Data Privacy for Telemedicine Platforms

07 July 2020

Telemedicine Platforms are those that provide a technology platform (a website or an app) to facilitate online medical care through audio, visual and text-based means.

Such Telemedicine Platforms must be cognisant of: (a) their practices relating to handling data of patients, Medical Professional(s) (“MP(s)”) and other caregivers (hereinafter referred to as “User Data”); and (b) what impact mishandling of such User Data would have.

In India: (a) the Information Technology Act, 2000 (“IT Act”); (b) the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Data Protection Rules”); and (c) the Information Technology (Intermediaries Guidelines) Rules, 2011 (“Intermediary Guidelines”), presently regulate how Platforms providing telemedicine services handle the data of their users.

Platforms which: (a) provide services that enable recording of Sensitive Personal Data or Information (“SPDI”); and (b) place cookies to record user behaviour, could become liable under the IT Act, the Data Protection Rules and the Intermediary Guidelines.

Given the sensitivity of health care data, the Indian Government proposed the Digital Information Security in Healthcare Act ("DISHA") in the year 2018, and has been deliberating upon the establishment of a National e-health Authority (“NeHA”) since 2015 with the goal of ensuring the development of an e-health ecosystem and enabling people-centric health services in a cost-effective manner. DISHA aims to establish NeHA and State e-health Authorities (SeHA). Moreover, the enactment of the Digital Personal Data Protection Bill, 2022 (“DPDP Bill”), and its consequent effect, will impact how Platforms provide their services.

Role of Platforms as Intermediaries: Active or Passive?

The applicability of the IT Act is slightly different for Platforms which are set up to only facilitate the interaction between the patient and the MP, and are not directly involved in the provision of medical care. In such cases the Platform would be considered as an ‘Intermediary’ under the IT Act and the Intermediary Guidelines. Under the Indian legal framework, Intermediaries are exempt from many of the liabilities/obligations placed by the IT Act on entities processing personal data.

As per section 79 of the IT Act, an Intermediary is not liable for any third party information, data, or communication link made available or hosted by it. This exemption applies only if:

  1. the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted;
  2. the intermediary does not: initiate the transmission; select the receiver of the transmission; AND select or modify the information contained in the transmission; and
  3. the intermediary observes due diligence (as prescribed under the Intermediaries Guidelines) while discharging its duties under the IT Act.

One of the key elements of section 79 of the IT Act is that a Platform must not: (a) initiate the transmission of communication/data by or between its users; (b) select the receiver of the transmission; and (c) select or modify the information contained in the transmission.

The manner in which a Telemedicine Platform provides its services would, more often than not, require it to facilitate a transaction and/or transmission of data initiated by its users (i.e. MPs and patients), thereby often placing more responsibility on a Telemedicine Platform than would apply to an Intermediary under the IT Act. Since a Platform would need to build its technical framework in a manner that facilitates such transactions/transmissions, this outcome may seem harsh.

However, when it comes to initiating a transmission, selecting the receiver of a transmission or selecting or modifying the information contained in the transmission, the Courts in India have laid down the test of passivity.

Essentially, the following factors could determine whether a Telemedicine Platform is playing a passive role in the ecosystem, and is therefore granted the protection of an Intermediary:

  1. Whether the role played by that service provider is neutral, in the sense that its conduct is merely technical, automatic and passive, pointing to a lack of knowledge or control of the data which it stores;
  2. Whether the platform is responsible for initiating the transmission, i.e., placing the listing on the website (for Platforms the important question would be whether there is any active uploading, suggesting or placing of the services of an MP on such Tech Platform);
  3. Whether the platform is involved in selecting the persons who receive the information (for Platforms this would mean whether they choose/have a say (apart from legally mandated due diligence requirements on MPs) in who/what gains access to their services); and
  4. Whether the entity controlling the platform has the power to select or modify the information that is being exchanged on its platform.

Thus, Platforms would only be considered Intermediaries if their conduct in facilitating Telemedicine-based care is passive, technical and automatic.

Privacy related Protocols to be followed by Telemedicine Platforms

1. A Platform would be required to have in place a set of rules and regulations that determine how data of users of its Platform will be used. This would require the publishing of a privacy policy, user agreement, terms and conditions et al. that determine the terms of access and use of the service provided by the Platform.

2. The privacy policy and terms of use/user agreement of a Tech Platform should be designed and stated in such a way that the patients using the Platform are aware of the type of SPDI collected, the purpose for which it is collected, the intended recipients of the SPDI, and the persons/parties to whom the SPDI will be disclosed.

3. Before the SPDI of a patient/user is disclosed to a third party, or before the same is transferred, the consent of such patient/user must be acquired.

4. The Platform shall be required to have in place a grievance officer, whose details are provided in the user agreement/privacy policy of the Platform, and such an officer shall be required to deal with the grievances of the patients/users in relation to the processing of their SPDI.

5. The Platform shall be required to comply with ‘reasonable security procedures and practices’ under the IT Act. A Platform will be deemed compliant with such procedures and practices if it implements the data security standard afforded by IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” or similar standards, in order to protect the SPDI.

The content of this article is for information purposes only, does not constitute advice or a legal opinion, and represents the personal views of the author. It is based upon relevant law and/or facts available at that point of time and prepared with due accuracy and reliability. Readers are requested to check and refer to relevant provisions of statute, latest judicial pronouncements, circulars, clarifications etc. before acting on the basis of the above write-up. The possibility of other views on the subject matter cannot be ruled out. By the use of the said information, you agree that the Author / Treelife is not responsible or liable in any manner for the authenticity, accuracy, completeness, errors or any kind of omissions in this piece of information or for any action taken thereof.

Post Author

- Senior Associate | Legal

Treelife Ventures Services Private Limited.
All Rights Reserved. © 2022.