Digital health apps and telemedicine in India

(a) Yes, software used for certain specified purposes is considered a medical device under Indian law. Software was included as a medical device under the Drugs and Cosmetics Act, 1940 (the primary legislation governing medical devices) (“D&C Act”) pursuant to an amendment in 2020. [1]  Software is considered a medical device if it is used for the following purposes:

• Diagnosis, prevention, monitoring, treatment or alleviation of any disease or disorder.
• Diagnosis, monitoring, treatment, alleviation or assistance for any injury or disability.
• Investigation, replacement or modification, or support of the anatomy or of a physiological process.
• Supporting or sustaining life.
• Disinfection of medical devices.
• Control of conception.

Under the Medical Devices Rules, 2017 (“MD Rules”), medical devices (including software) are classified into 4 risk-based categories ranging from Class A (low risk) to Class D (high risk). This also includes software in the form of digital health applications that is used for any of the aforementioned purposes. [2] [3]  For example, photoplethysmograph analysis software, used for home analysis of data collected from fitness devices such as Fitbit devices, is categorised as a Class B (low-moderate risk) medical device. [4]  Depending on the risk-based classification, software may require registration and/or licensing under the MD Rules for import, manufacturing, clinical investigation, sale, and/or distribution. [5] [6]  For example, Class A medical devices (including software) that are non-sterile and non-measuring only need to be registered and are exempt from licensing requirements.

(b) The following are the key legislations that would regulate the civil liability arising out of digital health apps:

• Consumer Protection Act, 2019 (“CPA 2019”): Software in the form of digital health apps is considered a “product” under the CPA 2019, except software that is obtained for resale or commercial purposes. CPA 2019 applies to digital health software manufacturers, service providers and sellers, and provides for transparency, fair trade practices, and redressal mechanisms for consumers.
• Contract Law: Liability may also arise under the Indian Contract Act, 1872 if the developer or service provider breaches any end user agreement or terms of service.

Under CPA 2019, there are certain exceptions to product liability actions. [7]  The liability of a manufacturer, service provider or product seller is exempted in certain cases, for example: (i) a seller of a product is not liable if the product was misused, altered, or modified by the consumer; and (ii) a manufacturer is not liable for any deficiency in providing warnings and instructions if the consumer, while using the product, was under the influence of alcohol. [8]  Under contract law, liability can also be limited through disclaimers or limitation of liability clauses in user agreements, provided such clauses are reasonable and legally enforceable.

Yes, there are other legal regimes in relation to data protection that govern digital health apps/software (collecting data pertaining to medical records/history) in India. These have been broadly set out below:

(a) In India, the Information Technology Act (“IT Act”) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”), constitute the primary regulatory framework applicable to the collection, receipt, processing, storage, transfer, dealing/handling (in any manner) of personal information and sensitive personal data or information (“SPDI”) by different entities/businesses. “Personal Information” includes any information that relates to a person and is capable of identifying such person. [9]  SPDI, which is a sub-set of Personal Information, inter alia, specifically includes medical records and history as well as information pertaining to physical, psychological and medical health condition of an individual. [10]  Any contravention/unauthorised disclosures of such information may result in claims for damages, along with penalties as prescribed under the IT Act.

In addition to the data protection framework discussed above, the legal regime governing cyber security is also applicable to digital health apps/software. In this regard, the IT Act, read with the:  (i) Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”), and (ii) ‘Directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet’ dated April 28, 2022 (collectively, “CERT-In Framework”), prescribe the procedure to be followed by various entities in the event of a cyber incident [11] /cyber security incident. [12]  This includes reporting requirements to be observed upon suspicion/having knowledge of occurrence of such incident. Any contravention may result in imprisonment of certain individuals and imposition of fines as set out in the IT Act.

The Supreme Court recognises the right to privacy of an individual (including in relation to processing of an individual’s personal data) as part of right to life under Article 21 of the Constitution of India, 1950.

