In 2020, the Ministry of Health and Family Welfare released the Telemedicine Practice Guidelines (“TPG”)[1] to ensure continuity of care and break geographical barriers to accessing healthcare (our full summary of the TPG can be accessed here). However, as far as telehealth technology platforms go, the TPG is the tip of the iceberg. Several other laws apply to telehealth products.
In this post, we draw on our experiences from advising various telehealth platforms, to outline some steps for launching an agile and compliant telehealth product (the “Technology Platform” or “Product”).
2. Steps for launching your telehealth start-up:
- Step 1: Know your product:
Half the job is done if you know your Product in microscopic detail. This means having a clear idea of the features and services being offered, their intended use, and the various entities interacting through or with those features or services. An indicative list of questions, based on legal considerations, for evaluating your product and your vision for the product is presented here:
- Are patients able to input health records (e.g., scans, doctors’ notes, lab reports) and health-related information (e.g., height, weight, sugar values), and if yes, in what format?
- Who can access these health records and health-related information? What is the process for access and sharing such health records and health-related information (e.g., OTP authentication)?
- Will you share articles and tips on the management of health?
- Will there be fields or areas where doctors and other healthcare-related professionals/establishments can input information/records of the patients they treat?
- Will the Product enable patients to book other services (e.g., lab work, radiology scans, etc.)?
- Will the Product rely on third-party applications for providing its services?
It is helpful to know the needs and on-ground realities of the various entities using your product. This includes knowing who your target end-user is (e.g., are there linguistic or knowledge barriers that you need to account for in your product’s terms of use?), and what challenges are faced by healthcare-related professionals and establishments (e.g., what does their daily workflow look like, and is your product easing this flow or adding to their workload?).[2]
- Step 2: Mapping your Product with the law:
Knowing your product means the applicable laws can be mapped to ascertain the following:
No. | Issue | Explanation and illustration |
1. | What do laws require of your Product? | This will depend on the features of your Product and the services provided through it. Some examples of the kinds of requirements that different features/services will attract are listed here: (i) On-boarding healthcare professionals. You will need to ensure that healthcare-related professionals or entities have licenses under applicable laws, and report malpractice to the Board of Governors of the National Medical Commission. Failure to do so will result in the blacklisting of your product, meaning that doctors can no longer provide healthcare services through your product.[3] Their credentials must also be visible to all patients, not just in the listing, but also during the tele-consult. Additionally, each profession will have specific credentials and requirements for its professionals. There may even be multiple legal requirements. For example, with mental health professionals, there may be requirements under the National Commission for Allied Health Professionals Act, 2021, the Mental Health Act, 2017, the Rehabilitation Council of India Act, 1992, and the Rights of Persons with Disabilities Act, 2016. (ii) Grievance redressal. Various laws, like the TPG, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Guidelines”), and the Consumer Protection (E-Commerce) Rules, 2020, require a grievance officer and a grievance redressal procedure to be available to users of your Product.[4] (iii) Data Protection. You will need to comply with data protection laws if your Product creates user profiles and/or collects, stores, or processes medical records/history, information about the physical, physiological and mental health condition or biometric information of your end-users (i.e., patients using your Product to access the healthcare services so listed). You will be required to get consent from all the users of your product (e.g., doctors, labs, patients, etc.) before collecting such information.[5] You will also need a privacy policy that details the kinds of information being collected and their purpose(s), instances of disclosure of information, and the reasonable security measures taken to protect their information. (Please note that the impending Personal Data Protection Bill, 2019 will require data protection measures that are more granular. Our compliance checklist for this Bill can be read here). (iv) Content from you. Where you share articles and tips on the management of health, disclaimers to remind users that such information/articles are not medical advice are necessary to ensure patients are not misled. As per the TPG, only ‘registered medical practitioners’[6] (e.g., doctors) are allowed to provide health education and counselling[7] to patients.