of epidemic-prone diseases. The Bill also empowers the states to conduct medical examinations as well as provide treatment to persons suffering from such diseases.
Further, as explained in 4.1 Preventative Versus Diagnostic Healthcare, the Occupational Safety, Health and Working Conditions Code, Income Tax, Telemedicine Guidelines, Guidelines on Wellness and Preventive Benefits and various government initiatives currently address preventative healthcare in India.
In recent years, several technology companies and start-ups in India have developed solutions to issues in the healthcare industry, such as the following:
The main challenge presented by these companies relates to data protection and patient privacy. Although the SPDI Rules apply to health data, the increase in these new technologies in India requires a robust and comprehensive data protection regime. The exact model of regulation can be assessed once the provisions under the DPDP Act are notified.
The internet of medical things (IoMT) has completely transformed the healthcare sector in India and enabled healthcare practitioners to connect faster with patients, even in remote areas and to deliver better services. Further, the use of internet and mobile devices has increased exponentially in India and connectivity is widely available, even in the majority of rural areas.
Technologies such as AI, telemedicine, augmented and virtual reality, wearable devices (smart watches and fitness bands) have changed the landscape of the healthcare system in India. IoMT is being significantly used in India for tracking health and symptoms, treatment of disease, telemonitoring patients’ health conditions, tracking medicine dosage, etc.
The COVID-19 pandemic has led to an increase in the need for remote patient monitoring and consultation and a reduction in hospital visits. This has been greatly assisted by the IoMT.
There has been an increase in demand for homecare facilities following discharge from the hospital. Many healthcare service providers and hospitals in India now provide an intensive care unit system that can be set up at home. The system includes electronic medical records, audiovisuals, a smart alert system, response tools, 24-7 monitoring and assessment systems.
A healthcare practitioner or a hospital can be held liable for medical negligence in cases of an adverse healthcare outcome. In this regard, there are both civil and criminal liabilities for medical negligence in India.
As regards civil liability, a complaint can be filed in the Consumer Court against the hospital (if the doctor is an employee of a hospital) or a doctor or a healthcare practitioner under the Consumer Protection Act 2019 (CP Act), claiming compensation for damages suffered by the consumer. The CP Act defines the term “deficiency” as “any fault, imperfection, shortcoming or inadequacy in the quality, nature and manner of performance which is required to be maintained by or under any law for the time being in force or has been undertaken to be performed by a person in pursuance of a contract or otherwise in relation to any service and includes any act of negligence or omission or commission by such person which causes loss or injury to the consumer.”
As regards criminal liability, medical negligence is treated as an offence under the Indian Penal Code 1860 (IPC). The IPC prescribes that if a person commits a rash or negligent act due to which human life or personal safety of others is threatened, such act is punishable by a maximum two-year prison term or a maximum fine of INR1,000 (USD15 approximately), or both.
Health practitioners or hospitals have the following defences:
Additionally, when looking at a digital healthcare perspective, the principles of vicarious liability as well as intermediary liability may also be taken into consideration.
There are various case laws where the Supreme Court of India has granted compensation to patients in cases of medical negligence.
The Supreme Court has also recognised the Bolam Test in Jacob Mathew v State of Punjab (2005) 6 SCC 1 as a standard of ascertaining whether the act of a person would be an act of an ordinary competent person exercising ordinary skill in that profession.
In the recent case of Harish Kumar Khurana v Joginder Singh (2021 SCC SC 673), the Supreme Court observed that every death of a patient cannot, on the face of it, be considered as death due to medical negligence, unless there is material on record to that effect.
In every case where the treatment is not successful or the patient dies during surgery, it cannot be automatically assumed that the medical professional was negligent. The Court further observed that the principle of res ipsa loquitur is only applicable where the negligence is obvious. Mere legal principles and a general standard of assessment were not sufficient in the case in question as there was no clear medical evidence that the patient’s condition could not withstand the surgery.
The IoMT collects and shares a large amount of users’ medical data with health practitioners, which makes it vulnerable to misuse. The patient’s medical information is considered sensitive personal data under the SPDI Rules and is accorded the highest level of protection.
Sensitive Data Under DPDP
The contracts and healthcare institution policies are governed by the following currently applicable laws in India:
The principles of SPDI Rules and privacy policy are explained in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information.
The MoHFW introduced the DISHA Bill to regulate the generation, collection, storage, transmission, access and use of all digital health data. The DISHA Bill also provides for the establishment of a National Digital Health Authority as a statutory body to enforce privacy and security measures for health data and to regulate the storage and exchange of health records. However, the DISHA Bill does not specifically define “internet of medical things” or “internet of things”.
The MoHFW has also approved a Health Data Management Policy based on the PDP Bill to govern data in the National Digital Health Ecosystem. The Health Data Management Policy also does not specifically define internet of medical things or internet of things; however, the policy applies to all methods of contact, including via internet or email.