(b) With the objective of overhauling and superseding the SPDI Rules read with the IT Act, the Digital Personal Data Protection Act, 2023 (“DPDP Act”) has been passed by the Indian Parliament and has received Presidential assent, but has not yet been brought into force in India.

The DPDP Act applies to the processing [13]  of personal data, i.e., any data about an individual (that is, data principal) who is identifiable by or in relation to such data in digital form.  Unlike the SPDI Rules, the DPDP Act does not differentiate between different categories of personal data and includes health related data within its scope. [14]  It is important to note, however, that the obligation of compliance with requirements under the DPDP Act will lie solely with data fiduciaries (similar to the concept of data controllers in the EU) to the exclusion of any data processors.  Any contravention may result in imposition of penalties as set out in the DPDP Act.

The Electronic Health Record Standards, 2016 (“EHRS”) issued by the Ministry of Health and Family Welfare governs the management of electronically available health records. The EHRS provide comprehensive guidelines covering data access protocols, confidentiality obligations and security standards for health information maintained in an electronic format. The EHRS reiterates the applicability of the IT Act (including its amendments) and the SPDI Rules to collection, processing and maintenance of confidentiality of health information.

Certain additional guidelines like the Indian Council of Medical Research’s guidelines for Good Clinical Laboratory Practices, and the National Ethical Guidelines for Biomedical and Health Research Involving Human Participants (issued under the New Drugs and Clinical Trials Rules, 2019), which prescribe certain data protection measures for health related data, may also be applicable in specific scenarios when such data sets are processed.

• IT Act, SPDI Rules and Cert-In Framework

IT Act and Cert-In Framework: The applicability of the IT Act (and the underlying Cert-In Framework) extends to: (i) all persons (which includes natural and juristic persons) within India, regardless of nationality/residency; and (ii) any offence or contravention committed outside India by any person, insofar as the act or conduct constituting the offence or contravention involves a computer, [15]  computer system [16]  or computer network [17]  (“Computer”) located in India. [18]  Accordingly, the IT Act (and the underlying Cert-In Framework) will be applicable where: (a) users and/or entities that are processing data are situated in India; or (b) the processing of the data takes place in India.  Having said that, it must be noted that in certain limited instances, even where none of the stakeholders are in India, but where the Computer is located in India, the IT Act may still apply, and this will have to be analysed on a case-by-case basis.

SPDI Rules: The compliance requirements under the SPDI Rules are only applicable to body corporates or persons located within India. [19]  When both the body corporate and the persons involved are located outside India, the obligations under the SPDI Rules may not apply. However, in cases involving unauthorised access to a Computer located in India, the body corporate may still be held liable under the IT Act.

• DPDP Act

The DPDP Act applies: (i) in connection with any processing of personal data within the territory of India; and (ii) to processing of digital personal data outside the territory of India, if such processing is in connection with the offering of goods/services to data principals in India. Accordingly, the DPDP Act would be applicable in a scenario where the entity processing personal data sets (data fiduciary) is undertaking the processing in India, or where the processing activity undertaken by the entity is in relation to provision of services in India.

• IT Act and Cert-In Framework: The applicability as set out in point (a) will not be different in treatment of B2B and/or B2C businesses, except for the limited relaxations available to a body corporate under the SPDI Rules (specifically regarding the requirement to obtain prior consent, and certain disclosure requirements) in B2B arrangements.
• DPDP Act: While for B2C businesses, the applicability as set out in point (a) will remain identical, for B2B businesses the applicability (and responsibilities under the DPDP Act) would be contingent on whether both entities qualify as data fiduciaries or if one of the entities would qualify as a data processor, in which case such entity will be exempt from the direct applicability of the DPDP Act in re compliance. However, such entity acting as a data processor may continue to be contractually bound to obligations under the DPDP Act, by the data fiduciary. The role of each party undertaking personal data processing and the applicability of the DPDP Act to such processing will have to be studied on a case-by-case basis.

No, particular features such as location tracking, or monitoring real-time information do not currently trigger any additional consent requirement, or regulatory approval in India, under the abovementioned regulatory framework (i.e., the IT Act, SPDI Rules and the Cert-In Framework).

