
Healthcare Data Privacy in India

August 29, 2023 | Corporate & Commercial Law

Doctors in India are not allowed to share any medical information about their patients with any individual or entity without obtaining the exclusive consent of the patients.

When availing of any healthcare services in India, individuals are required to provide their personal details for various reasons, including maintaining a patient history for reference to previous medical records, etc. It is essential that any entity receiving such patient information ensures the privacy of their medical information.

What is Meant by Privacy of Medical Information?

Privacy of medical information means that a doctor cannot disclose any medical information about a patient to a third party without the explicit consent/permission of that patient.

What is Digital Health?

Digital health is a concept that has become prevalent since the outbreak of the Covid-19 pandemic. It basically provides a link between the healthcare sector and the latest technology with the aim of improving healthcare efficiency in the country while also providing a more personalized healthcare experience to patients.

As per the Digital Information Security in the Healthcare Act, 2018, ‘digital health data’ means an electronic record of a patient’s physical and mental health condition, medical history, healthcare services accessed by them, etc.

However, there have been no specific guidelines or provisions on practicing telemedicine or providing healthcare through video, phone, or other Internet-based platforms such as email, chat, web applications, etc.

As of now, the existing provisions under the Indian Medical Council Act, 1956, the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, the Drugs and Cosmetics Act, 1940 and Rules, 1945, the Clinical Establishment (Registration and Regulation) Act, 2010, the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 mainly govern how medicine and information technology are practiced. As such, the gaps in these regulations and the lack of clarification of the rules pose significant risks for both doctors and patients.

The Indian Government’s Telemedicine Practice Guidelines (TPG), issued in March 2020, aim to standardize the practice of telemedicine in the country. The provisions of the TPG follow the definition of telemedicine given by the World Health Organization (WHO), which defines it as ‘the delivery of healthcare services, where distance is a critical factor, by all healthcare professionals using information and communication technologies for the exchange of valid information through diagnosis, treatment and prevention of diseases and injuries.’

Data security is crucial to protect the confidentiality of any communication between any patient and healthcare professional regarding their health, recommendations and results.

Although the Information Technology Act, 2000 (IT Act), the Data Protection Rules, 2011 and the Intermediaries Guidelines of 2011 were drafted to be relied on in case of privacy concerns and to keep pace with growing demand, no benchmarks have been set that make the implementation of data protection and security mandatory.

Core Healthcare Regulatory Schemes

Digital health is regulated by certain legal provisions, guidelines and norms.

Even though different digital health tools or business models are governed independently, certain regulations apply universally to digital health technology. These regulations include the following:

  • Information Technology Act, 2000,
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data and Information) Rules, 2011 (SPDI Rules), and
  • Information Technology (Intermediaries Guidelines) Rules, 2011.

The data protection system in India generally comprises the IT Act, the SPDI Rules and the data protection framework. The improved security guidelines under the IT Act, 2000 have made it possible to perform online transactions and exchange data electronically. A wide range of activities on the Internet are governed by provisions of the IT Act, 2000, including the legal status of digital records and the authentication of digital signatures. In addition, the Act addresses a wide range of cybercrimes such as hacking.

Core Regulatory Schemes for Digital Health

The current legal framework for e-health protection in India is regulated by the IT Act, 2000 and the SPDI Rules, 2011. They provide certain safeguards in relation to the gathering, disclosure and transfer of confidential personal details such as an individual’s medical history.

As per the Clinical Establishments (Registration and Regulation) Act, 2010, all clinical establishments must maintain electronic medical records (EMR) for every patient whose registration needs to be recorded. As a result, the adoption of electronic medical records (EMR) has risen across the country, as numerous medical institutions and healthcare professionals have started recording patient history in EMR.

Regulatory Schemes for Consumer Healthcare Devices or Software

Consumer devices are protected by the provisions of the Designs Act, 2000. The term ‘designs’ under the Act encompasses the shape, configuration, pattern, ornaments, or the composition of lines applied to an article.

The device’s design and the application’s Graphical User Interface (GUI) are two critical aspects of digital health that need design protection. GUIs are specifically safeguarded by Article 14-04 of the Designs Rules, 2001, under the Designs Act, 2000, which protects ‘screen displays and icons.’

Furthermore, a list of all the risk categories for medical devices that are regulated by the New Definition Notification was issued by the Central Drugs Standard Control Organization (CDSCO).

Key Areas of Enforcement in Digital Health

It is vital to implement digital health standards that safeguard and maintain the security, confidentiality and privacy of patients’ medical history and records. It is equally imperative to keep a record of data protection measures and violations, since all private health data must be stored under high security and accessed only when market analysis, marketing requirements or regulatory transfers require the data to be interpreted.

Major Issues for Digital Platform Providers

Digital platform service providers are generally busy with analyzing and managing the period of transitions when installing and implementing new technologies. As such, some of their critical functions include replacing and enhancing the IT systems, training the workers, realizing the significance of market demand and in-line supply and having adept leadership that supports them at all times.

Is the Extent of Data Use Defined in the Regulations?

  • The Regulations do provide a definition for the ‘scope of data use’ after getting the beneficiary and service provider’s permission.
  • The Regulations also provide the definition for ‘sensitive health-associated data’ and ‘crucial personal details.’

It is crucial to safeguard the privacy of patient records and history and ensure such details are stored under high security. Further, it must be ensured that this data is not readily available to any third party without the exclusive consent of the patient. Besides, failing to comply with the data privacy guidelines of the healthcare sector in India can result in severe repercussions.
