
Prescriptions and Privacy: The Urgency to Regulate Medical E-Commerce

If online medicine purchases are a necessity for today's consumers, so are strict regulations to protect the privacy of the prescriptions they share with digital pharmacies.
Representative image. Photo: Kaboompics.com/Pexels.

The tantalisingly elusive Digital Personal Data Protection (DPDP) Rules and the much-deferred enforcement of the DPDP Act, 2023 are keeping big businesses and data protection lawyers alike on tenterhooks. In the healthcare sector, however, patient data protection has long been a matter of utmost priority, deeply ingrained into healthcare jurisprudence and regulations.

The solemn duty to maintain confidentiality of patient information is engraved into the age-old Hippocratic Oath: “Whatever in connection with my professional practice, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge as reckoning that all such should be kept secret.”

This sentiment finds reflection in contract law and laws of evidence, where a doctor has a fiduciary relationship with their patient and doctor-patient communications are considered privileged and confidential. The National Medical Commission Act, 2019 (as well as the erstwhile Indian Medical Council Act, 1956) prescribes adherence to a high standard of ethics. The Code of Medical Ethics Regulations, 2002 develops this, stipulating that doctors cannot disclose patient secrets learned in the course of their profession, unless required by law or in public interest.

Gaps in patient confidentiality protections

While a patient’s right to privacy has been codified, primarily as an obligation of doctors, associated entities such as allied and healthcare professionals and nurses are also required, through law or contract, to uphold such rights. Similarly, pharmacists are obligated by law to maintain confidentiality of patient data, including prescription data.

It would be easy to assume, therefore, that health information is well protected. However, there are gaping loopholes that make it easy to breach confidentiality. For instance, the Ethics Code places no obligation on hospitals to maintain patient privacy, nor does the Clinical Establishment (Registration and Regulation) Act, 2010, the standard-setting legislation for hospitals, clinics, diagnostic facilities and nursing homes.


The other major gap in the privacy framework for patients has arisen as a result of technology: E-commerce has grown rapidly in India, facilitating ease of access to not just fast-moving consumer goods, electronics and appliances, but even perishables, including cooked food and groceries. The pharma sector has also entered the quick delivery race, with pharmacies redesigning themselves as online platforms.

The problem for such ‘e-pharmacies’ lies in the regulatory framework: drugs and medical devices can be sold only with a license. However, no law currently regulates the online sale of pharma products. This is in stark contrast with, say, food, where the regulatory authority promptly brought online businesses under its purview and notified a centralised application system for online sales licenses.


It has been argued that the laws governing sales of drugs do not distinguish between online and offline sales and, therefore, e-portals should be considered a regulated activity requiring a license. But several online medicine platforms have argued that they are not “sellers” at all – and many judgements by high courts have followed, often with conflicting views about how online sales of drugs and devices are to be regulated.

Litigation and regulation of e-pharmacies

In Dr Zaheer Ahmed vs. Union of India, on December 12, 2018, the Delhi High Court stopped the online sale of medicines without licences. The court has, since then, been giving the Union government time to frame a policy on the issue. In 2023, it observed that five years was sufficient time for this. Yet no regulation has been issued. As a result, the court is now proceeding with the case.


On December 17, 2018, a single judge bench of the Madras High Court directed online traders not to sell drugs and cosmetics online until the Union government had notified rules for the business. In an appeal against this order filed on 20 December 2018, a Division Bench of the same court permitted online sale of drugs – until the regulations arrived. However, the court clarified that only sellers licensed under the existing laws may sell medicines online.


In all these cases, online portals have primarily argued they are not liable to regulation because they are not the sellers of medicine – but simply a marketplace where other licensed sellers offer products to customers. This argument holds weight, because regulated activities under the drug law regime include selling, stocking and exhibiting, or offering for sale, manufacturing and distributing. Since the online pharma portals do not technically undertake any of these activities, it is possible to argue that they fall outside the purview of regulation.

However, the e-commerce marketplace model is a far more recent development than these laws. Even the proposed amendments to the Drugs and Cosmetics Rules, issued in 2018, intending to regulate the online sale of drugs through e-pharmacies, overlooked the marketplace model while laying out a definition for e-pharmacies.

In August 2018, the Union government issued draft rules to regulate medicine sales through e-pharmacies. While recognising the role of ‘e-pharmacy portals’, these rules did not account for portals operated by third parties who are not the sellers. The draft e-pharmacy rules provide for registration and compliance obligations of e-pharmacies that are recognised as online versions of the entities regulated in their brick and mortar forms – manufacturers, distributors, sellers, stockists and those offering or exhibiting drugs for sale. However, the draft rules do not provide for regulation of marketplace pharma portals.

The Drugs, Medical Devices and Cosmetics Bill, 2022 (Drugs Bill), long pending introduction in parliament, envisages the regulation of online sale of drugs and devices “by any other person on their behalf”. However, it does not detail such regulation, leaving that for subordinate legislation to flesh out. Further, the Drugs Bill has been in abeyance since it was opened to public consultation in August 2018, with no progress.

News reports indicate that its latest draft had a provision to regulate, restrict or ban the online sale of any drugs by notification. This version was reportedly close to being introduced in parliament two years ago, but that never happened.

Absent duty of care

Without regulation under the healthcare law framework, it is easy for online medicine platforms to escape patient confidentiality obligations. The primary objective of licensing is to create compliance mechanisms that ensure patient safety and privacy. Not being licensed under the Drugs and Cosmetics Act or Pharmacy Act, online medicine platforms have no obligations to maintain patient confidentiality.

Many pharma portals collect prescriptions voluntarily, so that sellers on their platform can ensure that drugs are sold only to legitimate patients. What is ignored, however, is that prescriptions are a storehouse of medical information and, without strict confidentiality obligations, e-pharmacies and online pharma portals can easily pass on such information to other commercial interests. For instance, an e-pharmacy can share a prescription with an insurance company and it may use that information to increase a customer’s premium.

Photo: Nick Youngson, Creative Commons.

Existing data protection requirements are limited to seeking consent for sharing and transferring personal information, including sensitive personal information such as medical history and records. But in a standard ‘terms and conditions’ agreement – where a consumer’s only option is to click on “I agree” in order to use a digital service – the nature of consent obtained is highly questionable.

The standard of free, specific, informed, unconditional and unambiguous consent is not only absent from the current data protection regime, but also open to interpretation in the DPDP framework.


Businesses would argue that their terms and conditions for providing services are clearly laid out and consumers who disagree are under no obligation to contract with them. This argument, however, ignores the reality of our times, with smaller families living in a tech-dependent environment – one in which a patient usually has just one caregiver, often unable to leave the patient’s side to visit a pharmacy every time a medicine is required. E-commerce is no longer a luxury but a need.

Healthcare laws oblige regulated entities to perform a duty of care towards patients. While a doctor’s duty of care to a patient is clearly laid out in the fiduciary nature of the relationship, common law has long held that every person should take reasonable care to avoid acts and omissions that may cause harm to persons likely to be closely or directly affected by such acts. This implies a higher burden on contracting parties to ensure that regulated entities, including pharmacists, proactively protect patient confidentiality – not something they can brush aside with a standard-format contract.

Online medicine platforms are distancing themselves from the drug consumer by refusing to be included within the healthcare ecosystem and positioning themselves as mere service providers to sellers. They are avoiding the duty of care they owe to patients.

Guardrails in other regulatory frameworks

As marketplace e-commerce entities, online medicine platforms are obliged under the Consumer Protection (E-commerce) Rules, 2020. However, confidentiality protection (beyond existing data protection requirements) is not included in them. Unlike healthcare laws, which place confidentiality obligations in addition to other regulations, consumer protection laws do not overlap with data protection provisions. Therefore, the existing regulation of e-commerce marketplaces is insufficient to protect patient confidentiality.


The DPDP Act and its Draft Rules, currently under consideration by the Union government, impose incremental obligations for data protection over the existing privacy framework – but even those can be consented away. The DPDP Act exempts the consent requirement for instrumentalities of the state, medical emergencies and other specified circumstances. While such exemptions have a role in specific circumstances – such as treating accident victims – there are no confidentiality obligations to balance the lack of consent. Still, some hope remains in this new law.

The DPDP Act or its Draft Rules indicate that granular consent is required, and a statement by Ashwini Vaishnaw, the Minister of Electronics and Information Technology, in August 2023, in the context of targeted advertisements for adults, indicates that seeking unnecessary consent will be considered illegal. Vaishnaw, speaking to the Hindustan Times, had said, "Anything beyond the consent framework for which a citizen has given data will be illegal. So, there will be big accountability that will come for Big Tech..."


The requirement for consent to be free, specific, informed, unconditional and unambiguous and tied to a specified purpose will hopefully compel businesses – including online medical platforms – to modify their take-it-or-leave-it approach and seek informed clause-by-clause consent.

Beyond standard data protection

Globally, healthcare information has always received a higher degree of protection than other forms of personal data. The Health Insurance Portability and Accountability Act, 1996 (HIPAA), the sectoral privacy law in the United States, obliges e-pharmacies, among others, to maintain confidentiality of prescription data and not seek consent for disclosures of more than the “minimum necessary” data.

However, like the draft e-pharmacy rules and the proposed Drugs Bill, HIPAA does not regulate marketplace e-commerce platforms but only entities that dispense medicine and fill out prescriptions over the internet. Similarly, the European Union regulates only offer for sale and sale of medicines over the internet and not a marketplace model for drugs.

Legal data protection measures are based on the cornerstone of consent. Standard take-it-or-leave-it agreements make it easy for businesses, including hospitals and pharmacies, to make customers accept their information-sharing terms. Such agreements do not leave scope for negotiation, and rarely is a customer allowed to choose terms and conditions they are comfortable with while excusing themselves from the rest.

Most consumers sign up for whatever terms and conditions are set by platforms or apps, simply because they lack any other alternative but to agree. Sectoral regulations matter in this context, for they can make confidentiality obligations mandatory for a regulated entity – whether or not the consumer wishes to.

It is, therefore, essential that online pharmacies and medical marketplaces are regulated with a strict eye towards patient confidentiality, in line with the duty of care the legal framework typically places on all other parts of the healthcare system.

Way forward

The convenience of e-pharmacies camouflages the risks of easy access to sensitive personal data through prescriptions. Once data is uploaded, it can be retained for inordinately long periods, even after a user has deleted their account. The risk of data breaches is particularly concerning in the case of online medicine platforms and e-pharmacies, given the nature of data involved.

While the Draft E-pharmacy Rules proposed to restrict the disclosure of prescription data, they did not oblige marketplace platforms to do so. Moreover, these rules are yet to be notified. The retention of such sensitive data and potential disclosure by e-pharmacies and online pharma platforms pose a serious risk to the privacy and dignity of patients and customers of these platforms.

While data protection norms will provide some protection to patients’ prescription data, in the absence of confidentiality as a compliance obligation, the risk of e-pharmacies obtaining consent for disclosure through fine print will remain a practice of much concern.

Online medical portals must be regulated under healthcare laws that require e-pharmacies and online medical marketplaces to adhere to confidentiality obligations, irrespective of patient consent. The European Union adopted e-pharmacy laws only last year, so India has not missed the bus. It can still work to protect people from their prescription information being overshared and patient confidentiality being breached.

Protiti Roy is a public policy and regulatory affairs lawyer working on healthcare and social development. Raghav Tankha is a lawyer practising in Delhi. The views expressed are personal.

This article went live on November fifth, two thousand twenty five, at thirty minutes past five in the evening.
