Digital Health

Market overview and transactional issues

Key market players and innovations

1 Who are the key players active in your local digital health market (eg, healthcare providers, research partners, government and academic institutions and investors) and what are the most prominent areas of innovation?

Some of the key players active in the local digital health market in India are:

• Medtronic;

• Narayana Hrudayalaya;

• Roche Diabetes;

• Practo Technologies;

• SigTuple;

• M-fine;

• 1mg Technologies;

• Pharmeasy;

• Qure.ai;

• Medlife;

• NetMeds;

• DocsApp;

• Medplus;

• Healthians;

• L&T Technology Services;

• Plexus;

• MedikaBazaar;

• GE Healthcare;

• IBM & Partners;

• CureFit; and

• CallHealth.

The most prominent areas of innovation in digital health in India are broad divisions of pharmacy, home healthcare, diagnostics and biotech. These include telemedicine, telehealth, video consultation, m-health, wearable sensors, robot-assisted surgery, electronic health records, big data in healthcare, Internet of Medical Things, e-pharmacies, electronic health records, health service aggregation, big data in healthcare, targeted advertising, e-learning in the healthcare sector, cloud computing and artificial intelligence.

Investment climate

2. How would you describe the investment climate for digital health technologies in your jurisdiction, including any noteworthy challenges?

India has been a hotbed for investments in the healthcare sector. This is evidenced from the fact that 53 per cent of the angel investments in 2019 were in this sector. In Q1 2020, there were 21 deals, in comparison to 14 deals in Q1 2019, a 50 per cent increase in terms of volume. Further, in terms of value, there was an increase of 14 per cent, to US$452 million in comparison to US$398 million in Q1 2019.

Owing to the steady inflow of foreign direct investment (FDI) and venture capital investment, as well as the support of the Indian government in the form of welfare initiatives, the digital health system in India is developing at a rapid pace. According to a 2019 report by Royal Philips, India is a frontrunner in the adoption of digital health technology because 76 per cent of healthcare professionals are already using digital health records. Further, it is estimated that by 2025, the Indian e-health sector will grow almost 13 times to become a US$16 billion market. In 2020, the number of angel/seed investments have been the highest to date, as compared to venture capital, private equity and public equity, with 57 per cent of the total angel investments going towards the healthcare technology sector. There were nine angel/seed deals in health tech in Q2 2020 in comparison to the three deals in Q1 2020, an increase of 300 per cent.

Having said that, there are still a few challenges involved while investing in India’s digital health sector, with the most important one being the high costs involved. Further, since the Indian exchange control regulations permit foreign investment up to 51 per cent in multi-brand retail under the government approval route, and that too is subject to several conditions, a majority investment by a foreign investor in a hospital entity operating an in-house pharmacy could result in regulatory issues. Thus, investors should be aware of the regulatory requirements. Investors should also evaluate the percentage of revenues derived via medical devices, whose prices are capped, since these would have a direct impact on the overall assessment of revenues.

Recent deals

3 What are the most notable recent deals in the digital health sector in your jurisdiction (eg, investments, partnerships and joint ventures)?

Some of the noteworthy deals over the years in the digital health sector in India have been:

● Narayana Hrudayalaya received funding of about US$48 million in 2015 from UK-based development finance institution CDC, for expanding affordable treatment in India;

● Practo Technologies raised about US$55 million in Series D round of funding in 2017. Practo also raised about US$32 million in 2020;

● SigTuple, a diagnostic startup, raised about US$16 million in Series C round of funding in 2019;

● M-fine, a health-tech startup, raised about US$17.2 million in Series B funding in 2019;

● DocsApp, an online doctor consultation app, announced a merger with MediBuddy, a digital consumer health business for enterprises, in 2020;

● Muse Wearables, maker of AI-powered hybrid smartwatch tracking health vitals, raised about US$3 million in 2020;

● BestDoc, an intelligent patient relationship management system that helps hospitals save on staffing costs and improve operational efficiency raised about US$2.1 million in 2020;

