The state of Telemedicine policy, law and digital infrastructure in India

Introduction

This post builds on the questions that were raised in the talk: Telemedicine Policies and Standards in India , adds more information, references, a detailed prescription and creates some structure.

The first part is descriptive. I will attempt to provide a clear understanding of the different aspects of telemedicine as it stands in India with regards to policy and infrastructure. In the second part I will focus on prescription, or describing what I think are the key issues and what I (and others) think should be done about them.

Part I — The description

Current State of regulations on telemedicine in India

Telemedicine is not new in India; for about 20 years, various governmental and non-governmental organizations have been involved in various kinds of telemedicine projects in India. The ISRO currently maintains a network of 130 hospitals in India that are connected for telemedicine [1]. Most of these are doctor to doctor consults, in which a doctor in a rural or secondary care setup discusses the care and treatment of a patient with a specialist based in one of the nodal centers, like AIIMS, or other central or state institutes. We do not have clear information about how many patients are treated overall, and what kind of outcomes are being measured and if there are any specific interventions being conducted in these centers. Mishra (2008, 2009) DeSouza (2014) and others have delved into this and more in detail. I maintain an updated bibliography on the research into telemedicine which has more references on these issues and more.

Despite this history, there has been very little in terms of legal or official documentation about what services count as telemedicine, what kind of services can be provided via telemedicine (and what cannot), what the liability structure for these consultations are, and what clinical guidelines or standards apply. While anecdotal information about health worker adoption of these technologies abound there are not a lot of published reports from academia.

In the last 5 years or so, with the boom in the number of smartphone users [2], a large number of mobile health providers have been doing telemdicine in India. The legal status of these is discussed frequently in media, Quora etc. But not a lot of clarity exists. As recently as 2019, the Karnataka medical council notified all doctors to stop doing telemedicine, and opined that telemedicine consultations are illegal. [3]

During this time startups based in Bangalore sent details of the legal provisions and clinical audits and security practices to the KMC, which silently gave a go ahead, without really going public about it. I know this because I was involved in the making of these responses.

I have been working in health technology in India since 2010 and have been focusing on mobile-based telemedicine since 2016. Over the years I have collaborated with legal and other organizations to understand and frame the legal and ethical issues in telemedicine and have been involved some of the policy conversations around telemedicine in India. This post is a result of those experiences.

The legislative or official backing of telemedicine providers is framed like this by most private providers:

1. The Indian Medical Council Act, 1956 specifies who can practice medicine in India (registered medical practitioner), and what a legally valid prescription is. This indicates that as long as any consultation is done by a registered medical practitioner and they provide a prescription following this standard it is a legal consultation.
2. Pharmacy Council of India which regulates training and registration of pharmacists and pharmacies in India, in its Pharmacy Practice Regulations, 2015 №14–148/ 2012- PCI defines that prescriptions can be physical or electronic.
3. The IT act of 2000 and its amendments(chapters 2, 5 and 7) describe how to digitally sign an electronic health record, and make it clear that this makes it a legally valid record.

Put these together and we have the broad framework under which you can have an online consultation.

In March 2020, The Medical Council of India published a guideline for telemedicine in India, which provides a broad practice framework. The board of governess has since accepted this guideline and has decided to provide statutory basis for them under Professional conduct, Etiquette and Ethics regulations. MCI-211(2)/2019 (Ethics)/201858 [PDF]

While this is far from comprehensive, it provides some way in which a doctor can be held liable for online malpractice, and provides clearer legitimacy to online consultations.

EHRs, regulations and their relationship with telemedicine

Since telemedicine creates and stores medical information about patients, all telemedicine providers who store data digitally need to adhere to EHR standards. The definition of what and EMR is and what EHRs are are detailed in the MoHFW — released EHR standard 2016, and it is clear that any agency that stores patient information must comply with these standards.

Besides this, in 2018, the ministry has also set up a National Resource Centre (sic) for EHR Standard (NRCeS) to “ augment facilitation for adoption of the notified EHR Standards in technical association with Centre for Development of Advanced Computing (C-DAC), Pune for providing assistance in developing, implementing and using EHR standards effectively in healthcare Information Technology (IT) applications”. This organization has been working with vendors and creators of EHRs in providing training etc.

