Tuesday, February 27, 2024

Role of Digital Health in India's Rural Healthcare Landscape

India’s vast rural expanse, home to more than two-thirds of the nation’s population, faces formidable challenges in accessing quality healthcare. Limited infrastructure, a shortage of qualified medical professionals, and geographic barriers create significant disparities between urban and rural healthcare delivery. Digital health solutions are emerging as a potent force in revolutionizing this landscape, promising to deliver equitable and accessible healthcare to India’s underserved rural communities.

Key Pillars of Digital Health Intervention

  • Telemedicine and Remote Consultations: At the forefront of digital health, telemedicine platforms are bridging the gap between patients in remote villages and specialists residing in faraway urban centres. These platforms facilitate real-time video consultations, allowing rural patients to receive diagnoses, treatment plans, and follow-up care without the need for arduous journeys to cities. This significantly reduces travel costs, time, and the burden on rural families.
  • Electronic Health Records (EHRs): Digitizing patient records is instrumental in improving care coordination and reducing medical errors. With EHRs, healthcare providers across different locations can access a patient’s medical history, ensuring continuity of care and informed decision-making. Digital records also streamline the referral process and aid in disease surveillance and outbreak management.
  • Mobile Health (mHealth) Applications: The proliferation of smartphones and internet connectivity has made mHealth apps a valuable tool for rural communities. These apps provide health education, preventive care information, medication reminders, and symptom checkers, empowering individuals to take charge of their health. In particular, pregnancy tracking and maternal health apps are proving to be lifelines in remote areas.
  • Remote Patient Monitoring (RPM): RPM technology allows healthcare providers to track vital signs, such as blood pressure and blood sugar, of patients with chronic diseases from afar. This proactive monitoring enables early interventions, facilitates timely adjustments to treatment plans, and reduces the risk of expensive hospitalizations.
  • Point-of-Care Diagnostics: Portable diagnostic devices connected to smartphones or tablets are bringing laboratory-quality testing to remote corners of India. These devices can perform tests for infectious diseases, anaemia, and other conditions, leading to rapid diagnoses and faster treatment initiation, which is crucial in resource-limited settings.

Benefits of Digital Health for Rural India

  • Improved Access to Care: Digital health transcends geographical barriers and overcomes the lack of specialists in rural areas. Patients can access essential medical services without the hardship and expense of traveling long distances.
  • Enhanced Quality of Care: EHRs and telemedicine consultations with specialists support rural healthcare providers in delivering higher quality care, leading to improved patient outcomes.
  • Cost Reduction: Digital health solutions reduce patient travel costs, minimize unnecessary hospitalizations, and improve efficiency in healthcare delivery, contributing to overall cost savings.
  • Preventive Care and Empowerment: mHealth apps and educational resources empower rural communities to adopt healthier lifestyles, practice preventive care, and make informed decisions about their health.

Challenges and Considerations

While the transformative potential of digital health is undeniable, its widespread adoption in rural India faces hurdles:

  • Digital Literacy & Adoption: Limited digital literacy and technological skills among some rural populations can hinder the uptake of digital health solutions.
  • Infrastructure: Unreliable internet connectivity and electricity supply in certain areas pose challenges for telemedicine and other digital health interventions.
  • Data Security and Privacy: Robust measures are needed to ensure the security and privacy of sensitive patient data in the digital realm. In this regard, the Government of India passed the Digital Personal Data Protection Act (DPDPA) in August 2023. The DPDPA assigns restrictions and obligations to organizations that process personal data, including sensitive patient data.

