Telemedicine Platforms are those that provide a technology platform (website or an app) to facilitate online medical care, through audio, visual and text based means.

Such Telemedicine Platforms must be cognisant of their practices relating to handling user (which would include patients, Medical Professional(s) [“MP(s)”] and other caregivers) data, and what impact mishandling of the same would have.

In India, the Information Technology Act, 2000 (“IT Act”), the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Data Protection Rules”) and the Information Technology (Intermediaries Guidelines) Rules, 2011 (“Intermediary Guidelines”) presently regulate how a Platform providing telemedicine services handles the data of its users. Platforms provide services that enable the recording of Sensitive Personal Data or Information (“SPDI”), and also place cookies to record user behaviour, which makes them processors of SPDI and thus liable under the IT Act and Rules.

The framework regulating patient data is set to undergo a change, although its final shape is yet to be settled. Given the sensitivity of health care data, the Indian Government proposed the Digital Information Security in Healthcare Act (“DISHA”) in the year 2018. The Ministry of Health and Family Welfare (“MoHFW”) has been deliberating upon the establishment of a National e-health Authority (NeHA) since 2015, with the goal of ensuring the development of an e-health ecosystem and enabling people-centric health services in a cost-effective manner. DISHA aims to establish NeHA and State e-health Authorities (SeHA). Moreover, the enactment of the Personal Data Protection Bill, 2019 (“PDP Bill”) and its consequent effects will also impact how Platforms provide their services.

More on this evolving framework in a later post.

Role of Platforms as Intermediaries: Active or Passive?

The applicability of the IT Act is slightly different for Platforms which are set up to only facilitate the interaction between the patient and the MP, and are not directly involved in the provision of medical care. In such cases the Platform would be considered as an Intermediary under the Intermediary Guidelines. Intermediaries are exempt from many of the liabilities/obligations placed by the IT Act on entities processing personal data.

As per section 79 of the IT Act, an Intermediary is not liable for any third party information, data, or communication link made available or hosted by it. This exemption applies only if:

i. the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted;

ii. the intermediary does not initiate the transmission, select the receiver of the transmission, AND select or modify the information contained in the transmission; and

iii. the intermediary observes due diligence while discharging its duties under the IT Act.

One of the key elements of section 79 of the IT Act is that a Platform must not a) initiate the transmission of communication/data by or between its users; b) select the receiver of the transmission; or c) select or modify the information contained in the transmission.

The manner in which a Telemedicine Platform provides its services would, more often than not, require it to facilitate a transaction and/or transmission of data initiated by its users (i.e. MPs and patients), thereby often placing more responsibility on a Telemedicine Platform than would apply to an Intermediary under the IT Act. Since a Platform needs to build its technology framework in a manner that facilitates such transactions/transmissions, this outcome may seem harsh.

However, as a defence to the same, when it comes to initiating a transmission, selecting the receiver of a transmission, or selecting or modifying the information contained in the transmission, the Courts in India have laid down the test of passivity.

Essentially, the following are the factors that could determine that a Tech Platform is playing a passive role in the ecosystem, and is therefore granted the protection of an Intermediary:

i. whether the role played by that service provider is neutral, in the sense that its conduct is merely technical, automatic and passive, pointing to a lack of knowledge or control of the data which it stores;

ii. whether platforms can be considered as being in a neutral position, or should be held as having active participation in a transmission;

iii. whether the platform is responsible for initiating the transmission, i.e., placing the listing on the website [for Tech Platforms this would mean whether or not they are actively putting, suggesting or placing on their website the services of an MP];

iv. whether the platform is involved in selecting the persons who receive the information [for Tech Platforms this would mean whether they choose/have a say (apart from legally mandated due diligence requirements on MPs) in who/what gains access to their services]; and

v. whether the entity controlling the platform has the power to select or modify the information that is being exchanged on its platform.

Thus Platforms would only be considered as Intermediaries if the technology used is passive, technical and automatic in its facilitation of Telemedicine based care.

Privacy related Protocols to be followed by Telemedicine Platforms

1. A Platform would be required to have in place a set of rules and regulations that determine how data of users of its Platform will be used. This would require the publishing of a privacy policy, user agreement, terms and conditions et al. that determine the terms of access and use of the service provided by the Platform.

2. The privacy policy and terms of use/user agreement of a Tech Platform should be designed and stated in such a way that the patients using the Platform are aware of the type of SPDI collected, the purpose for which it is collected, the intended recipients of the SPDI, and the persons/parties to whom the SPDI will be disclosed.

3. Before the SPDI of a patient/user is disclosed to a third party, or before the same is transferred, the consent of such patient/user must be acquired.

4. A Platform is required to have in place a grievance officer, whose details are provided in the user agreement/privacy policy of the Platform, and such an officer shall be required to deal with the grievances of patients/users in relation to the processing of their SPDI.

5. A Telemedicine Tech Platform is required to comply with ‘reasonable security procedures and practices’ under the IT Act. A Platform will be deemed compliant with such procedures and practices if it implements the data security standard afforded by IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”, or similar standards, to protect the SPDI.

The content of this article is intended to provide a general guide to the subject matter. It is not intended to provide specialist advice, and should not be construed as the same.

For quick consulting legal advice for telemedicine products, please reach out to us on support@treelife.in or on our website.


Treelife Ventures Services Private Limited.
All Rights Reserved. © 2020.