E-Health- Laws and Regulations


April 11, 2020



According to the World Health Organization, e-Health is the use of information and communication technologies (ICT) for health[1]. In this era, when the globe is moving towards digital services in various sectors, India has taken the initiative to move towards Digital India. Today, e-services and social networking platforms are a need, particularly in urban areas, as they are less time-consuming and aim to provide immediate solutions.

In order to take the Digital India initiative forward, the Ministry of Health and Family Welfare has started various e-Gov initiatives in the health care sector in India. The division, named the e-Health division, has a vision to deliver better healthcare services in terms of access, quality, affordability, lowering of disease burden and efficient monitoring of health entitlements to citizens.

The key benefits of e-Health may be briefed as below:

  1. Increase in efficiency at affordable costs;
  2. Improving and enhancing the quality of healthcare services;
  3. By making the knowledge bases of medicine and personal electronic records accessible to consumers over the internet, e-Health opens a new method for patient-centred medicine and enables evidence-based patient choice;
  4. With the knowledge available to the patients on the platform, the patient and health professional move towards a trusted partnership where decisions are made in a shared manner;
  5. Physicians are educated through online resources such as medical education, and consumers through health education, preventive information, etc.;
  6. Enabling information exchange and communication in a standardized way between health care establishments; and
  7. The scope of health care is extended beyond its conventional boundaries. It means both in the geographical and conceptual sense, e-Health enables consumers to easily obtain health services online from global providers.


1. Information Technology Act, 2000 (“IT Act”): The IT Act was enforced to provide legal recognition to transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”, which involve the use of alternatives to paper-based methods of communication and storage of information.

Under the IT Act, the following rules have been enforced which are triggered in the e-Health sector:

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDIR”):

It is common knowledge that e-Health involves the constant exchange of data between the patient and the healthcare professional (“HCP”). In particular, the patient is required to share his/her data, such as physical, physiological and mental health condition, sexual orientation or medical records and history, for quality and appropriate provision of healthcare services on a platform; such data is considered sensitive personal data or information[2]. The SPDIR mandates that a body corporate, or a person who on behalf of the body corporate collects, receives, possesses, stores, deals with or handles information of the provider of information, including sensitive personal data, shall provide a privacy policy for the handling of or dealing in the afore-mentioned information[3].

Another major aspect of dealing with patients’ data is to obtain written consent from the patient before the collection of such data[4]. This provision of the SPDIR has again validated electronic means and permits such consent to be collected through e-mail and fax, apart from letter. However, as the concept of e-contract has been validated by various provisions under applicable laws (discussed below), the express consent of the patients can be taken through a simple click by the patient, agreeing to the terms of the privacy policy placed by the body corporate on its website as mandated by law[5].

A body corporate can transfer the patient’s data to any other body corporate or person, in India or located in any other country, that ensures the same level of data protection as that adhered to by the body corporate under the SPDIR, and only in case it is necessary[6]. However, in order to disclose the information to any third party, the body corporate shall obtain the prior written permission of the patient[7], provided that the body corporate need not obtain such prior permission where disclosure of the data is mandated by law or by order from Government agents.

The Information Technology (Intermediaries Guidelines) Rules, 2011 (“Intermediary Guidelines”):

Apart from the body corporates which provide e-Health services, there are certain entities which merely facilitate e-Healthcare services to the patients by partnering with independent HCPs. In such events, the entity is merely an intermediary, and the Government has enforced the Intermediary Guidelines for them.

An intermediary, with respect to any particular electronic record, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes[8].

Such intermediary entities are relieved of certain liabilities, provided that they observe certain due diligence, such as publishing rules and regulations, a privacy policy and a user agreement for access or usage of the intermediary’s computer resource by any person, which specifically include the boundaries and restrictions with regard to sharing of information on the platform[9].

Further, such intermediaries are mandated to inform their users, once every month, that any violation of the terms of the rules and regulations, privacy policy and user agreement for access or usage shall lead to termination of access for the users[10]. These intermediaries are also mandated to provide such information or assistance as asked for by any government agency concerning security of the State or cyber security; investigation, detection, prosecution or prevention of offence(s); protective or cyber security; and other connected matters, within 72 hours of communication from the Government[11]. The intermediaries have a duty to report any or all violations to the government authorities and are mandated to preserve all information for a period of 180 days for investigation purposes, if any.

While these intermediaries may be any kind of entity, if the number of users on the intermediary’s platform exceeds fifty lakhs, then the intermediary must be incorporated under the provisions of the Companies Act, 2013 and shall appoint in India a nodal person of contact and an alternate senior designated functionary for 24×7 coordination with law enforcement agencies and officers, to ensure compliance with their orders/requisitions made in accordance with provisions of law or rules[12].

