India, being a huge country, has always suffered from lack of universal access to quality healthcare. As a result, a huge chunk of healthcare needs end up being unmet. However, with the increased proliferation of information technology in the healthcare industry, access to healthcare has been positively influenced. Healthcare is now accessible at our fingertips in the form of online appointments, online consultations, online delivery of medicines, etc. However, this digital avenue also requires the government to lay down the appropriate legal framework to prevent misuse of technology and exploitation of the end customer/user.


The Drugs and Cosmetics Act, 1940 (Act) read with the Drugs and Cosmetics Rules, 1945 (Rules) are the key regulations that govern the manufacture, sale, import and distribution of drugs in India. The Act and the Rules require the manufacturer of drugs to obtain a license before the sale of any drug. The Act and the Rules further mandate that drugs can be sold only on the production of a valid prescription issued by a registered medical practitioner. The lacuna, however, was that the Act and the Rules did not specifically allow or restrict the operations of online pharmacies, and therefore, vide a notification dated December 30, 2015[1] (Notification), the office of the Drugs Controller General of India, the principal enforcement and regulatory office under the Act and the Rules, clarified that the provisions of the Act apply to online pharmacies in the same way as they were understood to apply to physical brick-and-mortar pharmacies. The import of this Notification was that an online pharmacy had to function in the same way as a physical pharmacy.

Though the intention of the Notification was to regulate the unregulated sale of drugs online, it ignored the practical working of an online pharmacy. Since "health" is a state subject in India, the Act and the Rules require that a pharmacy obtain a license from the respective state regulator, i.e., the State Drugs Control Organisation. Unlike a physical pharmacy, which has a geographical limitation and can function only in a single state at a given point of time, an online pharmacy can operate in multiple states simultaneously.

After representations by a group of major online pharmacies, a sub-committee was constituted at the 48th Drugs Consultative Committee (DCC) meeting to examine issues concerning the sale of drugs on the internet.[2] Its recommendation to allow the online sale of drugs under elaborate regulations was considered at the 50th DCC meeting and was thereafter forwarded to the government as well.[3] This led to the draft Drugs and Cosmetics (Amendment) Rules, 2018 (Draft E-Pharmacy Rules).[4] The Draft E-Pharmacy Rules define an "e-pharmacy" to mean "business of distribution or sale, stock, exhibit or offer for sale of drugs through web portal or any other electronic mode", and require any person who wishes to distribute, sell, stock, exhibit, or offer for sale drugs through an electronic method to obtain a registration certificate (valid for a period of three years) from the licensing authority. Further, the sale of drugs that qualify as "narcotic" and "psychotropic" under the Narcotic Drugs and Psychotropic Substances Act, 1985, tranquilizers and other drugs covered under Schedule X of the Rules is prohibited under the Draft E-Pharmacy Rules. However, the Draft E-Pharmacy Rules have not been notified yet. The lack of specific rules and regulations has also led to some disputes filed before the Delhi High Court which are still pending.[5]

Finally, last year, the Telemedicine Guidelines 2020 (Guidelines) formulated by NITI Aayog were notified under the Indian Medical Council (Professional Conduct, Etiquette, and Ethics) Regulations (Ethical Guidelines) on March 25, 2020. The Guidelines lay down the norms for consultation by doctors via phone, video and chat applications, including telemedicine platforms and WhatsApp. They also make doctors accountable to patients for providing teleconsultation in accordance with the Guidelines, which set out a list of do's and don'ts for doctors. The Guidelines define "telemedicine" as "the delivery of health care services, where distance is a critical factor, by all health care professionals using information and communication technologies for the exchange of valid information for diagnosis, treatment and prevention of disease and injuries, research and evaluation, and for the continuing education of health care providers, all in the interests of advancing the health of individuals, and their communities."


Since the entire gamut of e-pharmacy and telemedicine involves an online medium for the exchange and storage of information/data, it is crucial to understand the laws that would additionally apply to such a medium. The Information Technology Act, 2000 (IT Act) was enacted to accord legal recognition to transactions carried out by means of electronic data interchange and other means of electronic communication. Various rules dealing with data regulation have been framed under the IT Act.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules) regulate the exchange of data between the patient and healthcare professional such as physical and mental health condition, sexual orientation, etc. which would be in the nature of sensitive personal data. The Information Technology (Intermediaries Guidelines) Rules, 2011 (Intermediary Guidelines) govern the entities which act as a facilitator of e-healthcare services to the patients partnering with independent healthcare professionals.

Going forward, India's proposed data protection law, the Personal Data Protection Bill, 2019 (PDP Bill), introduced in Parliament late last year and currently being reviewed by a Joint Parliamentary Committee, shall be the principal legislation. The PDP Bill aims to protect the privacy of individuals with respect to their personal data[6] and sensitive personal data[7] and governs the relationship between individuals and entities processing their personal data. The PDP Bill does not apply to the processing of anonymised data and governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.

As far as health records are concerned, the e-Health Division of the Department of Health & Family Welfare under the Ministry of Health & Family Welfare (MoHFW) issued the Electronic Health Record Standards for India (EHR) for the first time in 2013 and then a revised version in 2016. The EHR recommends the adoption of electronic health informatics standards in EHR/EMR (Electronic Medical Records) and other similar clinical information systems, and covers interoperability and standards, clinical informatics standards, data ownership, privacy and security aspects, and the various coding systems. The EHR's vision, that any person in India can go to any health service provider/practitioner, any diagnostic centre or any pharmacy and still be able to access fully integrated and always available health records in an electronic format, is not only empowering but also the vision for efficient 21st century healthcare delivery.

Further, as per the EHR, protected health information would refer to any individually identifiable information whether oral or recorded in any form or medium that (i) is created or received by a stakeholder; and (ii) relates to past, present, or future physical or mental health conditions of an individual; the provision of health care to the individual; or past, present, or future payment for health care to an individual.

Electronic Protected Health Information (ePHI) refers to any protected health information that is created, stored, transmitted, or received electronically, and includes any medium used to store, transmit, or receive PHI electronically. The SPDI Rules refer to "sensitive personal data or information" as the subject of protection, but also refer, with respect to certain obligations, to "personal information." Sensitive personal information is defined as a subset of personal information. The following constitute sensitive personal information: (i) passwords; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, psychological, and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to (i) – (vi) above received by the body corporate for provision of services; and (viii) any information relating to (i) – (vii) that is received, stored or processed by the body corporate under a lawful contract or otherwise.

As per the EHR Guidelines, data shall be "individually identifiable" if it includes any identifiers such as name; address (all geographic subdivisions smaller than street address, and pin code); all elements (except years) of dates related to an individual (including date of birth, date of death, etc.); telephone, cell (mobile) phone and/or fax numbers; email address; bank account and/or credit card number; medical record number; health plan beneficiary number; certificate/license number; any vehicle or other device identifier or serial number; PAN number; passport number; AADHAAR card; voter ID card; fingerprints/biometrics; voice recordings that are non-clinical in nature; photographic images that can possibly identify the person individually; any other unique identifying number, characteristic, or code for an individual, or for the individual's employer or family member; or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual.


The MoHFW released the Health Data Management Policy, 2020 (HDM) in August 2020,[8] to digitize the entire healthcare ecosystem of India. The HDM stems from the National Health Policy of 2017 and the resultant National Digital Health Blueprint (NDHB), which was intended to complement the overall vision of the Government by creating an enabling and interoperable digital framework to support universal health coverage while ensuring the security of sensitive personal medical data of the citizens. The NDHB recommended the establishment of a new entity, called the National Digital Health Mission (NDHM), a purely governmental organization with complete functional autonomy.

The HDM incorporates the concept of "Security and Privacy by Design", is meant to act as the guiding document across the National Digital Health Eco-system (NDHE), and sets out the minimum standards for data privacy protection that should be followed across the board. As per Article 2, the HDM applies to all entities involved in the NDHM and partners of the NDHE including, inter alia, (i) entities and individuals who have been issued an ID under the Policy; (ii) healthcare professionals; (iii) relevant professional bodies and regulators; (iv) health information providers; (v) any health care provider who collects, stores and transmits health data in electronic form in connection with its transactions; (vi) payers, i.e. Central and State Governments, insurers, charitable institutions, etc.; (vii) pharmaceutical organizations; (viii) research bodies; (ix) Health ID holders, i.e. patients; (x) all individuals, teams, entities or ecosystem partners who collect or process personal or sensitive personal data as part of the NDHE; and (xi) all methods of contact.

