Why telemedicine and health tech providers need to improve their regulatory preparedness

The COVID-19 pandemic has put telemedicine and health tech in the spotlight. This has opened up avenues of care, spurred innovation and investments in these segments as well as ushered newer operating models. But, along with growth prospects, there are challenges too in the current ecosystem. So, Jitesh Agarwal, Founder, Treelife recommends measures that telehealth and health tech companies should take to improve their preparedness to navigate the new normal and avoid pitfalls, especially legal, as they try to tap into emerging trends and capitalise opportunities  

The focus on telehealth has intensified since the outbreak of the COVID-19 pandemic. Tell us how prepared are start-ups, companies in this space to capitalise the opportunities that this crisis has created for them?

Telemedicine has been around in India since the early 1990s. However, only because of the effects of the COVID-19 pandemic are we noticing mass adoption of this model of providing medical care. The publishing of the Telemedicine Practice Guidelines is another major reason why this form of medical practice has witnessed a surge and is the reason that telemedicine practice will stay. In effect, the Guidelines have made the practice of text/audio/video-based medical care legal and regulated, and thus have given platforms (apps and websites alike) as well as doctors the standards to adhere.

Start-up companies in the telemedicine space are the ones who facilitate, i.e. provide a platform for telemedicine. For these companies, being prepared means adhering to two things: a) regulatory preparedness and b) competitive preparedness.

Regulatory preparedness: It would come from compliance with the IT Act, 2000 (as it is the standard data protection legislation in India at present), the Drugs and Cosmetics Act and Rules, and the MCI Act and Rules and Code, primarily. From our estimate, the more diverse the telemedicine offering of a company is, the more they are prepared to tackle the situation. Essentially, the diversity here means the bundling of a telemedicine service offering along with other health tech or healthcare service offerings. For example, if a start-up plans to offer and add a telemedicine software, to its already existing offerings which involves software for healthcare CRMs, clinical software and patient management systems, and does not have an interface that requires such start-up to deal directly with consumers, the regulatory preparedness would be greater. Compare this to a start-up that is just getting into the telemedicine space and because of its business model will be handling more data on its own but may not be as regulatory prepared even though it should be, ideally. This could be a drawback of telemedicine in India where everyone is clamouring to provide this service.

Competitive preparedness: It is a result of being more strategically aware in terms of business. In a way, tier I and II cities, already have a robust telemedicine offering. As this space becomes more mature, it will be tougher for newer entrants to simply be a telemedicine offering. They would need to strategise to create a value proposition, and something along the lines of diversity as specified above could be a starting point. Moreover, in tier I cities, medical professionals are already beginning to limit the number of telemedicine platforms they sign on to. This may create a supply problem for telemedicine platforms as well, as there are only so many platforms on which medical professionals can provide their advice.

What are the measures that India’s health tech industry needs to implement for tapping into the emerging trends, capturing new markets and serving evolving consumer needs?

To ensure that the Indian healthcare ecosystem does not miss out on the current wave, a few things should be worked around:

Promote research: The Indian ecosystem does not support research. This is evidenced by the lack of intellectual property protections that medical inventions have in India. With the onset of PE money/backing into the health tech industry, there is a chance that research, innovation and invention are not fostered on a larger scale in India, and instead, our tech solutions mirror the ones used outside the country. The GoI would need to give this a push, not only through a policy level but through monetary support as well. In January this year, Microsoft launched a $40 million fund to focus on ‘accelerating medical research’, ‘increasing the shared understanding of mortality and longevity’ and ‘reducing health inequity’. These philanthropic efforts need to be mirrored by way of government policy as well. Spending on healthcare in India, including both public and private spend is only 3.6 per cent of the GDP, as compared to 16.9 per cent in the US.

