Notification

  • Image

    Webinar | Angel Investing in India: Mistakes First-Time Investors Avoid

    Book your seat

Data Privacy for Telemedicine Platforms

Get in touch with us

    Your information is confidential and secure


    AI Summary
    • Telemedicine Platforms are technology platforms, websites or apps, that facilitate online medical care through audio, visual and text based means between patients and Medical Professionals.
    • In India, telemedicine data handling is presently regulated by the Information Technology Act 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, and the Information Technology (Intermediaries Guidelines) Rules 2011.
    • Platforms that record Sensitive Personal Data or Information or place cookies to track user behaviour can attract liability under the IT Act, the Data Protection Rules and the Intermediary Guidelines.
    • The Digital Information Security in Healthcare Act was proposed in 2018 to establish a National e-health Authority and State e-health Authorities, a goal the government has deliberated since 2015.
    • The Digital Personal Data Protection Bill 2022 will materially affect how telemedicine platforms collect, process and safeguard patient and Medical Professional data once enacted.
    • Under section 79 of the IT Act, a platform that qualifies as an Intermediary is not liable for third party information, data or communication links it merely hosts or transmits.
    • The section 79 exemption applies only if the platform does not initiate the transmission, does not select the receiver, and does not select or modify the information transmitted, while also observing due diligence under the Intermediary Guidelines.
    • A telemedicine platform that actively facilitates transactions between patients and Medical Professionals, rather than merely hosting communication, risks losing Intermediary status and the associated liability exemption.
    • Telemedicine platforms should evaluate their technology architecture and user data workflows against section 79 criteria to determine whether they qualify as Intermediaries or bear direct data protection obligations.

    Get in touch with us

      Your information is confidential and secure


      Telemedicine Platforms are those that provide a technology platform (website or an app) to facilitate online medical care, through audio, visual and text based means.

      Such Telemedicine Platforms must be cognisant of: (a) their practices relating to handling data of patients, Medical Professional(s) (“MP(s)”) and other caregivers (hereinafter referred to as “User Data”); and (b) what impact mishandling of such User Data would have.

      In India: (a) the Information Technology Act, 2000 (“IT Act”); (b) the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Data Protection Rules”); and (c) the Information Technology (Intermediaries Guidelines) Rules, 2011 (“Intermediary Guidelines”), presently regulate how Platforms providing telemedicine services handle the data of its users.

      Platforms which: (a) provide services that enable recording of Sensitive Personal Data or Information (“SPDI”); and (b) place cookies to record user behaviour,  could become liable under the  IT Act, the Data Protection Rules and the Intermediary Guidelines.

      Given the sensitivity of health care data, the Indian Government proposed the Digital Information Security in Healthcare Act (“DISHA“) in the year 2018, and has been deliberating upon the establishment of a National e-health Authority (“NeHA”) since 2015 with a goal to ensure the development of an e-health ecosystem and enable people centric health services in a cost-effective manner. DISHA aims to establish NeHA and State e-health Authorities (SeHA). Moreover, the enactment of the Digital Personal Data Protection Bill, 2022 (“DPDP Bill”), and its consequent effect will be something that would impact how Platforms provide their services.

      Role of Platforms as Intermediaries: Active or Passive?

      The applicability of the IT Act is slightly different for Platforms which are set up to only facilitate the interaction between the patient and the MP, and are not directly involved in the provision of medical care. In such cases the Platform would be considered as an ‘Intermediary’ under the IT Act and the Intermediary Guidelines. Under the Indian legal framework, Intermediaries are exempt from many of the liabilities/obligations placed by the IT Act on entities processing personal data.

      As per section 79 of the IT Act, an Intermediary is not liable for any third party information, data, or communication link made available or hosted by it. This exemption applies only if:

      1. the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted;
      2. the intermediary does not – initiate the transmission; select the receiver of the transmission AND select or modify the information contained in the transmission; and
      3. the intermediary observes due diligence (as prescribed under the Intermediaries Guidelines) while discharging its duties under the IT Act.

      One of the key elements of section 79 of the IT Act is that a Platform must not, (a) initiate the transmission of communication/data by, between its users; and (b) select the receiver of the transmission; and (c) select or modify the information contained in the transmission.