The Way Forward

To fully realize the benefits of digital health in improving rural healthcare in India, collaborative efforts among government, healthcare providers, technology companies, and communities are vital. Key measures include:

  • Investing in Digital Infrastructure: Expanding broadband connectivity and ensuring reliable electricity supply in rural areas.
  • Digital Literacy Campaigns: Educating rural communities on the use of digital tools, promoting their adoption.
  • Government Initiatives: Continued support and favourable policies, including the Ayushman Bharat Digital Mission by the National Health Authority (NHA), are key to scaling digital health initiatives. The Ayushman Bharat Digital Mission has the potential to transform the landscape of rural healthcare in India. Its focus on interoperability, inclusivity, and patient empowerment directly addresses the unique challenges of healthcare delivery in these regions.
  • Partnerships and Capacity Building: Training rural healthcare workers in digital health technologies and fostering collaboration between healthcare providers and technology innovators.

Digital health holds the key to bridging the healthcare divide between rural and urban India. Its strategic implementation offers an unprecedented opportunity to deliver affordable, accessible, and high-quality healthcare to the doorstep of those who need it the most.

Thursday, October 26, 2023

Digital Personal Data Protection Act 2023: Impact On Indian Healthcare Industry


The Digital Personal Data Protection Act, 2023 (DPDP Act) is a new law regulating personal data processing in India. It aims to protect the privacy rights of individuals and create a framework for data governance and accountability. The DPDP Act will significantly impact the Indian healthcare industry, which is still in its early stages of digital evolution. Some of the key impacts are:

  • The DPDP Act will require healthcare providers and entities to obtain explicit consent from data principals (individuals whose data is processed) before collecting, using, or sharing their personal health data, which is classified as sensitive personal data under the law.

  • The DPDP Act will also mandate healthcare providers and entities to implement appropriate security measures, conduct data protection impact assessments, appoint data protection officers, and comply with the codes of practice and standards issued by the Data Protection Board of India.

  • The DPDP Act will enable data principals to access, correct, erase, port, and restrict the processing of their personal health data and seek redressal for any grievances or violations of their rights.

  • The DPDP Act will create new opportunities for innovation and collaboration in the healthcare industry, as it will facilitate the use of personal health data for research, public health, emergency response, and other purposes, subject to certain conditions and safeguards.

Implications of Digital Personal Data Protection Act 2023 in Healthcare Sector

The Digital Personal Data Protection Act, 2023 (DPDP Act) will have various implications in the healthcare sector in India, such as:

  • It will require healthcare providers and entities to adopt privacy-conscious and data-responsible practices, such as obtaining explicit consent, implementing security measures, conducting data protection impact assessments, and appointing data protection officers.

  • It will enhance patient trust and confidence in using their personal health data, which is classified as sensitive personal data under the law.

  • It will create new opportunities for innovation and collaboration in using personal health data for research, public health, emergency response, and other purposes, subject to certain conditions and safeguards.

  • It will also create challenges for developing and adopting data-driven technologies, such as artificial intelligence and machine learning, which may require balancing the protection of patient privacy and the potential of these technologies.

It will interact with other existing or proposed laws and policies related to health data, such as the Ayushman Bharat Digital Mission (ABDM), which aims to create a unique health ID named ABHA and a digital health record for each person. 

Government Initiatives to Protect Patient Data

Provisions related to Protected Health Information (PHI) are governed by the Information Technology Act, 2000, together with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Patient data, including health information, is treated as sensitive personal data or information, and the IT Act offers some degree of protection to the collection, disclosure, and transfer of sensitive personal data.

Also, long before DPDP Act 2023, the Government introduced the Digital Information Security in Healthcare Act (DISHA), India’s counterpart of the Health Insurance Portability and Accountability Act (HIPAA), aimed at providing healthcare data privacy, security, confidentiality, and standardization and establishment of the National Electronic Health Authority (NeHA) and Health Information Exchanges. While this act aims to encourage the pan-India adoption of e-health standards, DISHA has not yet come into force. 

Penalties in Digital Personal Data Protection Act 2023 

Under the DPDP Act, 2023, you have the right to file a complaint with the Data Protection Board of India (DPB), which is the enforcement body established under the act, if you suspect or experience any non-compliance by a third party that collects or processes your personal data. The DPB can inquire into the complaint, direct any remedial or mitigation measures, inspect any document, summon and enforce the attendance of any person, and impose penalties for non-compliance. 

