31 August 2022


Spice Route Legal


Spice Route Legal logo
Spice Route Legal, India’s leading law firm for cross jurisdictional matters, was established with a singular purpose – to provide exceptional levels of legally astute and commercial advice to participants in international trade and commerce. We bring a unique approach to the table, designed to offer the best solution for legal and business challenges that our clients face across the world.
The technology sector, and the practical applications of technological developments, have grown exponentially over the years, and the healthcare and pharma industries have ...
India Food, Drugs, Healthcare, Life Sciences
To print this article, all you need is to be registered or login on

The technology sector, and the practical applications of technological developments, have grown exponentially over the years, and the healthcare and pharma industries have benefitted alongside many others. To add to this, the outbreak of Covid-19 and consequent lockdowns also accelerated the usage of digital healthcare, not only in India but also globally, thereby leading to the rapid growth of start-ups within the digital healthcare space.

As per the World Health Organisation, digital health is a broad umbrella term encompassing eHealth (which includes mHealth), as well as emerging areas, such as advanced computing sciences in 'big data', genomics, and artificial intelligence.1

Combining technology with healthcare, the digital healthcare ecosystem encompasses different aspects of technology used for monitoring, diagnosing, preventing, and curing health. In today's world, this includes robot-assisted surgeries, fitness wearables, telemedicine, software as a medical device, mobile phone trackers, the internet of medical things, electronic health records, and artificial intelligence applications in healthcare, among others.

With the increased proliferation of technology in the healthcare industry, there is a clear need for regulatory intervention to ensure that this technology is not misused. Due to the regular exchange of personal data regarding health issues and consultation between patients and the service providers, the protection of the personal data thus generated has become a matter of concern. Today, everyone is freely using smartphones with pulse trackers, smartwatches that monitor people's heart rate even during sleep, and menstruation trackers, without being aware of the amount of data generated and stored.

In the light of the concerns cited above, there is an urgent need for regulators to pass specific laws and regulations addressing current and prospective issues relating to the digital healthcare ecosystem.

The present note deals with the current regulatory regime for digital healthcare in India and how a change in the definition of 'medical devices' by the Ministry of Health and Family Welfare might affect the digital healthcare industry in India.


In a revolutionary move on February 11, 2020, the Ministry of Health and Family Welfare released two notifications concerning medical devices in India2:


The effect of the said notifications is that medical devices, including digital healthcare systems, will now fall within the definition of "Drugs" under the Drugs and Cosmetics Act, 1940. Some examples like - blood sugar monitor, diabetes tracker, pulse and sleep monitor applications are currently regulated as drugs. This can have far-reaching implications, which the regulators seem to have overlooked, such as the ability of the Central Drugs and Standards Control Organisation (CDSCO) to adequately regulate medical devices and drugs.








The Clinical Establishments (Central Government) Rules, 2012

  • Required the maintenance of electronic records of patients by clinical establishments.
  • These rules were pre-mature and failed to capture the issues concerning data breach and data usage, and storage.



The National Health Policy, 20173

  • The policy aimed to achieve highest possible level of health and well-being for all in India, while ensuring universal access to good quality of healthcare without anyone having to face financial hardships because of accessing the same.
  • Focused on creating a Digital Health Technology Ecosystem.
  • Suggested the establishment of a National Digital Health Authority to mainly focus on digital health.
  • Recommended linking and integrating Aadhaar with the health data of individuals.



The Draft Digital Information on Security in Healthcare Act4

  • Proposed the establishment of state as well as national authorities to implement its provisions.
  • Recommended setting up "Health Information Exchanges" under a Chief Health Information Executive ("CHIE"), to be appointed under the said Act. The Act further provided that the CHIE-controlled Health Information Exchanges will be responsible for maintaining, storing, protecting, and transmitting health data generated daily.
  • The owner of the health data would be given full authority and autonomy to maintain such data privately, along with a right to refuse the transmission or storage of their digital health data.
  • Enumerated the list of things that may be done using the data (like research), albeit with the owner's consent.
  • The draft was published for public comments; however, it is yet to be adopted/ tabled in the Parliament.



The National Health Stack, 20185

  • Envisaged a centralized health record for all citizens of the country in order to streamline the collection of health information and facilitate the effective management of the same. It aimed at achieving the "portability" of healthcare – i.e. access to healthcare from anywhere.
  • Proposed the creation of master health data for the nation, and personal health records for individuals, apart from generating digital health IDs and health data directories.
  • Contemplated a "coverage and claims platform" for integrating health insurance programs in the system.



The National Digital Health Blueprint, 2019 ("Blueprint")6

  • To implement the National Health Stack, a committee chaired by Shri J. Satyanarayana released a report called the "National Digital Health Blueprint".
  • The Blueprint proposed an approach to establish "Federated Architecture in terms of its Building Blocks" i.e., various layers at various levels to create a digital health technology ecosystem.
  • Suggested the establishment of the National Digital Health Mission to drive the implementation of the blueprint mentioned above, and promote and facilitate the evolution of a National Digital Health Ecosystem.