      The manner in which a Telemedicine Platform provides its services, would more often than not, require it to facilitate a transaction and/or transmission of data initiated by their users (i.e. MPs and patients), and thereby, many a times, placing more responsibility on a Telemedicine Platform than would be applicable to an Intermediary, under the IT Act. Since a Platform would need to build their tech framework in a manner that facilitates transactions/transmissions, this circumstance may seem harsh.

      However, when it comes to initiating a transmission, selecting the receiver of a transmission or selecting or modifying the information contained in the transmission, the Courts in India have laid down the test of passivity.

      Essentially, the following are the factors that could determine that a Telemedicine Platform is playing a passive role in the ecosystem, and is therefore granted the protection of an Intermediary:

      1. Whether the role played by that service provider is neutral, in the sense that its conduct is merely technical, automatic and passive, pointing to a lack of knowledge or control of the data which it stores;
      2. Whether the platform is responsible for initiating the transmission, i.e., placing the listing on the website (for Platforms the important question would be whether there is any active uploading, suggesting or placing on such Tech Platform, the services of an MP);
      3. Whether the platform is involved selecting the persons who receive the information (for Platforms this would mean whether they choose/have a say (apart from legally mandated due diligence requirements on MPs) in who/what gains access to their services); and
      4. Does the entity controlling the platform have the power to select or modify the information that is being exchanged on its platform.

      Thus, Platforms would only be considered as Intermediaries if their conduct is passive, technical and automatic in their facilitation of Telemedicine based care.

      Privacy related Protocols to be followed by Telemedicine Platforms

      1.    A Platform would be required to have in place a set of rules and regulations in place that determine how data of users of its Platform will be used. This would require the publishing of a privacy policy, user agreement, terms and conditions et al. that determine the terms of access and use of the service provided by the Platform.

      2.    The privacy policy and terms of use/user agreement of a Tech Platform, should be designed and stated in such a way that the patients using the Platform, are aware of the type of SPDI collected, the purpose for which the same is done, the intended recipients of the SPDI and the requirement and the persons/parties to whom SPDI will be disclosed to.

      3.    Before the SPDI of a patient/user is disclosed to a third party, or before the same is transferred, consent of such patient/user must be acquired.

      4.    The Platform shall be required to have in place a grievance officer, the details of which are provided on the user agreement/privacy policy of the Platform, and such an officer shall be required to deal with the grievances of the patients/users in relation to their processing of the SPDI.

      5.    The Platform shall be required to comply with ‘reasonable security procedures and practices’ under the IT Act. A Platform will be deemed compliant with such procedures and practices if it implements the data security standard afforded by the IS/ISO/IEC 27001 on “Information Technology– Security Techniques – Information Security Management System – Requirements” or similar standards, in order to protect the SPDI.

      About the Author
      Koustubh Athavale
      Koustubh Athavale social-linkedin
      Senior Associate | Legal | koustubh.a@treelife.in

      Provides expertise in commercial contracts, dispute resolution, and data privacy. Leverages extensive experience in the startup ecosystem to deliver tailored legal solutions for diverse business needs.

      We Are Problem Solvers. And Take Accountability.

      Related Posts

      Decoding DPIIT Deep Tech for startups: eligibility and taxation
      Decoding DPIIT Deep Tech for startups: eligibility and taxation

      The Department for Promotion of Industry and Internal Trade formally defined Deep Tech Startup as a distinct legal category for...

      Learn MoreLearn More
      Data Fiduciary vs Data Processor: Redrafting Your B2B Vendor DPAs Under the DPDP Act 2023
      Data Fiduciary vs Data Processor: Redrafting Your B2B Vendor DPAs Under the DPDP Act 2023

      Most Indian B2B contracts signed before 2024 were not written with the Digital Personal Data Protection Act, 2023 in mind....

      Learn MoreLearn More
      Who Owns the Prompt? Modifying Employee IP Assignment Clauses for the GenAI Era
      Who Owns the Prompt? Modifying Employee IP Assignment Clauses for the GenAI Era

      Most Indian employment agreements assign to the employer everything an employee creates, develops, or invents during employment. That clause was...

      Learn MoreLearn More

      For Customer Support

      Mumbai | Delhi |
      Bangalore | GIFT City

      Speak to Us!

      We respond within 60 minutes.

        Your information is confidential and secure


        Let's talk.

        We've seen most founder problems before. Tell us yours.






          Typically responds within 4 hours
          Or reach out directly