● Dozee, a developer of contactless vitals monitoring devices for chronic disorder management, parent care and critical patient monitoring, raised about US$1.7 million in 2020;

● PlumHQ, an online health insurance price comparison platform, raised about US$1 million in 2020;

● Wellcure, an online health and natural wellness information platform, raised about US$200,000 in 2020;

● Oga Fit, a home workout app that provides boutique digital fitness studio experience for users, raised an undisclosed amount of pre-Series A funding in 2020;

● HealthPlix, a healthtech startup raised about US$6 million in 2020;

● IVF Access, a healthcare startup focused on providing in vitro fertilisation (IVF) treatments in India, raised about US$5 million in Series A funding in 2020;

● Phable, a healthtech startup, raised about US$1 million in 2020;

● Remedo, a startup in the telemedicine vertical, raised an undisclosed amount in pre-Series A round of funding;

● Zealthy, a healthcare startup for women, raised an undisclosed seed funding;

● 1mg Technologies raised about US$10 million in funding in 2020. 1mg Technologies also raised about US$70 million in 2019; and

● Netmeds, an online pharmacy marketplace, was acquired by Reliance Retail Ventures Ltd in 2020.

Due diligence

4 What due diligence issues should investors address before acquiring a stake in digital health ventures?

Besides the due diligence that needs to be conducted in any investment, some of the key issues that venture capital and private equity firms should consider before investing in digital healthcare ventures include having a proper business plan; assessing the market opportunity; forming strategic partnerships; understanding the financial and key metrics of the business; identifying and taking steps to mitigate the potential risk for business; calculating the expected valuation; and taking steps for IP protection.

Financing and government support

5 What financing structures are commonly used by digital health ventures in your jurisdiction? Are there any notable government financing or other support initiatives to promote development of the digital health space?

Digital health ventures in India commonly rely on FDI or foreign venture capital investment. Under the automatic route, FDI in the hospital sector and in the manufacture of medical devices is permitted up to 100 per cent, whereas in the pharmaceutical sector, FDI is permitted up to 100 per cent in greenfield projects (new projects that are coming up in India) and up to 74 per cent in brownfield projects (existing projects in India). FDI beyond 74 per cent in brownfield projects requires government approval.

The Indian government has fostered an entrepreneurial environment for digital health through its various digitisation initiatives, such as the digital biometric identification programme (Aadhaar), the National Health Portal, e-Hospital and Integrated Health Information Programme. The Prime Minister also tweeted in April 2020: ‘We are already seeing several consultations without actually going to the clinic or hospital. Again, this is a positive sign. Can we think of business models to help further telemedicine across the world.’

Some of the other noteworthy initiatives by the government in the digital health care system are:

● on August 15, 2020, the Prime Minister unveiled the National Digital Health Mission, under which every Indian will get a unique health ID that will store the individual's medical records, including doctor visits, diseases, line of treatment and drugs taken. The digital platform will be launched with four key features: health ID, personal health records, Digi Doctor and health facility registry;

● launch of the Aarogya Setu Mobile app on 2 April 2020, with guidance from National Informatics Centre, which helps citizens identify the risk of contracting covid-19, trace potential victims and alert individuals and government regarding the potential number of patients and their locations. The app uses Bluetooth, location tracking and artificial intelligence;

● framing the Telemedicine Practice Guidelines, which seek to regulate the practice of remote clinical consultations through video, audio, email or text;

● National Health Stack and National eHealth Authority (NeHA), under which the government aims to compile digital health records for all citizens by 2022 to leverage the benefits of telemedicine and e-health for Indians. NeHA is a promotional, regulatory and standards-setting organisation in the health sector that aims to formulate a strategy for coordinated e-health adoption in the country; oversee the orderly evolution and guide the adoption of e-health; promote the setting up of state health records repositories and health information exchanges; formulate and manage all health informatics standards for India; and lay down policies and guidelines for managing patients’ data in accordance with laws as well as enforce laws pertaining to privacy, confidentiality and security of patients’ health information and records, among others;