The act allows only monetary penalties for breaches or non-compliance, ranging from INR 50 crore to INR 250 crore, with a maximum penalty of INR 500 crore for significant data breaches. You can also seek compensation from the DPB for any harm caused to you due to the non-compliance by the third party. However, the act does not provide criminal liability or imprisonment for non-compliance. 

Data Principal

A key ingredient in laws in other countries is the power to impose penalties up to a particular amount as prescribed for offenses or as a percentage of total worldwide turnover, whichever is higher.

A data principal is under an obligation to not register a false or frivolous complaint with a data fiduciary or the Board, not to furnish any false particulars or suppress any material information. 

DPDP Act 2023 has introduced a penalty of up to ₹10,000/- (Rupees Ten Thousand) on the data principal for failure to comply with its proposed obligations.

The proposed DPDP Act 2023 introduces the concept of ‘Deemed Consent’, where the data principal is deemed to have given consent for processing their personal data.

Consensual processing of personal data may be done in case of medical emergencies involving a threat to life or an immediate threat to the health of the Data Principal. In the context of such processing, a parallel may be drawn with India’s draft Health Data Management Policy by ABDM released in April 2022, which also envisages provisions relating to the processing of Personal Data in case of medical emergencies. 

Notably, the ABDM contemplates the appointment of a nominee to provide valid consent on behalf of the Data Principal in case such Data Principal becomes seriously ill or mentally incapacitated or where the Data Principal is facing a threat to life or a severe threat to health and is unable to give valid consent. 

Unlike the DPDP Act 2023, the ABDM does not propose Deemed Consent in the absence of a nominee but instead shifts the right to give valid consent on behalf of the Data Principal to an adult member of the family of the Data Principal.

Despite the recommendation under the JPC Report, the DPDP Act 2023 has kept the 'Non-Personal Data' of the individuals, such as information collected by the Government, NGOs, and other private sector entities, outside its ambit. The usage of phrases 'as it may be considered necessary' and 'as may be prescribed' can lead to administrative ambiguities. The autonomy of the Data Protection Board, which is entrusted with overseeing the protection of individual's personal data and ensuring compliance with the provisions of the law, is not reassuring. Further, the Government and its instrumentalities can retain personal data for an indefinite period irrespective of whether the purpose for which data was processed has been fulfilled. 

Conclusion

By 2030 India is projected to be the world’s third-largest economy and will have one of the world’s largest digital personal data footprints in motion and at rest. 

The DPDP 2023 Act’s essentiality shines in our strengthening role in the global order. With the G20 Presidency and multiple Free Trade and Regional Trade Agreements in place, we must find solutions for Data Free Flow with Trust and cross-border data flows.

Sunday, June 25, 2023

The pros and cons of using ChatGPT in Healthcare


Generative Pre-trained Transformer, often known as GPT, is an innovative kind of Artificial Intelligence (AI) that can produce writing that seems to have been written by a person. OpenAI created this AI language model called ChatGPT. It is built using the GPT architecture and is trained on a large corpus of text data to respond to natural language inquiries that resemble a person’s requirements.


This technology has lots of applications in healthcare. It has the potential to improve the way patients interact with healthcare providers and enhance the overall quality of healthcare services. Some people will immediately embrace ChatGPT as a medical resource, while others will avoid it for as long as they can. Both feelings are justified. The man who ignited the home computer revolution, Bill Gates, believes ChatGPT will 'change the world,' claiming that AI is just as important as the PC and the internet. The need for accurate and current data is one of the major obstacles to adopting ChatGPT in healthcare. GPT must have access to precise and up-to-date medical data to provide trustworthy suggestions and treatment options.

