An insight into digital health in Indian Pharma. Prepared in association with Nishith Desai & Associates, a leading law firm in India, this is an extract from The Pharma Legal Handbook: India, available to purchase for GBP 75.
151. Is the term ‘digital health’ defined in your jurisdiction? If no, how is the term generally understood?
The term digital health is not specifically defined in India. It is generally understood to include tools and services that use information and communication technologies (ICT) for purposes connected to health. These purposes may include improving accuracy of diagnosis, monitoring chronic diseases more closely and improving treatment outcomes for patients.
152. What digital health tools are specifically recognized and regulated in your jurisdictions?
Telemedicine is the only digital health tool specifically recognized and regulated. The government is currently in the process of regulating online pharmacies as well.
153. What is the regulatory framework applicable to the above-mentioned digital health tools? Who are the regulators with jurisdiction over these areas?
The Telemedicine Practice Guidelines (“TPG”) regulate telemedicine in India. The TPG are administered and enforced by the National Medical Commission (“NMC”) – the apex regulatory body governing medical education and the medical profession in India.
It should be noted that the TPG is only binding on healthcare practitioners licensed to practice in India. This is because the TPG are framed as part of the code of ethics to be followed by healthcare practitioners when practising medicine.
154. How is health data regulated in your jurisdiction? Is there a separate regulatory framework governing health data?
Health data is regulated under India’s data protection and privacy legislation, the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”) framed thereunder. India does not have a separate regulatory framework governing health data at the moment.
Under the SPDI Rules, information relating to the physical, physiological or mental health condition, and the medical records and history, of an individual is considered to be sensitive personal data or information (“SPDI”). Accordingly, the collector of this information is required to undertake certain compliances during the collection and processing of the data to safeguard the privacy of the provider of the information.
You may note that India is presently in the process of putting in place a new data protection and privacy framework. See response to question 157 for more details.
155. What are the obligations of entities collecting, storing, or otherwise processing health data in your jurisdiction?
The collector of information is required to adhere to the following broad compliances under the SPDI Rules.
- Obtain express consent from the provider of the information regarding the purpose of usage before such information is collected;
- Only collect information which is necessary for undertaking the function or activity of the body corporate;
- Take reasonable steps to inform the provider of information of the fact that the information is being collected, the purpose for which the information is being collected, the intended recipients of the information and the name and address of the agency that will collect and/or retain the information;
- Provide an option at the time of collecting information to not provide the data or information;
- Use the information only for the purpose for which it has been collected;
- Not retain the information for longer than is required for the purpose for which the information may be lawfully used or longer than required by law;
- Follow reasonable security practices and procedures, including a documented information security programme and information security policies commensurate with the information assets being protected. Body corporates implementing the standard ISO 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” are deemed to have put in place reasonable security practices, provided such security practices are duly audited by an independent, recognised auditor once a year or as and when the body corporate undertakes a significant upgradation of its processes and computer resources. Nonetheless, a separate security standard may be agreed upon by the provider of information and the collector of information.
- Appoint a grievance officer to address, in a time-bound manner, any discrepancies and grievances of the provider of information with respect to the processing of the information.
156. Can health data be transferred abroad in your jurisdiction? What restrictions (if any) are applicable to cross-border transfer of health data?
Yes, health data may be transferred outside of India provided the following conditions are fulfilled:
- The transferor ensures that the receiver of the information implements the same level of data protection in respect of the data as the transferor; and
- The transfer is necessary for the performance of a lawful contract between the body corporate and the provider of information or where the provider of the information has consented to the transfer.
157. Are there proposals for reform or significant change to digital health regulation? If yes, when are they likely to come into force?
India is presently in the process of finalising a new data protection and privacy legislation. The Personal Data Protection Bill, 2019 was introduced in the Indian Parliament in December 2019. Subsequently, the bill was referred to a Joint Parliamentary Committee under the Chairpersonship of Meenakshi Lekhi for the committee to examine the bill and provide recommendations. The committee has reportedly made extensive amendments to the bill. The report of the committee is likely to be released during the Monsoon Session of the Indian Parliament in 2021.