In terms of the scope of collection and processing of personal or sensitive personal data, control of data principals over the same, appointment of a data protection officer, clear and conspicuous privacy notice requirements, and information requirements thereto, the HDM is in alignment with the PDP Bill. The HDM via Article 14 grants certain rights with respect to the data collected to the data principal, namely right of confirmation and access, correction and erasure, restrict or object to disclosure, and data portability.

Article 15 of the HDM envisages the creation of a Health ID framework. A data principal can request the creation of a Health ID at no cost, by which they can participate in the NDHE; the personal data of the data principal will be linked to their Health ID, recognizing such data principal as the owner of the personal data so shared. The Health ID is intended to function as a single point of reference for all instances of data collection and processing in accordance with the provisions of the HDM. Chapter V of the HDM sets out the obligations of data fiduciaries in relation to the processing of personal data and lays down the foundations on which any collection of personal data shall rest, including accountability, transparency, privacy by design,[9] choice- and consent-driven sharing, purpose limitation, data quality, and collection, use and storage limitation.


In addition to the above specific laws, healthcare is generally governed by several other laws. The Drugs and Magic Remedies (Objectionable Advertisements) Act, 1954, and the rules thereunder regulate the advertisement of drugs in India and specifically prohibit advertisements that promise magical remedies through the use of drugs. This includes online advertisements. The Ethical Guidelines provide certain qualifying criteria for persons who wish to practice medicine in India and extend to the conduct of medical practitioners in an online space. The Clinical Establishments (Registration and Regulation) Act, 2010, requires an establishment which calls itself a "clinic" to register with the relevant authority and conform to certain minimum standards prescribed thereunder. Each state has its own variation of this law based on its specific requirements. Depending on the registered office of the online clinic, it would be crucial for it to adhere to the compliances mandated under these regulations. Finally, every patient of a body corporate would ideally fall within the definition of a "consumer" and can avail of the remedies under the Consumer Protection Act, 2019 in the event of any deficiency in the services or products delivered to them by an e-healthcare provider.


Even though there has been an honest attempt by the authorities at regulating the online healthcare industry, the current regulatory regime is hit-and-miss. The regulatory clarity around the e-healthcare industry does not extend to the e-pharmacy industry, because of which the last-mile connectivity of the e-healthcare industry is severely affected. E-pharmacies have been caught in a regulatory quagmire ever since they first started operating in the country. The need of the hour is to put in place a comprehensive framework for digital healthcare in India which takes into its fold all of its key components. Online delivery of medicines cannot be divorced from online consultations, and therefore a standardised regulatory regime needs to be set up to provide clarity to all the stakeholders in this industry. The regulatory initiatives relating to online consultations, such as the Telemedicine Guidelines, EHR Guidelines, etc., also need to be extended to online pharmacies to instil confidence in major market players.


1 No.7-5/2015/Misc/e-Governance/091; Office of DCGI; December 30, 2015 (Last visited January 25, 2021)

2 Report of the 48th Meeting of DCC: /48dcc.pdf (Last visited January 25, 2021).

3 Report of the 50th Meeting of DCC: pk=ODEy (Last visited January 25, 2021).

4 G.S.R. 817 (E), Draft E-Pharmacy Rules; 28 August 2018; (Last visited on January 24, 2021).

5 Dr. Zaheer Ahmed v. The Union of India & Ors., W.P. (C) No. 11711 of 2018 & CM APPL. No. 45307 of 2018.

6 Defined as data about or relating to a natural person who is directly or indirectly identifiable, having regard to a feature of identity or a combination of such features (whether virtual or physical) and also includes inferences drawn from such data for the purpose of profiling.

7 Personal data that reveals, is related to, or constitutes financial data, health data, official identifiers, sex life and sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation, and any other category as may be notified.

8 At the draft stage; it will be finalized after receiving suggestions from members of the general public.

9 Data protection requirements shall be considered as part of the implementation and design of the systems, products, and business practices by the data fiduciaries.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.