The provisions of the DISHA Bill and Health Data Management Policy are explained in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information.
Currently, there are no specific regulatory frameworks or guidelines to categorise or classify software as a medical device in India.
However, the MoHFW issued a notification on 11 February 2020 (the “MoHFW Notification”) specifying that medical devices be treated as drugs with effect from 1 April 2020. Therefore, all the regulations and compliances applicable to drugs are also applicable to medical devices. The MoHFW Notification stipulates that a medical device is an instrument, apparatus, appliance, implant, material or other article, including software or an accessory for:
On 11 May 2023, the CDSCO released a notification setting up a Clinical Research Organisation (CRO) which will be conducting clinical trials and monitoring the bioavailability and bioequivalence of new drugs; however, they should follow the rules issued by the Central Licensing Authority.
Further, in September 2021, CDSCO released the official guidelines on the classification of the various software as medical devices (SaMD) into four categories based on the intended use and risk factor, as:
The DCGI is responsible for the administration and approval of manufacturing, importing or marketing of medicinal products and medical devices in India. As a medical device now includes software, the DCGI is also responsible for software as a medical device. The D&C Act and the D&C Rules, and the Medical Devices Rules 2017 (MDR) govern approvals and define whether a product is categorised as a drug or any other category.
The Frequently Asked Questions (FAQ) document concerning medical devices, recently released by the CDSCO, provides some guidance regarding some general concerns and challenges in the healthcare industry. For example, the FAQ clarifies that all software qualifying as a “drug” under the D&C Act needs a licence under the Medical Devices Rules 2017 (MD Rules) and is not exempt from the prescribed labelling requirements. In case of any change (including updates) in the version of the software, the manufacturer shall comply with additional requirements prescribed under the MD Rules.
The legal framework for the regulation of software medical devices is currently at an early development stage in India and the regulatory regime for software medical devices will have to address the medical software industry’s needs as well as the potential challenges.
Therefore, it is difficult to ascertain which computer software/mobile application qualifies to be a medical device. This is a challenge common to application service providers, developers and stakeholders in India.
Similarly, there is no clarity on whether the Prices Control Order, which applies to drugs, will also apply to medical software applications and whether they will be able to control the price of their digital health-related software products.
Also, there is currently no specific legal framework in India for software based on AI and machine learning.
It is the common consensus of stakeholders in India that the government should adopt effective regulatory frameworks based on risk of use, and AI/machine learning, similar to the International Medical Device Regulation Forum’s medical software device framework and the US FDA’s Artificial Intelligence and Machine Learning Software as a Medical Device Action Plan.
India uses the New England Journal of Medicine (NEJM) Catalyst definition of “telehealth”, namely the delivery and facilitation of health and health-related services including medical care, provider and patient education, health information services, and self-care via telecommunications and digital communication technologies. Telehealth is a broad term used for technology for health and health-related services, including telemedicine.
Telehealth is a solution for providing timely and faster access to medical treatment. It also reduces the costs and efforts associated with travel to receive medical treatment, especially for people in rural India. Telecommunication technologies can also maintain patients’ medical records and can help patients manage their medication and diseases better. Telehealth has proven to be very beneficial in India, especially during the COVID-19 pandemic.
There have been various efforts made to promote telehealth in India. The India Virtual Hospital, a medical technology service in India, launched the Patient Care App, which enables doctors to track a patient’s health and recovery. Another health-tech company has recently launched an online platform, iCliniq, where users can get medical advice from doctors/medical practitioners, physicians and therapists from the USA, the UK, UAE, India, Singapore, Germany, and other countries, using emails, online chats and video and audio calls. Another Indian company set up a virtual hospital for cancer patients in 2019 for online consultation, treatment planning and cancer treatment management.
To practice medicine in India, one must be a licensed/registered medical practitioner (RMP) and must provide valid medical prescriptions that comply with the D&C Rules. While these are the basic standards to be upheld in in-person medical treatments, India currently does not have specific legislation that regulates telehealth or the use of online platforms in respect of telehealth.
One of the first steps taken by the Indian government relating to telemedicine was the publication of the “Recommended Guidelines and Standards of Telemedicine Practice in India” in 2003. However, the non-binding nature of the guidelines made them insufficient to navigate the various challenges faced.
However, as a result of the COVID-19 pandemic and the immediate necessity for safe and remote medical consultations, the Indian government issued the TPG in 2020, with an intention to enhance healthcare services and enable access to all. The guidelines are meant for RMPs, and prescribe the norms and standards for consulting patients, including all channels of communication with the patient that leverage IT platforms, including voice, audio, text and digital data exchange. Other aspects of telehealth, such as research and evaluation and the continuing education of healthcare workers and consultations outside the jurisdiction of India, are also included in the guidelines. Further, the TPG mandates a registered medical practitioner to obtain consent from the patient before a telemedicine consultation. If the patient voluntarily initiates the telemedicine consultation, consent is implied.
