Telemedicine in India: Doctor’s Consultation is just a Phone call away!

India is making some major headway towards providing universal health coverage. However, a significant challenge is the limited number of qualified doctors and other healthcare professionals available in our country. Telemedicine is a solution to this limitation as it allows consultation, diagnosis, and treatment by healthcare professionals from remote locations with the help of technology

The requirement of telemedicine was starkly visible during the current COVID-19 pandemic and the resultant lockdown. It significantly helped in reducing hospital visits, waiting periods, and long travel to and from the hospital. Other benefits of telemedicine include timely and faster access to healthcare services, convenience, cost-saving, and adequate documentation of health records. Until recently, there was no legislation or guidelines on how telemedicine could be practiced in India. In view of the current pandemic, the Government of India has timely come up with the Telemedicine Practice Guidelines on 25th March 2020.  This guideline forms a part of the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, and is numbered Appendix-5. With this, there is now some legitimacy attached to the service and the guidelines would pave the way for statutory legislation on the same lines in the future.

Evolution of Telemedicine in India

From the constitution of a Telemedicine Taskforce in the year 2005 by the Ministry of Health and Family Welfare, India has gradually progressed in telemedicine by budgeting for it, setting up various institutions, connecting Regional Cancer Centers with peripheral centers across India through the ONCO-NET India Project and networking of states and district headquarters and premier institutes as part of Integrated Disease Surveillance Project (IDSP).  The Government has further facilitated it through the establishment of the National Rural Telemedicine Network, mother, and child tracking system (MCTS), the establishment of National Telemedicine Network, National and Regional Resource Centers etc. Various indigenous software has also been developed to provide telemedicine solutions.

Scope of the Telemedicine Practice Guidelines, 2020

The Telemedicine Practice Guidelines introduced on 25th March 2020 provide norms and protocols pertaining to physician-patient relationship; issues of liability and negligence; evaluation, management, and treatment as well as informed consent. The provisions also deal with continuity of care; referrals for emergency services; medical records; privacy and security of the patient records and exchange of information; prescription; health education and counseling. These guidelines also provide information on technology platforms and telemedicine tools available to medical practitioners and how to integrate them into these technologies.

Guidelines for Registered Medical Practitioner

  • Information Exchange: A Registered Medical Practitioner (“Doctor”) is empowered by these guidelines to provide telemedicine consultation to patients from any part of India, and the same professional norms, ethics, and standards apply. All physical examinations cannot be done via video/audio/text messages. Therefore, it is left to the Doctor’s professional judgment as to whether he/she can provide a technology-based consultation or an in-patient consultation. In addition, doctors are restrained from providing telemedicine when the physical examination is critical for consultation. Doctors are also mandated to uphold the same standard of care as in-patient consultation. Both Doctors and patients are required to provide their identification to the other as may be deemed appropriate.   Since prescriptions are based on the age of the patient, a Doctor is required to explicitly ask for the age, and if necessary, seek proof thereof.  In the case of a minor, teleconsultation can only be done when the minor is accompanied by an adult whose identity is also required to be verified.
  • Informed Consent: Patient consent is mandatorily required for a telemedicine consultation. Consent is implied when telemedicine is initiated by the patients themselves. If it is initiated by a health worker, another Doctor, or caregiver, explicit consent of the patient must be procured and recorded.  Health education, counseling, and prescription of medicines can be done through telemedicine. If a caregiver is not present with the patient and does not have authorization, Doctors cannot provide telemedicine consultation. In the case of a health worker, he/she should have obtained informed consent from the patient to obtain consultation from Doctor.
  • Prescription of Drugs: The guidelines categorize drugs into four lists, List O (over the counter medications), List A (can be prescribed during the first consultation and has relatively low potential of abuse), List B (when an in-patient consultation is already done, and drugs have to be prescribed in follow up consultation), Prohibited Drugs (high potential for abuse). Doctors cannot prescribe prohibited drugs. Doctors can only prescribe List A drugs if the consultation is done through video as it involves the first consultation. If the gap between two successive consultations is more than 6 months or if the consultation is for a different health condition, it would be construed as a first consultation. Signed prescription or e-prescription can be sent to the patient digitally (or to the pharmacist after the explicit consent of the patient).
  • Confidentiality, Privacy and Data Protection: Doctors are required to abide by their professional conduct regulations, IT Act, Data protection and privacy laws in India, and other applicable rules. The guidelines specify a certain inclusive list of actions constituting misconduct by Doctors such as insisting on telemedicine when a patient is willing to travel, misusing patient data, prescription of medicine from the restricted list, and solicitation of telemedicine. Further, doctors will not be held responsible for breach of confidentiality if there is a piece of reasonable evidence to believe that patient’s privacy and confidentiality has been compromised by a technology breach or by a person other than the Doctor. However, doctors should ensure that a reasonable degree of care is undertaken during hiring such services. Penalties for violation would be as per the IMC Act, ethics, and other prevailing laws.
  • Documentation: Doctors are required to maintain digital trails and documentation of the telemedicine consultation such as logs of telemedicine interaction; patient records, reports, diagnostic data, etc., utilized during telemedicine consultation, and prescriptions for such period prescribed from time to time. Fees for telemedicine consultation should be treated in the same way as in-patient consultation, and a fee receipt should be provided to the patient.