The National Digital Health Mission, 2020 ("NDHM")7

Salient features:

  • Health ID: A unique health ID, managed by a health data consent manager and linked to Aadhaar, intended to be a repository for all related health information of every Indian. It will be voluntary and applicable across states, hospitals, diagnostic laboratories, and pharmacies.
  • Health Data Analytics: Every Health Information Provider ("HIP") is to generate aggregated data on the health information that is being managed by them in the federated architecture. A Health Data Analytics platform to be developed which will subscribe to the aggregated data from HIPs, subject to compliance with data protection and privacy laws.
  • Healthcare Professionals Registry: Master data of information on doctors, nurses, paramedical staff, and other healthcare professionals.
  • Health Facility Registry: One record and a unique identifier for each healthcare facility in the country.
  • Consent Manager and Gateway: Portal for exchange of health information. Health records can only be issued/viewed with patient consent.
  • Open telemedicine and e-pharmacy network: Open digital playground to be created for any market players but at the same time the core control to be with the government to ensure accountability.



Health Data Management Policy, 20208

  • A policy framed under NDHM.
  • Lays down a consent framework to monitor the collecting, storing, processing, and sharing of data in alignment with the objective that users should always have control and decision-making power over their data. The policy introduced the concept of an electronic consent manager i.e., an electronic system that interacts with users to obtain consent to access their health data.
  • The policy protects the rights of the data owners and lays down the rules for access, portability, correction, or erasure of their data.
  • The policy further lays down the obligations of data fiduciaries (i.e., anyone, including the state, who determines the purpose and means of processing personal data) and implements limitations on the collection, usage, and storage of such data.
  • The National Health Authority has now released consultation papers for implementing the Health Facility Registry (HFR) and the Healthcare Professionals Registry (HPR). The NHA is currently receiving comments from the stakeholders by 13 July 2021.


While the Blueprint has recognised various building blocks at multiple levels that need to be regulated to create a digital healthcare ecosystem, the focus has primarily remained on data protection and privacy, as it relates to health data. As a result, the Blueprint seem to have overlooked other regulatory aspects that may arise with the change in the new definition of medical devices.

The 2020 notification, which has expanded the ambit of medical devices to include all things that assist a human body in diagnosis, prevention, monitoring or supporting life9, has also created a lot of ambiguity on how digital healthcare will be treated. The laws regulating drugs don't seem to be equipped to regulate the intangible nature of software and other evolving technology in the healthcare sector.

For example, under the Drugs and Cosmetics Act, 1940, the word 'import' is defined as "bringing anything into India". Therefore, any software developed outside India may be deemed to be imported once the software is used in India. With that, the software owner may, without his knowledge, be subject to Indian laws. Will he then need to comply with the 11 February 2020 notification?

Other pertinent issues that may arise would be:

  1. Would all 'tracking software' need to get registered as a medical device?
  2. Applicability of price control under the Drugs Price Control Order, 2013 on software as a medical device.
  3. Applicability of Legal Metrology (Packaged Commodities) Rules, 2011, BIS standards, or compliance with respect to ISO 13485 standard accredited by National Accreditation Board for Certification Bodies or International Accreditation Forum (which is required under the 11 February 2020 notification).

These are all certainly issues that need the urgent attention of, and clarity from, the regulators.


While the regulators are moving in the right direction, it is time that in India, the entire category of medical devices be delinked from the definition of "Drugs" and be regulated under an entirely different law. In addition, digital healthcare, and data generated by digital healthcare, also needs to be protected, not just by policies (which currently seem to be changing with the changing governments), but by stringent enforceable law. There is also a need to expand on the definition of medical devices to recognise tangible, intangible (like software) and artificial intelligence-based medical devices, so that we may regulate them all in a more streamlined manner.


1. WHO guideline: recommendations on digital interventions for health system strengthening. Geneva: World Health Organization; 2019. Licence: CC BY-NC-SA 3.0 IGO Accessed at -

2. Ministry Of Health and Family Welfare, Notification, S.O. 648(E), dated 11 February 2020; Ministry of Health and Family Welfare, Notification, G.S.R. 102 (E), dated 11 February 2020

3. The National Health Policy, 2017, Accessed at:

4. The Draft Digital Information on Security in Healthcare Act, Accessed at:

5. The National Health Stack, 2018, Accessed at:

6. The National Digital Health Blueprint, 2019, Accessed at:

7. The National Digital Health Mission, 2020, Accessed at:

8. Health Data Management Policy, 2020, Accessed at:

9. Ministry Of Health and Family Welfare, Notification, S.O. 648(E), dated 11 February 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More