However, the TPG excludes specifications for hardware or software, infrastructure building and maintenance, data management systems, standards and interoperability or the use of digital technology to conduct surgical or invasive procedures remotely.
The principles regarding medical ethics, data privacy and confidentiality apply to registered medical practitioners.
The TPG prescribes that telemedicine consultations must be treated the same way as in-person consultations, from a fee perspective. The registered medical practitioner must also provide a receipt/invoice for the fee charged for the telemedicine consultation.
The internet of medical things (IoMT) includes digital medical devices and software applications used to provide effective and efficient services to patients and to reduce the cost of healthcare. Recent technologies, such as sensors, wearable devices, health apps, telemedicine, AI, oxygen and heart monitors, are widely used in India. The IoMT technologies make it easier for doctors and medical practitioners to track the progress of treatment and recovery in real time.
In the wake of the COVID-19 pandemic, the medical establishment began urging people to adopt the IoMT for teleconsultations, remote monitoring and treatment, thereby eliminating hospital visits. The Indian government has encouraged hospitals to adopt electronic health records containing patients’ health history and records.
An increase in IoMT technologies also brings an increase in data privacy risks and related issues because of the lack of adequate and specific regulations, a lack of awareness among the users and the service providers’ lack of compliance in the absence of a comprehensive legal framework in the country.
Technological issues, such as the compatibility of hardware and software with cloud services, are also factors to be taken into consideration.
5G networks were launched in India in 2022. The higher speed and connectivity and low latency in the 5G network have boosted advanced telehealth solutions and improved the healthcare system in India. 5G networks ensure more effectiveness and efficiency in teleconsultations and remote monitoring of patients as well as the handling of patients’ health data.
5G networks are also helpful in the country’s rural areas, which lack adequate telecommunication infrastructure, through the following:
Information relating to a person’s health is categorised as sensitive personal information under the SPDI Rules. The SPDI Rules lay down mandatory principles of data privacy to be followed by the body corporates that handle and process sensitive personal information.
The primary requirement for body corporates under the SPDI Rules is to obtain written consent from the information provider before collecting and processing the sensitive personal data. Prior consent is also required for sharing sensitive personal data with third parties.
The information provider must be informed of the fact that sensitive personal data is being collected, the intended purpose of its use and whether it will be transferred to any third parties, along with the contact details of the agency collecting the information. It is also mandatory under the SPDI Rules for the body corporates to have a privacy policy containing the type of sensitive personal information collected, the purpose of collection, disclosure of that information, and the reasonable security practices and procedures to be implemented by the body corporates. India does not yet have a comprehensive data protection law. However, the government has issued the PDP Bill, which is intended to become a comprehensive data protection law in the country.
There is no separate legislation in India regulating data privacy issues for digital health. However, the proposed DISHA Bill aims to address the data privacy issues relating to digital health and is primarily based on the principles laid down under the PDP Bill. The MoHFW has also issued the Health Data Management Policy, which outlines the principles for the protection of an individual’s personal digital health data privacy.
The DISHA Bill proposes that a clinical establishment may, by duly obtaining written consent (on paper or electronically) from the owner, lawfully collect the required health data after informing the owner of the data of the following:
Further, the clinical establishment or any other entity must furnish a copy of the consent form to the owner of the data.
The current regulations do not specifically regulate the sharing of personal health data by a wearable healthcare device.
The SPDI Rules do not prescribe de-identification or anonymisation of data. However, the DISHA Bill and Health Data Management Policy define “anonymisation” as the process of permanently deleting all personally identifiable information from an individual’s digital health data. “De-identification” is defined as the process of removing, obscuring, redacting or de-linking all personally identifiable information from an individual’s digital health data in a manner that eliminates the risk of unintended disclosure of the identity of the owner and that, if necessary, makes it possible for the data to be linked to the owner again.
The DISHA Bill proposes that de-identified or anonymised data must be used only for the following purposes:
The Health Data Management Policy prescribes that data fiduciaries may make anonymised or de-identified data in an aggregated form available for the following purposes:
The NDHM must set out a procedure through which any entity seeking access to anonymised or de-identified data will be required to provide relevant information, such as its name, purpose of use and nodal person of contact. Subject to approval being granted under this procedure, the anonymised or de-identified data must be made available to that entity on whatever terms may be stipulated on its behalf.
Any entity provided access to de-identified or anonymised data must not, knowingly or unknowingly, take any action that has the effect of re-identifying any data principal or the effect of any such data no longer remaining anonymised.
The data fiduciary that is undertaking to anonymise or de-identify data must be responsible for ensuring compliance with the procedure for the anonymisation or de-identification as set out by the NDHM. The de-identification or anonymisation of data by a data fiduciary must be done in accordance with technical processes and anonymisation protocols that may be specified by the NDHM. The technical processes and anonymisation protocols must be periodically reviewed by the NDHM.