The EHR standard lays down the best practices for storage, retrieval, and communication of health information. It follows international standards in EHR design and explains the complexity of EHRs very well. How enforceable these standards are is still unclear, as are penalties, if any that exist for not complying. There doesn’t seem to be any national certifying methodology or agency for EHRs.

Privacy and security of health data in India

Health data In India is owned by the patient, at least in the broad sense.

At present, the IT act if 2000 and its amendments are what form the legal basis of the right to privacy and security of personal information. This bill covers health information but is not very exhaustive.

The MoHFW had proposed a Digital Information Security in Healthcare (DISHA) act [PDF] for comprehensively covering health related data, but this bill has been replaced by and subsumed into another bill tabled by the ministry of Electronics and Information Technology: The personal data protection (PDP) bill. This has been tabled in lok sabha and has been sent to a standing committee for discussion.

The (PDP) bill provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same. It defines what personal health information is and lays out penalties for breaches etc. But it also makes it clear that the government has ultimate power in making decisions about health data and lays out a large set of non-exhaustive circumstances or reasons for breaching consent. It also states that the government may ask “data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.”

The law doesn’t speak of the right of a patient to be forgotten, and the entire system assumes the national health stack and which in turn is built on top of Aadhaar, and so anonymity doesn’t seem to be an option, and it very much wants every patient to be identified.

Consent

The current law [IT act] does not address the matter of consent very well. As a result of this, consent for using reusing, researching and doing what ever needs to be done is taken by most health apps upfront as part of the EULA. Chances are, if you’ve ever clicked on one of those I Agree buttons, you’ve provided a blanket agreement for the use of your data. There is some distinction made about anonymizing and de-identifying data.

Anonymized data is data that has been stripped of all information that could be considered as personally identifiable. De-identifiable data is what which has been through a reversible removal of identity.

The current legal framework gives software providers and other health providers with unfettered rights to data as long as it is anonymized, and doesn’t specify how often and in what situations consent must be taken.

In the PDP, consent is deliberated on in some detail and an XML standard for logging consent has been proposed, I discuss the issues later.

India’s digital health infrastructure

Before going further into what the government is doing for the creation of digital health infrastructure, let me state that

1. The public health system in India is extremely good in some places and extremely bad in some places. And the difference between these places is not technology, it’s the way they solved the people problems. You cannot solve people problems with technology. The people problems are caste, favoritism, and the informational, financial and power asymmetry between people who deliver healthcare and the people who receive it.
2. If we don’t address these structural issues first, and this is not something you can do in parallel, and you throw tech at it, there is plenty of evidence from studies around the world, that this worsens the problem.
3. The current health system is in desperate need of load-shedding. It cannot really deliver what needs to be delivered, and I have felt many times that maybe we need to delete it all and restart.

The national health stack.

In 2018–19 the govt unveiled the Ayushman bharat program which does two things,

1. Sets up 1.5 lakh primary healthcare centers (largely as as public-private partnerships).
2. An insurance scheme — which covers ~10 Cr families at INR5 lakh per family.

Source: PMJAY

In order to deliver this (and only this), the govt Set up an independent body called the National health authority. The PMJAY website is very clear about its scope.

The Niti Aayog was entrusted with figuring out the tech for this — how to get health insurance to those who need it, and came up with the National health stack.[PDF] in July 2018.

In this proposal the NITI Aayog starts off by saying,

In this document, we present the idea of a National Health Stack (NHS)-a digital infrastructure built with a deep understanding of the incentive structures prevalent in the Indian healthcare ecosystem. The NHS, a set of building blocks which are essential in implementing digital health initiatives, would be “built as a common public good” to avoid duplication of efforts and successfully achieve convergence. Also, the NHS will be “built for NHPS but designed beyond NHPS” as an enabler for rapid development of diverse solutions in health and their adoption by states

Its Components:

A. National health electronic registries: to create a single source of truth for and manage master health data of the nation; (Suddenly we are not talking about PMJAY recipients)

B. A coverage and claims platform with fraud detection;

C A Federated personal health records (phr) Framework:

D. A national health analytics platform:

E. Other things including, Digital Health ID, Health Data Dictionaries and Supply Chain Management for Drugs, payment gateways etc shared across all health programs.