Guidelines for Technology Platforms

It is the responsibility of technology platforms such as websites, mobile apps, etc., assisting in telemedicine services to:

  1. Ensure that the telecommunication is with a Doctor who is duly registered with the national or state medical councils.
  2. Conduct Due Diligence before listing Doctors in online portals. The technology platform should provide the name, qualification, registration number, and contact details of every Doctor.
  3. Report any non-compliance to the Board of Governors of MCI.
  4. Ensure that Artificial intelligence or machine learning is not utilized to counsel patients. However, such technologies can be used to assist Doctors in inpatient evaluation, diagnosis, management, and prescription.
  5. Ensure that the technology platform has a proper mechanism to address the queries and grievances of patients.

Any violation by the Technology Platform would lead to blacklisting of them by the Board of Governors or MCI, and thereafter, no Doctor shall use such a platform to provide telemedicine services.


In the wake of the coronavirus pandemic and the heavy toll it is taking on the healthcare sector across the world, the telemedicine guidelines had to be brought in to limit hospital visits and avoid the transmission of diseases significantly. The guidelines are designed to regulate unauthorized use and assist Registered Medical Practitioners to provide their services in an uninterrupted manner and to remote locations.  The provision for blacklisting technology platforms that do not abide by these guidelines is a welcome step to ensure due care from their end and was necessary to inculcate faith in these platforms. However, it is unjust on the part of the Government of India to only empower doctors who practice modern medicine to provide telemedicine services and not bring practitioners of Indian Medicine under its ambit.  As the definition of Registered Medical Practitioner in the guidelines state, it is only for doctors enrolled in the State Medical Register or Indian Medical Register as per the Indian Medical Council Act 1956.  Practitioners of Ashtang Ayurveda, homeopathy, Siddha, Unani, Tibb, or Sowa-Rigpa who are registered under other enactments have been overlooked.

That said, several initiatives by the Government of India on providing greater bandwidth connectivity, optical fiber connectivity, and National Knowledge Network connecting more than 800 institutions including medical institutions would encourage Telemedicine and Telehealth significantly. With people across the country in isolation and quarantine, Telemedicine is a viable alternative for patients to get immediate medical attention for minor health issues. With the assistance of technologies like fitness trackers, smartwatches, and plasters that are capable of monitoring heart rate, breathing rate, body temperatures, and generating ECG reports, it is time to harness Telemedicine for faster and timely access to healthcare services.


Image Credits: Photo by National Cancer Institute on Unsplash

In the wake of the coronavirus pandemic and the heavy toll it is taking on the healthcare sector across the world, the telemedicine guidelines had to be brought in to limit hospital visits and avoid the transmission of diseases significantly. The guidelines are designed to regulate unauthorized use and assist Registered Medical Practitioners to provide their services in an uninterrupted manner and to remote locations.  The provision for blacklisting technology platforms that do not abide by these guidelines is a welcome step to ensure due care from their end and was necessary to inculcate faith in these platforms.


Bulk Data Sharing & Procedure Notification - A Data Breach?

In this digital era, data has become one of the most valuable assets to own. Elections have been won and international alliances have toppled because of support that could be garnered by utilizing data analytics. While heated debate surrounding data breaches by private entities baffles the world, at home, it is accused that the Indian Government has monetized from sale of personal data of Individuals, in the pretext of public purposes” under a notification released by the Ministry of Road Transport and Highways in March 2019 titled “Bulk Data Sharing & Procedure”.

In July 2019, a parliamentary debate pertaining to “sale of data” by the State was raised because the Government had provided access to databases containing driving license and vehicle registration details to private companies and Government entities and generated revenue out of them.  The two databases of Ministry of Road Transport and Highways named Vahan and Sarathi were under discussion.  These databases contained details such as vehicle owner’s names, registration details, chasis number, engine number, and driving license related particulars of individuals.  These details amount to personal information by which an individual could be identified (“Personal Data”).  

The sale of data was pursuant to a notification released by the Ministry of Road Transport and Highways in March 2019 titled Bulk Data Sharing & Procedure wherein a policy framework on sale of bulk data relating to driving license and vehicle registration was introduced.  Among other things, this writeup discusses whether such sale of Personal Data for revenue generation is acceptable in light of privacy as a fundamental right and the Data Protection Bill 2018? and whether such access constitutes data breach? 


Bulk Data Sharing & Procedure Notification 

The “Bulk Data Sharing & Procedure” notification by the Ministry of Road Transport and Highways states the purpose for which bulk data access would be  provided: 

it is recognized that sharing this data for other purposes, in a controlled manner, can support the transport and automobile industry.  The sharing of data will also help in service improvements and wider benefits to citizens & Government. In addition, it will also benefit the country’s economy”.  

As per the notification, only such entities that qualify the eligibility criteria would be provided access to bulk data.  The eligibility criteria are that an entity should be registered in India with at least 50% Indian ownership, such bulk data should be processed/stored in Servers/Data Centers in India, and the entity should have obtained security pre-audit report from CERT-In empanelled auditor.  The bulk data access would be provided for a price.  

Commercial organizations could have such data for an amount of INR 3 crores and educational institutions could have them for 5 lakhs.  As per the notification, the bulk data will be provided in encrypted form with restricted access.  Such entities would be restricted from any activity that would identify individuals using such data sets.  The entities would be required to follow certain protocols for data loss prevention, access controls, audit logs, security and vulnerability.  Violation of these protocols is punishable under the Information Technology Act, 2000. 

The Ministry of Road Transport and Highways has in accordance with this policy framework provided database access to 87 private companies and 32 government entities for a price of 65 crores resulting in Personal Data of all individuals being accessible to them.  The Data Principal (the individual whose information is in the database) has no knowledge or control over any use or misuse of his/her information.   

In any data protection framework worldwide, the Data Principal’s consent should be sought stating the purpose for which data ought to be used.  It is only pursuant to Data Principal’s consent that any information can be processed.  On the contrary, providing access to Personal Data to third party private companies without any consent of the Data Principal will keep them out of effective control.  This is against the basic principles of data protection. 


Proposed Legislation for Data Protection 

India is on the verge of a new Data Protection Act as the bill is being placed in the Parliament.  The Data Protection Bill, 2018 contains certain provisions to address the above-mentioned issues.  Section 5 of the Data Protection Bill states when personal data can be processed.  Personal Data shall be allowed only for such purposes that are  clear, specific, and lawful.  Section 5 is extracted below: 

  1. Purpose limitation— (1) Personal data shall be processed only for purposes that are clear, specific and lawful. (2) Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.