[8] Additionally, where you choose to write articles or source them from, say, doctors using your Product, you may be treated as a ‘publisher of online curated content’[9], and thus have further obligations.[10] This includes ensuring a grievance redressal mechanism, implementing and participating in the levels of self-regulation, and adhering to the general principles for online curated content in the Code of Ethics, appended to the Intermediary Guidelines. (v) Content from your Product users. Where the platform facilitates user interactions, say it makes users’ posts visible to other users, hosts user-generated content, or acts as an online marketplace, the platform can qualify as an “intermediary” and can be absolved of liability for the content. To avail of this benefit, the platform will have to conduct certain ‘due diligence’: publish a privacy policy and user agreement;[11] inform users not to post certain content;[12] take down content where required by appropriate authorities;[13] and inform users that the company can terminate access to the platform, at least once a year.[14] (vi) Application of the Medical Device Rules, 2017. Where the Product offers technology tools (e.g., AI/ML-based solutions) intended for (a) diagnosis, prevention, monitoring, treatment, or alleviation of any disease or disorder; or (b) diagnosis, monitoring, treatment, alleviation or assistance for, any injury or disability, such tools may fall under the laws that regulate medical devices in India. Such tools would be considered stand-alone medical devices (or software as medical devices), under the Medical Device Rules, 2017, and would need evaluation and appropriate licenses for use. While currently, no stand-alone software solutions have been notified for consideration under the Medical Device Rules, 2017, it is very possible in the near future, considering the expansion of the HealthTech industry. (Our analysis of the likelihood of this can be read here). |
2. | What is permissible under healthcare regulation? | The TPG is clear on what is permissible through a tele-consult. This may have implications for the Product or the healthcare-related professionals using the Product: (i) For an emergency, patients must be advised to take in-person care, and any support provided through teleconsultation should be confined to first aid, life-saving measures, and advice/referral to an in-patient care option.[15] (ii) Registered medical practitioners cannot prescribe drugs listed in Schedule X of the Drugs and Cosmetics Act, 1940 and Rules, 1945, and narcotic and psychotropic drugs listed under the Narcotic Drugs and Psychotropic Substances Act, 1985, through a tele-consult.[16] (iii) Diagnosis and care of a patient’s condition cannot be done purely by AI/ML algorithms. A doctor must provide the final diagnosis and treatment plan.[17] This may impact your Product’s UI/UX and/or the kind of features you offer (e.g., a Product may offer AI/ML imaging of diagnostic scans, but such a feature should only be accessible to doctors, and not open for patients, lest it become a tool for self-diagnosis, or it appear that the Product itself is providing diagnosis and counselling). Companies must inform registered medical practitioners, healthcare-related professionals, and end-users of what is and isn’t permissible at the time of onboarding, in addition to examining their Product’s UI/UX and features. |
3. | What are the legal requirements of entities listed and/or using your Product? | If you are an aggregator of healthcare services (e.g., tele-consults for telehealth, providing listings and bookings for blood banks, ambulance facilities, clinical establishments, etc.) and service providers (e.g., registered medical practitioners, clinical establishments), you will need to ensure that all entities so aggregated have the appropriate licenses under laws applicable to them. Some examples include: (i) The sale of medicines is regulated under the Drugs and Cosmetics Act, 1940 and Rules, 1945. Therefore, either you or the entities you partner with to fulfil either of these services (e.g., pharmacies) will need appropriate licenses under this law. (ii) Clinical Establishments (e.g., clinics, hospitals, diagnostics labs/centres) should be appropriately accredited by various standard-setting bodies, like the National Board for Accreditation of Hospitals, or the National Board for Testing and Calibration Laboratories. |
- Step 3: Document the Product and legal specifications:
The final step involves ensuring that:
- Legal documentation is available for the Product and onboarding of each entity (i.e., patients, healthcare professionals, healthcare service providers, or clinical establishments). This should include (i) a privacy policy for each entity; (ii) terms of use for each entity that clearly define the Product, its features and services, the relationship between entities on the platform, and the relationship between you and each entity; and (iii) contractual arrangements to articulate the obligations, liabilities, and commercial arrangements (lest you be held liable for medical injury resulting from the care provided on your platform by, say, a doctor or diagnostic lab).