2. E-Contracts:

In light of the above, we understand that patients need to be informed about the collection of their data, its usage, and the measures taken by the body corporate to maintain its confidentiality, and that consent must be obtained before collection and disclosure of the same. The basic question that arises is how to obtain the patients’ consent.

As discussed above, the body corporate is required to frame a privacy policy/terms and conditions or user agreement for its platform. Click-wrap and browse-wrap contracts are among the most common forms of e-contracts. In each of these contracts, the terms and conditions are made available to the contracting party in electronic form, which is significantly different from the usual paper contracts. In the case of a click-wrap contract, the contracting party’s affirmative acceptance is taken by means of clicking on an “I accept” tab. There is also typically a scroll box that allows the contracting party to view the terms and conditions. Further, some contracts/terms and policies mention that, upon usage of the platform or interaction, as the case may be, the terms of the policies apply to the patients by default and that they would be bound by them; these are termed browse-wrap contracts.

The IT Act[13] validates all kinds of e-contracts, and further amendments to the Indian Evidence Act, 1872[14] affirm the same. Therefore, once the patients accept the terms of the privacy policy/user agreement placed on the electronic platform, it is deemed that the patients have accepted the same and given their consent, as well as acknowledged all the terms and measures of data security practised by the body corporate.

3. The New Telecom Policy, 1999:

All service providers who render “Application Services” – which includes telemedicine services – using telecom resources provided by telecom service providers, are required to be registered as an ‘Other Service Provider’ (“OSP”) with the Department of Telecommunications[15].

4. Intellectual Property Rights:

E-Healthcare facilities/platforms give way to innovations, developments, trademarks and content generation, and the protection of the same is a high priority in today’s market. Intellectual property laws enable entities to protect their ideas, innovations and developments in various forms, a few of which are briefed below:

  • Copyrights: To protect the contents/data placed on the platform under the Copyright Act, 1957. Further, any application/platform needs software to operate. The Copyright Act, 1957 can also protect such software, as it falls under the definition of ‘computer program’, and such computer programs fall within the ambit of the Copyright Act, 1957[16].
  • Patent: To protect inventions, the Patent Act, 1970 has come into force. Unfortunately, in India, the functionality of software cannot be patented. However, novel software with known hardware, which goes beyond the normal interaction with such hardware and effects a change in the functionality and/or performance of the existing hardware, may be considered for protection under the provisions of the Patent Act, 1970[17].
  • Trademarks: To protect the words, taglines or logos with which any person would identify. The ‘mark’ of an e-Health application or device could be registered as a trademark under the Trademark Act, 1999, subject to certain exclusion criteria as mentioned under the afore-mentioned enactment.

5. The Drugs and Cosmetics Act, 1940 (“D&C Act”) and Drugs and Cosmetics Rules, 1945 (“D&C Rules”):

In order to regulate the manufacture, sale, import and distribution of drugs in India, the D&C Act and D&C Rules have come into force. The D&C Act requires that all drugs must be sold under a license. The D&C Rules clearly lay down which drugs can be sold only on the production of a prescription issued by a registered doctor, which implies that there is a distinction between prescription and non-prescription drugs.

6. The Drugs and Magic Remedies (Objectionable Advertisements) Act, 1954 and Drugs and Magic Remedies (Objectionable Advertisements) Rules, 1955 (“DMRA”):

The DMRA is enforced in India with the main objective of regulating the advertisement of drugs. The provisions of the DMRA make a false or misleading advertisement of a medicine or drug punishable with both fine and imprisonment.

Therefore, e-Health service providers, specifically online pharmacies, must take care that they provide an accurate and genuine description of the medicines/drugs listed on their platform.

7. Telemedicine Guidelines March 25, 2020:

The Ministry of Health and Family Welfare (“MoHFW”) on March 25, 2020 issued the Telemedicine Practice Guidelines (“Guidelines”) for enabling Registered Medical Practitioners (“RMPs”) to provide healthcare using telemedicine. ‘Telemedicine’ is the delivery of health care services, where distance is a critical factor, by all health care professionals using information and communication technologies for the exchange of valid information for diagnosis, treatment and prevention of disease and injuries, research and evaluation, and for the continuing education of health care providers, all in the interests of advancing the health of individuals and their communities[18].