● the e-Sanjeevani online platform, which enables two types of telemedicine services: doctor-to-doctor and OPD (patient-to-doctor) consultations;

● the proposed Digital Information Security in Healthcare Act seeks to formally establish NeHA and facilitate the online exchange of patient information with a view to preventing the duplication of work and streamlining resources;

● the proposed Personal Data Protection Bill 2019 (PDP) in its current form requires sensitive personal data or information to be processed only with the explicit consent of the data principal or to respond to a medical emergency involving a threat to life or a severe threat to the health of the data principal or any other individual. Currently, the government has not notified any form of personal data as critical personal data. However, health data may be classified as critical personal data under the PDP; and

● in 2019, NATHEALTH announced that it plans to infuse seed investment of up to US$1.5 million in healthcare start-ups, in collaboration with Well Technologies Ltd (Well Tech). Further, a partnership of NATHEALTH and the National Association of Software and Services Companies was also announced for bringing the benefits of technology, such as IoT and AI, to the healthcare sector.

Legal and regulatory framework

Legislation

6 What principal legislation governs the digital health sector in your jurisdiction? (Is there bespoke digital health legislation?)

There is no single piece of legislation that governs the digital health sector. The legal and regulatory framework in the digital health sector is usually governed by following:

● the Information Technology Act 2000, the Information Technology (reasonable security practices and procedures and sensitive personal data or information) Rules 2011, and the Information Technology (Intermediaries Guidelines) Rules 2011;

● Other Service Providers Regulations under the New Telecom Policy 1999;

● the Drugs and Cosmetics Act 1940 and Drugs and Cosmetics Rules 1945;

● the Indian Medical Council Act 1956 and the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations 2002;

● Telemedicine Practice Guidelines released on 25 March 2020;

● the Drugs and Magic Remedies Act 1954 and Drugs and Magic Remedies (Objectionable Advertisements) Rules 1955;

● Telecom Commercial Communication Customer Preference Regulations 2018;

● the Clinical Establishments (Registration and Regulation) Act 2010;

● the proposed Digital Information Security in Healthcare Act (DISHA) and

● the proposed National eHealth Authority and State eHealth Authorities.

Regulatory and enforcement bodies

7 Which notable regulatory and enforcement bodies have jurisdiction over the digital health sector?

At the national level, the Ministry of Health and Family Welfare (MoHFW), and at the state level, the department of health and family welfare of each state, regulate this sector. Going further down, each regional and zonal set-up covers three to five districts under the authority delegated by the State Directorate of Health Services. The management at the district level works as a link between the state and the regional bodies at one end and primary health centres at the other. At the grassroots level, community health centres provide basic speciality services in general medicine, paediatrics, surgery, obstetrics and gynaecology.

The Central Drug Standards Control Organisation (CDSCO), under the MoHFW, is the nodal regulatory authority that looks into provisions of the Drugs and Cosmetics Act 1940 and Rules thereof. Further, the practice of medicine is regulated by the Medical Council of India. In addition, protection in terms of intellectual property is regulated under the Office of the Controller General of Patents, Designs and Trade Marks (CGPTDM). Further, copyright is governed by the Copyright Office. Both the CGPTDM and the Copyright Office are under the Department for Promotion of Industry and Internal Trade.

Licensing and authorisation

8 What licensing and authorisation requirements and procedures apply to the provision of digital health products and services in your jurisdiction (eg, medical device registration, marketing authorisation and clinical trial approvals)?

Primarily, the IT Act 2000 and Rules, the Drugs and Cosmetics Act and Rules, and the MCI Act and Rules and Code specify the regulatory requirements for digital health service providers.

Under the Drugs and Cosmetics Act 1940, it is mandatory for any person to be issued a licence from the licensing authority to manufacture or sell any drugs. Moreover, this Act also deals with regulations of clinical trials and regulations of imported drugs. The CDSCO coordinates with states to ensure uniformity in the enforcement of the Act, and also works in close context with Central Drug Laboratories to undertake and perform quality control tests. The Drugs Controller General of India (DCGI) is responsible for the approval of licences of specified categories of drugs, as well as overseeing clinical trials. DCGI is the key Indian regulatory authority and grants approvals based on reviews of clinical data and ascertainment of manufacturing quality.