- The workflows in the Product, and their corresponding responsibilities for you, are mapped internally across the lifecycle of each entity’s use of the Product. This is particularly relevant for health data management, to ensure that there is clarity on (i) user consent; (ii) entry points of data in the Product; and (iii) access and control protocols on which entity can access which data, and for what purpose.
3. Conclusion:
Against the backdrop of the COVID-19 lockdown, and the release of the TPG, numerous start-ups and clinical establishments all across the country have begun developing and offering telehealth services. One report estimates that the Indian telemedicine market will grow at a 31% CAGR between 2020-2025 (to USD 5.5 billion), adding that teleconsultations, telepathology, teleradiology, and e-pharmacy are sectors experiencing an “encouraging stimulus” due to the pandemic.[18] Whilst being a part of this much-needed boom, it is key that all HealthTech products have strong legal foundations, not merely as a matter of regulatory compliance, but to build trust in such products and ensure that internally, HealthTech companies’ processes are calibrated to ensure patient safety from multiple angles. By breaking it down into steps, companies can ensure the roll-out of compliant and trustworthy Products.
This piece has been authored by Shambhavi Ravishankar, Associate, Ikigai Law, with inputs from Anirudh Rastogi, Founding and Managing Partner at Ikigai Law.
For more on the topic, please get in touch at contact@ikigailaw.com
[1] https://www.mohfw.gov.in/pdf/Telemedicine.pdf
[2] Amit Sharma, Stream of challenges facing self-funded healthcare start-ups, https://www.biospectrumindia.com/views/59/18426/stream-of-challenges-facing-self-funded-healthcare-startups.html (April 13, 2021); “What the healthcare startups are missing is that they have been created by engineers who are completely unaware of a doctor’s workload or operational methods”
[3] Para 5.7., Telemedicine Practice Guidelines, 2020, https://www.mohfw.gov.in/pdf/Telemedicine.pdf
[4] Telemedicine Practice Guidelines, 2020; Consumer Protection (E-Commerce) Rules, 2020, https://consumeraffairs.nic.in/sites/default/files/E%20commerce%20rules.pdf.
[5] Rule 5, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, https://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf.
[6] Para 1.1.3., Telemedicine Practice Guidelines, 2020, “Registered Medical Practitioner: For the purpose of this document a ‘Registered Medical Practitioner’ is defined as a person who is enrolled in the State Medical Register or the Indian Medical Register under the IMC Act 1956.”
[7] Para 3.7.2., Telemedicine Practice Guidelines, 2020, “Health Education: An RMP may impart health promotion and disease prevention messages. These could be related to diet, physical activity, cessation of smoking, contagious infections and so on. Likewise, he/ she may give advice on immunizations, exercises, hygiene practices, mosquito control etc.”; Para 3.7.3., Telemedicine Practice Guidelines, 2020, “Counselling: This is specific advice given to patients and it may, for instance, include food restrictions, do’s and don’ts for a patient on anticancer drugs, proper use of a hearing aid, home physiotherapy, etc to mitigate the underlying condition. This may also include advice for new investigations that need to be carried out before the next consult”.
[8] Para 5.4., Telemedicine Practice Guidelines, 2020.
[9] Rule 2(1)(u), Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
[10] Part III: Code of Ethics and Procedure and Safeguards in relation to Digital Media, Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
[11] Rule 3(1)(a), Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
[12] Rule 3(1)(b), Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
[13] Rule 3(1)(d), Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
[14] Rule 3(1)(c), Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
[15] Para 1.4.2.3., Telemedicine Practice Guidelines, 2020.
[16] Prescribing medicine, Prohibited List, Para 3.7.4., Telemedicine Practice Guidelines, 2020.
[17] Para 5.4., Telemedicine Practice Guidelines, 2020.
[18] Ernst & Young and IPA, Healthcare goes mobile: Evolution of teleconsultation and e-pharmacy in new Normal, https://assets.ey.com/content/dam/ey-sites/ey-com/en_in/topics/health/2020/09/healthcare-goes-mobile-evolution-of-teleconsultation-and-e-pharmacy-in-new-normal.pdf (September 2020)