07 July 2020
Telemedicine Platforms are those that provide a technology platform (a website or an app) to facilitate online medical care through audio, visual and text-based means.
Such Telemedicine Platforms must be cognisant of: (a) their practices relating to handling data of patients, Medical Professional(s) (“MP(s)”) and other caregivers (hereinafter referred to as “User Data”); and (b) what impact mishandling of such User Data would have.
In India: (a) the Information Technology Act, 2000 (“IT Act”); (b) the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Data Protection Rules”); and (c) the Information Technology (Intermediaries Guidelines) Rules, 2011 (“Intermediary Guidelines”) presently regulate how Platforms providing telemedicine services handle the data of their users.
Platforms which: (a) provide services that enable recording of Sensitive Personal Data or Information (“SPDI”); and (b) place cookies to record user behaviour, could become liable under the IT Act, the Data Protection Rules and the Intermediary Guidelines.
Given the sensitivity of health care data, the Indian Government proposed the Digital Information Security in Healthcare Act (“DISHA”) in the year 2018, and has been deliberating upon the establishment of a National e-health Authority (“NeHA”) since 2015, with the goal of ensuring the development of an e-health ecosystem and enabling people-centric health services in a cost-effective manner. DISHA aims to establish NeHA and State e-health Authorities (“SeHA”). Moreover, the enactment of the Digital Personal Data Protection Bill, 2022 (“DPDP Bill”), and its consequent effect, would impact how Platforms provide their services.
The applicability of the IT Act is slightly different for Platforms which are set up only to facilitate the interaction between the patient and the MP, and are not directly involved in the provision of medical care. In such cases the Platform would be considered an ‘Intermediary’ under the IT Act and the Intermediary Guidelines. Under the Indian legal framework, Intermediaries are exempt from many of the liabilities/obligations placed by the IT Act on entities processing personal data.
As per section 79 of the IT Act, an Intermediary is not liable for any third-party information, data or communication link made available or hosted by it. This exemption applies only if:
One of the key elements of section 79 of the IT Act is that a Platform must not: (a) initiate the transmission of communication/data between its users; (b) select the receiver of the transmission; and (c) select or modify the information contained in the transmission.
The manner in which a Telemedicine Platform provides its services would, more often than not, require it to facilitate a transaction and/or transmission of data initiated by its users (i.e. MPs and patients), which often places more responsibility on a Telemedicine Platform than would apply to an Intermediary under the IT Act. Since a Platform would need to build its technical framework in a manner that facilitates such transactions/transmissions, this outcome may seem harsh.
However, on the questions of initiating a transmission, selecting the receiver of a transmission, or selecting or modifying the information contained in a transmission, the Courts in India have laid down the test of passivity.
Essentially, the following are the factors that could establish that a Telemedicine Platform plays a passive role in the ecosystem, and is therefore granted the protection of an Intermediary:
Thus, Platforms would be considered Intermediaries only if their conduct in facilitating telemedicine-based care is passive, technical and automatic.
3. Before the SPDI of a patient/user is disclosed to a third party, or before the same is transferred, the consent of such patient/user must be obtained.
5. The Platform shall be required to comply with ‘reasonable security procedures and practices’ under the IT Act. A Platform will be deemed compliant with such procedures and practices if, in order to protect the SPDI, it implements the data security standard afforded by IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” or similar standards.
The content of this article is for information purposes only, does not constitute advice or a legal opinion, and reflects the personal views of the author. It is based upon the relevant law and/or facts available at that point of time and has been prepared with due accuracy and reliability. Readers are requested to check and refer to the relevant provisions of statute, latest judicial pronouncements, circulars, clarifications etc. before acting on the basis of the above write-up. The possibility of other views on the subject matter cannot be ruled out. By using the said information, you agree that the Author / Treelife is not responsible or liable in any manner for the authenticity, accuracy, completeness, errors or omissions of any kind in this piece of information, or for any action taken on the basis of it.
Treelife Ventures Services Private Limited.
All Rights Reserved. © 2022.