One of the few silver linings to emerge from the tragic disruption wrought by the brutal and ongoing Covid-19 pandemic has been the unprecedented adoption of digital technologies in the life sciences and healthcare industry, globally.
As the pandemic brought clinical trials, supply chains and sales rep visits to a grinding halt, new ways of working, collaborating and living suddenly emerged. Change was now necessary, not optional. The life sciences industry “transitioned from a technologically averse, inwards looking model, to working in an agile and collaborative manner”. Novel technologies that were expected to evolve over a decade were adopted in months, sometimes days. Vaccines were developed and approved over the fastest timeline in human history. Clinical trials became “remote” and “decentralised”. The industry pivoted to embrace the new operational realities that were emerging. And patients became more amenable to remote healthcare solutions, triggering an overnight explosion in the proliferation, evolution and financing of “healthtech”.
Yet, even as technology leaps ahead, law often plays the laggard, cautiously placing one foot in front of the other. This appears to be true of the healthtech sector in India today.
In this piece, we look at some of the different kinds of healthtech platforms operating in India today, and analyse the patchwork of laws and regulations that struggle to regulate the sector.
These are some of the more popular healthtech players in the market right now (with more crashing through the window every day):
- Telemedicine platforms: Platform aggregators provide details of registered medical practitioners and offer teleconsultation services. Platforms also aggregate tele-psychotherapy service providers.
- E-pharmacies: The two models in this sector involve: (i) pharmacies that carry their own inventory and operate online, selling drugs against prescriptions (Netmeds); and (ii) pharmacy platforms that operate as “online marketplaces” of brick-and-mortar pharmacists (PharmEasy, Onemg).
- Wearable self-monitoring health devices: Medical devices that can be worn and used to track weight, sleep patterns, diet and exercise routines, collect and process user data. These devices can empower consumers to better track and manage their health and provide new options for facilitating prevention, early diagnosis of life-threatening diseases, and management of chronic conditions outside of traditional healthcare settings.
- Digital health data aggregation systems: The business model is designed to aggregate patient records and provide a one-stop solution. This model recognises that health data has been available for a while, but piecemeal, disaggregated and in siloed platforms. The need to mine real world data generated from disparate sources and drive interoperability, has led to the rapid growth of scalable unified cloud platforms, aiming to create a connected healthcare ecosystem.
The Rules of the Game
The legal and regulatory framework that governs healthtech companies is largely a patchwork of existing technology, consumer and data protection laws with a few healthtech specific regulations sprinkled in:
- Telemedicine Practice Guidelines, 2020
The Telemedicine Practice Guidelines notified in March 2020 provide a framework for registered medical practitioners to follow for teleconsultations. The unique feature of these guidelines is the specific focus on platform aggregators. Guideline 5 lays down certain mandatory guidelines for these platforms. For instance, they must ensure that consumers consult only with “registered medical practitioners” (RMPs) i.e. professionals duly registered with national or State Medical Councils, conduct their due diligence before listing any RMP on its online portal, and create a proper grievance redressal mechanism. The Guidelines also clarify that technology platforms based on artificial intelligence/machine learning are not allowed to counsel the patients or prescribe any medicines to a patient. Only a RMP is entitled to counsel or prescribe and has to directly communicate with the patient in this regard. The Guidelines also prescribe strict consequences for non-compliance including blacklisting of the platform.
In April 2020, the Department of Clinical Psychology, National Institute of Mental Health and Neurosciences issued the guidelines for tele-psychotherapy services. However, unlike the Telemedicine Practice Guidelines, these do not appear to impose separate obligations for platforms providing aggregation services.
- Consumer Protection Act, 2019, and the Consumer Protection (E-Commerce) Rules, 2020
These rules have been put into place to regulate e-commerce marketplaces. Since several platforms have online stores where customers can purchase fitness equipment and health supplements, compliance with these rules would also become relevant. These platforms must require sellers “to ensure that descriptions, images, and other content pertaining to goods or services on their platform are accurate and correspond directly with the appearance, nature, quality, purpose and other general features of such good or service”. This information must be provided in a clear and accessible manner. Further, these platforms must also publish the terms and conditions that govern their relationship with sellers on its platform, a description of any differentiated treatment which they give or might give between goods or services or sellers of the same category.
For inventory e-commerce entities, the duties include display of accurate information relating to all sale related details (return/exchange/payment method/shipping, etc.), ensuring accuracy in advertisements and ensuring authenticity of products as advertised.
- Food Safety and Standards (Health Supplements, Nutraceuticals, Food for Special Dietary Use, Food for Special Medical Purpose, Functional Food, and Novel Food) Regulations, 2016 (the Nutraceuticals Rules)
Due to the nature of the product, there are certain additional rules for sale of health supplements, nutraceuticals and the like. The rules require food business operators to ensure that health claims in respect of an article are based on adequate level of documentation and valid proof and that these non-drug claims are subject to prior approval by the Food Authority. Further, comprehensive product information, safety and claims support data and shall periodically get it reviewed and scrutinised by a scientist or expert with relevant qualifications and experience. Since healthtech businesses act as platforms hosting these products, in order to comply with due diligence obligations in the intermediary guidelines, they must reasonably comply with these regulations as well.
- Drugs and Cosmetics Act, 1940 and Drugs and Cosmetics Rules, 1945
The principal legislation governing the manufacture, sale, and distribution of drugs and cosmetics in India is the Drugs and Cosmetics Act, 1940 (D&C Act) read with the Drugs and Cosmetics Rules, 1945 (D&C Rules), and the Pharmacy Act, 1948.
