All of us have probably received several messages on our social media feeds or through instant messengers regarding the COVID-19 outbreak, ranging from statistical numbers, to medical information on the “virus”, symptoms, how to protect oneself, etc. At a time where so much medical information is being transmitted through electronic media, it becomes critical for businesses to understand the regulations applicable to “digital healthcare”. In this article, I will explain what is “digital health” and briefly discuss the laws that regulate it.
What is “digital health”?
Digital healthcare or electronic health has been defined by the World Health Organization as a cost-effective and secure use of information and communications technology for providing health and health related services.
The main advantage of digital health is that there is no need for patients to physically be present in front of a doctor to receive medical advice, nor does the patient need to be in a hospital to receive medical treatment. In the current scenario facing us, with the COVID-19 outbreak, digital healthcare assumes great significance, as it could free up hospital capacity for treating more serious cases.
Some examples of digital health:
(i) Telemedicine
Telemedicine is defined in the Telemedicine Practice Guidelines, as “… the delivery of healthcare services, where distance is a critical factor, by all health care professionals using information and communications technology for the exchange of valid information for diagnosis, treatment and prevention of disease and injuries, research and evaluation, and of the continuing education of health care providers, all in the interests of advancing the health of individuals and communities”. The most common types of telemedicine are (i) interactive telemedicine, which allows patients and doctors to communicate in real time; and (ii) processing telemedicine, where intermediaries collect patient information and share the same with doctors who are independent of the intermediaries.
(ii) Monitoring health care devices
These are healthcare devices such as smart watches and other devices that collect the health information of its users. This information is either relayed to the user or to a practicing doctor.
(iii) Electronic health records
An electronic health record is a digital version of a person’s health record, which is stored digitally and can be accessed at any point of time by a doctor, irrespective of where the health information was stored.
(iv) E-Pharmacies
The draft e-pharma regulations define an e-pharmacy as “the business of distribution or sale, stock, exhibit or offer for sale of drugs through a web portal or any other electronic medium”.
Regulations surrounding digital health
The main regulations governing digital health in India are:
- The Telemedicine Practice Guidelines issued by the Ministry of Family Health and Welfare;
- The Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011;
- The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002;
- The Drugs and Cosmetics Act, 1940 read with the Drugs and Cosmetics Rules, 1945; and
- The Clinical Establishment (Registration and Regulation) Act, 2010Who can practice telemedicineOnly a Registered Medical Practitioner (“RMP”) is permitted to provide telemedicine consultation to patients in The TPC defines a RMP as a person who is enrolled in either a state register or the national register under the Indian Medical Councils Act, 1956.Patient Consent: The TPC stipulates that if a patient initiates the consultation, then the consent is implied and no further consent is required. However, if the RMP initiates the consultation, the explicit consent of the patient will be required.
The RMP can obtain the explicit consent of the patient in any manner (i.e. via email, text, audio or video message). However, (a) the patient must expressly state that he/she consents to availing a consultation via telemedicine; and (b) the RMP must record such explicit consent in the patient’s medical records.
TELEMEDICINE PRACTICE GUIDELINES (“TPC”)The Ministry of Health and Family Welfare issued these guidelines in March, 2020 to all entities that intent to provide telemedicine services. The TPC states that “health systems that are invested in telemedicine are well positioned to ensure that patients with Covid-19 kind of issues receive the care they need”.
The opportunity for use of telemedicine in tackling Covid-19 is enormous and has been recognized by the All India Institute of Medical Sciences, which has recently announced that it will launch a telemedicine facility for COVID-19 patients.
The TPC prescribes three modes of telemedicine, namely, telemedicine conducted via video media (“Video Telemedicine”), telemedicine conducted via audio media (“Audio Telemedicine”), and telemedicine conducted via messaging media (“Message Telemedicine”).
A brief summary of the regulations outlined by the TPC are as follows:
Restrictions on prescribing drugs: RMPs cannot prescribed Schedule X drugs (as defined in the Drugs and Cosmetics Act, 1940) using Further, RMPs can prescribe List A drugs (as defined in the Drugs and Cosmetics Act, 1940) only if the RMP has examined the patient using Video Telemedicine.
Guidelines to technology platforms providing telemedicine Technology platforms providing telemedicine (a) should conduct a due diligence to ensure that the person giving medical treatment is a RMP; (b) a platform based solely on artificial intelligence and/or machine learning cannot provide any medical advice to patients or prescribe any medications; and (c) the provider must ensure that there is a proper mechanism in place to address any queries or grievances that the end user may have.
Elements of telemedicine not regulated by TPC: The TPC does not govern or regulate (a) the specifications for hardware or software, infrastructure building and maintenance required for providing telemedicine; (b) the data management systems involved; (c) data privacy; (d) use of digital technology to conduct surgical or invasive procedures remotely; and (e) consultations provided outside India.
THE INFORMATION TECHNOLOGY ACT, 2001 (“IT ACT”) READ WITH THE INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011 (“SPI RULES”)
The IT Act read with the SPI Rules governs the processing of all personal data in India as of today. The SPI Rules classifies personal data into 2 categories – personal information and sensitive personal information. As per the SPI Rules, all medical information such as medical history and physiological information will be classified as sensitive personal information.