However, there may be certain additional restrictions that can apply to tracking of location data by different entities in India.  Under the Guidelines for acquiring and producing Geospatial Data and Geospatial Data Services including Maps, dated February 15, 2021, the Department of Science and Technology, while adopting a liberalised approach for using of geospatial data (which includes processing of location data) by different entities (Indian or foreign), has mandated self-certification in certain instances while using this data and has imposed some additional restrictions in regards to processing of this data by foreign entities (including foreign owned and controlled Indian entities).

Separately, under the DPDP Act, specific consent requirements (such as obtaining “verifiable consent” from a parent/guardian) may be applicable for the processing of personal data of children/disabled persons.  Additionally, there are prohibitions on the processing of children’s personal data that may result in tracking or behavioural monitoring along with prohibitions on data processing that may have “any detrimental effect on the well-being of a child.”

In India, physicians remain primarily liable for their clinical decisions during both in-person and teleconsultations, even when relying on standalone digital health software. [20]  While this is the case, the liability of physicians for harm caused by faults or inaccuracies in the software can be limited in certain circumstances.

A physician would be liable only where his conduct falls below that of a reasonably competent doctor and he does not take reasonable care and caution. [21]  If the harm arises specifically due to a defect, malfunction, or inaccuracy in the software itself, such as incorrect data or faulty algorithms, the developer or manufacturer may be held liable based on product liability principles under CPA 2019. 

In India, enforcement mechanisms and legal consequences for non-compliance with regulations applicable to digital health software are multi-tiered and involve different regulators, as briefly described below:

• D&C Act and MD Rules:  The Central Drugs Standard Control Organization (“CDSCO”) is the primary enforcement authority of the D&C Act and MD Rules. The D&C Act prescribes penalties for violations, which were recently amended by the Jan Vishwas (Amendment of Provisions) Act, 2023 (“Jan Vishwas Act”).  Some of the key penalties are: (i) for manufacture or sale of substandard devices, imprisonment for a term not less than 1 year but which may extend to 2 years, and a fine which shall not be less than INR 20,000; (ii) for manufacture or sale of spurious devices, imprisonment for a term which shall not be less than 3 years but which may extend to 5 years, and a fine which shall not be less than INR 50,000. It is pertinent to note that the Jan Vishwas Act has also expanded the scope of compounding of certain offenses under the D&C Act, which allow offenders to avoid imprisonment by paying a monetary penalty.
• Data Protection and Privacy: The Ministry of Electronics and Information Technology (MeitY) is the primary regulatory authority for the enforcement of the IT Act and the SPDI Rules.  Under the IT Act and the SPDI Rules, digital health apps that handle sensitive personal data (which includes health information) may be subject to penalties for data protection violations, such as negligent handling of sensitive personal data, and disclosure of sensitive personal data.
• Consumer Protection Laws:  Under the CPA 2019, there is a three-tier consumer dispute redressal mechanism with forums at the district, state and national level.  CPA 2019 prescribes penalties for various non-compliances, such as misleading advertisements, manufacturing, sale, and distribution of hazardous or unsafe products. Consumer disputes arising from defective software or unfair trade practices are raised before and adjudicated by Consumer Disputes Redressal Commissions.

Non-compliance under the above laws can result in a range of legal consequences such as administrative penalties, monetary penalties, suspension or revocation of licenses, product recalls, compensation claims, criminal prosecution, and reputational damage.  Enforcement actions depend on the nature and severity of the breach and the regulatory body involved.

While the DPDP Act is yet to come into force, once it is implemented, it will supersede the SPDI Rules and create a structured data privacy regime, including for personal health data, with a Data Protection Board of India overseeing adjudication and enforcement.  

Also, the D&C Act is the primary legislation governing medical devices, including digital health apps/software.  The D&C Act is proposed to be replaced by the Drugs, Medical Devices and Cosmetics Bill.  Given that the Bill is yet to pass through the prescribed parliamentary procedure before it becomes a law, the impact on digital health apps/software which are treated as a medical device is not currently evident.

Physicians in India are primarily regulated by the National Medical Commission (“NMC”) which was established by the National Medical Commission Act, 2019 (“NMC Act”).  The NMC replaced the Medical Council of India (“MCI”) in 2020.

In addition to the NMC, each state has its own State Medical Council (such as the Delhi Medical Council of the National Capital Territory of Delhi). The State Medical Councils are regulated by the NMC Act, which provides for the registration of medical practitioners and maintaining a register of such practitioners. The State Medical Council also regulates the conduct of such practitioners by way of receiving complaints from the public and has the power to reprimand or suspend such practitioners and remove their name from the register.

Physicians are also required to adhere to the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 which outline the responsibilities and conduct expected of physicians.

In addition to the laws mentioned above, physicians practicing telemedicine in India are also governed by the Telemedicine Practice Guidelines, 2020 (“Telemedicine Guidelines”) issued by the Ministry of Health and Family Welfare. These guidelines provide a legal framework for registered medical practitioners (RMPs) to consult patients remotely via various communication platforms.

Key aspects of the Telemedicine Guidelines are outlined below:

• Eligibility: Only physicians registered with the NMC or State Medical Councils are permitted to practise telemedicine.
• Professional Standards: Adherence to the same standard of care, ethics, and confidentiality as in-person consultations.
• Prescriptions: Telemedicine Guidelines specify the medications and prescriptions that are permitted to be prescribed on teleconsultation.
• Patient Consent:  Consent is considered implied if the patient initiates the teleconsultation. Explicit consent is required in certain cases such as telepsychotherapy, telecounselling, and telegroup therapy.
• Privacy and Data Protection: Physicians must ensure confidentiality and security of patient information during teleconsultations.
• Liability: Physicians are liable for their clinical decisions made through telemedicine and must exercise due diligence.
• Technology Use:  Use of technology platforms that ensure privacy, security, and accessibility is recommended. Physicians should consider the mode/technologies available and their adequacy for a diagnosis before choosing to proceed with any health education, counselling or medication. The technology platforms that can be used include telephone, video call, devices connected over LAN, WAN, internet, mobile or landline phones, WhatsApp, Facebook Messenger, etc.

The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 also applies to physicians practising telemedicine, reinforcing ethical obligations.

As per the Telemedicine Guidelines, physicians must use their own discretion to decide whether telemedicine can be used to treat a patient.  Once a physician concludes that a patient can be treated through telemedicine, the use of telemedicine is regulated by the Telemedicine Guidelines. 

The requirements under the Telemedicine Guidelines include:

• Physicians must be registered with the NMC or a state medical council.
• Teleconsultations should be conducted using appropriate technology platforms that protect patient privacy and confidentiality.
• Physicians must obtain patient consent — consent is implied if the patient initiates the consultation; explicit consent is required in certain cases.
• The standard of care provided in teleconsultations must be equivalent to in-person consultations.
• Physicians must use their professional judgement to decide if a teleconsultation is appropriate or if an in-person visit is necessary.
• Prescriptions issued in teleconsultations must comply with the Telemedicine Guidelines. Certain medicines, that have a potential of abuse and could harm the patient or the society at large if used improperly, are restricted from being prescribed remotely through teleconsultations.
• Proper documentation and record-keeping of teleconsultations is mandatory.

Under the Telemedicine Guidelines, physicians must obtain patient consent before providing teleconsultation. For this purpose, consent can be:

• Implied consent: If the patient initiates the consultation.
• Explicit consent: Required in specific circumstances, such as when sharing patient data with another healthcare provider or issuing prescriptions.

Physicians are required to inform patients about:

• The limitations of telemedicine compared to in-person consultations, including potential risks due to the absence of physical examination.
• The scope and nature of teleconsultation, including privacy and data protection measures.
• The patient’s right to seek an in-person consultation at any time.

While no standardised disclaimer is mandated, physicians should clearly communicate these points as part of the consent process and adequately document the interaction.

The standard of care expected from physicians remains the same whether the consultation is in-person or via telemedicine. However:

• Telemedicine may increase the risk of liability if the physician fails to exercise adequate clinical judgement about when remote consultation is appropriate, or if they overlook the need for physical examination in complex cases.
• For tasks such as certifying fitness for employment or issuing medical certificates, virtual assessments might be challenged for lack of thoroughness, potentially raising liability exposure. Physicians must exercise caution and may need to recommend in-person evaluation where appropriate.
• Ultimately, liability depends on whether the physician acted in accordance with the accepted medical standards and Telemedicine Guidelines.

Yes, Telemedicine Guidelines set out clear restrictions on the types of medicines that can be prescribed through telemedicine. Under the Telemedicine Guidelines, medicines have been categorised into medicines that can be prescribed through telemedicine and those that are restricted. These restrictions aim to ensure patient safety by limiting remote prescription of potentially harmful or controlled medications.

Medicines that can be prescribed through telemedicine are categorised into three lists:

• List O: Over-the-counter drugs safe for first consultation via any mode (audio/video/text). Examples include paracetamol, oral rehydration salts, and cough lozenges.
• List A: Relatively safe drugs that can be prescribed during the first video consultation for common conditions (e.g., topical agents, and vitamins).
• List B: Medicines that can be prescribed during follow-up consultations only (after an initial in-person consultation or teleconsultation).

The following list under the Telemedicine Guidelines sets out the restricted medicines:

• Prohibited List:  Certain drugs cannot be prescribed via telemedicine at all, including Schedule X drugs and narcotic or psychotropic substances regulated under the Narcotic Drugs and Psychotropic Substances Act, 1985.

Telemedicine services are increasingly recognised and reimbursable under certain schemes, but the landscape is still evolving:

• Public health insurance schemes such as the Ayushman Bharat – Pradhan Mantri Jan Arogya Yojana (PM-JAY) [22]  have started to include teleconsultation, especially following the SARS-CoV-2 pandemic, to improve healthcare access.
• Some private insurers [23]  have begun covering telemedicine consultations, but there is no uniform regulatory obligation on insurers for mandatory coverage of telemedicine consultations.
• Specific provisions regarding reimbursement for digital healthcare through mobile applications that combine digital health and telemedicine are specific to the insurance provider.
• For applications used primarily by healthcare professionals (e.g., clinical decision support tools), costs are usually borne by healthcare providers, hospitals, or clinics as part of their operational expenses.  This also includes applications that have been created by the hospital to provide and facilitate online consultations.
• For applications used directly by patients, costs may be covered by insurance if the application is part of an approved telemedicine service or reimbursable package, but patients often pay out-of-pocket.  Some private health insurance providers offer reimbursements for consultations through digital health apps as part of health plans, but this is not standard practice.

In addition to the above listed data protection regulations for digital health apps, the Telemedicine Guidelines prescribe some guidelines applicable specifically to data collection and processing falling within the remit of telemedicine.  These guidelines essentially specify the need to maintain the confidentiality of patient data/records by “registered medical practitioners” and clarify the applicability of the IT Act (with its amendments) and the SPDI Rules to ensure confidentiality and privacy of such data and records.

In essence, telemedicine data is protected under existing general data privacy laws and medical confidentiality principles, but India awaits a dedicated, comprehensive data protection law to specifically regulate telemedicine data privacy.

The regulatory framework for telemedicine in India is likely to continue evolving to enhance accessibility, data protection, and professional standards. Key anticipated developments include:

• The DPDP Act: It establishes comprehensive data protection measures, including patient consent, data security, breach notifications, and rights to access and erasure of personal data.
• Draft Digital Personal Data Protection Rules, 2025: These rules aim to operationalise the DPDP Act, focusing on data localisation, compliance requirements for significant data fiduciaries, and timelines for data retention.

While no developments are anticipated in the Telemedicine Guidelines, developments with respect to Drugs, Medical Devices and Cosmetics Bill may have a consequent impact on telemedicine in India.