Adopt EHRs: For health tech to grow, the solutions provided need to work for the Indian population and solve issues specific to India. Such solutions would only be able to grow once they have an actionable set of data to work from. Electronic health records (EHR) present a great opportunity to increase patient visibility and decrease patient recruitment time

Bring in standardisation across healthcare records: Standards for healthcare data need to be defined and implemented because different codes exist for storage of medical data across hospitals, pharmacies, diagnostic labs etc. Without standardisation, there is bound to be chaos in case of data records’ portability

Health data needs to be understood as India’s prized possession, and should be regulated differently: The IT Act, 2000 is hardly a standard to protect health data of patients. India up till 2018 (at least) was pondering a separate bill for digital health data of patients. This seems to have been subsumed under the PDP Bill, 2019. For a plethora of reasons, the healthcare sector needs legislation which is healthcare specific, as far as data protection is concerned. While regulatory sandboxing is a novel concept under the PDP Bill, there is no implied bar from government exemptions on it, i.e. the government will have the power to access data, or use data in a manner beneficial to it, or to its schemes, irrespective of the benefits provided to a company from strict adherence to the provisions of the PDP Bill.

Is the demand for remote monitoring solutions and non-contact technologies for patient care just a by-product of the health crisis or are we likely to see the influence of these technologies in the healthcare sector long after the pandemic ends? If yes, why?

Yes, remote monitoring solutions are here to stay, after the pandemic ends. Health tech start-ups have already used the opportunity presented by the pandemic to offer solutions that are convenient for the average city-dwelling customer/patient in India. Telemedicine is one, m-tech through IoT devices and/or wearables technology is another. In fact, there are companies that are using these solutions and packaging them as their unique solutions creating an environment that permits efficient access to health monitoring for patients.

Convenience to customers is one reason. The fact that PE/VC has recognised this is another. There is expected to be a significant inflow of investor money into this space, and where investor money goes, process standardisation follows. Once health care provides start providing standardised solutions to patients, patients will know what to expect, and the ecosystem as a knock-on effect of the same will become more dependable – and this is what PE/VC money will be counting on.

Which are the new areas where health tech must focus on to build new capabilities? Which will be the most viable segments that will draw investors? Why?

The Indian healthcare ecosystem should build upon key focus areas such as standardising pharma supply chains and delivery, including for e-pharma. Drug/medication delivery to patients needs to be more standardised, regularised and the scope of the same should be extended to beyond tier I and II cities.

There needs to be standardisation of health data across India. Niti Aayog’s National Health Stack push is already being implemented to an extent. Companies have already won bids to create a national health exchange which shall permit controlled transfer and sharing of health data. Moreover, institutions such as iSpirit, have taken it upon themselves to foster collaboration in the space of creating open-source APIs for the handling of health data, including the creation of an ecosystem of permissions for access to patient-related health data. Of course, for a countrywide adoption, a lot of work needs to be done.

Another focus area should be digital research. Advances in AI and ML, and deep learning have provided us with the tools to interpret data. Today, we can simulate how cells – and even complex organs like the heart – may respond to drug treatment. If data creation, generation and storage are standardised (as mentioned above), it will lead to greater data availability and insight generation capabilities. This could benefit, inter alia, processes involved in in-vitro testing. Computational results can inform in vitro research for a faster, more targeted, drug discovery approach.

Clinical trials help to assess the efficacy and safety of drug candidates. The lengthy, high-risk and expensive process of drug discovery and development can take a total of 10 to 15 years. Digitising clinical trials will validate better drugs, faster. The reduction of this timeframe will deliver life-enhancing medications faster to patients in need. There is a need to improve clinical trial efficiency. There are several pain points in the research and development process that technology can address. Together with the establishment of EHRs, clinical trials, once digitised, may also be paired up with the existing technology of wearable tech and virtual care. This would help with the creation of more efficient drugs for treating underlying medical conditions.

Along with opportunities, there could be pitfalls too, especially legal. What are they likely to be and how can companies safeguard themselves against them?

Companies providing different technologies and different product/service offerings will require to have different safeguards in place.

From a telemedicine perspective, platforms/tech providers would need to ensure compliance with laws surrounding not only data privacy, but also laws that govern the medical profession, pharmacies and telemarketing. The compliance and liability burden would depend on the kind of service offering made by the telemedicine platform providers. Are they merely providing a mode of connection between the patient and medical profession or are they going beyond that? Even then, there will not be a one size fits all solution to meet the regulatory requirements.

With the evolution of the medical device regime in India, companies that provide medical devices are going to be more heavily regulated. All kinds of devices offering some kind of benefit (whether assistive, operative or invasive) are now regulated as medical devices. More importantly, and rather ambiguously, the government has chosen to regulate software as medical devices – without providing a determination as to what software is sought to be regulated, thus leaving that door open. Read with the drug pricing regulation in India, which permits caps on the prices of all medical devices as well, and this may hamper the growth and deployment of novel and India-centric software solutions to treat medical conditions and conduct medical research. Moreover, from next year, i.e. October 2021, all stakeholders within the medical device supply chain will need to be amenable to a lot more compulsory regulation by way of registrations as well as for applying and acquiring licenses. This will lead to a cost-to-benefit analysis for the deployment of medical technology, and this should certainly not be the way to promote evolution in this sector.

One of the most immediate changes that health tech companies may need to be prepared for is the cost of compliance – with the Personal Data Protection (PDP) Bill 2019. As of the current interpretation of the text of the PDP Bill, 2019 (which effectively can get signed into law at any time) there is no period provided to affected companies to comply with the data protection measures in the Bill. The requirement of having a privacy-by-design system in place means that for a lot of companies the cost of compliance will go up as they would have to upgrade/overhaul their data protection systems and software. This change would be akin to the one experienced by European companies when they needed to comply with the General Data Protection Regulation (GDPR), but at least, in that case, there was a period prescribed within which companies were permitted to overhaul their security systems.

Along with the changes mentioned above, generally, companies in the health tech space would need to be aware of the changes in the laws and regulations that govern this sector. It is anticipated because of the overhaul needed within the system, combined with the lack of innovation and regulation in the past (most of the regulation we are seeing now has come about as a response to COVID-19), will lead to a situation where regulations and policies will need to be chopped and changed as the eco-system matures.

Data security will be one of the biggest challenges in times of telemedicine and digital healthcare. How can companies ensure the privacy of their data to protect their patients and uphold their credibility?

The short answer is complying with the data privacy law of India, as is present at a particular point in time.

If the compliance is under the IT Act, 2000, the deployment of the IS/ISO/IEC 27001 on ‘Information Technology – Security Techniques – Information Security Management System – Requirements’ standard is a compliance requirement, along with the principles espoused under the IT Act and Rules for protecting and sharing data.

If we are to move under the PDP regime, the changes proposed to India’s date protection ecosystem are revolutionary and would require a greater level of compliance. Some of these are: the principles of accountability by the company to the user whose data is being used; providing the right to data erasure; facilitating data audits and data protection impact assessments, and most of all ensuring localised (i.e. in India) data storage.

The best way for companies to protect data would be to (and this is not only from a cost-saving perspective though that should also be considered) streamline their processes, and have a holistic business plan in terms of service offerings, scaling and tie-ups/partnerships. By way of an example, if a hospital is looking to optimise its process or improve upon their offerings, any method employed to do the same should be viewed from a data protection impact assessment angle. In the due diligence that is being done by the hospital, policies surrounding data protection of its partners and potential partners needs to be done so that there is an alignment of the same. The objective is that there must be harmony between the processes involved. A failure to achieve such harmony may lead to increased costs, penalties, liabilities and also a loss of credibility, including a potential loss to data of its patients.

lakshmipriya.nair@expressindia.com

laxmipriyanair@gmail.com 

COVID-19COVID-19 druge-pharmaInformation Security Management SystemInformation TechnologyPE moneyPersonal Data Protection (PDP) Billstart-uptelemedicineTelemedicine guildlines
Comments (0)
Add Comment