This article is written by Umang Dudeja, pursuing BBA LLB from IMS Unison University, Dehradun. This article is basically upon the legal perspective in the digital healthcare sectors, that what all issues come in that and some laws and penalties to that.
According to the 2018 Consumer Survey on Digital Healthcare by Accenture, approximately 75 percent of the patients use digital tools. It is clear that by 2022, the health sector is expected to cross 8,6 billion Rupees, while digital health services will bite a large part of the paste. Nevertheless, the emerging legislative and legal framework regulating Digital Health is fragmented and unclear. This article talks about the regulatory bodies of digital healthcare and issues regarding it. It also covers the key emerging technologies and protection of devices of consumers. There is no or very little legal scholarship in the field of digital health in India to make matters worse. Digital Health’s scope is vast and encompasses various business models, making it inherently difficult to regulate as a whole. Digital Health is becoming more and more essential for our day to day life, especially for the elderly. As early baby boomers enter their 70s, medical institutions, insurance providers and the state are leading to the challenges and cost of health care to this large portion of the population to explore technologies. As with other sectors of ageing in place technologies, it is common to see stories of Digital Health company entrepreneurs motivated by experiences of loved ones. As nowadays people are buying wearable watches in order to get their heartbeat rate, blood pressure (BP), etc. to regularly check their health status
What is digital health
Digital health or digital health care programs are the convergence of digital technologies in terms of health, healthcare of the society, improving delivery and making medicine and healthcare more personalized and accurate. Digital health includes the use of information and communication technologies in order to resolve the health problems and issues faced by people who are under treatment. These technologies include both hardware and software solutions. It can cover everything from wearable gadgets to ingestible sensors, from mobile health apps to artificial intelligence, from robotic carriers to electronic records and from web-based analysis to remote monitoring sensors. It is basically about applying digital transformation, through disruptive technologies and cultural dynamics, to the healthcare sector and services.
In general, digital health concerns the advancement of integrated health systems to increase the use of technology, smart devices and communication media to help healthcare professionals and their clients handle and monitor diseases and health threats, and to encourage safety and well-being.
To know more about Digital Signature please visit
In India, healthcare schemes can mainly be categorised as Central Sector Schemes, Centrally Sponsored Schemes, and State Schemes. The Ministry of Health and Family Welfare (MOHFW) is the supreme entity at national level. Furthermore, at the state level, the organization is headed by a minister under the Health and Family Welfare Department of each state and has a secretariat under the responsibility of the Secretary or Commissioner (Health and Family Welfare) from the Indian Administrative Service (IAS) framework. Furthermore, at regional level, each regional and zonal set-up covers three to five districts and acts under the authority of the State Health Services Directorate; at district level, the health services structure is a mid-level management organization that links the state and regional structures on one hand and the primary health centers and sub-centers on the other.
In addition, one community health center has been established at a community level that provides basic specialty services in general medicine, pediatrics, surgery, obstetrics, and gynaecology. Various schemes, such as: Pradhan Mantri Swasthya Suraksha Yojana; National AIDS and STD Control Programme; Family Welfare Schemes; National Pharmacovigilance Programme; National Organ Transplantation Programme; Impacting Research Innovation and Technology (IMPRINT) Scheme; and Swachhta Action Plan (SAP) are covered under Central Sector Schemes. Additionally, programs such as the National Health Mission (NHM), the National Rural Health Mission (NRHM), and the National Urban Health Mission (NUHM) are centrally sponsored schemes covering various other sub-scheme.
Through government initiatives like Digital India, Make in India and Start-up India, new entrepreneurs and multinational companies are eye-boosting the healthcare industry. But there are also responsibilities and obligations along with benefits. For example, all applications for e-health, m-health, telemedicine, are subject to legal techno agreements. Currently, India’s healthcare sector and healthcare startups are acting more on the violation side than on compliances.
Medical device firms and their application needs to follow Indian laws & principles precisely. Medical device manufacturers and application manufacturers also need to bear in mind India ‘s encryption laws and India’s cloud computing agreements.
There are various laws in India which broadly cover Digital Health services which are discussed below:
The Information Technology Act, 2000 (“IT Act”), The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Data Protection Rules”) and the Information Technology (Intermediaries Guidelines) Rules, 2011 (“Intermediary Guidelines”)
Digital Health includes data sharing between the patient and the service provider. Under the Data Protection Laws, personal details of the patient, such as medical history and clinical conditions, is regarded as Confidential Personal Data or Knowledge. Consent is one of the most significant conditions under the Data Protection Regulations, which is to be received in writing in acts.