With all of this built on top of the Aadhaar

In about 40 pages of the proposal it goes from being an insurance providing system for 50 crore people, to the central and unified system for accessing health for everyone in the country, and the central verifier of many truths.

To implement this National health stack the MoHFW proposed the national digital health blueprint in April 2019

Since then, an organization called iSPIRT Foundation, which is a volunteer run non-profit, funded by some of the biggest names in the tech industry are currently going ahead and building the national health stack. In fact parts of it are already ready and the code’s on github.

From what I could gather from their website and materials provided by them, the organization takes a systems thinking approach and the volunteers clearly have experience in building tech infrastructure. They are very open about their work. It seems like the foundation has brought together smart minds and industry to work on creating an ecosystem for building digital products and business in India, including the NHS.

For the last few weeks they have been holding an open house discussing the NHS, parts of which have already been made! and a certification of some kind is in the works.

They are working with private industry very well, and I have reached out to health startups who mention that they are informed about the work being done and are generally happy about the quality of the discussions, although how far recommendations from policy, disability and patient rights organizations etc. are considered is unclear.

Source: Open House Discussion on PHR and Doctor Registry #2 [Youtube]

The Community

Before I jump into the prescriptive part of this post, I think it’s important to discuss some of the initiatives, communities and organizations that are involved in the discussion around telemedicine and digital health infrastructure of the country. This list is in no particular order and is not exhaustive. If you are an organization or community interested in this, please comment.

Jan Swasthya Abhiyan (JSA) The JSA forms the Indian regional circle of the global People’s Health Movement (PHM). They do a lot of advocacy around universal health coverage and gender and patient rights and commonly comment on health related legislation in India.

Digital health india, an NGO. No policy briefs so far, but a corona CDSS was made publicly available by them. They, in collaboration with the NRCeS have created and maintain a Telemedicine provider registry, which is a great project. It also conducts evaluations of telemedicine providers and the research is available on their website. Run by health and social work professionals.

Digital Health Providers Association, consisting of a few healthcare startups, has recently come up with a policy brief for telemedicine. Run by Health technology professionals.

Telemedicine society of india — The oldest Indian organization. Involved in conferences and research. Run by School of Telemedicine and Bio-Medical Informatics at Sanjay Gandhi Post Graduate Institute of Medical Sciences. No policy briefs, but many papers have been produced by them and they were early advocates of telemedicine. Run by doctors and health informatics professionals.

Software Freedom Law Center does a lot of advocacy, PILs, and other policy related work in the privacy, information security and related areas. Their responses to NDBP and others are well researched. Run by FOSS practitioners and has some academic backing.

Center for internet and society a non-profit organization that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. has produced some of the finest policy work when it comes to technology and digital living in india. Run by policy specialists and a research team.

Kaarana — organized the aforementioned talk and is involved with discussions around privacy, Aadhaar etc.

You should note that I have been unable to find academic departments or chairs in Indian universities who have responded to or been involved from the public’s side in all these discussions. I think there is a grave paucity of policy makers engaging in health technology in India.

Part II: The prescription

In this section I will list problems and my recommendations referencing all the elements discussed in the description section.

MCI Telemedicine Practice Guidelines

Overall, while the guideline was much needed and came at the right time, the guidelines seem hurried. A full response to the guideline is outside the scope of this already scope-thin document, so I will be brief.

1. They fail to take in account the telemedicine that’s already happening in India. So it’s more a guide for someone new to this.
2. There are no background papers or surveys of existing practices in telemedicine in India as the foundation of this document.
3. It also tries to do too many things, and offers different levels of detail in different areas. For example, it mentions a list of medication that may or may not be used online. And it states that violating this directive can be construed as malpractice. This sort of an approach, where you dictate what medications are OK and what are not are not in line with research from other countries or with the dynamic nature of medicine. The guideline and the MCI should instead discuss safe and unsafe prescription habits. It already had to amend the list of drugs, because the first version made it illegal to prescribe psychiatric medication in India. Keep in mind that lack of access to psychiatry and mental healthcare are among the top five reasons people use telemedicine!
4. The MCI is also geared to come up with practice guidelines on how to manage different issues online, which I think is not a good idea, because the various medical academic societies need to think this through and come up with guidelines. and for this a fair bit of background research is needed.

There is a great need for a collaborative approach. There needs to be at least a few studies into what kind of things are already being treated online, what kind of people are accessing health this way, and understand the system before trying to govern it.

What direction is needed from MCI:

1. Create a collaboration with industry and academia in understanding how telemedicine can be delivered safely and efficaciously.
2. Identify research lacunae in clinical practice and policy and ethics of online consultations
3. Propose and study safe online prescription habits
4. Delineate what kind of training someone who practices telemedicine needs
5. Guide on how EHR and telemedicine providers can get ethical oversight from medical institutions.

In summary, instead of focusing on getting lost in the details , it should focus on creating a framework that is non restrictive and safe, and allows doctors to practice fearlessly, and promotes collaboration and research that leads to better guidelines and practice.

EHR standards

1. It has too many standards that apply, some 20 different standards of ISO referenced, all of which are paid. This sets the entry cost too high for smaller organizations
2. The recommendations for clinical terms- The SNOMED CT does not have Indian language versions of the or any localization. The point of a clinical terminology dictionary is to understand and communicate local health problems with the greater community. Use of SNOMED CT will causes loss of information, and preserving local languages of health is very important.
3. Also, while the government has bought access to SNOMED CT, this only applies to Government agencies, private players would have to pay thousands of dollars yearly to get access.
4. While it’s a very comprehensive document, it makes sets the bar too high for people making EHRs. I’m not saying we should be lax, I’m saying we need to be practicaal.
5. The other standards it recommends like the LOINC, have been mentioned in a way that hospitals with older machines and smaller labs would not be able to comply.

Recommendations:

1. Recommend free and open source standards where ever possible.
2. Recommend using standards that have some benefit. So far, using SNOMED terminology is beneficial to a very small subset of EHR providers.
3. Create or open the creation of India specific clinical terminologies, personal health information standards etc.
4. Understand that with the advent of modern algorithmic computing, the need for each entity to follow strict standards for terminology is going away. As long as locally accepted standard terminology is being used, interoperability can be established using other means.

Privacy and health data

1. The blanket permission given to the government to use patient data without consent is in direct opposition to many learned commissions and committees constituted in this area, the supreme court rules on related issues and research into the importance of privacy in healthcare.
2. There exist apps out there that do not mention clinical research as part of the EULAs but go head and do it anyway.
3. In part, this is because of the lack of ethical literacy among technologists. To be clear, I am not saying us technologists are an unethical lot, but it seems like ethics is not part of the CS curriculum, and tech till recently maintained that they were just tool builders and didn’t have to worry about the effects.
4. Over the years, my experience in bringing up ethics in software circles has not be wonderful, mainly because there just isn’t enough literacy about the issue and because ethics are often confused with moral policing.
5. We need to keep in mind that beyond the lack of literacy, here is plenty of current data and research into the harms that are being caused by unethical practices in technology or ignoring of ethics in technology.
6. While there has been some work in the area of teaching software professionals in making and using EHRs, there has been no talk of ethics in this policy space.
7. Neither the agencies dealing with EHRs nor any documents from Niti Ayog, which leads the policy making, have any mention of the need for ethical literacy for software makers or mention ethical oversight of digital health providers.
8. With the advent AI, there is now a lot of evidence that just removing someone’s name and such details doesn’t actually anonymize data. Further steps need to be taken and this is an area that will keep needing to catch up with various misuses of data and so needs a flexible framework.

Recommendations:

1. Data ethics literacy for health technologists. This needs to be part of the computer science curriculum, and periodically discussed and dealt with in organizations.
2. Ethical oversight of health data providers. Academia and ethical experts in the country need to make it easy for digital health providers to access their expertise and financially viable to receive ethical oversight for research and development.
3. We clearly need a LOT more focus on individual rights and the evidence for this in the healthcare context, and our laws need to be informed of the advances in this area. The current law and the proposed Data protection law fall short in reassuring people that their interests are being taken care of.
4. One of the foundational assumptions of this stack is that the identity of the individual MUST be verified via aadhar, or other methods.
5. The issues with the national digital health blueprint whose problems have been explored in detail in a talk at Kaarana and there are comments and reports on it available.
6. Comments by JSA, SFLC and CIS in particular stand out, and not with any coordination, they all point out the problems of consent, inclusion, and priavcy.

From JSA — comments on NDBP, PDF linked here

It could work- but more often than not, as global experience shows it does not- though in the process it could provide many lucrative contracts to India’s IT majors. In a worst case scenario it could disrupt not only an ongoing incremental process of IT development that is ongoing, but also the organization of healthcare services at the district and sub-district levels- especially when new systems are being proposed as replacing all others. An approach where the biggest and newest software seeks to undermine or stop all others, even if they may be working well in their local settings is one reason- why some of these bold new ‘disruptive” innovations- can be literally disruptive of progress being made, without offering any alternative.

We therefore would call for an incremental approach that builds on the current situation and processes, with center providing technical support and guidance to multiple decentralized efforts. We set out some of the main features of such an alternative below

The main purpose of IT systems in the states and districts should be for decentralized management at that level.The center should limit itself to data that is actionable for the center-it need not be able to “see” every facility, let alone every individual

A central repository is neither required nor manageable nor desirable.Though these repositories are justified in the name of universal coverage and reaching the poor, it will like most such systems provide little in the way of entitlements to the poor. However in the hands of a powerful state, it can be used to encroach on privacy harms elect individuals who are perceived as hospital by the government of the day. Such large data banks have also commercial value and there is much data mercantilism-on which the entire document is silent. This silence is of great concern.There needs to be safeguards and guarantees against this.

From SFLC

The Government of India has formed multiple committees and held multiple rounds of consultations to decide upon the issue of Privacy and Data Protection. Justice A.P. Shah Committee formed by the Planning Commission released a report on privacy in 2012.[1] In its report, nine National Privacy Principles were recommended.[2] In 2017, a nine-judge bench of the Supreme Court of India unanimously recognized the existence of a fundamental right to privacy under Article 21 of the Constitution of India

The pressing concern with the National Digital Health Blueprint (NDHB) report is that it suggests a framework that severely infringes upon the fundamental right to privacy. These concerns are heightened in the absence of a comprehensive data protection law. The report also ignores a series of advancements on privacy and data protection that have taken place over the years. It does not adhere to the privacy principles recommended by Group of Experts on Privacy (Justice A.P. Shah Committee) and the more recent, Justice B.N. Srikrishna Committee report whose recommendations on data protection form the core foundation for the draft Personal Data Protection Bill, 2018.

A detailed analysis of the National health stack has been done by Smriti Mudgal Sharma

In conclusion it may be said that NHS is a great move towards monitoring and evaluation of the implementation of ABY. However, technology can at best streamline processes and help create a digital backbone for execution of public health programmes; it alone cannot solve the greater public health challenges. This endeavour needs to be complemented by strengthening the implementation capacity of states. The real need of the hour is to fix accountability of the medical professionals, improve standards of care, ensure transparency, and procure high-quality data without compromising privacy and choice of beneficiaries.

The CIS-India comments

We also note that the nature of data which would be subject to processing in the proposed digital framework pre-supposes a robust data protection regime in India, one which is currently absent. Accordingly, we also urge ceasing the implementation of the framework until the Personal Data Protection Bill is passed by the parliament. The NDHB also assumes that access and delivery of the services promised under the ecosystem would be facilitated by the prospect of ‘near universal coverage’ of smart phones across India. However, this ‘mobile first’ premise rests on an assumption of widespread digital literacy, which is simply absent when one considers the social realities of the country.

Section 3.5 of the NDHB states the standards that will be in place for privacy and security, which includes provisions that are to be included in the operational aspects. This includes a provision on immutability, which states that a record cannot be deleted without following due process. We recommend that such due process takes into consideration the right of the data principal to delete specific entries or the entire set of records containing their personal information. We had also made this recommendation for the Digital Information Security in Healthcare Act 2018 49 , and reiterate it for the NDHB.

Nayantara Narayanan also provides a great write up in scroll on this issue

To summarize the recommendations:

1. We need digital infrastructure but this (NHS and NDHB) do not address systemic inequalities which are the root cause of the problems this system is trying to solve. This is foolhardy and suspiciously represents and solves the problems of the industry and not the patient.
2. We need good data protection provisions in our laws, and without that, there is great deal of misuse that can happen due to this stack and the blueprint.
3. This is creating a system that might perpetuate the exclusion that pervades health and industry in India.

The iSPIRT foundation

Pretty much all learned groups so far have opined that before embarking on this glorious project we need to

1. Address systemic inequalities, and don’t ignore the fact that the lack of tech is not the core issue with health delivery in India.
2. Improve the data protection standards in India, pass strict data protection laws and then start this project

However, as I already pointed out, a non-profit with no official links to the NITI Aayog or the MoHFW is currently holding consultations with the industry for building the NHS and has already built parts of it.

Some questions that I am unable to find any answers for in official documentation or RTIs filed on this issue by others are

1. Who appointed them? What was the process? Who entrusted them with this highly complex job of creating a digital infrastructure for India before we finished discussing what infrastructure we really need?
2. Who do they answer to?
3. Do I and other civil society organizations have a right to be heard by them?
4. Is it even legal to start building the NHS using an informal agreement when neither the NDHB is finalized, nor are the laws around data protection passed?
5. Who is paying the developers? How are they selected?

Neither their website, nor the publications from NITI Aayog or MoHFW have any clues to give us.

What we see here is an organization that uses public resources and is creating public goods, but has no accountability to the public.

We do not know if the government designed and operates this or it has been subcontracted to them

You could say that has been designed to “get things done” and avoid the red tape.

Which is great if you’re building one app, but when you’re building national infrastructure, and if you are outside the purview of the RTI act, or any parliamentary oversight, and you are funded by a small group of tech billionaires, there is a problem.

Concluding Overall Recommendations

1. Transparency about who is building the NHS and who they are accountable to and if this is even legal
2. Create Systems that make consultative progress easier — I would love to have signed up for a newsletter that tells me that comments are elicited on a health policy related issue from the govt. or its organizations.
3. For the industry and the folks at NITI etc. to understand that consultative building, doesn’t mean slow, it means deliberate and harm reducing and exclusion free. The voices of the most vulnerable people in this nation are not being represented or consulted with while designing a system for them
4. Civil society, policy specialists, activists, FOSS proponents — Participate — join ispirt consultations, and listen and comment. Get involved.
5. For all these groups working in isolation to start talking to each other. Like the people’s health movement, we need a coalition of health technologists, policy specialists and health advocates.

Footnotes

[1]: While numbers as high as 250 are often touted, in a recent answer, the GOI has clarified that the ISRO currently has 130 centers operational: And it is putting up a new siddha medicine telemedicine project.

[2]: Objective and good quality data on this is sparse as it’s largely large consulting firms that have provided numbers, here’s one figure to explain this from the McKinsey Digital India report of 2019

[3]: Some further reading on the legal issues in telemedicine referencing case law

References

1. Mishra SK, Kapoor L, Singh IP. Telemedicine in India: current scenario and the future. Telemedicine and e-Health. 2009 Jul 1;15(6):568–75.
2. Mishra SK. Current status of E-health in India. Retrieved from openmed. nic. in/1265/01/skm12. pdf on. 2008;30(06).
3. DeSouza SI, Rashmi MR, Vasanthi AP, Joseph SM, Rodrigues R. Mobile phones: The next step towards healthcare delivery in rural India?. PloS one. 2014 Aug 18;9(8):e104895.