Pros of including ChatGPT in our health care system

  1. ChatGPT can provide real-time information and support, answering patients' questions and offering guidance on health-related topics, including symptoms and treatments.
  2. It can help healthcare professionals automate various tasks and provide better treatment.
  3. ChatGPT can educate patients on various health topics, such as managing chronic conditions, understanding treatment options, and adopting healthy lifestyles.
  4. It can provide information and answer questions about health and wellness so that people can make informed decisions about their health.
  5. ChatGPT has the potential to revolutionize healthcare by providing patients and healthcare professionals with access to medical information and clinical decision support.
  6. It helps patients access medical information, such as symptoms, diagnoses, and treatment options, before or instead of an appointment.
  7. ChatGPT can help reduce the workload of healthcare professionals by automating routine tasks such as appointment scheduling.
  8. It can help improve patient outcomes by providing personalized care plans based on individual needs.
  9. ChatGPT can help reduce healthcare costs by providing more efficient care.
  10. It can help improve patient satisfaction by providing a more convenient way to access medical information.



Cons of including ChatGPT in our health care system

  1. One critical limitation is the potential for bias in the training data, which can result in biased or inaccurate responses.
  2. ChatGPT is a statistical model, lacking the medical expertise and judgment of a healthcare professional. Even if it does score over 60% on a medical test, it cannot diagnose or treat medical conditions.
  3. ChatGPT cannot provide hands-on learning experiences. Medical education requires practical training, and ChatGPT cannot replace the importance of hands-on training in medical education.
  4. ChatGPT may not be able to understand complex medical terminology or nuances that are important for accurate diagnosis and treatment.
  5. It may not be able to provide personalized care plans based on individual needs.
  6. ChatGPT may not be able to provide accurate information about rare diseases or conditions that are not well understood.
  7. It may not be able to provide accurate information about medications or treatments that are not well understood.
  8. ChatGPT may not be able to provide accurate information about alternative therapies or treatments that are not well understood.
  9. It may not be able to provide accurate information about mental health conditions or treatments.
  10. ChatGPT may not be able to provide accurate information about emergency situations.


Conclusion

ChatGPT is a state-of-the-art language model that has numerous advantages and applications in the healthcare and medical domains. It can assist medical professionals in various tasks, such as research, diagnosis, patient monitoring, and medical education. However, the use of ChatGPT also presents several ethical considerations and limitations such as credibility, plagiarism, copyright infringement, and biases. Therefore, before implementing ChatGPT, the potential limitations and ethical considerations need to be thoroughly assessed and addressed. Future research can focus on developing methods to mitigate these limitations while harnessing the benefits of ChatGPT in the healthcare and medical sectors.

Monday, December 26, 2022

Digital Personal Data Protection Bill 2022 – History & Impact in Healthcare Industry

 

On November 18, 2022, the Ministry of Electronics and Information Technology (MeitY) released the draft of the Digital Personal Data Protection Bill, 2022 (DPDP Bill 2022), inviting suggestions and comments from relevant stakeholders. In its fourth iteration since 2017, the DPDP Bill 2022 attempts a better ‘comprehensive legal framework’. Previous versions of the proposed general data protection legislation drew heavily upon the European Union’s General Data Protection Regulation (GDPR) and were dense, voluminous documents. The Bill draws inspiration from Singapore’s Personal Data Protection Act, 2012, and is a condensed and concise document. The new bill is a lot simpler than the previous one, as it has only 24 pages compared to 70 pages and 30 guidelines compared to 90 in the previous draft bill.



Let’s first understand the status of privacy in the Indian context. As per Part III of the Indian Constitution, we have many fundamental rights like Right to Life & Personal Liberty, Right to Equality, Freedom of Speech & Expression, etc. Fundamental rights provide a high degree of protection from encroachment but the fundamental right to privacy was not guaranteed under the Constitution of India till 2017. Before 2017 in many cases e.g. M. P. Sharma vs. Satish Chandra and Kharak Singh v. State of Uttar Pradesh, the status of Privacy was not recognized as a Fundamental right. In Justice K. S. Puttaswamy v Union of India, the nine Judge Bench unanimously reaffirmed the right to privacy as a fundamental right under the Constitution of India. As per instruction of the Supreme Court of India an expert committee headed by Justice B. N. Srikrishna was created to examine various issues related to data protection in India. The Committee submitted its report and a draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology.

Provisions related to Protected Health Information (PHI) are governed by the Information Technology Act, 2000, together with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Patient data, including health information, is treated as sensitive personal data or information, and the IT Act offers some degree of protection to the collection, disclosure, and transfer of sensitive personal data. Also, long before the DPDP Bill 2022, the Government introduced the Digital Information Security in Healthcare Act (DISHA), India’s counterpart of the Health Insurance Portability and Accountability Act (HIPAA), aimed at providing healthcare data privacy, security, confidentiality, and standardization and establishment of the National Electronic Health Authority (NeHA) and Health Information Exchanges. While the purpose of this act is to encourage the pan-India adoption of e-health standards, DISHA has not yet come into force.



The Digital Personal Data Protection Bill 2022 operates on a triad - Data Principal, Data Fiduciary, and Grievance Resolver. Unlike the GDPR, the bill boldly defines “harm”, “loss”, and “public interest” in small lists. A first in India’s legislative history, the bill uses “her” and “she” for an individual, irrespective of gender, a welcome populist and inclusive move. The Bill mandates obtaining consent for processing after providing notice in clear and plain language, “describing” the type of personal data sought to be collected and an ‘itemized’ list of the purposes of the processing. The DPDP Bill 2022 allows the transfer of personal data outside India to countries notified by the Indian government.



The provisions for penalties in the DPDP Bill 2022 fall far short of other data protection legislation around the world, such as GDPR or similar laws in China. In the proposed bill, Healthcare Organizations are subject to penalties of up to 500 crores for non-compliance. Other than that, the bill includes a laundry list of penalties: up to 250 crores for failing to take adequate precautions against data breaches; 200 crores for failing to notify of a breach or to comply with provisions related to children; 10 crores for violating data localization norms; 150 crores when a significant Healthcare Organization fails to carry out its additional obligations under the proposed law. A key ingredient in laws in other countries is the power to impose penalties up to a particular amount as prescribed for offenses or as a percentage of total worldwide turnover, whichever is higher.

A data principal is under an obligation to not register a false or frivolous complaint with a data fiduciary or the Board, not to furnish any false particulars or suppress any material information. DPDP Bill 2022 has introduced a penalty of up to 10,000/- (Rupees Ten Thousand) on the data principal for failure to comply with its proposed obligations.



The proposed DPDP Bill 2022 introduces the concept of ‘Deemed Consent’, where the data principal is deemed to have given consent for processing their personal data. Consensual processing of Personal Data may be done in case of medical emergencies involving a threat to life or an immediate threat to the health of the Data Principal. In the context of such processing, a parallel may be drawn with India’s draft Health Data Management Policy by NDHM released in April 2022, which also envisages provisions relating to the processing of Personal Data in case of medical emergencies. Notably, the NDHM contemplates the appointment of a nominee to provide valid consent on behalf of the Data Principal in case such Data Principal becomes seriously ill, or mentally incapacitated, or where the Data Principal is facing a threat to life or a severe threat to health and is unable to give valid consent. Unlike the DPDP Bill 2022, the NDHM does not propose Deemed Consent in the absence of a nominee but rather shifts the right to give valid consent on behalf of the Data Principal to an adult member of the family of the Data Principal.

Despite the recommendation under the JPC Report, the DPDP Bill 2022 has kept the 'Non-Personal Data' of the individuals such as information collected by the Government, NGOs, and other private sector entities, outside its ambit. The usage of phrases 'as it may consider necessary' and 'as may be prescribed' can lead to administrative ambiguities. The autonomy of the Data Protection Board which is entrusted with overseeing the protection of individual's personal data and ensuring compliance with the provisions of the law is not reassuring. Further, the Government and its instrumentalities can retain personal data for an indefinite period irrespective of whether the purpose for which data was processed has been fulfilled.