The applicability of the IT Act is slightly different for digital health services, they only facilitate the interaction between the patient and the service provider and do not participate directly in the provision of the services. In those cases, the service provider would be considered as an intermediary under the Intermediary Guidelines and the IT Act and certain relaxations are given to intermediaries with respect to liability for third party data or communication.
Service providers rendering Application Services which include telemedicine services using telecom resources provided by telecom service providers must be registered with the Telecommunications Department as Other Service Provider (OSP).
The TCCP Regulations and TCCP Regulations forbid the sending of unsolicited commercial messages over voice or SMS. Promotional messages can only be sent to customers who, once registered with an access provider, have opted in to receive these communications. However, there is no legal bar over sending transactional messages or voice calls. Any information sent for OTP or purchase of goods and services would be identified as a transactional message. All other messages (even though directly connected with the delivery of goods) may only be sent as per a format registered with the access provider after obtaining the consent of the receiver.
This controls drug production, selling, importation, and distribution in India. There is a difference in many international countries between a medical prescription that must be marked under the control of a licensed pharmacist to obtain a valid prescription, i.e. signed by a licensed medical practitioner and those which the general retailers will sell over the counter. The D&C Rules clearly lay down which drugs can be sold only on the production of a prescription issued by a registered doctor, which implies that there is a distinction between prescription and non-prescription drugs. Drugs which can be sold only on prescription are stated in Schedules H, H1, and X of the D&C Rules.
Protection of consumer devices
In general, consumer devices are protected under the Designs Act,2000. A ‘design’ has been defined to mean only characteristics of shapes, arrangements, patterns, ornaments, or the composition of lines or colours applied to a ‘post.’ With regards to digital safety, the two main components that would need design security will be the applications like Graphical User Interface (GUI) and system architecture. GUI may be protected under the Designs Act, in particular under Article 14-04 of the 2001 Design Rules, which covers ‘Screen Displays and Icons’. Such as we see various types of devices having different shapes and designs, like Apple Watches having somewhat a square shape, while the Mi Fit bands have a cylindrical shape. So, there are various companies prospecting their devices by doing such things.
As we know that India’s health-care market is continuously experiencing changes. India is promoting health-tech start-ups to improve digital health-related services. As of now, India has about 2,975 start-ups to deliver digital healthcare solutions, and they rise in size, year after year. In India, a rising market in healthcare is very exciting because it is expected to introduce new medical technology, create more job opportunities and increase treatment rates. But these also carry some risks, because in healthcare IT, it can be more difficult to avoid the release of each individual’s identification and sensitive information. Healthcare companies use technology to regularly process high-profile data from a vast number of patients. The more data that is stored online, the greater the risk there is to hacking and data theft.
Key emerging technologies in digital healthcare
Health care is a little behind than other industries when it comes to technology adoption. Nonetheless, there is a strong chance of seeing major improvements in the next few years, as many businesses are becoming more technologically advanced and are applying technology to their functional aspects. To get a better understanding of these innovative emerging technologies in digital healthcare, following list has been curated:
Nowadays, telemedicine is widely adopted technology and at the same time, doctors are also finding this trend very beneficial. Some of the trends in healthcare in the field of telemedicine are:
Improved healthcare apps
Remote communication is prevalent, and so telemedicine is trying to improve the quality of interaction and communication between patients and healthcare providers and its interface. Therefore, we can surely expect that the apps will become more intuitive and easy to use and take it to a next level.
Solidifying cyber security
Technology and cyber security are working together. Healthcare operations are now leading towards cybercrime, so healthcare data protection is naturally the major priority so that no fraud or cyber crimes can take place due to the misuse of confidential information used by some application or software.
Another trend of the technological transformation in the digital healthcare sector are, companies collecting their own health data from medical devices such as wearables.
In the past, most patients were happy by undergoing a physician once a year and checking in with their doctors when something went wrong. But nowadays, patients are focusing more on prevention and maintenance, and more frequently seek information about their health. As a result of which, healthcare companies are being cautious by investing in wearable devices that can provide regular updates in tracking and monitoring of high-risk patients to assess the probability of a major health incident like heart attack and many more. According to Business Insider Intelligence Research a recent survey, the demand for wearable medical devices is expected to hit more than $27 million by 2023, which demonstrates how the trend for wearable devices is growing.