Moreover, the relevant enactment regulating driving license and vehicle registration i.e. Motor Vehicle Act does not explicitly permit the State to sell or provide third parties access to Personal Data for generation of revenue.  Therefore, there is no clear, specific, or lawful indication of such access in the enactment.  The question arises whether access to bulk Personal Data can be interpreted as an “incidental purpose” that “data principal would reasonably expect”.  The data principal has provided this information only for the purpose of grant of motor vehicle license and vehicle registration.  The Data Principal ought not have expected his/her data to be sold by the Government. 

Section 13 of the Data Protection Bill is also of relevance here because it authorizes the State to process Personal Data for provision of services, benefit or issuance of certification, licenses or permits.  Section 13 is extracted below: 

Section 13 – Processing of personal data for functions of the State. — Personal data may be processed if such processing is necessary for excise of the functions of the State authorised by law for: (a) the provision of any service or benefit to the data principal from the State. (b) the issuance of any certification, license, or permit for any action or activity of the data principal of the State. 


By this section, the State is authorized to use Personal Data for grant of license or permits or to provide any benefit or service.  However, whether the State is authorized to give access to Personal Data to third party private companies is unclear. 

Section 17 of the Data Protection Bill tries to shed some light on this anomaly.  The section states that Personal Data may be processed for “reasonable purposes” after considering if there is any public interest involved in processing the same.  What constitutes reasonable purpose is yet to be specified by the Data Protection Authority to be constituted.  Section 17 is extracted hereunder: 

  1. Processing of data for reasonable purposes. — 

(1) In addition to the grounds for processing contained in section12 to section 16, personal data may be processed if such processing is necessary for such reasonable purposes as may be specified after taking into consideration— 

(a) the interest of the data fiduciary in processing for that purpose; 

(b) whether the data fiduciary can reasonably be expected to obtain the consent of the data principal; 

(c) any public interest in processing for that purpose; 

(d) the effect of the processing activity on the rights of the data principal; and 

(e) the reasonable expectations of the data principal having regard to the context of the processing. 

(2) For the purpose of sub-section (1), the Authority may specify reasonable purposes related to the following activities, including— 

(a) prevention and detection of any unlawful activity including fraud; 

(b) whistle blowing; 

(c) mergers and acquisitions; 

(d) network and information security; 

(e) credit scoring; 

(f) recovery of debt; 

(g) processing of publicly available personal data; 

(3) Where the Authority specifies a reasonable purpose under sub-section (1), it shall: (a) lay down such safeguards as may be appropriate to ensure the protection of the rights of data principals; and (b) determine where the provision of notice under section 8 would not apply having regard to whether such provision would substantially prejudice the relevant reasonable purpose. 


Section 17, therefore, clarifies that when there is any public interest involved, the State may provide access to publicly available personal data to third parties.  This read with Section 13 indicates that State is not required to get the consent of Data Principal in order to provide services and benefits.   


Whether the State has provided access to personal data for public interest or to provide services and benefits? 

The Bulk Data Processing & Procedure notification states that the purpose of providing access of bulk Personal Data is to “support the transport and automobile industry” & “help in service improvements and wider benefits to citizens & Government”.  Supporting the transport and automobile industry and improving services may qualify as public interest, whereas, mere revenue generation will not.  However, there is no clarification from the Government as to how these private companies to whom database access is being provided assist in public interest.  Further, whether all driving license and registration details related data can be classified as publicly available information is again contentious and questionable as the information provided therein is intended to be provided only to license holders & vehicle owners and is partially masked. 

In the event if this Personal Data is not construed as public data or these public companies have been given access to personal data in the absence of any public interest, it would result  in personal data breach by the Government Departments where the head of Department will be held liable as per section 96 of the Data Protection Bill. 

It is quite preposterous to note that on the one hand Data Protection Bill is being tabled in parliament and on the other, the Government is selling Personal Data of the general public for economic gains.  Whether it results in the exploitation of personal and private data on the pretext of public interest without an individual’s consent needs to be ascertained. 

Image Credits:

Photo by Markus Spiske on Unsplash


It is quite preposterous to note that on the one hand Data Protection Bill is being tabled in parliament and on the other, the Government is selling Personal Data of the general public for economic gains.