The Guidelines have been adopted as an amendment to the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 by adding regulation 3.8, titled ‘Consultation by Telemedicine’. In accordance with these regulations, consultation through telemedicine by RMPs under the Indian Medical Council Act, 1956 will be permissible in accordance with the Guidelines. The scope of the Guidelines covers telemedicine consultations provided in India only. Some of the key directives are as follows:

  • Appropriateness and Sufficiency: The RMPs must decide whether a telemedicine consultation is appropriate in a given situation or an in-person consultation is needed in the interest of the patient. They should consider the mode/technologies available and their adequacy for a diagnosis before choosing to proceed with any health education or counselling or medication. Further, the RMP shall uphold the same standard of care as in an in-person consultation but within the intrinsic limits of telemedicine[19].
  • Identification of the RMP and the Patient: Both the patient and the RMP need to know each other’s identity. An RMP should verify and confirm the patient’s identity by name, age, address, email ID, phone number, registered ID or any other identification as may be deemed appropriate[20]. Similarly, the RMP should inform the patient of his/her name and qualifications before the consultation. Further, every RMP should display his/her registration number, granted by the State Medical Council/National Medical Commission, on prescriptions, website or electronic communication[21].
  • Patient Consent: While treating a patient through telemedicine, it is necessary to obtain the consent of the patient. The consent can be either implied or explicit depending on the situation, i.e. if the patient has initiated the telemedicine consultation, then the consent will be implied, and if the RMP is initiating the telemedicine consultation, then the consent will be explicit. The consent can be recorded through e-mail, text or audio/video message, and the said consent must be recorded in the patient’s records[22].
  • Prescribing Medicines: The Guidelines state that an RMP may prescribe medicines via telemedicine only when the RMP is satisfied that he/she has gathered adequate and relevant information about the patient’s medical condition and that the prescribed medicines are in the best interest of the patient. However, the Guidelines further impose restrictions on prescribing certain varieties of medicines via telemedicine and list certain categories[23].

8. Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 (“IMCR”):

The Indian Medical Council Act, 1956 provides that only those persons who have a recognized degree in medicine and are registered with one of the state medical councils have the right to practice medicine in India. The IMCR, on the other hand, lays down professional and ethical standards for the interaction of doctors with patients. Doctors shall observe the laws of the country in conducting the practice of medicine and shall also not assist others to evade such laws. He/she should be cooperative in the observance and enforcement of sanitary laws and regulations in the interest of public health. A doctor shall observe the provisions of the state acts like the Drugs and Cosmetics Act, 1940; Pharmacy Act, 1948; Narcotic Drugs and Psychotropic Substances Act, 1985; Medical Termination of Pregnancy Act, 1971; Transplantation of Human Organ Act, 1994; Mental Health Act, 1987; Environmental Protection Act, 1986; Pre-natal Sex Determination Test Act, 1994; Drugs and Magic Remedies (Objectionable Advertisement) Act, 1954; Persons with Disabilities (Equal Opportunities and Full Participation) Act, 1995 and Bio-Medical Waste (Management and Handling) Rules, 1998, and such other Acts, Rules and regulations made by the central/state governments or local administrative bodies, or any other relevant act relating to the protection and promotion of public health[24].

The IMCR lays down detailed obligations for all physicians in relation to medical practice and the relationship he/she shares with patients, and any violation of the same may lead to tortious liability for such physician. The IMCR further mentions that physicians shall make efforts to computerize all the data of the patients[25] for quick retrieval.

The body corporate/entity shall conduct proper due diligence of the physicians/doctors/HCPs before allowing them to register themselves on the platform and take a declaration from them to abide by the applicable laws in India.

9. Dentists (Code of Ethics) Regulations, 2014 (“DCR”):

All dental practitioners in India are bound by the provisions of the DCR, apart from the provisions of the other applicable laws. Dentists must abide by the protocols and code laid down under the DCR. A common obligation of dentists under the DCR is to maintain professionalism and the confidentiality of patients’ records.

10. AYUSH:

The Department of Ayurveda, Yoga and Naturopathy, Unani, Siddha and Homoeopathy (“AYUSH”) is a governmental body in India purposed with developing education and research in ayurveda (Indian traditional medicine), yoga, naturopathy, unani, siddha, homoeopathy and other alternative medicine systems. Earlier, it was operating under the MoHFW. However, the Department has been elevated to an independent Ministry w.e.f. 09.11.2014. In the event that any body corporate/HCP intends to offer ayurveda, yoga, naturopathy, unani, siddha, homoeopathy or other alternative medicine systems, they must comply with the rules and regulations which have been laid down by AYUSH in various enactments and rules.

11. Homoeopathic Practitioners (Professional Conduct, Etiquette and Code of Ethics) Regulations, 1982 (“HPR”):

Central Council of Homoeopathy is the prime authority under the HPR. It lays down the code of conduct. The professionals are bound by the provisions of HPR and are mandated to give a declaration to that effect[26]. All professionals who intend to provide consultation with respect to homeopathic medication shall be registered under the HPR[27].