By 2030 India is projected to be the world’s third-largest economy and will have one of the world’s largest digital personal data footprints in motion and at rest. The DPDP 2022 Bill’s essentiality shines in our strengthening role in the global order. With the G20 Presidency and multiple Free Trade and Regional Trade Agreements in place, we will have to find solutions for Data Free Flow with Trust and cross-border data flows.

Thursday, February 10, 2022

Security & Privacy by Design - 'The Guiding Principle' of Health Data Management Policy by ABDM

Every byte of data has a story to tell. The question is whether the story is being narrated accurately and securely. Usually, we focus sharply on the trends around data with a goal of revenue acceleration but commonly forget about the vulnerabilities caused by bad data management. Data possesses immense power, but immense power comes with increased responsibility. In today’s world, collecting and analyzing data and building prediction models is simply not enough. Keep in mind that we are in a generation where the requirements for data security have perhaps surpassed the need for data correctness. Hence the need for Privacy by Design is greater than ever.

“Privacy by Design” and “Privacy by Default” have been frequently discussed topics related to data protection. The first thoughts of “Privacy by Design” were expressed in the 1970s and were incorporated in the 1990s into the Data Protection Directive 95/46/EC. Privacy by design is an approach to systems engineering that seeks to ensure protection for the privacy of individuals by integrating considerations of privacy issues from the very beginning of the development of products, services, business practices, and physical infrastructures. The adoption of security and privacy principles is a crucial step in building a secure, audit-ready program.

Privacy by Design is based on the following 7 principles:

  1. Proactive not Reactive; Preventative not Remedial - Privacy by Design comes before-the-fact, not after.
  2. Privacy as the Default Setting - it is built into the system, by default.
  3. Privacy by Design is embedded into the design and architecture of IT systems and business practices
  4. Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner not Zero-Sum
  5. End-to-End Security — Full Life-cycle Protection
  6. Visibility and Transparency — Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is, in fact, operating according to the stated promises and objectives.
  7. Respect for User Privacy — Keep it User-Centric

Privacy by Design in Health Data Management Policy by ABDM

Consider data protection requirements as part of the design and implementation of systems, services, products and business practices. The federated design of the National Digital Health Ecosystem ensures that no personal data other than what is required at a minimum to create and maintain Health IDs, Facility IDs or Health Professional IDs shall be stored centrally. Electronic medical records shall be stored at the health facility where such records are created, or at such other entities as may be specified by Policy. Electronic health records shall be maintained by entities specified by Policy, as a collection of links to the related medical records. ABDM shall issue appropriate technological and operational guidelines providing for the establishment and maintenance of the federated architecture, for ensuring the security and privacy of the personal data of data principals, and for maintenance of electronic medical records and electronic health records.

Prepare a privacy policy containing the following information:
(a) clear and easily accessible statements of its practices and policies;
(b) type of personal or sensitive personal data collected;
(c) the purpose of collection and usage of such personal or sensitive personal data;
(d) whether personal or sensitive personal data is being shared with other data fiduciaries or data processors;
(e) reasonable security practices and procedures used by the data fiduciary to safeguard the personal or sensitive personal data that is being processed.

The privacy policy referred shall be published on the website of the data fiduciary. In addition, the data fiduciary shall also make available a privacy by design policy on its website containing the following information:
(a) the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal;
(b) the obligations of data fiduciaries;
(c) the technology used in the processing of personal data, in accordance with commercially accepted or certified standards;
(d) the protection of privacy throughout processing from the point of collection to deletion of personal data;
(e) the processing of personal data in a transparent manner; and
(f) the fact that the interest of the data principal is accounted for at every stage of processing of personal data.

The privacy policy issued and the principles of privacy by design followed by the data fiduciaries should be in consonance with this Policy and applicable law.



Saturday, July 18, 2020

Digital Healthcare – Laws & Regulations in India


Digital health is using technologies to help improve individuals' health and wellness. These technologies include both hardware and software solutions and services, including telemedicine, web-based analysis, email, mobile phones and applications, text messages, wearable devices and clinic or remote monitoring sensors. Really it's about applying digital transformation, through disruptive technologies and cultural change, to the healthcare sector. Digital health is a multi-disciplinary domain involving many stakeholders, including clinicians, researchers and scientists with a wide range of expertise in healthcare, engineering, social sciences, public health, health economics and data management.

Digital healthcare has been around in India for a long time, but the COVID-19 pandemic has put it in the spotlight, and we are noticing mass adoption as 5 crore Indians accessed healthcare online in the last three months (Practo’s Insights Report, 18 June 2020). In a significant move, the Ministry of Health and Family Welfare (“MoHFW”) issued the Telemedicine Practice Guidelines on March 25, 2020, to provide healthcare using telemedicine, and that is another major reason behind the surge in online consultations. These Guidelines are also among the best guidelines ever published and the reason that telemedicine practice will stay in India. The Guidelines have made the practice of text/audio/video based medical care legal and regulated and thus have given platforms (mobile apps, web portals & social media) as well as doctors the standards to follow.

The legal and regulatory framework in India is, or will be, governed by the following relevant acts and bills:
  • Telemedicine Practice Guidelines by MCI & NITI Aayog, 2020
  • Personal Data Protection Bill, 2019
  • Information Technology Act, 2000 & Information Technology Rules 2011
  • Clinical Establishment Act, 2010
  • MCI Act, 1956 & MCI Regulations 2002
  • Indian Medical Council Act, 1956 and Indian Medical Council Regulations 2002
  • Drugs & Cosmetics Act, 1940 and Rules 1945
  • Other Service Providers Regulations under the New Telecom Policy 1999

In September 2013, MoHFW notified the EHR Standards (Electronic Health Record Standards) for India.  Those standards were chosen from the best available & previously used standards applicable to International EHRs, keeping in view their suitability to and applicability in India.  Accordingly the EHR Standards 2016 document is notified and is placed herewith for adoption in IT systems by healthcare institutions and providers across the country.  The MoHFW facilitated its adoption by making available standards such as the Systematized Nomenclature of Medicine Clinical Terminology (SNOMED CT) free-for-use in India, as well as appointing the interim National Release Centre to handle the clinical terminology standard that is gaining widespread acceptance among healthcare IT stakeholder communities worldwide.

In addition, the MoHFW has proposed a new bill named DISHA (Digital Information Security in Healthcare Act) to govern data security in the healthcare sector.  The purpose of this Act will be to provide for electronic health data privacy, confidentiality, security and standardization.  The MoHFW, through the proposed DISHA, plans to set up a statutory body in the form of a national digital health authority for promoting and adopting: e-health standards; enforcing privacy and security measures for electronic health data; and regulating the storage and exchange of electronic health records.

One of the most immediate changes that health tech companies may need to be prepared for is the cost of compliance – with the Personal Data Protection (PDP) Bill 2019. As of the current interpretation of the text of the PDP Bill, 2019 (which effectively can get signed into law at any time) there is no period provided to affected companies to comply with the data protection measures in the Bill. The requirement of having a privacy-by-design system in place means that for a lot of companies the cost of compliance will go up as they would have to upgrade/overhaul their data protection systems and software. This change would be akin to the one experienced by European companies when they needed to comply with the General Data Protection Regulation (GDPR), but at least, in that case, there was a period prescribed within which companies were permitted to overhaul their security systems.


Any IT company or startup in digital healthcare that plans to offer or add telemedicine/telehealth software to existing software such as healthcare CRMs, clinical software and patient management systems has to incorporate all the relevant Acts and guidelines. Doing so will help not only their clients but also the companies themselves because, as per the Telemedicine Practice Guidelines, technology platforms are obligated to follow many instructions and can otherwise be blacklisted.