Further, e-Pharmacies can only dispense prescription medication on the production of a valid prescription. Moreover, under the Doorstep Delivery Notification, drugs may be dispensed ‘based on receipt of prescription physically or through email’. Furthermore, to provide teleconsultation services, the service provider is mandated to be a registered medical practitioner registered in the State Medical Register or the Indian Medical Register established under the MCI Act. Any Digital Health Service provider that deals in sensitive personal data or information, as defined under the IT Act and Rules, is mandated to follow the requirements under the SPDI Rules.

Applicable regulatory legislation also varies from state to state and the service provider would need to comply with the laws of the state in which it intends to operate or where its functional activity will take place.

Soft law and guidance

9 Is there any notable ‘soft’ law or guidance governing digital health (eg, government and NGO-issued guidelines and best practices)?

On 25 March 2020, the Indian government issued the Telemedicine Guidelines 2020, which enable registered medical practitioners to provide healthcare services using telecommunication and digital technologies. Under the Telemedicine Practice Guidelines, video, audio and text modes of patient consultation are considered, which include telephones, video devices, chat platforms, email, fax and special apps developed for remote consultation. The Telemedicine Practice Guidelines also outline the process for prescribing medicines, first consult and follow-up consult, identity and consent, and action to be taken during emergency situations, among other concerns.

Liability regimes

10 What are the key liability regimes applicable to digital health products and services in your jurisdiction (eg, contractual, tort, product liability and consumer protection)? How do these apply to the cross-border provision of digital health products and services?

The liabilities that apply to adverse outcomes can be civil or criminal in nature and would be different for practitioners who are running the services and for service providers such as institutes and online suppliers. Civil suits could arise owing to breach of contract or some tortious liability, such as negligence. There could also be suits for vicarious liability where in the digital health sector, the employer could be held liable for the acts of his employees arising in course of their employment. Further, consumers can also claim compensation in the Consumer Forum if there is a deficiency or defect in the services provided or unfair trade practices. Remedies in such cases are available under the Consumer Protection Act 2019. Consumers can also raise complaints for professional misconduct by doctors with the relevant state medical council or before the ethics committee of the Medical Council of India. In the digital health sector, if, owing to rash or negligent service rendered, the service results in bodily injury or death of the user, the service provider may face criminal prosecution. However, criminal prosecution in cases of medical negligence only takes place when the negligence is ‘gross’ in nature and there has to exist a credible opinion of another doctor to support the charge of rashness or negligence on the part of the accused doctor. Further, criminal liability is covered under the provisions of the Indian Penal Code 1860.

Since digital health services are not location-specific, the plaintiff or user is entitled to institute a suit at a court or forum where he or she is situated. Moreover, if the user avails the service in India, the cause of action would arise in India, and the Indian courts will also have jurisdiction. Further, jurisdiction in cases of liability for breach of contract shall depend upon the terms of the contract.

Data protection and management

Definition of ‘health data’

11 What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?

As per the National Digital Health Mission, health data can be classified into the following categories:

• personal health data – data related to an individual containing detailed information of various health conditions and treatments. It includes any data with personally identifiable information of various stakeholders, such as healthcare professionals; and

• non-personal health data – includes aggregated health data such as number of dengue cases and anonymised health data where all personally identifiable information has been removed. This will also include information about health facilities, drugs and so on that do not involve personally identifiable information.

Further, ‘health data’ under section 3(21) of the Personal Data Protection Bill 2019 (PDP) is the ‘data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services’. Further, under section 3(36) of PDP 2019, ‘sensitive personal data’ means personal data that may reveal, be related to or constitute health data, among others. However, the Bill is still under debate in parliament and is yet to be enacted. Furthermore, under section 3(e) of the Digital Information Security in Healthcare Act (DISHA), digital health data is defined as ‘an electronic record of health-related information about an individual’.