The Information Technology Act 2000 prescribes that a body corporate that possesses sensitive personal data and is negligent in implementing and maintaining reasonable security practices and procedures will be liable to pay damages by way of compensation. It also prescribes that if a body corporate has obtained sensitive personal data without the consent of the information provider, and discloses the information to any other person, this is punishable by a maximum two-year prison term or a maximum fine of INR100,000 (approximately USD1,400), or both.
New technologies are emerging in the digital health sector in India, including AI and machine learning. Currently, India does not have any legislation to regulate technologies such as AI/machine learning. However, the TPG prescribes that telemedicine platforms based on AI/machine learning are not permitted to counsel patients or prescribe any medicines to a patient. Technologies such as AI, the Internet of Things and advanced data science-based decision support systems may be used only to assist and support the clinical decisions of a registered medical practitioner. In all cases, the final prescription or counselling must be delivered directly by a registered medical practitioner.
With the growth of AI technologies in India, the Indian government authorised the public policy think tank, the National Institution for Transforming India Commission (NITI Aayog) to address strategy on AI-based technologies/machine learning in the agriculture and health sectors. In June 2018, the NITI Aayog issued a discussion paper on national strategy for artificial intelligence for healthcare, agriculture, education, smart cities and infrastructure and smart mobility and transportation. The discussion paper recognised AI, combined with robotics and IoMT, as the new nervous system for healthcare in India, presenting solutions to address healthcare problems. Currently, the NITI Aayog has worked with a large Indian hospital, the Tata Memorial Centre, to launch a digital pathology and imaging bio-bank for cancer detection. The Tata Memorial Hospital is teaching AI to help detect cancer at its early stages.
MEITY has constituted four committees for promoting AI initiatives and developing a policy framework. The committees have submitted their first reports on platforms and data on AI; leveraging AI for identifying national missions in key sectors; mapping technological capabilities; key policy enablers required across sectors; and on cybersecurity, safety, legal and ethical issues.
AI/machine-learning technologies use and share the medical conditions of patients with doctors/medical institutions, which is considered sensitive personal data under the SPDI Rules. The SPDI Rules prescribe mandatory compliance with the principles of data protection by corporate bodies that handle, store and process sensitive personal data.
Electronic health records (EHR) can ensure the easy accessibility of a patient’s records from anywhere at any time, easy storage, and can help in tracking the patient’s progress. The DISHA Bill and Health Data Management Policy also promote EHRs. The Indian government issued recommendations in 2016 on different standards for different purposes in respect of EHRs. For example, ISO/TS 22220:2011 Health Informatics – Identification of Subjects of Health Care, must be complied with to obtain basic identity details of patients; ISO/TS 14441:2013 Health Informatics – Security & Privacy Requirements of EHR Systems for Use in Conformity Assessment must be complied with to maintain basic data security and privacy requirements, and ISO TS 14265:2011 is for the processing of personal health information.
The 2016 EHR standards recommendations stipulate that only those persons, including organisations, duly authorised by the patient, may view the recorded data or part thereof. The term “security” refers to all recorded personally identifiable data, which will at all times be protected from any unauthorised access, particularly during transport (eg, from healthcare provider to provider, healthcare provider to patient). The term “trust” refers to that person, persons or organisations (doctors, hospitals and patients). The 2016 EHR standards recommendations are based on the principles of data protection laid down under the SPDI Rules.
The Ayush Grid Project
The Ayush Grid Project was developed by the Ministry of Ayush along with the MeitY in 2018, to create a comprehensive information technology backbone for the health sector, which envisages digitisation of service delivery across health services, education, research, drug administration and medicinal plants.
Companies developing healthcare technologies in India are operating without specific legislation on digital healthcare and, as a result, many general laws apply to such companies, such as the SPDI Rules, CPA, IPC, etc. The healthcare providers must have a privacy policy under the SPDI Rules for the collection, storage, processing and transfer of health data (ie, sensitive personal data). The SPDI Rules prescribe additional compliances for such digital healthcare providers, especially if they qualify as an intermediary under the Information Technology Act 2000 (IT Act).
Digital healthcare companies collect huge amounts of sensitive personal data from users; therefore, they must adopt reasonable security practices and policies to adhere to the SPDI Rules.
In the absence of specific legal provisions governing digital healthcare using virtual assistance and AI, companies using such technologies must comply with the SPDI Rules as well as the TPG.
Further, digital healthcare service providers are required to ensure that a user’s medical prescription is not automatically generated, but each prescription must be thoroughly verified and expressly endorsed by a registered medical practitioner. However, in the absence of specific legal guidance, the service providers will have to comply with requirements under multiple legislations and regulations.
The D&C Rules mandate that every prescription must be in writing and signed by the registered medical practitioner. However, online service providers are finding it difficult to generate such prescriptions with the practitioner’s signature and companies are now looking to generate prescriptions using the practitioner’s digital signature to be considered valid under the IT Act provisions. The Delivery Notification issued by the MoHFW also allows medicines to be delivered based on receipt of a prescription physically or by email.
Similarly, there is no specific law to regulate e-pharmacies in India. Currently, e-pharmacies are required to comply with the licence requirements and online prescription requirements under the D&C Act as well as the IT Act. Additionally, e-pharmacies are also required to comply with the Delivery Notification.
India is developing and adopting various technologies in the fields of telehealth, AI/machine learning, and the IoT to adopt the digital healthcare system. The IT infrastructure must be able to manage and secure the large amount of health data collected by the devices. Besides this, India requires a comprehensive data privacy and protection law to address the privacy and security risks related to digital health data.
Currently, there are no proposed or enacted regulations in India on the implementation of IT upgrades.
The digital healthcare system thrives on novel ideas, inventions and advancements in software applications and smart devices. Indian intellectual property laws allow for the protection of patents, copyrights, trade marks and designs. From the digital health standpoint, the key areas of development are in the area of software.
Patents Act 1970 (Patents Act)
In India, patents are examined, granted and administered under the Patents Act, which complies with the Trade-Related Aspects of Intellectual Property Rights agreement. India is also a signatory to the Paris Convention, in addition to the Patent Co-operation Treaty. A digital health mechanism is essentially a software/computer program. Although the Patents Act excludes protection for standalone computer programs (Section 3(k) of the Patents Act), a piece of software claimed in conjunction with a novel hardware element will be patentable in India (Guidelines for Examination of Computer-Related Inventions 2017). Further, the Delhi High Court recently held that a computer program that demonstrates a technical effect or a technical contribution will be patentable in India. Software patents are subject to other restrictions under the Patents Act, including Section 3(i) of the Patents Act, which excludes patent protection for any process for medicinal, surgical, curative or other treatment of human beings or animals.
The Patent Office has granted several patents for software programs that involve hardware elements. Therefore, digital health mechanisms, including computer software/programs embedded in mobile software applications, wearable devices, etc, may be protected in India, as long as they include a novel hardware element.
Copyright Act 1957 (CRA)
The CRA provides for copyright protection in India. The CRA provides that a copyright subsists in the form of original literary, dramatic, musical or artistic work, cinematographic films and sound recordings. Although copyright registration is not mandatory for protection in India, a copyright registration will serve as evidence of the copyright in the work. The CRA covers computer programs under the purview of literary work, therefore, the literary portions of a computer program, including the source code, are protected under the CRA.
Trade Marks Act 1999 (TM Act)
The TM Act provides for trade mark protection in India. The TM Act not only accords statutory protection for registered trade marks, but also recognises common law protection for unregistered trade marks in India. Trade mark protection in India extends to any device, brand, label, word, shape of goods, packaging or combination of colours or any combinations thereof. Under Indian law, digital healthcare providers can claim trade mark protection for their brand names, logos, labels, names of devices/software applications, shape of medical goods or wearable devices, packaging, etc.
Designs Act 2000 (Designs Act)
The Designs Act provides for the protection of industrial designs in India, and it extends to features of shapes, configurations, patterns, ornaments or composition of lines, or colours that are applied to an article. From the digital health standpoint, the key areas where design protection can be availed are the graphical user interfaces of software applications, mobile applications or similar computer programs used on medical devices, the screen layout of a program, etc, so long as they do not fall within the exceptions under the Designs Act.
Trade Secrets
Currently, there is no legislation or statutory protection for trade secrets in India. However, different courts in India have extended protection for trade secrets and confidential information, provided that the information’s confidentiality is reflected in contractual documents, such as Confidentiality Agreements, Non-Disclosure Agreements and reasonable and legally enforceable non-compete clauses in the agreements.
There is no specific legislation or statutory protection for databases in India, nor in respect of data and databases used in machine learning. However, the CRA provides protection to a computer database under the purview of literary work. The CRA also provides protection for databases by granting rights associated with the labour involved in compiling and presenting data in a particular form.
Patent Protection
The grant of a patent enables the patent owner to prevent others from infringing the invention (ie, manufacturing or selling the invention without the owner’s consent). The protection enables the owner to enjoy a monopoly over the invention and to license the patent to a third party and gain profits. The patent grant also allows owners to publicly disclose their inventions, potentially attracting investors, stakeholders and consumers.
One of the key challenges faced by patent applicants in India is the lack of straightforward, broad protection for software patents. A digital health mechanism is essentially software in the form of a computer program or a mobile software application. The Patents Act excludes protection for standalone computer programs (Section 3(k) of the Patents Act) unless the protection for such a program is claimed in conjunction with a novel hardware element. Further, software patents are also subject to other restrictions under the Patents Act, including Section 3(i) of the Patents Act, which excludes patent protection for any process for medicinal, surgical, curative or other treatment of human beings or animals.
Additionally, while the term of a trade mark can be extended indefinitely by renewing the registration every ten years, patent protection in India is only valid for 20 years.
Also, patent protection can be expensive for companies as the official fees for filing and periodic maintenance of the patents can run into several thousands of dollars, especially if the applicants choose to protect their inventions in other jurisdictions. Further, initiating a patent infringement suit and defending a patent in Indian courts may also involve significant costs. However, the 2016 amendment to the Patents Rules 2003 offers heavily discounted fees for start-up companies and small enterprises.
Finally, there is a backlog in many departments of the Patent Office’s examination section. However, patent applicants can engage qualified local attorneys who can help expedite the patent prosecution by taking measures, such as carrying out proper freedom to operate searches and understanding the filing requirements beforehand, thereby avoiding objections and consequent delays at the examination stage. An attorney’s personal rapport with the Patent Office officials may also help in understanding the nature of objections and resolving them promptly.
The timeframes of patent prosecution are gradually shortening as a result of the modernisation of patent offices and an increase in the number of examiners.
Copyright Protection
Copyright protection prevents losses arising from piracy. Although copyright registration is not mandatory in India, copyright registration makes it easier to prove copyright ownership in courts.
Trade Mark Protection
One of the key advantages of trade mark protection in India is that the proprietors can continue to extend the life of trade marks indefinitely by renewing the protection every ten years. Moreover, the recent amendments to the Trade Marks Rules 2003 have introduced discounted official fees applicable to start-up companies and small enterprises.
The Indian Courts fully recognise the rights of patent owners and grant protection in infringement matters. In the case of Indoco Remedies Ltd v Bristol Myers Squibb Holdings, 2020 (83) PTC 551 (Del), the Delhi High Court prohibited Indoco from selling the drug “APIXABID”, as Bristol is a patent owner of the drug “APIXABAN” for treating COVID-19 and which was easily available to consumers.
In the case of Microsoft Corporation and Another v Kanhaiya Singh and Another, 5 W.P.(CRL) 558/2016, the Delhi High Court directed the defendant to pay compensation for damages and prohibited them from software piracy and passing off Microsoft’s software. There is also much leading case law in India on various issues of trade mark infringement and passing off, allowing the owners to claim proprietary rights over their trade marks in exclusion of others.
There are multiple types of licensing arrangements used in India, which apply to digital healthcare, such as software, patent, copyright and technology licensing.
Broadly, there are three types of intellectual property licensing arrangements used in India:
The ownership of IP in India varies under different IP laws. With regard to copyright, the employer (university or healthcare institution) will be the first owner of the copyright, not the physician or the inventor. However, this will not apply in the case of an independent contractor-developed copyright. Regarding the patents, the inventor will be the first owner, irrespective of whether they are an employee or a contractor.
In India, institutions, universities, or employers enter into development agreements with their employees. Standard development agreements normally provide that all the IP developed by the employees/inventors/researchers under the agreement will be assigned to and owned by the employers.
The TPG prescribes that the platforms based on AI/machine learning are not permitted to counsel or prescribe any medicines to a patient. However, technologies such as AI, the IoT and advanced data science-based decision support systems may be used only to assist and support the clinical decisions of a registered medical practitioner. In all cases, the final prescription or counselling has to be delivered directly by the registered medical practitioner. Therefore, the liability falls on the doctors or other medical service providers. Consumers can claim compensation from doctors/hospitals under the CP Act. Criminal liability can be imposed on the doctors, on grounds such as:
Third parties supplying products and services to healthcare institutions can be subject to civil and criminal liabilities, penalties and actions under the CP Act. They can also be held liable for penalties prescribed under the IT Act for data breaches.
Digitisation of healthcare mechanisms has seen an exponential increase in India in the past five years, with people using health-related technological advancements for rapid testing, effective diagnosis, telemedicine, teleconsultation and home delivery of medication, etc. Telemedicine and teleconsultation were seen as emerging trends, with many people utilising the technological advances in this area as opposed to traditional healthcare services.
Telemedicine refers to the use of various information and communication tools for healthcare where the presence of both the patient and the healthcare provider is virtual. Telemedicine includes the tools used for carrying out technology-based patient consultations via video, audio or text. Although telemedicine has been in use in India for many years, the COVID-19 pandemic caused a significant increase in its adoption. A survey from Practo, an Indian health-tech company, recently estimated that there was a 32% drop in in-person appointments and a massive 300% growth in online medical consultations between March and November 2020.
In view of this, the Ministry of Health and Family Welfare of India (MoHFW) introduced the Telemedicine Practice Guidelines (TPG) in March 2020. The TPG was introduced to assist medical practitioners in providing effective, safe, and fast medical care online. The TPG prescribes regulations relating to:
The TPG applies to registered medical practitioners (ie, those who are enrolled in the State Medical Register or the Indian Medical Register under the erstwhile Indian Medical Council Act 1956 and current National Medical Commission Act 2019 (“NMC Act”)). Under the existing framework, the TPG does not apply to registered medical practitioners outside India.
With multiple lockdowns and movement restrictions throughout the country during the pandemic, healthcare workers and doctors have been using telemedicine solutions to provide timely and faster access to patients. Telemedicine was found to be cost-effective and significantly reduced the difficulties associated with patients travelling to visit a hospital or doctor. Telecommunication technologies can also maintain patients’ medical records and help patients manage their medication and diseases better.
Further, there were various efforts made to promote telehealth in India. The India Virtual Hospital, a medical technology service, launched the Patient Care App that enables doctors to track patients’ health and recovery periodically. Another health-tech company has recently launched an online platform, iCliniq, where users can receive medical advice from medical practitioners, physicians and therapists from the USA, UK, UAE, India, Singapore, Germany and other countries, using e-mails, online chats and video and audio calls. Another Indian company set up a virtual hospital for cancer patients in 2019, for online consultation and treatment planning and management.
The telemedicine platforms currently governed under the NMC Act are:
Further, in cases of medical negligence, an aggrieved person may lodge a complaint before the relevant consumer forum under the Consumer Protection Act 2019, within two years from the date of injury. Similarly, a civil suit for damages, a criminal petition under the Indian Penal Code 1860, or a complaint with the NMC can also be initiated. Currently, there is no law in India that governs online consultation provided by foreign medical practitioners.
Several wearable devices that can track heart rates, blood oxygen levels, water consumption, weight, sleep patterns and diet are now available in India. These devices allow patients to self-detect any physiological changes in the body and alert them to issues that may be arising. All medical devices are regulated by the NMC Act, IMC Regulations, the Medical Devices Rules 2017, the IT Act and the SPDI Rules. Although there are no specific rules or regulations pertaining to wearable devices, the above-mentioned Acts will apply to such devices as well. Under the current regulatory framework, medical wearable devices require registration and approval from the Central Drugs Standard Control Organisation (CDSCO) in India.
For instance, the CDSCO recently approved three medical wearable devices in India, namely the Smart Vital, Vital 3.0 and Vital EGC from GOQii, a California-based fitness company. These devices measure body temperature, pulse oximeter, heart rate, sleep, blood pressure, steps taken and exercise performed.
There has been a significant rise in the number of online pharmacies in India that deliver medicines to patients’ homes in the past few years. Although the manufacture and sale of medicines are regulated by the D&C Act, D&C Rules, Registration, and Regulation Act, NMC Act and IMC regulations, there is currently no law in India that specifically governs online pharmacies. The MoHFW issued a notification in August 2018 to amend the D&C Rules to bring online pharmacies under its purview (“Draft Rules”).
The Draft Rules include provisions for the sale of drugs by e-pharmacies. Further, the Draft Rules define the term “e-pharmacy” as the business of distribution or sale, stock, exhibit, or offer for sale of drugs through a web portal or any other electronic mode. The Draft Rules contain provisions for registration and validity of e-pharmacies; conditions for registration imposed on the e-pharmacies such as location, disclosure of information, the procedure for distribution and sale, etc. While the Draft Rules are yet to be enacted, e-pharmacies in India currently require registration with the CDSCO.
Online pharmacies will also have to adhere to the SPDI Rules in relation to collecting, handling, and processing patients' sensitive personal information, including financial information, bank account details, physical, physiological, and mental health data, sexual orientation, medical records and history, and biometric information.
AI-based systems are used for disease diagnosis and for treatment purposes. Robotic surgeries allow doctors to perform complicated procedures with the help of automated machines. AI is also used for vaccine development, thermal screening, CT scans, etc. The AI-based systems are also regulated by the NMC Act, IMC Regulations, the Medical Devices Rules, 2017, IT Act and the SPDI Rules. India is home to several globally well-known multi-specialty hospitals and centres that are equipped with highly sophisticated technologies. With the increasing role of robotic surgeries and AI in healthcare in India, the Insurance Regulatory and Development Authority of India issued Guidelines on Standard Individual Health Insurance Products in January 2020, directing insurers to cover robotic surgeries under their standard health insurance policies.
Digital health data records provide easy access to patients’ medical history so that doctors can have relevant consultations and make recommendations, in an efficient and timesaving manner. Digital health records also eliminate duplication of tests and significantly save costs. Many private general, multi-speciality and super-speciality hospitals in India maintain EHR databases; however, most government hospitals have not yet upgraded their use.
The MoHFW originally enacted the Electronic Health Record Standards 2013 and revised these standards in December 2016 by issuing the new Electronic Health Record Standards 2016 (“EHR Standards”). All EHR technologies must comply with the EHR Standards. These EHR Standards are largely based on the principles of data protection laid down under the SPDI Rules. Most recently, the Indian state of Kerala successfully deployed an efficient EHR system by collecting and storing the EHRs of over 25.8 million people as part of its e-Health project. This initiative has allowed patients to walk into any government hospital without needing to bring any paper records with them.
With the increasing demand for contactless procedures, especially since the pandemic, several state governments are in the process of adopting EHR systems and other such digital mechanisms to maintain health records.
Several new online platforms in India allow users to search for doctors with different specialties in a particular region. These platforms also allow users to book online appointments with doctors and provide reviews and ratings to these doctors for their services and guidance. Currently, there is no specific law in India that regulates online health aggregator platforms. However, the MoHFW issued a direction in January 2021 to all the state governments to regulate online health aggregation platforms. Under the existing regulatory framework, as with online pharmacies, these online health aggregator platforms will require registration with the CDSCO.
The increasing number of technologies collecting health data gives rise to concerns relating to data protection and the privacy of patients. Information relating to a person’s health is categorised as sensitive personal information under the SPDI Rules. The SPDI Rules lay down mandatory principles of data privacy to be followed by the body corporates collecting, handling and processing sensitive personal information. India does not currently have a comprehensive data protection law. The Government of India recently enacted the Digital Personal Data Protection Act 2023 (“DPDP Act”) in August 2023. The DPDP Act is the comprehensive data protection law in India, governing the handling of personal data in India by establishing a framework of data accountability and governance. The DPDP Act will supersede the provisions of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“SPDI Rules”) and Section 43A of the IT Act that currently regulate the protection of data.
Under the DPDP Act, health data can be processed by a data fiduciary for legitimate use in a medical emergency that involves a threat to life or an immediate threat to the health of a data principal or any other person, or in a situation such as an epidemic, an outbreak of disease or any other threat to public health.
There is no specific law in India that regulates digital health tools and digital health data. However, the government has taken several new initiatives to address the privacy concerns relating to digital health in India, as explained below.
The Government of India issued the Draft Digital Information Security in Healthcare Act 2018 and recently released the Draft Digital Information Security in Healthcare Act 2022 (the “DISHA Bill”) to protect the digital health data of Indian citizens. The government proposed the DISHA Bill to regulate the processes related to the collection, storing, transmission and use of digital health data, and to ensure the reliability, data privacy, confidentiality and security of such data. However, India has yet to adopt legislation to regulate and govern digital health tools in India.
As a temporary measure, the Government of India issued the TPG in March 2020, which contains norms and standards for registered medical practitioners to consult patients via digital means. The TPG regulates all channels of communication with patients that leverage information technology platforms, including voice, audio, text and digital data exchange.
The Government of India also issued the Health Data Management Policy in October 2020 to impose standards for data privacy protection in India. The DISHA Bill and the Health Data Management Policy are both based on the data privacy principles laid down under the PDP Bill.
In 2020, the Government of India introduced the National Digital Health Mission in India based on the Health Data Management Policy. The National Digital Health Mission was renamed “Ayushman Bharat Digital Mission” in 2021 and aims to develop an integrated digital health infrastructure in India. Under this Mission, the Government has introduced the ABHA App, which allows users to store, access and share their health data with health facilities and healthcare professionals who are registered with the Mission. The users are given full control over their health data. The app is also integrated with Sandbox, which will test the products and technology used by the registered health companies before rolling them out to large numbers of consumers.
The Government also launched the Unified Health Interface in 2022, a digital healthcare platform that will connect healthcare service providers with patients for bookings, consultations, etc.
Besides the use of telemedicine/telehealth in the Indian healthcare sector, there was a rapid increase in digital payments during the COVID-19 pandemic. People of all age groups have become accustomed to carrying out digital payments, to reduce physical contact. There has been a momentous increase in mobile applications and online platforms that allow doorstep delivery of groceries, medicines, and other products and services.
The Ministry of Electronics and Information Technology (MEITY) enacted the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 on 25 February 2021. The Guidelines require digital media platforms to:
Since the pandemic, the courts and tribunals, including the Trade Marks Registry, the Patent Office, and the Design Office (“IP Offices”), in India have been conducting hearings and other meetings through video-conference (VC) facilities. There is even a proposal under consideration to do away with physical hearings. The VC hearings in the IP offices have helped not only in the faster disposal of pending IP applications and opposition proceedings but also made the process more transparent. The Delhi High Court has issued specific rules for conducting VC proceedings.
These VC proceedings have made the administrative and legal procedures much faster and more efficient, allowing companies, brand owners, inventors and other stakeholders to obtain faster protection of their intellectual property and to resolve legal disputes in an effective manner.
Considering the country’s size, demography and the size of the rural population without adequate access to the healthcare infrastructure, India has significant scope to develop advanced and affordable digital healthcare technologies and platforms. With regard to the legal regime, India has not thus far enacted a robust law on digital healthcare. Currently, India is in the process of enacting specific laws on digital healthcare, information security and personal data protection. A robust and unified digital health law may evolve very soon, given the pace of transformation in the healthcare sector.