Therefore, prior to providing any digital health services to patients, both the technology platform and the RMP should ensure that:
-
- Explicit consent is obtained: The SPI Rules mandate that processors will need to obtain the explicit consent of the individual prior to processing any sensitive personal information. Hence, technology providers and/or the RMPs will need to obtain the explicit consent of their patients prior to providing any digital health This may be done in the manner prescribed in the TPC.
- Appropriate safety standards: The SPI Rules mandate that all processors will need to conform to IS/ISO/IEC 27001 or similar standards in order to maintain the integrity and security of the sensitive personal information.
- Maintain a terms of use and privacy policy: The technology platform should display its terms of use and privacy policy outlining (a) the manner in which the patient’s medical information is collected, (b) the manner in which the patient’s medical information is processed, and (c) if the patient’s medical information is shared with any third party and if yes, the purpose for the same.
- Appoint a grievance officer: The SPI Rules mandate all processors to appoint a grievance officer and publish their contact details.THE INDIAN MEDICAL COUNCIL (PROFESSIONAL CONDUCT, ETIQUETTE AND ETHICS) REGULATIONS, 2002 (“PROFESSIONAL CODE”)The Professional Code was notified under the Indian Medical Council Act, 1956 (“IMC Act”). Although the National Medical Commission Act, 2019 replaces the IMC Act, the National Medical Commission is yet to be constituted and has not issued any regulations to replace the Professional Code. Hence, all RMPs continue to be governed by the Professional Code as of today.The Professional Code lays down certain professional and ethical standards for interactions between doctors and their patients. A few of these standards are:
- Maintenance of Medical Records: All RMPs are required to maintain the medical records of their patients for a minimum of 3 (Three) years after the commencement of treatment.
- Confidentiality: It is the responsibility of the RMP (and thus extends to the technology provider) to maintain the upmost confidentiality of the patient’s information.
- Display registration: Every RMP must display his/her registration number in his/her clinic and prescription. In the age of digital health, this will mean the RMP’s registration number will need to be indicated to the patient event if the consultation is occurring via Audio Telemedicine or Message Telemedicine.
- Use of Generic Drugs: RMPs should, as far as possible, prescribe drugs with generic names.THE DRUGS AND COSMETICS ACT, 1940 (“D&C ACT”) READ WITH THE DRUGS AND COSMETICS RULES, 1945 (“D&C RULES”)The D&C Act read with the D&C Rules regulate the manufacture, classification, import sale and distribution of drugs in India. The D&C Act classifies certain categories of drugs as “over the counter”, for which no prescriptions are required. On the other hand, certain other categories of drugs, such as Schedule H, H1 and X drugs can be sold only with a prescription, and are referred to as “prescription drugs”.As the sole regulation for the sale and distribution of drugs currently, the D&C Act read with the D&C Rules regulate e-pharmacies in India. However, these rules and regulations do not explicitly recognize the online sale of drugs or e-pharmacies, leading to question being asked of the legality of e-pharmacies and online sales of drugs. Although the Central Government has proposed a separate e-pharma regulation to govern e-pharmacies, the same has not been notified as of today.Hence, all e-pharmacies will need to obtain a registration under the D&C Act prior to commencing operations and comply with the regulations prescribed thereunder.THE CLINICAL ESTABLISHMENT (REGISTRATION AND REGULATION) ACT, 2010 (“CLINICAL ESTABLISHMENT ACT”)The Clinical Establishment Act stipulates that all clinical establishments will need to register themselves under the Clinical Establishment Act and adhere to the norms outlined by the Clinical Establishment Act. The registration under the Clinical Establishment Act is usually valid for a period of 2 (Two) years, and can be renewed thereafter.The Clinical Establishment Act defines a Clinical Establishment as: “… a hospital, maternity home, nursing home, dispensary, clinic, sanatorium or an institution by whatever name called that offers services, facilities requiring diagnosis, treatment or care for illness, injury, deformity, abnormality or pregnancy in any recognised system of medicine established and administered or maintained by any person or body of persons, whether incorporated or not”.Additionally, certain states such as Maharashtra and Karnataka have enacted separate legislations to govern clinical establishments. In such cases, platforms will need to
obtain a registration under the state specific regulation and not the Clinical Establishment Act.
Author’s take and Conclusion:
COVID-19 has brought into focus the lack of a consolidated regulation to govern digital health, which could have otherwise been leveraged in dealing with epidemics, pandemics and other health consequences arising out of large scale disasters. This can be useful in future where a doctor in one region of the country can provide quality medical services to a person sitting in a remote village thousands of kilometres away and also reduce the burden on current medical infrastructure.
Although several proposals, such as the Digital Information Security in Healthcare Act (“DISHA”) have been proposed, there appears to be a lack of political will to streamline digital health regulations in India. However, it is hoped that one of the lessons learnt from the COVID-19 outbreak is to prioritize regulations on digital healthcare, to be better prepared for a healthier tomorrow.
Disclaimer: This post has been prepared for informational purposes only. The information/or observations contained in this post does not constitute legal advice and should not be acted upon in any specific situation without seeking proper legal advice from a practicing attorney.I would like to thank Amrut Joshi (amrut@gamechangerlaw.com) and Samheeta Rao (samheeta@gamechangerlaw.com) for their inputs.
Learn more about our Technology practice.
#DigitalHealth #TelemedicinePracticeGuidelines #India #Technology #GameChangerLawAdvisors