The present law is silent on anonymised data. However, section 3(2) of PDP 2019 defines ‘anonymisation’ in relation to personal data as ‘such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standard of irreversibility specified by the Authority’. Further, the draft Health Data Management Policy, released by the government in August 2020, defines ‘anonymisation’ in relation to personal data, which ‘means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified through any means reasonably likely to be used to identify such data principal’. Further, as per the policy, sensitive personal data includes physical, physiological and mental health data and would include information relating to various health conditions and treatments of the data principal, such as electronic health records (EHR), electronic medical records and personal health records.

Data protection law

12 What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?

India does not have in force any specific data protection law like the USA’s Health Insurance Portability and Accountability Act to develop regulations protecting the privacy and security of certain health information.

There are two draft legislations in this regard:

• the PDP and

• DISHA by the Health Ministry, which is especially for the sharing of healthcare data.

Further, the government has also released a draft Health Data Management Policy, which aims to protect citizens’ health data.

Currently, a patient’s personal information, which includes health information, is treated as sensitive personal data or information (SPDI) under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, and is accorded higher protection than personal data. In this regard, it is imperative to note that in a recent judgment in April 2020 by the Kerala High Court, the court observed that there is a need ‘to ensure that there is no “data epidemic” after the covid-19 epidemic is controlled’.

Rule 3 of the Rules define ‘SPDI’ as personal information that consists of information relating to:

password;

financial information such as bank account, credit or debit card or other payment instrument details;

physical, physiological and mental health conditions;

sexual orientation;

medical records and history;

biometric information;

any detail relating to the above clauses as provided to body corporate for providing service; and any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise, provided that any information that is freely available or accessible in the public domain or furnished under the Right to Information Act 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

Data privacy issues when dealing with SPDI can arise and service providers need to ensure that the requirements of a body corporate are complied with as per the SPDI Rules. When a body corporate collects, stores, transfers or processes SPDI, certain requirements under the Rules are mandated to be met regarding the collection, storing and transferring of SPDI. Consent, through letter, fax or email, is mandatory for the collection of SPDI. Further, the patient must be informed about the fact that SPDI is being collected, what it will be used for, the recipients of the data, and whether it will be transferred to any third parties, along with the contact details of the agency collecting the information. Further, the service provider is required to have a privacy policy in place. Service providers must ensure proper planning and systems are in place for data security and management. If SPDI is planned to be disclosed to a third party, prior permission of the owner of the SPDI is to be obtained. In cases where SPDI is being transferred, the body corporate transferring SPDI must ensure that the receiver of SPDI has adequate security practices in place in addition to obtaining the consent of the provider of the information for the transfer. Further, SPDI cannot be published. The Rules also mandate the implementation of reasonable security practices and procedures in order to keep SPDI secure and for the appointment of a grievance officer, whose contact details are to be published on the website. Apart from these, there are also other requirements such as allowing users to remove or amend their SPDI. However, body corporates that are collecting, storing, processing or transferring information out of a contractual obligation are not required to observe some of the requirements of the Rules, such as obtaining consent from the owner of SPDI for collecting or disclosing SPDI. The other requirements, though, must still be observed.

Anonymised health data

13 Is anonymised health data subject to specific regulations or guidelines?

There is no specific regulation or guideline presently for anonymised health data. However, DISHA contains some requirements in relation to anonymised health data, such as the bar on commercial use.

Enforcement

14 How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?

India does not have dedicated data protection laws; however, certain provisions of the Information Technology Act 2000 and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 deal with the protection of personal information and sensitive personal data that includes health data as well. Offences under the IT Act entail both imprisonment and fines. Further, any negligent disclosure of personal information may result in a claim for compensation. However, if the disclosure is coupled with criminal intent, it may result in imprisonment for a term of up to three years, a fine of up to 500,00 rupees, or both.

