The Medico-legal Discussion of the Digital and AI Revolution in the Indian Healthcare Industry

Digital technology has created a global revolution. The world is becoming more connected and increasingly relies on digital for developing solutions in every industry and sphere of life. These cover technologies ranging from smartphones, 3D printing, cloud computing and social media to the everyday workings of nearly all industries, such as banking, telecom, engineering and even healthcare.

Digital adoption is being driven by the advantages offered to the people of connectivity, increased accessibility to unlimited stores of information, products and services and personalized experience according to one’s preferences.

As a result of this increasing adoption of the internet and digital technologies, even the business models are rapidly changing to cater to the needs of the consumer of today. The following are four tools that make digital all powerful [1]: Social Media, Analytics, Cloud Computing and Mobile Applications.

Consumers now expect companies to leverage the power of digital for personalized and enhanced customer experience, quality product offerings and competitive market prices.

The use of digital technology has become deeply ingrained in almost all major industries and has proved to be a significant improvement.

With digital technology making its presence felt in most major industries and becoming indispensable for their functioning, the healthcare industry finds itself at a crossroads in deciding the extent to which it should jump on the digital bandwagon. It is a challenging dilemma: digital is changing, and will continue to change, how care is delivered to patients, while constantly pushing the borders of the extent of services that can be delivered via digital methods.

A patient survey predicts that more than 75% of all patients are expected to use digital services in the future[2]. Technology is the best way yet to realistically provide affordable, accessible and quality healthcare to all patients and to achieve the vision of a connected healthcare ecosystem. Medical devices in hospitals, new-age mobile care applications and wearable monitoring technologies are all modern digital innovations that have disrupted, and continue to disrupt, the existing healthcare system.

Some Digital healthcare initiatives which are noteworthy and are rapidly making inroads in our healthcare system are as follows:

  1. EMR
  2. Telemedicine
  3. Big Data Analytics
  4. Robot Assisted Surgery
  5. Wearable Health Monitoring Devices
  6. e-Pharmacies
  7. m-Health
  8. e-Learning and training
  9. CDSS-Clinical decision support systems
  10. Wearable medical devices

On the clinical side, these “Internet of Medical Things” devices can monitor a patient’s vitals continuously irrespective of the patient’s location, raise the necessary alarms and trigger the emergency-care protocols that follow. In the ICU and wards, comprehensive dashboards can concisely and accurately display all the significant patient information, triage and prioritize patients by their need for care, and predict episodes like sepsis or stroke based on accumulated as well as programmed knowledge[3]. This can help change the currently reactive approach to healthcare delivery into a proactive one. This will lead to better patient outcomes, improve the quality of care given to patients and efficiently utilize the time of our bottleneck resource: the healthcare providers.

The importance of responsible and ethical AI has been highlighted by experts[4]. There is certainly a potential for digital technologies to transform healthcare in India. Having said that, the ethical, legal, and cultural factors need to be considered by developers, practitioners, and policy makers when designing, using, and regulating e-health platforms. How can the systems ensure consent? How will questions of liability be addressed? How does it fit into existing ethical frameworks in India? How can the security, privacy and accuracy of digital solutions be ensured – particularly in the health sector as individual lives can be at stake and highly sensitive data is being handled?

Let us discuss the above questions, the potential ethical, legal and cultural concerns around digital in healthcare, in some detail:

With the advent of digital in healthcare, the age-old system of paper-based storage of information is becoming obsolete. The Right to Privacy has been held by the Supreme Court to be a fundamental right[5]. The Srikrishna Committee, constituted to make recommendations on data privacy and its management, produced a draft bill called the Personal Data Protection Bill, 2018. It is the first step in India’s data privacy journey.

The current privacy regime is laid down under the following provisions:

  1. Section 43A of the Information Technology Act, 2000
  2. Regulation 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 (the “SPI Rules”)
  3. Regulation 3(1) of the Information Technology (Intermediaries Guidelines) Rules, 2011

Attackers can exploit systems such as Electronic Health Records to harvest private and sensitive personal information. Machine learning algorithms can also be misused to develop autonomous techniques that jeopardize the security and safety of such vital information. AI systems can challenge privacy through the real-time collection and use of a multitude of personal data points that may or may not have been disclosed to the individual in a notice with consent taken.

In 2016, the hacking of a Mumbai-based diagnostic laboratory database led to the leaking of medical records (including HIV reports) of over 35,000 patients. This database held the records of patients across India, and many may be unaware that their details have been exposed. The database had been the victim of multiple hacks in the previous few months, sometimes up to thrice a week [6]. However, no action had been taken by the laboratory to secure the data.

This highlights the need for higher privacy and security standards regulating sensitive personal information in India, and for requirements such as breach notification.

The type of information collected from the user can constitute Personal Data and Sensitive Personal Data or Information (as defined later) relating to an individual. The collection, storage, handling, usage, analysis and transfer of Sensitive Personal Data or Information (SPDI) currently falls under the Information Technology Act 2000, under the Data Protection Rules. Servers and cloud-based storage systems are vulnerable to hacking, from which sensitive patient information can be leaked or fall into the wrong hands.

The following constitute Personal Data:

  1. contact data (such as your email address and phone number);
  2. demographic data (such as your gender, your date of birth and your pin code);
  3. data regarding your usage of the services and history of the appointments made by or with you through the use of Services;
  4. insurance data (such as your insurance carrier and insurance plan);
  5. other information that you voluntarily choose to provide to us (such as information shared by you through emails or letters)

The following constitute SPDI[7]:

  1. passwords;
  2. financial information such as bank accounts, credit and debit card details or other payment instrument details;
  3. physical, physiological and mental health condition;
  4. sexual orientation;
  5. medical records and history;
  6. biometric information;
  7. information received by body corporate under lawful contract or otherwise;
  8. visitor details as provided at the time of registration or thereafter; and
  9. call data records.

The company is free to use, collect and disclose information that is freely available in the public domain without consent.

The e-health platforms have a responsibility to protect patient privacy and anonymity. Usually a user is asked to agree to a barrage of terms and conditions before being allowed to use the services. The information collected by the e-health platforms is:

  1. Personal information and or SPDI
  2. information received by body corporate under lawful contract or otherwise;
  3. visitor details as provided at the time of registration or thereafter; and
  4. call data records of consultations

This collected information by the e-Health platforms can be used by them for the following purposes:

  1. for the purpose of providing the Services,
  2. for commercial purposes and in an aggregated or non-personally identifiable form for research, statistical analysis and business intelligence purposes
  3. for sale or transfer of such research, statistical or intelligence data in an aggregated or non-personally identifiable form to third parties and affiliates
  4. debugging customer support related issues
  5. Publishing such information on the Website.
  6. Contacting End-Users for offering new products or services.
  7. Contacting End-Users for taking product and Service feedback.
  8. Analyzing software usage patterns for improving product design and utility.
  9. Analyzing anonymized practice information for commercial use.

If the SPDI is shared with a third party or used for research purposes, the data should be made non-identifiable. Also, if a user wishes to stop receiving promotional and other communication from the company, then they should be provided with the option of “Opt-out”.
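As an added illustration (not from the article and not any platform’s code), the Python below shows one way a platform could enforce the two rules in this paragraph: SPDI and direct identifiers are never released in identifiable form to a third party or for research, and a user’s Opt-out is honoured before any promotional contact. The field names, the sample record, the pseudonymisation key and the permitted-purpose list are assumptions constructed for the example; the category sets follow the Personal Data and SPDI lists above.

```python
"""Added example, not from the article: a release gate for e-health records.

Rule 1: SPDI and direct identifiers are made non-identifiable before any
        third-party share or research use.
Rule 2: a user who has opted out receives no promotional contact.
Field names, key and sample record are constructed for illustration.
"""
import hashlib
import hmac

# Direct identifiers (contact data in the article's Personal Data list).
DIRECT_IDENTIFIERS = {"name", "email", "phone"}
# SPDI categories that must never leave the platform, even pseudonymised.
NEVER_RELEASE = {"password", "bank_account", "card_number", "biometric"}
# Internal preference flags that are not patient data to share.
INTERNAL_FLAGS = {"marketing_opt_out"}
# Third-party uses the article names as acceptable in aggregated/non-identifiable form.
PERMITTED_THIRD_PARTY_PURPOSES = {"research", "statistical_analysis", "business_intelligence"}

# Constructed key; a real deployment keeps this in a KMS and rotates it.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"


def pseudonym(value: str) -> str:
    """Keyed hash: records stay linkable for a study, but the value is not
    recoverable by dictionary attack the way a plain SHA-256 of a phone number is."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def birth_year_band(dob: str) -> str:
    """Generalise an ISO date of birth to a five-year band (e.g. 1985-1989)."""
    year = int(dob[:4])
    start = year - year % 5
    return f"{start}-{start + 4}"


def deidentify(record: dict) -> dict:
    """Return the non-identifiable form of a record that may go to a third party."""
    out = {}
    for field, value in record.items():
        if field in NEVER_RELEASE or field in INTERNAL_FLAGS:
            continue  # dropped entirely
        if field in DIRECT_IDENTIFIERS:
            out[f"{field}_token"] = pseudonym(value)  # linkable, not readable
        elif field == "date_of_birth":
            out["birth_year_band"] = birth_year_band(value)
        elif field == "pin_code":
            out["pin_prefix"] = value[:3]  # district level only
        else:
            out[field] = value  # health fields stay as study variables
    return out


def permitted_purpose(purpose: str) -> bool:
    """Only the aggregated/non-identifiable uses the article lists are allowed."""
    return purpose in PERMITTED_THIRD_PARTY_PURPOSES


def release_for_third_party(record: dict, purpose: str) -> dict:
    """Gate every outbound share: refuse unlisted purposes, de-identify the rest."""
    if not permitted_purpose(purpose):
        raise PermissionError(f"{purpose!r} is not a permitted third-party use")
    return deidentify(record)


def may_send_promotion(record: dict) -> bool:
    """Honour the Opt-out that every user must be offered."""
    return not record.get("marketing_opt_out", False)


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "A. Patient",
    "email": "a.patient@example.com",
    "phone": "+91-9000000000",
    "gender": "F",
    "date_of_birth": "1987-06-14",
    "pin_code": "400001",
    "password": "hunter2",
    "bank_account": "1234567890",
    "health_condition": "type 2 diabetes",
    "medical_history": "metformin since 2019",
    "marketing_opt_out": True,
}

if __name__ == "__main__":
    print(release_for_third_party(SAMPLE_RECORD, "research"))
    print("promotion allowed:", may_send_promotion(SAMPLE_RECORD))
```

The design point is that the gate is the only path out of the platform: the raw record never reaches the sharing code, the purpose is checked against an allow-list rather than a deny-list, and passwords and financial details are dropped rather than hashed, because a keyed token is still a data point about the person.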

The MoH&FW is in the midst of enacting a sector-specific legislation called DISHA, or the Digital Information Security in Healthcare Act[8] (elaborated in detail later). In addition to laying down guidelines for digital platforms, this law will also provide civil and criminal recourse for breach of data privacy.

The Data Protection Rules apply to any corporate entity in the same way as they do to any individual doctor. When collecting the sensitive information, consent is taken from the user which is supposed to be an informed one on the above mentioned aspects.

These Data Protection Rules were put in place at an earlier time when the use of Digital was not that extensive for sensitive personal information. But in today’s age, a greater need is felt for more regulation, laying down of concrete, unambiguous laws and also to account for liability on breach of the data privacy tenets.

DISHA is the result of these requirements of the industry for higher security measures in healthcare information. Once it is enforced it will replace the Information Technology Rules of 2011 and be a landmark Act of its kind.

Critical argument on a few areas which are still vague or contentious

There is a lack of clear definitions and guidelines on data safety, storage, access and sharing norms. Moreover, there is no watch-dog or regulatory authority which ensures the adherence to these Data Protection Rules. Companies can abuse this loophole for monetary benefits and thus violate the right to privacy of their users. The coming of DISHA and the establishment of NeHA as a regulatory authority is a welcome move and the need of the hour.

There is also a lack of transparency by the e-Health companies on the exact use to which SPDI is being put and with whom it is being shared. Many times the “Opt-out” option is not available or easily accessible for users who wish to stop receiving communication from the companies or to have their information deleted from databases.

Consent represents the legal and ethical expression of the basic right to autonomy and self-determination. Consent is now globally recognized as an essential first step in the acquisition, storage, processing, usage and transfer of personal data. For healthcare, consent takes on a very significant role and is imperative because if a medical practitioner attempts to treat a patient without a valid consent, then he will be liable under both tort and criminal law.

Some online consultation platforms like Practo Tab have introduced digital consent forms[9]. Practo Tab is a practice management system for doctors which includes patient registration, appointment management, billing etc. Including a consent form in the online consultation module ensures that the patients understand the risk and complications before a treatment and be aware of alternate treatment options. It also safeguards the doctors against any grievance or negligence lawsuit post the treatment. These digital consent forms have to be legally compliant and use digital signatures as per Sec 2 of the Information Technology Act 2000[10].

In order to make it more airtight, the Practo consent forms are further made tamper-proof, so that once signed they cannot be modified in any way by anyone.

Also in accordance with MCI guidelines, consent should have the following characteristics:

  • Consent should be freely given
  • Consent should be an informed one, wherein all the risks, complications and alternative treatment options have been informed to the patient
  • Consent can be implied, expressed or written depending on the procedure in question. For routine treatments an implied consent would suffice. For a more detailed examination an express oral consent is required. Finally, for complex treatment procedures, express written consent is required
  • The validity of consent also needs to be determined carefully

Carte blanche consent

At the time of logging on to any of the e-health platforms, users are required to agree to policy terms and conditions, without ticking which, one is not allowed to proceed and avail the services of the e-health platform. These T&Cs may include a lot of things which are not necessarily ethical or in alignment with the patient’s consent. Moreover, these policy T&C are many times not even read by the users or patients. Yet they give their approval for terms of data usage, waiving off liability and negligence on part of the e-Health platform. In consultation cases, where a written informed consent is mandatory, can such a consent be considered valid, where the patient, though being informed, is not aware? Can it amount to coercion, where services are denied based on agreement to all terms?

Recommendation: The consent should be broken down into sub segments and each consent should be separately taken. Also each time that patient data is to be shared with a third party, a separate consent request should be raised by the e-health company.
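To make the recommendation concrete, here is an added example (not from the article, Practo or any e-health platform) of a consent ledger in Python: each purpose is a separate, signed consent entry, a share with a named third party requires its own entry, later entries supersede earlier ones so a withdrawal is honoured, and an entry whose signature no longer verifies authorises nothing, which is the tamper-proofing property described for the Practo forms above. The signing key, patient ids, purpose names and timestamps are constructed assumptions; the HMAC is a stand-in for the asymmetric digital signature the IT Act contemplates, since this example must run offline with the standard library only.

```python
"""Added example, not from the article or any platform: a granular,
tamper-evident consent ledger. One purpose per entry, a separate entry for
each named third party, latest entry wins, and any entry whose signature
fails verification authorises nothing. Key, ids and timestamps are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import List, Optional

# Placeholder key. The article requires digital signatures under the IT Act;
# an HMAC stands in for that asymmetric signature in this offline example.
SIGNING_KEY = b"constructed-demo-signing-key"

# Each purpose the article lists must be consented to separately; no blanket "all".
PURPOSES = {"consultation", "research_aggregate", "promotions", "feedback"}


@dataclass(frozen=True)
class Consent:
    patient_id: str
    purpose: str
    third_party: Optional[str]  # set only for a share with a named recipient
    granted: bool               # False records a withdrawal
    timestamp: str
    signature: str = ""

    def payload(self) -> bytes:
        """Canonical bytes that the signature covers (everything but itself)."""
        data = asdict(self)
        data.pop("signature")
        return json.dumps(data, sort_keys=True).encode()


def sign(consent: Consent) -> Consent:
    sig = hmac.new(SIGNING_KEY, consent.payload(), hashlib.sha256).hexdigest()
    return Consent(**{**asdict(consent), "signature": sig})


def verify(consent: Consent) -> bool:
    """Constant-time check; any edit to a stored form breaks it."""
    expected = hmac.new(SIGNING_KEY, consent.payload(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, consent.signature)


def with_changes(consent: Consent, **changes) -> Consent:
    """Copy an entry with fields altered but the old signature kept: this is
    what a tampered stored form looks like, and verify() must reject it."""
    return Consent(**{**asdict(consent), **changes})


class ConsentLedger:
    def __init__(self) -> None:
        self.entries: List[Consent] = []

    def record(self, patient_id: str, purpose: str, granted: bool,
               third_party: Optional[str] = None,
               timestamp: str = "2024-01-01T00:00:00Z") -> Consent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}; consent must be specific")
        entry = sign(Consent(patient_id, purpose, third_party, granted, timestamp))
        self.entries.append(entry)
        return entry

    def permits(self, patient_id: str, purpose: str,
                third_party: Optional[str] = None) -> bool:
        """True only if the latest intact entry for this exact scope grants it."""
        latest: Optional[Consent] = None
        for entry in self.entries:
            if not verify(entry):
                continue  # tampered record: never a source of authority
            if (entry.patient_id, entry.purpose, entry.third_party) == (patient_id, purpose, third_party):
                latest = entry
        return latest is not None and latest.granted


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record("p-001", "consultation", True)
    ledger.record("p-001", "research_aggregate", True, third_party="Lab X")
    print(ledger.permits("p-001", "research_aggregate", third_party="Lab X"))     # True
    print(ledger.permits("p-001", "research_aggregate", third_party="Insurer Y"))  # False
```

Scope is matched exactly, so consent given for one recipient never carries over to another, and a blanket “all purposes” entry cannot be recorded at all; that is the ledger-level equivalent of splitting the T&Cs into separately ticked sub-consents.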

Doctors and patients share a legal fiduciary relationship which is contractual in nature. Due to this contract, the doctor owes a reasonable duty of care towards his patient. In case any harm is caused to the patient as a result of the negligence of the doctor, the doctor in turn can be subject to liability. The liability can be both contractual and tortious. It may even be vicarious. It can be a civil or a criminal liability. In the case of digital healthcare, the liability will be different for the doctors and for the service providers, such as the online platforms and institutions hosting these doctor-patient interactions.

Civil Liability

Civil Liability suits can come from a breach of contractual obligations between the e-Health service provider and the patient or user. It can also be initiated by the patient under tort due to negligence on part of the doctor or the service provider. A breach in the contractual obligations can result in charges that can be compensated for by payment to the patient at an amount that is decided at the time of execution of contract or based on the decision of the court.

In order for negligence to be established in court, there should be a breach of duty caused by an omission to do something, or a failure to exercise a standard of care which a normally skilful member of the profession may reasonably be expected to exercise in the actual circumstances of the case in question. Not every slip or mistake counts as negligence[11]. A case of civil negligence is judged on the basis of whether a mistake was made by the doctor or the healthcare provider and, if so, whether the mistake was one which another reasonably careful and skilful medical practitioner would not have made.

To establish negligence in a civil case, the following three points should be proved:

  • There was a legal duty to exercise due care
  • A breach of the said duty
  • There was damage to the patient/user because of the breach of said duty

In the context of a doctor-patient relationship on digital healthcare platforms, the platforms categorize themselves as intermediaries where the service provider just acts as a facilitator. As per the Supreme Court, “a person who holds himself out to give medical advice and treatment by implication undertakes that he is possessed of skill, knowledge and the necessary qualifications to do so. Such a person when consulted by a patient owes him certain duties like:

  • A duty of care in deciding whether to undertake the case or not
  • A duty of care in deciding the diagnosis and what treatment to give

A breach of any of these duties gives the patient a right to sue for negligence and claim damages[13]. There is no limit to the damages that can be claimed under this breach.

Vicarious Liability

In the provision of e-Health services where there is an employer-employee relationship, the employer can also be sued due to the principle of Vicarious Liability. It means that the service provider or platform can also be held responsible for negligence and the damage caused to the patient by the acts of the employee or doctor working for them.

Liability under the Consumer Protection Act, 1986

The CPA was enacted with a vision to enable consumers to address their grievances in a comparatively easier and quicker manner than at a civil court, which can turn out to be expensive and time consuming. The CPA allows consumers to claim compensation from service providers in case of a deficiency in the service provided. Apart from deficiency of services, consumers can also institute claims for defective products and unfair trade practices. Consumer forums have been set up at the district, state and national level to deal with such matters. Medical services now fall under its ambit, and a claim is maintainable under the CPA if the patient has been charged for the services rendered.

For claims raised with the consumer forums, there is no limit as to the amount of the compensation that can be claimed[14].

Criminal Liability

It is decided before a criminal court and a high degree of negligence is necessary to prove the charge of criminal negligence. To fix the charge of criminal liability on a doctor or surgeon, the standard of negligence is required to be proved to be as high as can be described as gross negligence. If it is a matter of error of judgment, which can be made by any other careful and skilful doctor in the same circumstances, then it is not criminal liability. In case of e-health services, if a doctor is rash or negligent in rendering a service and such a service results in bodily injury or death of the patient, then the person may be charged with criminal negligence. It can be a case of either death by negligence[15] or an act endangering the life and personal safety of others[16] or causing hurt by aforementioned act. In the case of conviction under criminal negligence, the punishment can be imprisonment as well as fine.

The Supreme Court has taken a sympathetic view in such cases and requires the proof of gross negligence for imposing criminal liability against the doctor. It must be established that the negligence of the accused went beyond mere carelessness and that the damage to the patient caused is because of the direct result of such negligence. The credible opinion of another doctor of similar field of expertise is necessary to initiate criminal prosecution in such cases.

The principle of vicarious responsibility does not apply in the case of criminal prosecutions. This means that the institutions/online platforms that provide the digital healthcare services would not be criminally liable for the acts of their employees.

Disciplinary Action by the MCI (now the National Medical Commission)

A consumer is entitled to raise a complaint with the relevant state medical council against the doctor for professional misconduct. If a complaint against a doctor has not been decided by the state medical council within six months from the date of receipt of the complaint, the MCI may, on its own or on the request of the consumer, impress on the relevant state medical council to decide on the complaint or refer the same to the Ethical Committee of the MCI for expeditious disposal[17]. Consumers who are not satisfied with the ruling of the state medical councils also have the right to appeal to the MCI within a period of 60 days[18].

These cases of professional misconduct are specified in the MCI Code, such as non-maintenance of medical records[19], refusing treatment on discriminatory grounds like race or caste, performing surgeries or other procedures without a written informed consent[20], etc. Consumers can even complain about acts of omission that are not covered in the MCI Code. If the complaint is found to be justified, the doctor faces the risk of suspension or even cancellation of his medical license.

Responsibility of the e-health platforms

The e-health platforms claim to act as intermediaries and do not take any responsibility for the information provided on their platform or the consultation received via them. The current stance is that they are hence not liable for any of the following:

  1. User interactions and associated issues User has with the Practitioner;
  2. the ability or intent of the Practitioner(s) or the lack of it, in fulfilling their obligations towards Users;
  3. any wrong medication or quality of treatment being given by the Practitioner(s), or any medical negligence on part of the Practitioner(s);
  4. inappropriate treatment, or similar difficulties or any type of inconvenience suffered by the User due to a failure on the part of the Practitioner to provide agreed Services;
  5. any misconduct or inappropriate behaviour by the Practitioner or the Practitioner’s staff;
  6. cancellation or no show by the Practitioner or rescheduling of booked appointment or any variation in the fees charged, provided these have been addressed

The uncertain environment in which e-Health players are currently operating has made it difficult to effectively perform such services. At the same time, it also acts as a deterring factor for new entrants to venture into this field. It has become abundantly clear that the large scale adoption of e-Health is the need of the hour in a country whose population is in need of better access to healthcare.

The following policy changes would go a long way in ensuring the smooth adoption of e-Health services and digital in healthcare in India. The government, the Ministry of Health and Family Welfare, and the National Medical Commission should all be vigilant of the changing dynamics of the healthcare industry with the coming of digital technologies. The current laws were written in an era of no digital tech, hence many of them may require updating, modification or complete deletion as traditional methods change and/or become obsolete. The interests of the patients will have to be borne in mind, as their personal information lies in the hands of companies who, for the lack of proper regulations, may take liberties with this sensitive data. The risks need to be recognized here, as does the need for stringent regulation. The National Electronic Health Authority (NeHA), which is coming up with the passing of DISHA, will have a huge responsibility on its shoulders to supervise, manage and regulate the ever-evolving digital healthcare landscape. With these evolving digital technologies, the doctors also need to step up their game and constantly stay updated on the exciting new innovations every day. The NMC will have to rethink the MCI code of professional conduct, etiquette and ethics for doctors to include the virtual practice of medicine and its dos and don’ts in its tenets.

The e-health companies also have a responsibility to explore the seemingly limitless potential of digital in healthcare in a conscientious manner and to be respectful of the data entrusted to them by the patients. Digital also has the capability to connect all the different aspects of the industry, like emergency care, hospitals, diagnostics, insurance providers, medical device companies, pharmaceuticals, patients and healthcare professionals, seamlessly across the continuum of care (from prevention, diagnosis and treatment to recovery) and to provide all citizens of the country, rather than a privileged few, with the healthcare that they deserve.

About Author

Dr. Sneha Singh: A doctor (MBBS) by education and with an MBA, she is currently working in healthcare marketing with a prominent MNC. She can be reached at drsneha2121@gmail.com.


[1] SearchCIO. (2014) SMAC (social, mobile, analytics and cloud). Retrieved from http://searchcio.techtarget.com/definition/SMACsocial-mobile-analytics-and-cloud

[2] World Bank data, PwC analysis

[4] F. Zamin-Malik (2017, September 15), Let’s Get A Grip On Artificial Intelligence In Healthcare, Retrieved January 5, 2018, from https://www.accenture.com/us-en/blogs/blogs-lets-get-grip-artificialintelligence-healthcare

[5] PwC (2018). An overview of the changing data privacy landscape in India. Retrieved from https://www.pwc.in/publications/2018/an-overview-of-the-changing-data-privacy-landscape-in-india.html

[6] ENS (2016, December 3), Maharashtra website hacked: Diagnostic lab details of 35,000 patients leaked, Retrieved January 5, 2018, from http://indianexpress.com/article/india/diagnostic-lab-detailsof-35000-patients-leaked-hiv-reports-4407762/

[7] Rule 3 of the Data Protection Rules defines Sensitive personal data or information of a person to mean such personal information which consists of information relating to (i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information

[8] F.No Z-18015/23l2017-eGov Government of India; Ministry of Health & Family Welfare (e-Health Section). Retrieved from https://mohfw.gov.in/newshighlights/comments-draft-digital-information-security-health-care-actdisha

[9] https://www.practo.com/company/terms

[10] PwC (2018). An overview of the changing data privacy landscape in India. Retrieved from https://www.pwc.in/publications/2018/an-overview-of-the-changing-data-privacy-landscape-in-india.html

[11] Jacob Mathew v. State of Punjab & Anr. (2005) 6 SCC 1 

[12] https://www.practo.com/company/terms

[13] Laxman Balkrishna Joshi v. Trimbak Bapu Godbole and Anr. 1969 SCR (1) 206 

[14] INR 5.9 Crore plus interest; Balram Prasad v. Kunal Saha; (2014) 1 SCC 384 

[15] Section 304-A of the IPC  

[16] Section 336 of the IPC  

[17] Regulation 8.7 of the MCI Code  

[18] Regulation 8.8 of the MCI Code  

[19] Regulation 7.2 of the MCI Code  

[20] Regulation 7.16 of the MCI Code  