The D&C Act requires that, in order to manufacture for sale or distribution, sell, distribute, or stock, or offer for sale, the person must have a valid licence. Further, drugs in Schedule H, Schedule H-1 or Schedule X of the D&C Rules can be sold only against a valid prescription signed by a registered medical practitioner. For the issuance of a prescription, it is mandatory for the RMP to examine the patient as required by the Medical Council of India. This calls into question the model of telephonic authorisation to sell prescription drugs.
According to the draft Drugs and Cosmetics (Amendment) Rules, 2018 (aka the E-Pharmacy Rules – see below), a prescription generated by the e-pharmacy, through its own panel of doctors would also be valid.
For those who believe prescriptions are the weak link in the business model of online pharmacies and ask what systems and controls such pharmacies must implement to verify the authenticity of prescriptions, or argue that a doctor employed by an organisation that sells drugs may have a conflict of interest while prescribing those drugs, it is worth noting that the draft E-Pharmacy Rules do not address these points.
The Drugs and Cosmetics Act also deals with counterfeiting of drugs. Manufacturing, sale and distribution (Sections 16, 17-A, 17-B and 18) and import (Sections 9-A, 9-B and 10) of counterfeit drugs is prohibited and attracts penalty (Sections 13 and 27).
- Drugs and Cosmetics (Amendment) Rules, 2018 (E-Pharmacy Rules)
The D&C Act and D&C Rules govern the offline sale of drugs but understandably, do not make specific reference to online sale. The Pharmacy Act, 1948 and Pharmacy Practice Regulations, 2015 impose certain obligations and duties on pharmacists in connection with the preparation and sale of drugs, but again do not appear to envisage online sales of drugs.
To regulate the sale of drugs online, a sub-committee was constituted by the Drugs Consultative Committee, a statutory body under the D&C Act. Based on the recommendations of this sub-committee submitted in its 2016 report, the draft E-Pharmacy Rules were issued but not notified by the Ministry of Health and Family Welfare on 28-8-2018.
These rules have not yet been notified and as such, are not yet law. In their draft form, they provide legal recognition to e-pharmacies that are currently operating without a specific legislation to govern them. Under these rules, an e-pharmacy has been defined as “the business of distribution or sale, stock, exhibit or offer for sale of drugs through web portal or any other electronic mode”. (Rule 67-I)
This raises the question as to whether the business model followed by certain online pharmacies that do not carry their own inventory and only provide an online marketplace for licensed pharmacies even falls within the definition of an e-pharmacy. This was the argument raised by a group of online pharmacies before the Madras High Court in Tamil Nadu Chemists and Druggists Assn. v. Union of India and Delhi High Court in Zaheer Ahmed v. Union of India, as a defence against petitions filed in those courts seeking a ban on online sales of drugs. While the Delhi High Court did ban online sale of drugs, the Madras High Court did not.
The rules provide for mandatory registration of the e-pharmacy (Rule 67-J) and setting up a grievance redressal mechanism [Rule 67-N(2)]. E-pharmacies must register with the Central Licensing Authority and pay a licence fee of 50,000 rupees (Rule 67-L). The rules clarify that e-pharmacy registration holder shall not carry out e-pharmacy with respect to the drugs covered under the categories of the narcotic and psychotropic as referred to in the Narcotic Drugs and Psychotropic Substances Act, 1985 (61 of 1985), tranquilisers and the drugs as specified in Schedule X of Drugs and Cosmetics Rules (Rule 67-M). The e-pharmacy registration holder, on receipt of the prescription shall arrange the registered pharmacist to verify the details of the patient and dispense the drugs.
However, this does not line up with the recommendations by a sub-committee constituted by the Drugs Consultative Committee under the Drugs Controller General of India (DGCI) in 2016 which recommended online sale of drugs on the basis of an electronically generated and digitally signed prescription to prevent misuse (multiple use of one prescription or forged prescriptions).
The sub-committee had noted that there are some “alarming risks” involved in case of sale of drugs through the internet. First, monitoring of fake and illegal pharmacies could be a challenge and cyber experts need to be employed to tackle such cases. Secondly, a scanned copy of a prescription is not considered authentic under the D&C Act as well as under the Information Technology Act, 2000. One prescription can be uploaded on two different e-pharmacy sites, leading to drug abuse.
Further, Electronic Health Record (EHR) Standards, 2016 issued by Ministry of Health, also state that it must be ensured that e-prescription is digitally signed by a registered medical practitioner. These stipulations are not found in the E-Pharmacy Rules.
There are, however, in-built privacy safeguards within the rules. Rule 67-K provides that the information collected by the e-pharmacy through prescriptions or otherwise cannot be shared with any other person apart from the Central/State Government for “public health purposes”. Further, there is a strict data localisation mandate. Rule 67-K(3) provides that:
(3) The e-pharmacy portal shall be established in India through which they are conducting the business of e-pharmacy and shall keep the data generated localised:
Provided, that in no case the data generated or mirrored through e-pharmacy portal shall be sent or stored, by any means, outside India.
Finally, there is a bar on advertising drugs through e-pharmacy. Rule 67-S provides that “No e-pharmacy shall advertise any drug on radio or television or internet or print or any other media for any purpose.”
Healthtech is the blue-eyed belle of the venture capital ball this season. Like most innovative and disruptive new age industries, it has moved fast, broken things and asked permission later.
Law continues to lag behind commerce in this fast-paced industry, in particular, the law relating to privacy and data protection. Healthtech players collect a tremendous amount of sensitive personal data, especially self-monitoring health devices. Part 2 of this piece will focus on data and privacy laws as they apply to healthtech.
† Shantanu is the founder of Ronin Legal, a legal boutique with a focus on pharma, biologics and healthcare. He can be reached at firstname.lastname@example.org and on Twitter [@LegalRonin].
Varunavi Bangia’s research has been acknowledged by the Author.
 WP No. 11711 of 2018