Regulatory & policy framework for digital health | Health policies in India


Healthcare is one of the fastest growing sectors in India, with an increasing focus from private players and a number of initiatives taken by the government. The market was worth around US$100 billion in January 2017 and is predicted to reach US$275 billion in the next ten years. Thus, it has become necessary for the government to implement health policies in India and provide a regulatory framework.

Mobile apps – Government health policies

Today, many patients expect healthcare service providers to deliver quality care and wish to receive timely warning alerts on wellness negligence. They also demand patient observance solutions that are powered by mobile devices (such as smartphones and tablets) and their applications. Mobile apps have emerged as a new tool for connecting in the healthcare field. Mobile healthcare applications are now replacing inactive techniques; for instance, patients can now schedule an appointment with a physician with a single click in the respective smartphone application.


The regulatory framework for digital health/applications

New entrepreneurs and multinational companies are eyeing a boost in the healthcare industry through government initiatives like Digital India, Make in India and Start-up India. However, along with the benefits come responsibilities and obligations. For instance, all e-health, m-health and telemedicine applications are subject to techno-legal agreements. Currently, the healthcare sector and healthcare startups in India are acting more on the side of violation than compliance.

Medical device firms and their applications must strictly obey Indian laws and principles. Medical device makers and application makers must also keep in mind the encryption laws of India and the cloud computing related accords of India.

Furthermore, there is a very complex set of legal requirements for establishing an online medicine store in India and for the online sale of prescribed medications in India. As of this date, India has no dedicated techno-legal framework for online pharmacies, telemedicine, digital health, m-Health, data security, privacy and other related areas. There are various legal risks associated with the online selling of medicines, and all online pharmaceutical companies that aim to operate in India must accurately follow the numerous regulatory provisions related to this field.

Although there is no particular law for players in this industry, you need to comply with several requirements associated with it. The list includes privacy law agreement, data protection obligations, cloud computing compliances, encryption/decryption compliances, cyber law due diligence, etc. It is mandatory for all present players or establishments to comply with the obligations set by the Clinical Establishments (Registration and Regulation) Act 2010 and the Clinical Establishments (Central Government) Rules 2012.

With India’s dynamic initiative on the development and implementation of digital health (eHealth) solutions, there is a need for a dedicated framework for communication between different stakeholders and regulators. Nonetheless, some positive initiatives are being taken by governments in India. For instance, the Electronic Health Record (EHR) Standards/Model of India has been suggested, along with a proposal for establishing a National E-Health Authority (NeHA) of India. Furthermore, if we remove the flaws in the Digital India project, then the same can be used for digital health objectives as well. As of now, there is no mandatory obligation to provide e-delivery of services in India, and this is sufficient to avoid the same.


Why it is important to implement health policies

  1. To pass through regulatory filter before becoming accessible commercially
  2. To go through all laws and rules enforced for medical testing and procedures involved that are prescribed for drugs and medical products
  3. To satisfy terms associated with medical research under Drugs and Cosmetics Act, 2012
  4. To foster innovation without sacrificing security aspect, supplementing data privacy and safety requirements in agreement with the country’s law

India’s rural area is still facing a lack of quality & affordable health care; it is an evidently strong target market for healthcare applications. With the digital revolution, the world is becoming increasingly more linked and can solve more and more complex social problems through increased communication and information sharing.

India is also observing this revolution, encouraged by its growing smartphone and Internet penetration. Smartphone and Internet usage continues to increase YoY in India, currently at a 20–30% CAGR. With the number of applications increasing day by day, their development and usage should be compliant. The first step toward contract is to align with regulatory policies of development. The regulatory authority of India is always accessible to new applications of medical devices.

Ten guidelines for healthcare application providers (private companies)

  1. Evaluate best regulatory markets according to investor business interests
  2. Make sure that your solution/service improves existent physician and clinic infrastructure
  3. Develop a comprehensive plan for the best penetration of mobile acceptance with stakeholders
  4. Make sure that the solution is simple to use by patients and doctors
  5. Establish a compensation model that is profitable for all partners and encourages patients to use it
  6. Make sure that the solution integrates with current technical platforms and is compatible with other brands of devices or versions
  7. Confirm that the application can safely transfer private information, such as patient medical records, and transactions
  8. Develop a scheme for the application or device to be compatible with e-commerce solutions like online banking or other payment methods
  9. Make sure that the application follows the basic ethics of integration, intelligence, interoperability, socialization, outcomes, and engagement
  10. Make sure that the application/devices adhere to the nation’s security policies and laws

One of the best ways to ensure these guidelines get followed is to open a communication channel between regulatory bodies and stakeholders.

Policy of electronic data exchange

In healthcare, the Privacy Standards and the Security Standards are two important principles. Any health record system requires safeguards to ensure that the data is accessible when needed and that the information is not used, disclosed, retrieved, altered, or deleted improperly while being stored or transmitted. The Security Standards work concurrently with the Privacy Standards to create appropriate controls and security. Health sector bodies that are required to comply with the Privacy Standards must also obey the Security Standards.

Healthcare firms must consider several components while adopting security measures. Companies need to implement appropriate safeguards to ensure the confidentiality, integrity, and availability of all information they cover. They need to make sure that the information is not misused or disclosed, and that their workforce complies with all security rules and principles.

Ministry of Electronics and Information Technology deals with all aspects of electronic data exchange.


These Security Standards fall into three categories viz. Technical, Physical and Administrative.

Technical security standards

Department of National Cyber Safety and Security Standards handles all matters related to technical security.


A healthcare provider must implement technical safeguards as part of its security plan to protect the technical information of end users. This involves protecting technical information with the help of technology.

  1. Authentication: Access to the system and network is granted only to authorized users, according to standards
  2. Automatic Log-Off: An electronic session must be forcibly terminated after a fixed period of inactivity; to log back in, the user must start a new session
  3. Access control: Typically, only medical care providers should have access rights to a person’s clinical records. Management must record an audit log of all actions on user-defined events
  4. Integrity: During data transfer, the system must ensure that the electronic healthcare information is not altered in transit, in agreement with the standards specified
  5. Encryption: Generally, all electronic medical information must be suitably encrypted and decrypted during data exchange, according to the preference defined by the organization
  6. Digital Certificates: The use of digital certificates for identification and digital signing is advisable in a health record system
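As an added illustration (not code from the original article or from any Indian standard), the Python sketch below shows how items 2, 3 and 4 of the list above can be enforced together: idle sessions are killed and cannot be revived, only a care-provider role may read a record, every decision is audit-logged, and an HMAC tag detects alteration in transit. The function names, the `care_provider` role label and the 900-second idle limit are assumptions made for the example; authentication, encryption and certificates are out of scope here.

```python
import hashlib
import hmac
import secrets

IDLE_LIMIT = 900  # seconds of inactivity before forced log-off (assumed value)
audit_log = []    # every access decision is appended here: (time, user, action, result)
sessions = {}     # token -> {"user", "role", "last_seen"}


def login(user, role, now):
    """Start a new session; credential checking itself is out of scope."""
    token = secrets.token_hex(16)
    sessions[token] = {"user": user, "role": role, "last_seen": now}
    audit_log.append((now, user, "login", "ok"))
    return token


def read_record(token, patient_id, now):
    """Return True only for a live session held by a care provider."""
    action = f"read:{patient_id}"
    s = sessions.get(token)
    if s is None:
        audit_log.append((now, None, action, "denied:no-session"))
        return False
    if now - s["last_seen"] > IDLE_LIMIT:
        del sessions[token]  # forced log-off: the old token can never be reused
        audit_log.append((now, s["user"], action, "denied:idle-timeout"))
        return False
    s["last_seen"] = now
    allowed = s["role"] == "care_provider"  # hypothetical role label
    audit_log.append((now, s["user"], action, "ok" if allowed else "denied:role"))
    return allowed


def seal(record: bytes, key: bytes) -> bytes:
    """Integrity tag sent alongside the record (HMAC-SHA256)."""
    return hmac.new(key, record, hashlib.sha256).digest()


def verify(record: bytes, tag: bytes, key: bytes) -> bool:
    """Constant-time check that the record was not altered in transit."""
    return hmac.compare_digest(seal(record, key), tag)
```

Denied attempts are logged as well as successful ones, since the audit trail is what lets a reviewer spot repeated access attempts by an unauthorized role.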

Physical security standards

Physical standards are used to safeguard a healthcare provider’s electronic information systems, related equipment, and the buildings housing the systems from hazards and unauthorized intrusion.

  1. Facility access control standard to limit actual physical access to electronic information systems and their facilities
  2. Workstation use standard, to control the physical nature of a particular workstation or group of workstations, to maximize safety
  3. A workstation security standard to execute physical guards to prevent the illegal access of a workstation
  4. Device and media controls standard, to regulate the transfer of any electronic media containing protected health information from, to or within the facility

Administrative security standards

Administrative safeguards are intended to ensure the full range of security. Hence, providers need to develop and execute a safety management process involving policies and procedures that address security concerns.

  1. Security governed standard which blocks security violations
  2. Assigned security officer for the overall management
  3. Workforce security management to ascertain end-user access privileges
  4. Training staff members about security awareness
  5. Establishing event procedures to handle security incidents
  6. Incident planning to protect health information during an unexpected event
  7. Evaluation standards to evaluate security safeguards of an enterprise [1]

Laws & Regulations

The medical device industry is highly unfettered; only 15 products are sanctioned as regularised. The Indian government has described the steps to improve the policy framework, infrastructure, and research & development. These modifications are expected to increase openings for both domestic and global stakeholders. [2]

The National Health Policy, approved by the Ministry of Health and Family Welfare in March 2017, directs large-scale deployment of digital tools for improving the effectiveness and outcome of the health care system and envisages the establishment of a National Digital Health Authority (NEHA) to regulate, develop, and deploy digital health across the continuum of healthcare.

There is also a focus on developing regulatory mechanisms, recognizing the need to regulate the use of medical devices to ensure security and quality compliance as per the standard norms.

India is yet to start acting on these aspects on the fronts of technology and legal frameworks. But there are reports that the Health Ministry of India has planned out a detailed e-health project under the Digital India program of the government. The project would include hospitals, electronic exchange of health records, online distribution of solutions, a citizen portal, online monitoring procedures for services and others.

Regulatory support will ease the approval process for devices and medical apps. The development of an applications capacity standard is an essential factor in gaining the assurance and confidence of healthcare suppliers, patients and the players involved.

Contact details

Ministry of Health and Family Welfare administers any subject on regulations of health care.
Contact: 011-23063024
For Digital healthcare, the government has established one portal to get any contact information:
Toll-free number: 1800-180-1104


© 2018 Dr. Hempel Digital Health Network
