Can we say that pandemic has shown how prepared we are if we have to face some catastrophic event? Do India and its people have the potential to fight something big and unnamed? I think we do, let’s take an example of EdTech start-ups, we were in the habit of a conventional mode of teaching but now we are learning through e-platforms, another example of attendance of court proceedings through online platforms, and another big example is health tech start-ups. Because of the pandemic now we can rely on health tech, in terms of goods and services offered by them. But as we are growing we also need some regulation by legislation to match that growth. We have a few old and some new legislations like the Drugs and Cosmetics Act 1940, the Drug Rules, 1945, the Consumer Protection Act, 2019, the Consumer Protection (E-Commerce) Rules, 2020, Telemedicine Practice Guidelines of India, 2020, etc.


We are lacking DISHA in the regulatory framework, this is a draft bill, called the Digital Information Security in Healthcare Act 2018, which has not become law yet if this law is passed it will provide a legal framework to protect privacy and protection of information provided by the patient and patients will have more control over their information. There is another bill called the Personal Data Protection (PDP) Bill, 2019, this bill has been finalized by the Joint Committee of Parliament on 22-11-2021 after two years, but it is yet to become law.

Covid-19 has put health tech in spotlight


It will be correct to say that as much as pandemic has been a noose around the necks, it has also given a spotlight to telemedicine and health tech, it is not like we didn’t have health techs in India, but we can say that health techs have been allowed to grow in a conservative environment. It has provided us a clear way to provide health care, do series of innovations and it has spurred investment in the health tech sector. So, now what start-ups need to do is to adapt to the new ecosystem, operate according to what is ahead of us, avoid pitfalls like non-compliance of the legal framework and try to work around the emerging trends and opportunities.

As we have studied that health tech or telemedicine is not new to India, we have been aware of this since the 1990s, it is only pandemic that has given enough fuel to the small spark and that’s why we are now noticing the widespread adoption of this new model or a new way of providing medical care. It is not only a pandemic that is keeping this concept alive, but also the publishing of Telemedicine Practice Guidelines made sure that this concept now only stays alive but also grows with time, and these guidelines have regulated and legalized text or audio or video-based medical care.


Unpreparedness in regulatory compliances could be a drawback


There are many regulations a health tech company or start-ups need to complete like compliance to IT Act, 2000 and IT rules, Drugs and Cosmetics Act and Rules and MCI Act and Rules and Code, Telemedicine Practice guidelines, etc. It means that the more diverse the services of a telemedicine company are, the more they need to comply with the regulatory compliances. For example, if a new health tech start-up is starting its services in telemedicine, then it will have to handle data on its own, but it could happen that it is not regulatorily prepared which could be a drawback in its success and growth.


Necessary legal and regulatory compliances: Some of the most important regulations are given below:


The Information and Technology Act, 2000, and The Information and Technology Rules, 2011

We are well aware that when we avail the services of digital health, we may need to provide some necessary information like your full name, your mobile number, your email, your medical history, etc, so there is a constant exchange of information between the service provider and patients and this information is called Sensitive Personal Data or Information, (SPDI). It is a requirement that before using any data or information provided by the patient his/her written consent is mandatory and prior notice needs to be given to the patient in case of use of information.

Suitable security measures must be used while processing the information. The established health tech or body corporate need to comply with international standard IT – Security Techniques- Information Security Management System or some other equivalent standards sanctioned by the Central Government.

It is necessary that contact information of the Grievance Officer, must be provided on the internet and a choice must be given to users allowing them to change or withdraw their Sensitive Information.

The Information Technology Act doesn’t apply to digital health services, so they are governed under the Intermediary Guidelines and the IT Act, as an intermediary, and these intermediaries are provided certain exemptions like they are not liable for third-party data or communication. If the intermediary role is narrowed or bounded only to granting access to a communication system where information is hosted or stored and all the conditions outlined for due diligence have been religiously followed by the intermediary then he would not be liable for the third-party content hosted by the intermediary.


Telecom Policy, 1999 (Other Service Providers)

Those who provide Application Services, such as telemedicine are known as Service Providers, use telecom resources furnished by the telecom service provider, must register themselves as an “Other Service Provider” with the Department of Telecommunications.


The Indian Medical Council Act, 1956 (MCI) and the Indian Medical Council Regulations, 2002 (MCI Code)

The Medical Council of India is regulated and implemented by the MCI Act, 1956 and this Medical Council of India controls the medical education and profession in India. This act specifies that only those persons who have a recognized medical degree and are registered with the state medical council will be allowed to practice medicine in India.

The MCI Code, 2002 has provided that during the interactions with patients, colleagues, and pharmaceutical firms, the doctors need to conform to the professional and ethical guidelines. It also specifies that to retrieve the medical records quickly it is need of the hour to computerized the records and regarding this, a declaration will be signed by the doctors.


Telemedicine Practice Guidelines

To supervise the medical education and profession in India, a Board of Governors set up by the Central Government, issued Telemedicine Practice Guidelines with the collaboration of NITI Aayog. This idea has been included in the MCI Code and therefore is mandatory for allopathic medical practitioners. The benefit of these guidelines is that with the help of Telemedicine Practice Guidelines, medical practitioners would be able to practice from any part of the country and the advice, what kind or type of treatment can be provided and how they should be furnished. These guidelines have divided medications into four lists, describing which medicine can be given under which circumstances, like List A, List O, List B, and Prohibited List.


Telecom Commercial Communication Customer Preference Regulations, 2018 (TCCP Regulations)

According to the TCCP Regulations, if any unrequested or unsolicited commercial communication has been sent through voice or SMS, is prohibited. Only those customers who have voluntarily agreed to accept promotional messages after registering with the access provider may get the messages. If messages or phone calls are transactional in nature then it is not prohibited by law. Now we need to understand what is a transactional message? If information is communicated for OTP or purchase of goods and services, like shipping notifications, account alerts, and identity validation, these messages are regarded as transactional messages and the message must be delivered within 30 minutes. A format that has been registered with the access provider must be used for all other messages and ensure that receiver’s approval has been received.


Digital Information Security in Healthcare Act (DISHA)

We all are well aware that DISHA has not been passed yet, but contains many compliance requirements which are necessary for health tech companies and start-ups. Section 3(e), defines that when health-related information about an individual is stored electronically it is called digital health data and it will include the following:

  • Information or data related to the physical and mental health of a person;
  • Any information related to health services given to a person;
  • It contains information of donation of a body part, like eyes or bodily substances, like blood donation, by an individual;
  • If the test has been done on the body part or bodily substances, like blood or urine test, the information contained in that test report, etc.

Commercialization or use of digital health data for commercial purposes has been prohibited by the DISHA. It provides guidelines for which purposes health data can be used and on what uses bars have been put. It is also mentioned that for using permitted data, clear consent or legislation requiring such use must exist.

It has been further provided that full liberty is given to an individual, whose consent has been obtained for use of information, that at any point of time they can withdraw their consent. DISHA made sure that if any person wants to restrict the use of their information they should not be refused.

Other than State or private health insurance companies, like health and fitness apps, e-pharmacies, etc are governed by DISHA. For these entities permitted purposes of collecting, processing, and storing information are related to making medical decisions based on the provided data, to improve coordination between care and information, etc.


Personal Data Protection Bill, 2019 (PDP)

Personal Data Protection (PDP) Bill, 2019, this bill has been finalized by the Joint Committee of Parliament on 22-11-2021 after two years, but it is yet to become a law. This bill prepares a structure for general data protection for personal data as well as sensitive personal information. Chapter 2, 6, and 7 of the bill provides important and necessary data protection principles. For example section 4 of this bill says that you are not allowed to process personal data, section 5 says that if information or data is collected for purposes A, B, and C, this information will not for used for any other purpose like D to Z, what kind or nature of consent is required is given in section 11. Security safeguards like matters are dealt with in chapter 6 of the bill. For example, section 26 says that if there is any data breach, then it is mandatory to report those breaches, section 27 provides provision for conducting data protection impact assessment, section 27 for grievance redressal. The most important chapter is the chapter 7 which provides provisions for sensitive personal data.

There are some other regulations like The Clinical Establishment Act, 2010, The Drugs and Magic Remedies Act 1954 and Drugs and Magic Remedies Rules, 1955 and The Drugs and Cosmetic Act, 1940 and Drugs and Cosmetics Rules, 1945, which should be followed by the health tech start-ups.



You would be happy to hear that India’s healthcare sector is thriving and is one of the rapidly growing sectors in India. With the joining of healthcare and technology, and the opportunity to grow it would be a turning point for India. We have seen some other sectors of the economy like education, finance, which have grown by mixing both with technology and it is enough proof that technology has the potential to make a positive impact on the healthcare sector effectively.

There is some data given by the investors which says that it is anticipated that by 2022 healthcare market might have a value of $370 billion and will provide a favorable yield of up to 35-40 percent. We are well aware that the concept of health tech and telemedicine is not new but its growth was slow and pandemic and telemedicine guidelines gave it the necessary push, which is a game-changer but still using technology in India for healthcare services and even extending those services in India’s conservative environment has a long way ahead of it. Another problem is data protection and we are only reliable on IT act and rules, we need other specific statutes working only for healthcare, and because of the legislation that is not possible shortly. If data protection laws are absent then health tech start-ups or industries would be vulnerable to spam, extortion, blackmail, or misappropriation of valuable personal data. If we want people to trust health tech start-ups, legislation must assure them that in case of difficulty they will have a solution to the problem.



0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *