In this COVID-19 era, when most of the hospitals and health care facilities are dedicated to treating COVID-19 patients, it is the e-health technology that is coming to the rescue of non-COVID-19 patients. E-health or better known as "Digital Health" is defined by the World Health Organization ("WHO") as "use of information and communication technologies for health." The European Commission has also defined Digital Health in a more precise and comprehensive manner. As per the European Commission, Digital Health refers to "tools and services using information and communication technologies that can improve prevention, diagnosis, treatment, monitoring and management." Thus, Digital Health means the usage of information technology tools and services for providing various health care facilities to the needy.
We often come across various apps/websites which serve as a platform for medical practitioners to provide consultancy to patients without meeting them physically. While using such apps /websites, we exchange various information pertaining to ourselves and our health which is in turn used by the medical practitioners for diagnosis. The concern surrounding such a practice is the safety of the data/information provided by us. This is not the only way as digital health includes various other ways such as e-pharmacies, robot-assisted surgeries, self-monitoring healthcare devices, electronic health records, etc. Out of all these processes, a lot of data/ information which is personal or sensitive in nature can be procured and used without authorization. Thus, it is mandatory to regulate digital health services. This article discusses the various regulatory framework in India governing digital health services.
"The use of digital technologies offers new opportunities to improve people's health," says Dr. Soumya Swaminathan, Chief Scientist at WHO. "But the evidence also highlights challenges in the impact of some interventions.
These challenges as pointed out by Dr. Swaminathan are pertaining to data protection. No doubt the intervention of technology into healthcare is capable of doing wonders and will help to achieve universal health coverage, however, at the same time, it is necessary to assure people that their data is safe with those who are providing digital health services.
IT Act and SPDI Rules
Currently, in India, collection, storage and handling of data/ information are all regulated under the Information Technology Act, 2000("IT Act") read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (the "SPDI Rules"). The IT Act and the SPDI Rules are India's principal legislation which regulates data protection across industries. It prescribes that all body corporate who collects, stores or handles data must ensure that prior written consent is obtained from the provider of information for collection, storage and handling of his/her data. Further, the IT Act and the SPDI Rules also provide that any wrongful gain or wrongful loss that might cause due to contravention of the provision of the SPDI Rules shall be compensated by damages.
Digital Information Security in Healthcare Act1
Given the sensitivity of health care data, the Indian Government proposed the Digital Information Security in Healthcare Act ("DISHA" or "Draft Bill") in the year 2018. The Ministry of Health and Welfare has been deliberating upon the establishment of a National e-health Authority (NeHA) since 2015 with a goal to ensure the development of an e-health ecosystem and enable people-centered health services in a cost-effective manner. The government has time and again issued various notifications2 with regard to e-health however, none of them were mandatory in nature. Thus, the government published DISHA for public comments. DISHA aims to establish NeHA and State e-health Authorities (SeHA). It also aims to establish a health information exchange. It further regulates the collection, storage and transmission of Digital Health Data (DHD) and associated Personally Identifiable Information (PII). The function of NeHA & SeHA, as per DISHA, would be to promote e-health, enforce strict privacy and security norms vis-à-vis DHD and PII at both macro and micro levels. DISHA will primarily regulate clinical establishments i.e. clinics and pathology labs, however, it excludes pharmacies, insurers and other healthcare organizations who collect, generate, transmit or store DHD.
Further, DISHA confers the power to exercise the "right to refuse" upon the owners of information among other rights. And, those who refuses to give consent for generation, collection, transmission or storage of DHD shall not be refused any health service. It mandates that any DHD or PII shall be used only for the purpose of treatment of the patient to whom such DHD & PII belongs. At the same time, DHD allows usage of DHD & PII after anonymising or de-identifying them for the purpose of any specific public health such as research and development. However, it is strictly suggested that such DHD & PII cannot be used for commercial purposes. Constraining pharma companies and insurance companies from accessing the DHD & PII for commercial purposes will be obstructive to pharma companies' research and development activities.
The current version of DISHA does not restrict the healthcare exchange from accessing DHD, however, accessing data by healthcare exchanges does not make sense as they are only intermediaries who will facilitate the transmission of data between the owners and the clinical establishments. Further, it also does not envisage the flow of data between two healthcare information exchanges.
Telemedicine Practice Guidelines
Recently on March 25, 2020, the Ministry of Health and Family Welfare issued the Telemedicine Practice Guidelines ("Guidelines")3 which is the first piece of legislation on telemedicine. The Guidelines defines "telemedicine" as is the delivery of health care services, where distance is a critical factor, by all the healthcare professionals using information and communication technologies for the exchange of valid information for diagnosis, treatment and prevention of disease and injuries, research and evaluation, all in the interests of advancing the health of individuals and their communities. The Guidelines were much-needed statute and it was a spot on as due to the outbreak of COVID-19 pandemic and unprecedented lockdown, patients who are suffering from health issues other than the COVID-19 can consult any registered medical practitioner by using information technology platforms, including audio, text and digital exchange. The Guideline regulates the conduct of medical practitioners, patients and the information technology platform provider for the purpose of practicing telemedicine.
The Guidelines are appended to the Appendix 5 of the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulation, 2002 ("Professional Conduct Regulation") issued under the Indian Medical Council Act, 1956 ("IMC Act"). Thus, it is imperative for medical practitioners to stay compliant with the Professional Conduct Regulation at all times while practicing telemedicine.
Only Registered Medical Practitioners (RMP) i.e. those who are enrolled in the State Medical Register or the Indian Medical Register under the IMC Act can practice telemedicine in India and the standard of professional and ethical norms should be at par with the traditional way of practice.
Further, the Guidelines also impose a limitation on the prescription of drugs while practicing telemedicine. It clearly states that the RMP cannot prescribe medicines in the prohibited lists which are listed in Schedule X of the Drugs and Cosmetics Act 1940 or any narcotic and psychotropic substance listed in the Narcotics Drugs and Psychotropic Substances Act, 1985. Apart from these, the Guidelines have provided three lists i.e. list O, A & B which the RMP may prescribe while telemedicine depending upon the nature of the consultation.
In addition to compliance with the Professional Conduct Regulation, the RMPs have to ensure compliance with the IT Act and SPDI Rules for protection of patient's privacy and confidentiality.
The Guidelines were the need of the hour and now that the first piece of legislation has come into effect, we can hope that soon DISHA will also come in to effect. These regulations will definitely open broad avenues for not only the medical practitioners but also for those who are looking for investment in healthcare services as it will help build trust in the industry. Now that legislation is in place and more are in line in the near future, venture capital and private equity firms may also feel encouraged to invest in intermediaries who are providing platforms for digital healthcare by way of mobile apps or websites.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.