12. The Clinical Establishments (Registration and Regulation) Act, 2010 (“ECA”):

Establishments falling under the definition of a ‘clinical establishment’ under the Clinical Establishments Act would be required to register with the relevant authority and conform to the minimum standards as prescribed under the act.

The ECA defines a clinical establishment as a hospital, maternity home, nursing home, dispensary, clinic, sanatorium or an institution by whatever name called that offers services, facilities requiring diagnosis, treatment or care for illness, injury, deformity, abnormality or pregnancy in any recognised system of medicine established and administered or maintained by any person or body of persons, whether incorporated or not[28].

The Clinical Establishments Act is applicable in Arunachal Pradesh, Uttar Pradesh, Uttarakhand, Rajasthan, Bihar, Jharkhand, Himachal Pradesh, Mizoram, Sikkim and all Union Territories except the NCT of Delhi.  Certain states such as Maharashtra and Karnataka have their own state clinical establishment legislations.


A consumer means a person who (i) buys any goods for a consideration which has been paid or promised, or partly paid and partly promised, or under any system of deferred payment, and includes any user of such goods for consideration paid or promised, or partly paid and partly promised, or under any system of deferred payment, when such use is made with the approval of such person, but does not include any person who obtains such goods for resale or for any commercial purpose; or (ii) hires any service or services for a consideration which has been paid or promised, or partly paid and partly promised, or under any system of deferred payment, and includes any beneficiary of such services other than the person who hires or avails of the services for consideration paid or promised, or partly paid and partly promised, or under any system of deferred payment, when such services are availed of with the approval of the first-mentioned person[29]. Every person who hires or avails of the services of a medical practitioner after payment comes within the ambit of ‘consumer’ under section 2(1)(o) of the CPA[30].

Therefore, the patients of the body corporate fall within the definition of a ‘consumer’ and can avail its remedy in the event of any deficiency of services or products delivered to them by e-Healthcare service providers.


As we can observe in light of the above, there are multiple legislations that a body corporate/entity/HCP needs to abide by and be acquainted with in order to render or even facilitate e-Healthcare services in India. The most crucial point of discussion in the e-Healthcare sector is the preservation and maintenance of confidentiality of the information/data provided by the patient on the platform. However, there is a ray of hope named ‘DISHA’. The Digital Information Security in Healthcare Act (‘DISHA’) is proposed to be enacted to provide for electronic health data privacy, confidentiality, security and standardization, and to provide for the establishment of a National Digital Health Authority and Health Information Exchanges and such other matters related and incidental thereto. It is hoped that, in the current lock-down situation, the Government understands the importance of DISHA and enforces it to regularize the usage of the information/data provided by patients while availing of e-Healthcare services in India.

Disclaimer: The content of this article is intended to provide a general guide to the subject matter. For any queries, the authors can be reached at (i) prashant@samistilegal.in (ii) abhishek@samistilegal.in.

 Updated as on April 11, 2020


[1] https://www.who.int/ehealth/about/en/

[2] Rule 3 of the SPDIR

[3] Rule 4 of the SPDIR

[4] Rule 5(1) of the SPDIR

[5] Rule 4 (1) of the SPDIR

[6] Rule 7 of the SPDIR

[7] Rule 6 of the SPDIR

[8] Section 2(w) of the Information Technology Act, 2000

[9] Rule 3 of the Intermediary Guidelines.

[10] Rule 3 (4) of the Intermediary Guidelines

[11] Rule 3 (5) of the Intermediary Guidelines.

[12] Rule 3 (7) of the Intermediary Guidelines https://meity.gov.in/writereaddata/files/Draft_Intermediary_Amendment_24122018.pdf

[13] Section 10-A of the IT Act

[14] Section 65-A of the Indian Evidence Act, 1872

[15] https://main.trai.gov.in/sites/default/files/ACTO_21052019.pdf

[16] Section 2(o) of the Copyright Act, 1957

[17] Rule 5 of ‘Guidelines for Examination of Computer Related Inventions, 2015’.

[18] https://www.mohfw.gov.in/pdf/Telemedicine.pdf

[19] Rule 3.1 of the Guidelines

[20] Rule 3.2.2 of the Guidelines

[21] Rule 3.2.5 of the Guidelines

[22] Clause 3.4 of the Guidelines

[23] Rule 3.7.4 of the Guidelines

[24] Rule 1.9 of IMCR

[25] 1.3.4 of IMCR

[26] Rule 2 of the HPR

[27] Rule 34 of the HPR

[28] Section 2 (c) of the ECA

[29] Section 2(1) (o) of the CPA

[30] Indian Medical Association vs. VP Shantha & Ors, 1995 SCC (6) 651