Very recently, the Kerala High Court, in the interim order in the case of Balu Gopalakrishnan v State of Kerala (Kerala High Court, WP (C) Temp No. 84 (2020), 24 April 2020), issued measures for protecting the data of covid positive patients in the state of Kerala, which include the duty of the state government to anonymise the data before sharing it with a third party, in this the entity being a US company. In future, all data to be relayed to the third party must be with the express consent of the individual. Further, after the processing of the data as per the contract, the third party must return the data to the state government. Lastly, the US company was injuncted to relay to any third party that it was in possession of any data related to covid-19 patients and was prohibited from commercially exploiting the name and logo of the state of Kerala.

Cybersecurity

15 What cybersecurity laws and best practices are relevant for digital health offerings? (What level of cyber insurance cover is required or advised?)

The IT Act 2000, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 and Information Technology (Intermediaries Guidelines) Rules 2011 are the relevant cybersecurity laws for digital health offerings. As per the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, any entity possessing SPDI is required to comply with the international standard IS/ISO/IEC 27001 on ‘Information Technology – Security Techniques – Information Security Management System – Requirements’ or such other comparable standards as per their documented information security programme and information security policies as approved and notified by the central government.

Best practices and practical tips

16 What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions (including secondary use)?

Some methods to effectively manage health data would be employing encryption methods to store data, strong passwords, ensuring that the data is only shared with the relevant people within the organisation, timely review of the firewall settings, securing all the devices that can access the personal data of an individual, and performing due diligence when sharing information with third-party vendors. The MoHFW also notified the Electronic Health Record (EHR) Standards 2016 with the objective of introducing a uniform standard-based system for the creation and maintenance of EHRs and its adoption by healthcare providers in their IT systems. A few standards recommended are ISO/TS 22220:2011 Health Informatics – Identification of Subjects of Health Care for storing the basic identity of patients; ISO 13940 Health informatics – System of Concepts to Support Continuity of Care, Digital Imaging and Communications in Medicine (DICOM) PS3.0-2015 for images, waveform, audio and video files; and ISO/IEC 14496 – Coding of Audio-Visual Objects for format for audio or video capture, etc.

Intellectual Property:

Patentability and inventorship

17 What are the most noteworthy rules and considerations relating to the patentability and inventorship of digital health-related inventions? (For example, can software, algorithms, databases and AI-generated content be protected? What rules and standard practices govern ownership of employee inventions?)

A digital health invention will most likely involve a computer software and it may attract an objection under section 3(k) of the Indian Patent Act 1970, which precludes patents being granted to a computer program per se. However, recently, the Delhi High Court has iterated that all computer programs are not barred under section 3(k) and when such a program demonstrates a ‘technical effect’ or a ‘technical contribution’, the invention would be patentable.

Additionally, a digital health-related invention may also get objected under section 3(i) of the Act if the invention involves a process for the medicinal, surgical, curative, prophylactic, diagnostic, therapeutic or other treatment of human beings or any process for a similar treatment of animals to render them free of disease or to increase their economic value or that of their products. However, if there is no direct relationship of the invention with any such process, such an objection can be well obviated.

In relation to inventorship of digital health-related inventions, section 6 of the Act shall be of relevance, as it stipulates that the true and first inventor of the invention or its assignee or the legal representative of the deceased person are only entitled to apply for a patent. However, the Act does not explicitly lay down provisions to govern ownership of employee inventions. Therefore, in such scenarios, the wording of the employment contract becomes the deciding factor.

Patent prosecution

18 What is the patent application and registration procedure for digital health technologies in your jurisdiction?

The patent application and registration procedure are the same for digital health technologies as any other patentable invention. The inventor is required to submit his or her patent application via Form 1 along with the specification (provisional or complete) in Form 2 with a declaration of inventorship in Form 5 (in the case of Indian inventors). Once a patent application has been submitted, it is published in the Patents Journal after a period of approximately 18 months, wherein it is open for pre-grant opposition. Thereafter, the applicant is required to submit a request for examination of the patent application within 48 months of the earliest priority date. After the application has been examined on substantive grounds, an office action is issued by the Indian Patent Office and the applicant is required to file detailed submissions to overcome the objections. Once the Patent Office is satisfied as to the patentability of the invention, the patent is granted and duly published in the Official Journal.