Some of the most used devices include under this are
- Heart rate sensor
- Exercise tracker
- Sweat meter
Artificial intelligence along with data analysis promises to give the sector a lot of value. They provide innovative ways to diagnose diseases, create treatment plans, do medical research, discover drugs, and conduct clinical trials, monitor and predict epidemic outbreaks during peak loads. AI-powered systems will be commonly used in personalized medicine, and five years later, autonomous technology will begin replacing human physicians.
As part of supporting AI, image recognition systems helps physicians perform high-quality diagnostics within a limited period of time, while humanity also faces various outbreaks of diseases which are avoided by new healthcare innovations. The artificial intelligence program that makes it possible to monitor and forecast epidemics has already been used in Africa. Doctors can study the DNA of mosquitoes to determine where and when the next outbreak is likely to occur. Nowadays, the efforts of radiologists, ultrasound specialists lead to image classification and their description. This can be done through AI in the future.
3D Printing in the Clinic
Not many people know that 3D printing has been around since 1984., is only since recent technological advances that 3D printing has become a trend to watch. Nonetheless, the lack of qualified experts, high development costs and stringent regulations are still holding back technology. In addition to rising R&D spending, increased demand for customization is a key factor. Personalized prosthetics and organ transplants are feasible thanks to 3D printing. But aside from customization, 3D printing benefits healthcare by offering an option for human transplantation that could dramatically reduce costs as technology is further being developed. The technology offers patients who are burnt, the ability to recover their bodies. It also opens the door to make life easier for patients who take multiple medications by mixing certain medications, layer by layer and until they are released to the body at multiple times.
Legal issues in digital healthcare
The use of emerging technology such as digital health apps, telemedicine, and sharing of information will bring game-changing benefits for both providers and patients. Nevertheless, with increased communication, there are increased threats to both the protection and privacy of patient information. Many digital health and telemedicine firms are mindful of data protection and infringements. Moreover, the deliberate sharing of protected health information ( PHI) with third parties is perhaps a more important field of enforcement, whether it is done for data mining, analysis or marketing purposes. As data sharing and data mining can only continue to expand in the healthcare sector, providers and vendors understand when and how they should exchange PHI.
Data Security is a significant issue regarding the use of personal data. The(Ministry of Health and Family Welfare) MoHFW notified the Electronic Health Record Standards (EHR Standards) for India in September 2013. These were chosen from the best existing, commonly used standards applicable to international electronic health records, in view of their suitability and applicability in India. Accordingly, the EHR Standards 2016 framework is notified and submitted for implementation in IT systems by healthcare organizations and providers around the world. MoHFW promoted its adoption by making available free-to-use standards such as the Systematized Nomenclature of Medicine Clinical Terminology (SNOMED CT) in India, as well as by naming the Interim National Release Center to follow the clinical terminology standard that is becoming widely recognized by healthcare IT stakeholders worldwide.
Through the proposed DISHA, the MoHFW aims to set up a legislative body in the form of a national digital health authority to promote and adopt: e-health standards; implement privacy and protection provisions for electronic health data; and regulate electronic health record storage and sharing. Additionally, MoHFW ‘s National Digital Health Authority (NeHA) is a proposed authority that is intended to be responsible for creating an integrated health information system in India. It is proposed to be a promotional, regulatory and standard-setting body to lead and help India’s digital health journey and the consequent realization of ICT benefits intervention in the health sector
The main concerns of sharing of personal data are primarily, but not limited to: confidentiality and data exchange control; security and privacy; and knowledge, trust, accountability and responsibility. The MoHFW created the draft Digital Information Security in Healthcare Act (DISHA) to protect data from the healthcare sector in India, giving people full control of their health information.
For example- If you visit a doctor for a check-up and the doctor puts the information into an electronic health record, the information is fully covered by DISHA as it is placed inside the health care system. DISHA proposes three main objectives such as:
- Establishing a national and state digital health authority;
- Enforcing privacy and security measures for electronic health data;
- Regulating the storage and exchange of electronic health records.
The draft also provides details on the creation of national and state electronic health authorities (NeHA and SeHA). In effect, it would provide Indian subjects with extensive data protection and govern the portability of data.
The Digital Health space has seen the creation of many groundbreaking products. In this highly competitive market, the security of certain ideas and innovations becomes important. India’s IPR law provides for such protection in different ways, including patents, copyrights, trademarks and designs. In the Digital Health sense, production is focused in the digital applications (including mobile apps) and wearable devices areas. In light of such developments, this section covers the various forms of IP protection available.
In India, the Patent Act, 1970 (‘Patent Act’) provides for patent protection. The Patent Act is essentially in line with the trade-related aspects of intellectual property rights (“TRIPS”) and India, as a signatory, is committed to the complete acceptance and application of the agreement’s provisions.
The software that runs, it is behind any Digital Health application which is basically a computer program. Under Section 3(k) of the Patent Act, 1970, a computer program ‘per se’ is excluded from the patentability. Nevertheless, in its ‘Guidelines for the Review of Computer Related Inventions (CRI)’ in 2017, the Indian Patent Office states that although the CRI itself is not patentable, a CRI asserted in combination with a novel hardware can be patented if it meets the other criteria, such as the three-prong test set out in the guidelines. Patents have been issued in the past for software programs where there is also a hardware component involved. Unless the technology/software fulfills these requirements, it will apply for a patent and, if the same is granted, get protection.
A patent will not be issued if the device or system is found to be ‘a method for the medicinal or other treatment of humans and animals’ pursuant to Section 3(i) of the Patent Act (section 3 deals with what is not called inventions). However, the observations of the patent examiner distinguish between a device and process where ‘a device for the detection of HIV antibodies and p24 HIV antigen in human serum or plasma’ was found to be outside the scope of section 3(i).
In India, the Copyright Act 1957 provides for protection of copyright. Under the Copyright Act, clinical instructions and data may be covered, provided they are conveyed in some type of media. Copyright law cannot cover a pure collection of data without any further effort. This is derived from the ‘sweat of the brow’ doctrine, where although there may not be any originality in content such as tables or databases, copyright would only survive when a person undertakes to collect the information independently. The person is then entitled to security of his or her efforts and expenses.
The Trade Marks Act, 1999 (‘TM Act’) regulates and protects Indian trademarks. Unregistered marks are also protected under common law, in addition to the statutory protection. Under the TM Act, a ‘mark’ has been defined to include ‘a device, a brand, a heading, a label, a ticket, a name, a signature, a word, a letter, a number, a product shape, a packaging or a color combination or any combination thereof.
The rules laid down in the TM Act provide for trademark classification. India is following the NICE Classification of Goods and Services which was incorporated into the rules in the schedule. One class to register a trademark is class 9, which includes computer software and computer programs.
Under the TM Act, the ‘label’ of a Digital Health application or device may be registered as a trademark, subject to certain exclusion requirements that constitute grounds for refusal of the trademark, such as devoid of distinctive character or marks or indications that have become commonplace in the current language or existing trade practice.
Various criteria which are not limited to the following can be technically implemented for collaborative improvements; such as: primary goals for such collaboration; specifics of all qualified members; consideration of governance management along with contract management dissemination; security and assessment of established intellectual property and technology transfer; and information consideration.
The working definition of healthcare and non-healthcare companies is distinct in structure and approach; however, customer loyalty is the prime concern for both industries. The confidentiality protocol for data sharing and data protection and privacy must also be remembered when considering the agreements.
Offences and penalties
Existing data security laws in India are clearly not structured to deal with the size of the proposed data creation and sharing. According to Section 43A of the Information Technology Act, 2000 (“IT Act”) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 enacted under the IT Act regulating data protection in India, the fundamental prerequisite is that adequate security measures are in place for corporations. In the absence of these steps, a failure to safeguard data would allow a corporate body to grant liability to the person concerned. This is hardly sufficient as data security law.
The draft Digital Information Security in Healthcare Act of the Ministry of Health allows people to have the privacy, confidentiality and security of their digital health data. According to the Health Ministry ‘s proposed Digital Information Security in Healthcare Act (DISHA),
- Serious violations of healthcare data will be punishable by up to five years in prison and a fine of up to Rs. 5 lakhs.
- A serious breach of digital health data will be considered if a person infringes digital health data intentionally, dishonestly, fraudulently or negligently, shares information that is not anonymised or de-identified and a person fails to secure the data in accordance with the standards prescribed by the Act or with any rules.
The employer may also be sued in the provision of Digital Health services where there is an employer-employee relationship owing to the concept of vicarious liability, where the employer is considered to be vicariously responsible for the employee’s actions and omissions resulting in the course of his / her jobs. This would not usually be the case in an employer-independent contracting arrangement, where the service provider has no influence or supervision over the independent contractor’s actions.
Criminal prosecution takes place before criminal courts for reasons such as the commission of criminal offenses under any criminal law, particularly the Indian Penal Code, 1860. In the case of Digital Health Services, the provider may face criminal charges if a provider is reckless or incompetent in delivering a service and the service results in physical harm or death of the patient/user. The main charges faced by doctors and other providers of these services include causing death by neglect, actions endangering others’ lives or personal safety, causing harm by an act that endangers others’ lives or personal safety, and causing grievous harm by an act that endangers others’ lives or personal safety. In the event that a person is convicted on a criminal charge as described above, he/she may face both imprisonment and fines.
Unlike ordinary criminal prosecution, criminal prosecution in medical negligence cases happens only when the negligence is gross in nature. In addition, the Supreme Court took a sympathetic view of the prosecution of doctors in criminal matters. In the case of Hemaben Sanjeev Kumar Kanodiya v. Dr. D.N. Nanavati & Another 2013, The Court said that if the hands tremble with the dangerous fear of facing a criminal prosecution in the event of failure for whatever reason attributable to themselves or not, neither can a surgeon successfully exercise his life-saving scalper to perform an essential surgery, nor can a doctor administer the life-saving dose of medicine successfully.
Present situation of digital healthcare
Around the world, barriers to provide healthcare remotely – known as “telemedicine” – have come down overnight. COVID-19 has pushed us from a cautious discussion over whether to use telemedicine to an urgent need to revolutionise practice.
It has not been convenient. As a reaction, national and local health authorities began to engage with private firms to increase service coverage as the epidemic unfolded. Efforts were made to engage a variety of organizations, providing a mix of services from building ICT infrastructure, to aggregating and analyzing data at scale, to facilitating the delivery of virtual and/or AI-powered healthcare services.
Contact tracking, monitoring, and surveillance – each an integral part of the overall public health measures in holding the outbreak within a manageable scale – were each supplemented in China by data-driven technologies.
One of the widely used applications by the general public was to allow people to track whether they have ever been on the same train or flight or otherwise in close proximity to any confirmed cases in the past two weeks. The app, first developed by an independent software developer using data from social media and websites where case information could be found, was later made more reliable by aggregating data from all-level public surveillance systems and national transport authorities, including the Ministry of Transport, China Railway Corporation and the Civil Aviation Administration. Putting such risk assessments in the hands of the public has made it possible for individuals to be better informed of their level of exposure and given specific instructions on the need to continue practicing social distance and health monitoring. Three weeks after Wuhan’s lockdown, more than 140 million searches were made on the platform, helping more than 80,000 travelers to discover that they had traveled with confirmed cases.
Another notable method, less known to the unexposed public but more recognized by health professionals, was one used to boost diagnostic accuracy, eventually making diagnostics more efficient and accessible to greater numbers of people. Hospitals in Wuhan and nationwide deployed AI-powered CT imaging interpretation devices, which enabled radiologists to minimize CT reading time from hours to seconds. Some other resources allowed patients at community clinics to have their CT scan read by medical experts miles away. In the most extreme weeks of the epidemic this was of vital significance as it helped to reduce the risk of losing the track of infected patients while growing diagnostic skills without overwhelming healthcare staff.
The role of digital technology is still evolving. In an attempt to establish a framework for balancing economic and social practices with threats to public health by national and provincial authorities.
The Digital Health market offers many opportunities but risks are expected to be associated with any opportunity. Innovation in this sector has yet to reach a saturation point, with the frequent introduction of new products onto the market. The legislative mechanism for preserving and controlling these technologies will remain one step behind, as how the industry will evolve has yet to be seen. Regulators also take note of the limitations and, in many cases, the absence of the law and try to devise forward-looking policies and laws.
The NIPR is just one example of that. In a country where access to affordable healthcare remains a looming problem, the public stands to benefit enormously from the Digital Health industry’s growth. With the public interest in both the regulators and the innovators’ minds, it remains to be seen if the nation’s emerging legal and regulatory system will hinder or ignite its development. While there’s a long way to go, it’s hoped that the overall optimistic attitude and help the industry receives will continue in the future and maintain itself.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: