Digital Healthcare In India: Is There A Suitable Regulatory Framework?

In recent years, the widespread use of digital health solutions has led to rapid evolution and implementation of healthtech, and the pandemic has proved that healthcare technology is already a reality and is here to stay, with these solutions fundamentally altering the quality and delivery of healthcare. Digitized data and technology have merged with healthcare delivery and payment, as the doctor-patient connection advances beyond the in-person meeting.

Digital Health is a combination of two generally disparate sectors: technology and healthcare, and each of these areas has its own plethora of challenges. The World Health Organisation defines digital health as “a broad umbrella term encompassing eHealth, as well as emerging areas, such as the use of advanced computing sciences in ‘big data’, genomics and artificial intelligence.”[1] The Digital health ecosystem includes various digital health technologies, such as:

• Health and Wellness Applications
• Health IT & Services,
• Telemedicine / Telehealth
• Automation & Robotics,
• Consumer Apps and Wearables,
• Connected Devices / Internet of Things (IoT),
• Medical Algorithms and
• Clinical Decision Support Software for Clinical Research which rely upon AI and Machine Learning.

Common to all of these technologies, is the ability to process and use vast amounts of data and technology. The ecosystem of Digital Health increasingly requires industry players to navigate a myriad of issues relating legal and regulatory requirements, data protection, liability, and corporate and commercial transactions, in general. 

India’s digital health regulatory framework is evolving and has seen various policy related proposals and its implementation via the National Health Policy, 2017, with the aim of attaining universal healthcare through the creation of a digital health ecosystem.

Although there are no specific legislations that govern Digital Health in India, there are certain laws and rules that broadly cover the Digital Health ecosystem which are discussed here in brief:

The following important legislations and frameworks that broadly cover the ecosystem of Digital Health:

• THE INFORMATION TECHNOLOGY ACT OF 2000, THE INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTISES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011 (SPDI RULES), AND THE INFORMATION TECHNOLOGY (INTERMEDIARY GUIDELINES) RULES, 2011.

Data security and protection become extremely important when it comes to patient-provider concerns about health conditions and recommendations, for which the IT Act and its relevant Rules are available. However, due to their strict adherence, no standards have been devised to mandate the implementation of data protection and security.

Although, under the data protection framework, all online transactions, transfer of electronic data, specifically health data, authentication of digital signatures, collection, disclosure and transfer of confidential personal data such as medical records are regulated by the IT Act. The IT Act and its Rules broadly address cybercrime related issues as well. The government has also proposed a new bill, called DISHA, to regulate data security in the healthcare industry. (DISHA is discussed in detail, later.)

• THE DRUGS AND COSMETICS ACT, 1940 (DCA) AND DRUGS AND COSMETICS RULES, 1945 (DCR).

The manufacture, import, sale and distribution of drugs, including medical devices in India are governed by the DCA and the DCR and the primary regulatory authority for medical devices and its diagnostics is the Central Drug Standards Control Organisation (CDSCO) with its top official being Drug Controller General of India (DCGI) who formulates policies to uniform implementation of the DCA throughout India. The DCA and the DCR apply to a Software of a medical device and provide its approval for clinical use. Broadly, the online services, such as E-Pharmacies in India will have to be compliant with the DCA and DCR framework. Although the DCA does not specifically recognise any form of online services or product deliveries, the ambit of the regulation is broad and is understood to be applicable to click and mortar business models as well.

• THE NATIONAL MEDICAL COMMISSION ACT, 2019 (NMC ACT), AND THE INDIAN MEDICAL COUNCIL (PROFESSIONAL CONDUCT, ETIQUETTE, AND ETHICS) REGULATIONS, 2002 (IMC REGULATIONS), ARE THE LAWS THAT GOVERN THE INDIAN MEDICAL COUNCIL.

The NMC Act which is administered by the National Medical Commission regulates the medical education and medical profession in India and provides that only those persons who have a recognized degree in medicine and having passed the National Exit Test will be eligible to practice medicine in India, with few other conditions as well. The IMC Regulations lay down standards to be followed by doctors in their interaction with patients, pharmaceutical companies and within the profession. The IMC Regulations also state that medical records should be computerised so that they may be retrieved easily.[2] The IMC Regulations bind doctors and require them to sign a declaration to that effect.[3]

The NMC Act and the IMC Regulations apply to digital health applications to the extent that they include a physician providing healthcare to Indian patients.

• THE DRUGS AND MAGIC REMEDIES ACT OF 1954 (DMRA), AS WELL AS THE DRUGS AND MAGIC REMEDIES RULES OF 1955, GOVERN THE USE OF DRUGS AND MAGIC REMEDIES.

The DMRA sets out provisions to curb advertisements of drugs and remedies alleged to possess magic qualities, particularly for the procurement of miscarriage or for conception, correction of menstrual disorders, maintenance/improvement of the capacity for sexual pleasure, the diagnosis, cure, treatment or prevention of any disease, disorder or condition specified in the schedule to the DMRA.

On February 3, 2020, the Ministry of Health and Family Welfare released a draft amendment to the DMRA that expands the list of diseases, disorders, or conditions in the DMRA’s schedule, increases penalties for DMRA violations, and amends the definition of “advertisement” under the DMRA to specifically include advertisements made over an online/ electronic medium.[4]

• TELECOM: COMMERCIAL COMMUNICATION CUSTOMER PREFERENCE REGULATIONS, 2018 (TCCP REGULATIONS) AND UNSOLICITED COMMERCIAL COMMUNICATIONS REGULATIONS, 2007.

The TCCP Regulations make it illegal to send unsolicited commercial messages by voice or SMS. Only subscribers who have opted in to receive promotional messages after registering with an access provider may receive them. Sending transactional messages or making voice calls, on the other hand, is not prohibited by law. A transactional message is one that is triggered by a transaction carried out by the message’s recipient, provided that the recipient is a customer of the sender and that the message is sent within 30 minutes of the transaction and is directly tied to it.

• THE CLINICAL ESTABLISHMENTS ACT, 2010 (CE ACT)

The CE Act requires establishments that fall under the definition of a “clinical establishment” to register with the relevant authority and adhere to the act’s minimum standards.

All medical and clinical institutions and healthcare providers in India are increasingly storing patient information in Electronic Medical Records and Electronic Health Records (EHRs). As per the CE Act, each Clinical Establishment has to register and maintain an EHR for each of its patients. The Electronic Health Record Standards, 2016 (“EHR Standards”) has been formulated for the creation of a uniform standard-based system for EHRs in India and provides measures for maintenance of health data records. The EHR standards will also be applicable to all Digital Health Entities which fall under the ambit of the CE Act.

• TELEMEDICINE PRACTICE GUIDELINES, 2020 (TELEMEDICINE GUIDELINES)

The Telemedicine Guidelines were issued by the Indian Government in March 2020 and have been incorporated into the IMC Regulations and are thus binding on allopathic medical practitioners. These guidelines adopt the World Health Organisations (WHO) definition of telemedicine as “the delivery of healthcare services by all the healthcare professionals, using information and communication technologies, where distance is a critical factor.” The Telemedicine Guidelines allow medical practitioners to perform telemedicine from anywhere in the country and provide direction on the types of care that can be provided and how that care should be delivered. It specifies which form of communication (audio, video, or text) should be used for various types of consultations such as emergency, non-emergency, or medical practitioner to medical practitioner.

• PERSONAL DATA PROTECTION BILL, 2019 (PDP BILL)

The PDP Bill which was introduced in 2019 but has yet not come into force, aims to strengthen the data protection regime in India and govern collection, storage, processing and transfers of personal data in India. It is applicable to the Government, domestic companies, foreign companies and any individual dealing with personal data of citizens.

Health data, according to the latest draft of the PDP Bill., is “sensitive personal data” that includes “all data related to the data principal’s physical or mental health, including records regarding the data principal’s past, present, or future state of health,” “data collected in the course of registration for, or provision of health services,” and “data associating the data principal with the provision of specific health services.”[5]

• DIGITAL INFORMATION SECURITY IN HEALTHCARE ACT (DISHA)

The 2018, the DISHA was introduced as a step toward managing data flow in the digital health ecosystem by imposing considerable constraints on the usage of health data. The DISHA has been in circulation for a considerable period, but has not been passed as an Act yet. It defines digital health data as an electronic record of health-related information about an individual and shall include the following information: (i) physical or mental health of the individual; (ii) any health service provided to the individual; (iii) any donation of any body part or any bodily substance by the individual; (iv) information derived from testing or examination of a body part or bodily substance of the individual; (v) collected in the course of providing health services to the individual; or (vi) relating to details of the clinical establishment accessed by the individual. This Bill is especially relevant for businesses aggregating patient records as well as for e-pharmacies collecting digital prescriptions of patients.[6]

• AYUSHMAN BHARAT DIGITAL MISSION (ADBM)

The Ministry of Health and Family Welfare introduced the Ayushman Bharat Digital Mission (ADBM), (previously known as the National Digital Health Mission), to create a digital health ecosystem, which is now applicable PAN-India, albeit its participation is voluntary.

The ABDM aims to establish a federated e-health architecture, health information exchanges, and a national health information network by 2025, which will enable the accessibility and portability of health records across public and private healthcare institutions.[7] It is based on the establishment of these components – Unique Health IDs for patients, Healthcare Professionals Registry, Health Facility Registry, Health Records and Consent Manager.

Additionally, there are several other entities in the ADBM ecosystem:

Health Data Management Policy, 2020 – lays down the framework for security by creating Health IDs for patients, practitioners and establishments.

ABDM Sandbox – AA framework wherein all healthcare related products, services and technology will be tested in compliance with the ADBM standards and based on its consumer/market reactions, the same will be introduced to a larger platform.

Guidelines for Health Information Providers, Health Information User, Health Repository Provider and Health Lockers – The responsibilities of Entities participating in ABDM is provided.

United Health Interface (UHI) –The UHI is an open network system, or a Gateway which will be managed by the ABDM and will enable all health service providers including hospitals, healthcare professionals, pharmacies etc. and patients to connect and communicate for bookings, consultation, e- prescriptions, etc., and also securely transfer medical records, using standard protocols.

CONCLUSION

Implementing a specific health data law or some form of guidelines will be advantageous in facilitating a strong system and IN assisting Digital Health Establishments in anticipating future issues for health data privacy. The ABDM is a one of a kind strategy to unify the healthcare system in India and promote innovation in the industry, and this new regulatory process would facilitate faster patient access, increase patient safety, and position India as a desirable investment and launch market. Regulation plays a crucial role in proving the system’s credibility to the public and users, as well as in instilling confidence in the use of data, software, and technologies in health and care delivery and in this view in mind, it is recommended that the Digital Health Industry make good use of or provide access to Regulatory Sandboxes.

---

[1] WHO Guideline on Recommendations on Digital Interventions for Health System Strengthening, World Health Organisation (WHO).

[2] Regulation 1.3.4 of the Indian Medical Council (Professional Conduct, Etiquette, and Ethics) Regulations, 2002

[3] Regulation 1.A of the Indian Medical Council (Professional Conduct, Etiquette, and Ethics) Regulations, 2002

[4] Draft of the Drugs and Magic Remedies notified by the Ministry of Health and Family Welfare., February 3, 2020.

[5] Clause 3(41), Data Protection Bill, 2021.

[6] Section 3(e), Draft of Digital Information Security in Healthcare, Act (DISHA).

[7] Global Digital Health Partnership Symposium at Australia, Ministry of Health and Family Welfare., February 21, 2018.

 

YLCC would like to thank Shloka Jain for her valuable insights in this article.