INTRODUCTION

Digital health- A broad umbrella term encompassing e-health as well as emerging areas such as using
advanced computing sciences in big data genomics and artificial intelligence – world health organization

India, the world’s largest demography is progressing in its initiatives to create national digital health
ecosystem that supports universal health cover. In its stride to achieve this mission and SDG 3 it has
taken a giant leap, using digital platform and AI in healthcare sector. Despite having high visions it also
faces issues in the legal phase in regards with privacy, accountability, certification, intellectual property,
discrimination, cyber threats, question of informed consent etcetera. In this article we will discuss about
the existing legal framework to regulate digital health its shortcomings and the way forward.

DIGITALIZATION AND AI IN HEALTHCARE SECTOR OF INDIA

Since the launch of digital India mission on 1st July 2015, digitalization of health care sector is also
advancing with the deployment of e-hospitals, online registration service, e-rakt kosh, e-bloodbank,
COWIN app, e-Sanjeevani, Arogya setu, Ayushman Bharath Digital mission(ABDM), SeHAT etcetera. They
are used in tele-consultataion of doctors, maintain personal health records(PHR), access to online lab
reports, know upcoming appointments with doctors.

Digitalization goes hand-in-hand with AI. They are used in hospital management systems. It has been
tested on pathology, used in radiology and imaging in AIIMS.

As a part of the vision of digital health in India, it also affirms to ensure security, confidentiality, and
privacy of health related personal information. Here the legal aspect comes into play ;and lets delve into
it.

LEGAL GENERE IN DIGITAL HEALTH CARE AND AI

The drug and cosmetics act,1940 regulates the import, manufacture, distribution and sale of
drugs and cosmetics in india .As digital healthcare and artificial intelligence was availed in a
larger rate ,MoHFW brought in some amendments to the medical devices rules. And hence as
per notification dated 11.02.2020 all medical devices are drugs according to medical devices
(ammendment rules), 2020.Thus, drug in this act includes all medical devices under section
3(b)(iv). The central licensing authority will enforce rules in matters related to
import ,manufacture , registration, test license etcetera; this also comprises regulations for
manufufacture, import, registration, of all classes of medical devices. section 8 pf d and c act
speaks about the standards of quality where the medical devices rules(2020) demands MD to
conform to standards laid down by bureau of Indian standards and in case of no relevant
standards MD should conform to ISO standards . Hence all MD imported should comply with
these standards
 License is mandated under section 18(c). If any MD is without valid license, then it shall be
punished for three to five years and fine which shall be imposed not less than 1 lakh rupees
under section 27(b)(ii). Central government can regulate restrict or prohibit manufacture sale
and distribution of MD that deems fit as under section 26A. Persons acting in contravention to
section 26(A) will be imposed with imprisonment which may extend upto three yearsanyears
and will be liable to pay fine which may extend to 5000 rupees.

the most recent legal development that regulates digitalized healthcare sector is the digital
personal data protection act,2023. This act touches the core need of PHI's, SDPI's or any
personal data; which is informed consent and privacy.In accordance with IT (reasonable
security practices and procedures and SPDI) rules; physical, physiological and mental health
conditions, medical records and history ate considered to be SPDI under rule 3. section 5 of
dpdp act mandates informed consent where the data principal is informed about all the
conditions for receiving the information.section 6(1) of DPDP act demands consent which
should be free, specific informed unconditional and unambiguous with a clear affirmative
action. the data principal has the right to withdraw the consent given under section 6(4). when
personal health data in regards with the child or person with disability is obtained consent is
mandated from the parent or lawful guardian under section 9. when there is a personal data
breach the data fidiciuciary shall give the data protection board and the data principal
intimation regarding the breach under section 8(6). In case if the data fiduciary fails to notify
the DPB regarding the breach it will be imposed with a fine of 200 crore under section 33.

This act also provides provisions for a clear adjudicating authority, where the DPB will be a civil
court with original jurisdiction under section 27 and 28. Any appeal will be yaketaken to TDSAT
under section 29 and firurther appreal will nbe ytaken to supreme court of India under section
14 of TRAI act. chapter 3 provides rights to access information,vcorrecti correction, updation,
erasure etcetera. it also binds the data fiduciary to take reasonable security measures to
prevent data breach and hence softwares and AI algorithms should be of privacy by design
models.

as ICT took a substantial role in patients healthcare services they pose new risk to security and
privacy of information and hence in 2016 the MoHWF established the EHR standards which
ensured protection, privacy, and presevarvation of PHI.In 2017 DOSHA act was proposed by
MoHFW,but it was not implemented ..it addressed key issues related to data privacy and
consent in healthcare.It also established National E-health authority and State E-health
authority.

Later in July 2018 NITI Aayog proposed NHS to create digital health records for all citizwns.then
in julJuly 2019 it came up with NDHB which is to manage core digital health data and
infrastructure required.later NDHM established were the strategy overviewhad statements
 which affirmed development of NHP in accordance with PDP Bill,2019. under the health data
legal framework it stated that health records are digitally signed equivalent to paper record. in
IT act and can be used in medico legal cases.

while the dpdp act deals with privacy and informed consent the Information Technology
act,2000 deals with security of the data. Here if the body corporate is negligent in
implementing and maintaining the reasonable security practices and procedures and if it
causes wrongful gain or loss to any person then the body corporate will be liable to pay
damages in the way of compensation.Thence if there any security breach of data in digital
health sector the body corporate will be liable under section 43A of IT act. When dpdp act is
enforced it will amend IT act where section 43A of ITact will be omitted

section 2(w) of ITact,2000 says who is an intermediary and section 79 gives exemption for
intermediaries under certain conditions.Therefore if any intermediary handling data's vizs-a-vis
health or medical records and acts with due diligence, doesn't initiate the transmission of
health information or doesn't modify the information, or limits itself by providing access to
health data's made available by third parties to transmit, temporarily store or health
information then the intermediary will not be liable.This section was uohepheld in the case of
Shreya singhal v Union of India

IT Rules,2021 points out the rules to be followed by intermediaries and permits them to
terminate the access in case of misuse. It also seeks to take reasonable security practices as in
IT rules 2011. It guides those who collect health or medical information to provide privacy
policies.It also mandatescosent and more precisely informed consent and it also allows the data
principal to withdraw the consent given.

SHORTCOMINGS

though the present laws regulate digitalization of healthcare, there are some grey area which
should be addressed. The" right to be forgotten " should be given access through a law.this
right was recognised in the case of jorawar singh mundy v Union of India.