Other IP rights

19 Are any other IP rights relevant in the context of digital health offerings? How are these rights secured?

The source code or software for digital health applications as well as any clinical guidelines and data expressed in a medium may be protected under the Copyright Law. The design of healthcare devices as well as the graphical user interface for any digital health application may be protected under the Designs Act 2000. The brand name of the digital health offering or the shape of a healthcare device may be protected under the Trademarks Act 1999.

Licensing

20 What practical considerations are relevant when licensing IP rights in digital health technologies?

A few practical considerations that may be taken into account while licensing IP rights in digital health technologies will be strict quality control over the products and services in respect of which IP rights are being licensed; the IP right holder must ensure that the licensee has adequate data protection and security measures in place; the licence agreement must be clearly worded with respect to the grant clause, confidentiality clause, indemnity clause, exceptions, royalty considerations, infringement issues, tort liability for products or services covered by the licence, transferability, rights on improvement of invention, dispute resolution and termination clause and exit strategies.

Enforcement

21 What procedures govern the enforcement of IP rights in digital health technologies? Have there been any notable enforcement actions involving digital health technologies in your jurisdiction?

IP rights with respect to digital health technologies can be enforced by bringing a civil or criminal action against the infringer. The IP right holder may bring a civil suit for claiming reliefs such as a temporary or permanent injunction, damages, accounts for profit, Anton Piller orders, delivery up of infringing goods, etc. Criminal action may involve imprisonment, payment of fines, seizure of infringing goods, etc. However, there have been no notable enforcement actions in the digital health space as of yet.

Advertising, marketing and e-commerce

Advertising and marketing

22 What rules and restrictions govern the advertising and marketing of digital health products and services in your jurisdiction?

The advertising and marketing of digital health products and services is governed by the following Acts and Rules in India:

• the Drugs and Cosmetics Act 1940 and the Drugs and Cosmetics Rules 1945 lay down the requirement to obtain prior permission before advertising certain medicines for a specific therapeutic indication; prohibition on marketing of sub-standard or misbranded medicines; prohibition on marketing of medicines banned by the government, etc;

• the Drugs and Magic Remedies (Objectionable Advertisements) Act 1954 and the Drugs and Magic Remedies Rules 1955 lay down prohibition on the advertisement of medicines for certain diseases and disorders;

• the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 lay down prohibition on marketing directed towards doctors that may involve financial inducement;

• the Pharmacy Practice Regulation 2015 lays down prohibition on engaging pharmacies to advertise a specific medicine to patients;

• the Uniform Code of Pharmaceutical Marketing Practices, which is a self-regulating code, lays down that all claims on the marketing of the products must be true and accurate, specific disclosure requirements, non-inducement by any financial benefits towards any person qualified to prescribe drugs, etc; and

• the Code for Self-Regulation of Advertising content in India, published by Advertising Standards Council of India (ASCI).

On 20 October 2020, the ASCI issued an advisory against false claims being made that an advertised product could assist in the destruction of coronavirus. Further, the advertisers making claims that their products can fight against coronavirus must substantiate it with the technical support of national and international authorities.

e-Commerce

23 What rules governing e-commerce are relevant for digital health offerings in your jurisdictions (eg, any applicable rules for electronic payments and contracts)?

The relevant rules and regulations that govern e- commerce for digital heath offerings are:

• Consumer Protection E-commerce Rules 2020, which apply to all goods and services bought or sold over digital and electronic networks, including digital products;

• the Drugs and Cosmetics Act 1940 and the Drugs and Cosmetics Rules 1945, which govern the manufacture, sale, import and distribution of drugs in India;

• the Pharmacy Act 1948, which regulates the pharmacy profession;

• the Information Technology Act 2000 (IT Act) is the primary legislation that provides a legal framework for e-commerce in India;

• the Indian Medical Act 1956 and Code of Ethics Regulations 2002 regulate the practice of the medical profession in India. Only medical practitioners registered under the Act can practise allopathy in India. The Act as well as the Code lay down the standard of professional conduct and etiquette to be followed by all medical practitioners;

• the Narcotic Drug and Psychotropic Substances Act 1985 lays down prohibition on the manufacture, distribution, cultivation, sale, transport, storage, etc, of narcotic drugs or psychotropic substances;

• the Drugs and Magic Remedies (Objectionable Advertisement) Act 1954; and

• the Payment and Settlement Systems Act 2007 and the Guidelines on Regulation of Payment Aggregators and Payment Gateways regulate e-payments in India.

The Ministry of Health and Family Welfare came out with a draft to amend the Drugs and Cosmetics Rules 1945 to include suitable provisions for sale of drugs by e-pharmacies, but it is still pending for approval.

Payment and reimbursement

Coverage

24 Are digital health products and services covered or reimbursed by the national healthcare system and private insurers? (Please provide examples.)

Most health insurance in India covers hospitalisation expenses, with a few offering reimbursement for a general health check-up once every four years. Further, digital health products and services covered by private insurers include robot-assisted cataract operations, laser lithotripsy, etc. However, digital health products or services related to spectacles, contact lenses and hearing aids, dental treatment or surgery (unless requiring hospitalisation), convalescence, general debility, congenital external defects, venereal disease, AIDS, expenses for diagnosis, x-ray or laboratory tests not consistent with the disease requiring hospitalisation, treatment relating to pregnancy or childbirth including caesarean section, naturopathy treatment, etc, may not be reimbursed by private insurers.

Update and trends

Recent developments

25 What have been the most significant recent developments affecting the digital health sector in your jurisdiction, including any notable regulatory actions or legislative changes?

The government of India has taken several initiatives in the field of digital health sector, such as:

● the National Health Digital Mission was announced in 2020, whereby every Indian citizen will be given a unique health ID. It also aims to provide digitised health records, as well as a registry of doctors and health facilities. Accordingly, the draft of the Health Data Management Policy to protect and regulate the health data of Indian citizens was also released;

● the Aarogya Setu mobile application was launched by the government. This is a contact tracing and self-assessment application, which alerts the user of active coronavirus cases in the vicinity and tells the user if they might have come in contact with any covid-positive patient;

● the proposed Digital Information Security in Healthcare Act and the Personal Data Protection Bill 2019 are the two major proposed pieces of legislation in the digital health space;

● the proposed nodal authority – the National Digital Health Authority – is intended to develop an integrated health information system along with the application of telemedicine and mobile health by collaborating with various stakeholders; and

● the Telemedicine Practice Guidelines were announced in March 2020, which spell out how technology and the transmission of voice, data, images and information should be used in conjunction with other clinical standards, protocols, policies and procedures for the provision of care.

Coronavirus

26 What emergency legislation, relief programmes and other initiatives specific to your practice area has your state implemented to address the pandemic? Have any existing government programs, laws or regulations been amended to address these concerns? What best practices are advisable for clients?

In view of the lockdown imposed because of covid-19, the Indian Intellectual Property Office issued a public notice dated 19 June 2020 clarifying that the timelines for the completion of various proceedings, filing of documents, payment of fees, etc, falling due after 15 March 2020 stand suspended until further notice. This has been in line with the order of the Supreme Court, pronounced on 23 March 2020, suspending deadlines in all matters until further orders. Thus, effectively all due dates from 15 March 2020 currently stand suspended. However, since this may entail many administrative follow-ups at a later stage to reinstate the deadlines, it is advisable to abide by the statutory deadlines. Further, provisions were made for the e-filing of suits in all courts across the country, as well as for matters before the Intellectual Property Appellate Board. Additionally, all hearings are being conducted through videoconferencing at all levels.

The original study was published by Lexology Getting The Deal Through and can be accessed here: