The development of medical devices has extended the ability of physicians to diagnose and treat diseases, and has made great contributions to health by improving the quality of life of patients. Generally, medical devices would include any instrument, apparatus, machine, appliance, implant, in vitro reagent or calibrator, software, material or other similar or related article. However, in India, the medical devices employed in internal or external use in the diagnosis, treatment, mitigation or prevention of disease or disorder in human beings or animals are considered to be “drugs” as notified by the central government in its official gazette after consultation with the Drugs Technical Advisory Board. Those medical devices not notified as drugs only require an import or manufacturing license and no quality check system exist for them.

Regulatory framework

At the moment, in India there is no single comprehensive specific law regulating medical devices. The import, manufacturing, sale and distribution of medical devices are regulated under the Drugs and Cosmetics Act, 1940 (“India Act”), the Drugs and Cosmetics Rules, 1945 (“Rules”); and the Central Drugs Standard Control Organization (“CDSCO”). The Ministry of Health and Family Welfare (“Ministry”) is the principal regulator. A draft Bill on “Regulation of Medical Devices” (“the Bill”) has been pending since 2006. Once implemented, it will, perhaps, streamline the medical devices sector. Until such time, one has to refer to multifarious regulations.

With effect from March 1, 2006, the Ministry approved a set of procedures follow for the import as well as manufacture of medical devices in India. The Drugs Technical Advisory Board, which provides technical guidance to CDSCO, proposed certain changes in the Rules, which among others provides a categorization of medical devices into four classes. This classification is based on the risk level, intended use and on adverse effect of the devices on the human body based on the potential risks associated with the technical design and manufacture of these devices. The classes of devices are: (i) Class A: Low risk devices and equipment such as thermometers and tongue depressors; (ii) Class B: Low to moderate risk devices including hypodermic needles and suction equipment; (iii) Class C: Moderate to high risk equipment like lung ventilators and bone fixation plates; and (iv) Class D: High risk devices such as heart valves and implantable defibrillators. The regulatory control becomes stringent with each progressive class and the conformity assessments are proportionate to device classification.

Import of medical devices

Presently, the import of medical devices is largely unregulated and medical devices can be freely imported into India. The purchaser (whether it is a government hospital, a private hospital or a doctor) evaluates the quality of the product being purchased. Normally, the U.S. Food and Drug Authority (“FDA”) and the European Conformite Europeenne (“CE”) approved products are preferred because of their better quality and performance. It is necessary to follow the procedures for registering and obtaining a license as laid down under the Rules. Import licenses are conditional and granted for a period of three years. Breach of any of the stipulated conditions may lead to the cancellation of the license.

To be registered in India, the imported device must be approved for sale in the manufacturer’s country of origin. If the device has already received approval from an agency abroad, such as, the U.S. FDA, evidence of such approval must be provided along with a copy of quality standard ISO/EN certification which assesses the quality and risk of the devices manufacturing facility. Medical devices with prior approval from any of the recognized regulatory authorities, like FDA and CE are subjected to an abridged evaluation in India.

If a device is not approved for marketing in the country of origin, the importer has to submit additional evidence such as reports of clinical trials, details of sales, certificates of satisfactory use from medical specialists about the use of the device and details of product complaints, if any. If a device incorporates a medicinal product, which is likely to act upon the body in conjunction with the device, it is pertinent to provide relevant data on the safety, quality, and usefulness of the medicinal substance used along with data on compatibility with medicinal products, clinical data and published articles, if any. 

The manufacturer must also have complied with product standards and home country quality control requirements. The manufacturer of the devices, the importer or his agent must file an application to obtain a registration certificate with respect to the premises where the devices are manufactured and with regard to the devices. The product information and the undertakings with respect to product standards, safety and effectiveness requirements and quality systems in the country of origin are necessary to be furnished. Crucially, a brief description of the device, its intended use and method of use, medicals specialty in which the device is used, the qualitative and quantitative particulars of the constituents, device master file with details of the manufacturing process/flow chart and the component/material used and risk assessment as per ISO 14971 are necessary to be provided. Once a medical device reaches the market in India, the manufacturer has to adhere to requirements of post-marketing surveillance (“PMS”) norms to systematically monitor the performance of the device. PMS involves procedures for maintenance of records, complaint handling, adverse incident reporting and procedures for product recall.

Manufacture of medical devices

The manufacture of medical devices in India requires a license from the government. An application for the license is made with a brief description of the manufacturing process, details of the manufacturing standards and “best practices” \ that will be followed by the company, as well as product evaluation, , standards, and procedures for testing the device. The Rules prescribed in Schedule M-III list mandatory “good manufacturing practices” that manufacturing companies must follow. The law provides that any manufacturing can be done under the direction and supervision of only a whole-time employee of the manufacturer and who is qualified to do so. India has several stringent industrial and labor laws that make the occupier of the manufacturing plant, responsible for any breach in compliance. The occupier is generally the managing director of the company that runs the manufacturing unit or a director on the board of directors and can be fined up to INR 0.2 million or imprisoned up to two years for any non compliance.

As proposed under the Bill, the regulatory authority sets up an expert committee to consider proposals and evaluate medical devices that do not have any benchmark certification. The committee after completing its assessment forwards its opinion regarding suitability of the device to the competent licensing authority which can grant of permission for the device to be launched in the market. The licensing authority after joint inspection and verification forwards the license to Central License Approving Authority (“CLAA “) for approval. The license is finally issued in form 28 of the Rules after due approval of CLAA. The stockist and retail sellers of medical devices are also required to obtain sales licenses from the respective state licensing authorities for medical devices.

Clinical investigations

At present, clinical trial studies are not regulated in India. However, a set of good clinical practices guidelines laid down by the CDSCO govern clinical trials and specify the responsibilities, inter alia, of sponsors, investigators, and ethics committees. In 2010, CDSCO released a guidance document on the requirements for conducting clinical trials of medical devices in India (“Guidance”). It is necessary to file an application with the CDSCO before conducting the study and the application should indicate the precise intent of the application (e.g. whether the application is for a feasibility study or a safety and efficacy study, or a post market study). The entity sponsoring the study must also submit a declaration on its letterhead prescribing the extent of delegation of responsibilities to an individual who is appointed as the Principle Investigator. It is also necessary to provide the global regulatory status of the device (particularly when 5 Global Harmonization Task Force (“GHTF “) countries i.e. U.S.A., Australia, Japan, Canada and European Union are involved) along with detailed technical data.

Though the document is still non-binding, it provides sufficient procedural information regarding the method to all stakeholders.

Medical devices: Quality standards

According to the Guidance, all medical devices sold in this country should carry the ICAC mark (Indian Conformity Assessment Certificate) to indicate their conformity with the provisions of the schedule of the Guidance to enable them to move freely within the country. CLAA adopts and recognizes quality standard BIS 15575 or its revisions and quality standard ISO 13485 in respect of the specifications to be followed for quality for the manufacturer to demonstrate conformity with the relevant regulatory requirements. Any reference to the harmonized standards includes the monographs of the Indian pharmacopoeia and U.S., EU pharmacopoeia wherever applicable, notably on surgical sutures and on combination of pharmaceutical and devices.

It is necessary that the labels on the packaging material for medical devices comply with the relevant ISO standards. It is also necessary to denote internationally accepted symbols regarding sterilization, single use etc, as per ISO 15223-1:2007. When medical devices are sold in bulk the packaging material of individual devices do not have to bear the date of manufacture, which must appear on the bulk packaging material.

In light of the growing usage of medical devices, stringent regulatory standards are essential to ensure that the devices are tested, safe and with minimum adverse reactions. Standards regarding safety, risk elements, effectiveness, efficiency and performance of the medical devices need to be well established. It will be interesting to see how the regulatory scenario changes if and when the Bill is enacted into law. Apart from the Bill, there are different proposals for regulating India’s medical devices sector by different regulatory bodies, like amending the India Act and Rules proposed by the Ministry. The intergovernmental dispute is a cause for concern and confusion for India’s medical devices industry.

Neeraj Dubey is a principal senior associate and commercial lawyer with PSA Legal Counselors. He heads the Food & Pharma and IPR practice areas of his firm. He may be contacted at n.dubey@psalegal.com.

By Neeraj Dubey

India has long been a highly popular destination for visitors from around the globe, and growth in the travel & tourism sector has been steadily increasing. But with all due respect to the heritage attractions of the country, the increase is attributable, in large part, to the increasing attraction of medical tourism. India has built hospitals with cutting edge medical technology, and boasts of physicians educated in the finest medical schools in the world. Medical procedures and hospital admissions cost a fraction of that in the U.S. Information about a patient can be sent in milliseconds from the patient’s home caregiver to the facilities in India, and back again when the procedure has been completed. Doctors on opposite sides of the globe can consult over the Internet or email in real time, sometimes even during surgery.

But what happens to that information in transit and in the offices of the physicians and hospitals?

Medical records are increasingly created, transmitted and stored in electronic formats. Recent media reports of personal data breaches, many from distinguished medical centers such as Stanford and University of California Los Angeles (“UCLA”), can serve to reduce trust in electronic medical record systems and, by extension, the caregivers themselves. This was not such a looming concern in the word of paper records but in the digital age, where information can be stolen, accessed or lost in milliseconds, and where identity theft is a constant shadow, the development of medical tourism may well be linked to the means by which patients’ health information – the most sensitive of personal data – is appropriately safeguarded through laws, and information management practices of India and the U.S.

Given these concerns about the security of their health information, a threshold question may arise as to why people would rush to India, a country in which information protection is still in an evolutionary state, for treatment. One simple reason is that medical treatment package prices in India are 35% to 40% less than the total treatment cost in U.S. or U.K. According to the Indian industry association, Associated Chambers of Commerce and Industry (“ASSOCHAM”), medical tourism industry is a growing sector in India. The medical tourism industry in India, which is currently poised at around Rs. 4,500 crore is likely to be worth Rs. 10,800 crore by 2015. The cost of certain surgical procedures is one-tenth of what it is in the U.S. and Western Europe and sometimes even lesser. According to a survey report conducted by Wockhardt Hospitals, the number of “outsourced patients” has nearly doubled in the last few years. No wonder: one of the patients of Wockhardt has said that his surgery cost him $11,000, a bargain-basement price that was a quarter of what hospitals in North Carolina were quoting. With the debate raging over health care reform, growing numbers of Americans aren’t waiting for Washington: they are, in effect, outsourcing their own medical care to India.

Yet, there are very few studies on the management of patient medical information, between India and the U.S. The absence of an internationally agreed definition of medical tourism, and of a common methodology for data collection, is one of the main reasons for the paucity of such data. It is possible, though, to compare the schemes for protection of the confidentiality and security of medical information in the U.S. and India, and in so doing ascertain potential effects of the distinctions in medical confidentiality on the future growth of Indian medical tourism.

Privacy of Medical Information in the United States

A physician or medical center that sends patient information to caregivers in India must do so in a manner that complies with applicable law, and must safeguard any such information received from India with regard to their patients. Privacy law in the U.S. healthcare system is defined by the basic law for healthcare confidentiality, the Health Information Portability and Accountability Act of 1996 (“HIPAA”). HIPAA is most widely known for its regulations governing medical confidentiality, the HIPAA Privacy Rule and the HIPAA Security Rule. The former comprises of more than 800 pages of standards and requirements that, distilled to their essence, require the caregiver to implement practices to assure that patient-identifiable health information is not disclosed to anyone without authorization of the patient, except for uses of that information that concern treatment, payment or operations of the particular caregiver, and other derogations. In this way, HIPAA greatly resembles the privacy scheme of the European Union in Privacy Directives EC 94/46. The HIPAA Security Rule, which is far shorter, was promulgated to enable privacy in the age of digital medical records. Its standards require physical, technical and administrative (policy and procedure) safeguards for uses, disclosures and storage of electronic medical information. Examples of such safeguards include encryption of patient-identifiable information in storage and transit; access controls, including passwords or biometrics; and due diligence in the selection of business associates who may access that information or to whom it is disclosed. The Privacy and Security Rules are enforced by the Office For Civil Rights of the U.S. Department of Health and Human Services (“DHHS”), which has the authority, after appropriate administrative proceedings, to levy fines of up to $1,000,000 USD per violation. It recently has imposed a number of monetary sanctions, and has begun a program of “spot” (surprise) audits of medical facilities.

HIPAA was supplemented and strengthened in 2009 by the HITECH Act (Health Information Technology for Economic and Clinical Health), which became effective in February, 2010. HITECH sets forth requirements for responses to data breaches, including notification to affected patients. If the breach comprises more than five hundred patients, the entity is required to also notify the media and the Secretary of DHHS. HITECH also gave states attorneys general jurisdictions to bring proceedings for HIPAA violations if DHHS declines to do so. The HITECH Act extends the reach of HIPAA to “Business Associates,” such as law firms, consulting firms and outsourced medical records and billing entities in the U.S. and, significantly, it also provides a basis for liability to healthcare providers if they fail to exercise due diligence in selecting Business Associates who then breach patient confidentiality through data breaches.

HIPAA is a minimum standard for the security and privacy of medical information. U.S. states may impose stricter requirements that HIPAA and many have done so (these include California, Massachusetts, North Carolina and New York, among others).

Medical Information Privacy in India

Protections for medical information in India may be found in the Constitution and two legislative Acts. The key to whether this network of provisions can provide sufficient protection to assure U.S. patients of confidentiality, however, depends upon the rigor of enforcement.

India has a strong network of provisions that cover medical information privacy. Article 21 of Constitution of India, 1950 states that “No person shall be deprived of his life or personal liberty except according to procedure established by law.” The Right to Privacy has been read into this Section, as an integral part of the fundamental right to live life with dignity. Courts in India have held that the Right of Privacy may, apart from contract, also arise out of a particular specific relationship that may be commercial, matrimonial, or even political. A doctor-patient relationship is considered fiduciary in nature, but is also professionally a matter of confidence. Therefore, doctors are morally and ethically bound to maintain confidentiality. In such a situation, public disclosure of even true private facts may amount to an invasion of the Right of Privacy, which may sometimes lead to the clash of one person’s right to be let alone” with another person’s right to be informed.

The Right to Privacy is an essential component of right to life envisaged by Article 21. The right however, is not absolute. It may be lawfully restricted for the prevention of crime, disorder or protection of health or morals or protection of rights and freedom of others, as in the case of Mr. X v. Hospital Z [(1998) 8 SCC 296], wherein the apex court of India held that the hospital owes a ‘duty of care’ to disclose the HIV positive condition of the patient to the person he was likely to be married to. Such disclosure was held to be a ‘reasonable restriction’ on the right to privacy of the patient.

Apart from the essential fundamental right to privacy granted to citizens under the Constitution of India, specific protections have been granted to information relating to medical history, records, biometric information, physical and mental condition etc. under two important enactments, namely, the Indian Medical Council Act, 1956 and the Information Technology Act, 2000 and the rules formulated thereunder, as detailed hereafter.

The Indian Medical Council Act, 1956

Regulations 2.2 and 7.14 framed under the Indian Medical Council Act hold that information about a patient’s ailment cannot be disclosed without patient consent.

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Privacy Rules”)

These Rules have been formulated under the Information Technology Act, 2000, and are the first of its kind in relation to data protection and privacy in India.

Rule 3 provides an inclusive definition of ”Sensitive Personal Data or Information.” It states that sensitive personal data or information includes, amongst other things, “(c) Physical, physiological and mental health condition, (d) Sexual orientation, (e) Medical records and History, (f) Biometric information, (g) any details relating to above clauses as provided to body corporate for providing service and (h) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.”

Rule 6 sets forth that disclosure of sensitive personal data or information by a body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation.

Rule 8 requires “Reasonable Security Practices and Procedures” to be maintained by bodies corporate. A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies. The Rule provides that the International Standard IS/ISO/IEC 27001 on Information Security is one such standard that may be followed by bodies corporate. If a body corporate chooses its own standards of self-regulation, it is required to get its codes of best practices duly approved and notified by the Central Government for effective implementation.

Information Technology Act, 2000 (“IT Act”)

Section 43 A of the IT Act permits “Compensation for failure to protect data.” Where a body corporate is negligent in implementing and maintaining reasonable security practices and procedures regarding sensitive personal data and thereby causes wrongful loss or wrongful gain to any person, it shall be liable to pay damages by way of compensation to the person so effected. However, this must be read with the Privacy Rules, which provide that a body corporate or person on its behalf, who has implemented ‘reasonable security standards and procedures’ as prescribed under Rule 8 above, shall be deemed to have complied with the expected duty of care under the IT Act.

Section 66 E of the IT Act prescribes punishment for violation of privacy”. It states that whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person shall be punished with imprisonment, which may extend to three years or with fine not exceeding Rs. 2,00,000, or with both.

Section 72 of the Information Technology Act, 2000 lays down the penalty for breach of confidentiality and privacy, as imprisonment for a term which may extend to two years, or fine which may extend to Rs. 1,00,000, or with both.

Section 72 A of the Information Technology Act, 2000 lays down the punishment for disclosure of information in breach of lawful contract, and provides for penalties for intentional unauthorized access to personal information of another.

Although there may have been numerous civil and criminal proceedings initiated against the violators of the IT Act, enforcement of these provisions may still be characterized as “work in progress.” The legislature has created various statutory bodies/courts to try matters related to the IT Act, but it is underutilized. Breaches under the Privacy Rules have not been reported, consequently giving rise to a lack of jurisprudential data on the efficacy of enforcement. Accordingly, patients may take little comfort from the presence of a robust legislative mechanism to enforce the IT Act and Privacy Rules until there is evidence of specific proceedings to enforce the Privacy Rules.

India has various statutes, rules and regulations that govern and regulate the protection of personal data, information, and privacy of individuals, and. the Constitution of India has been read to include a ‘right to privacy’ as a part of the fundamental right to life of individuals,, But it is the enforcement of these laws that will eventually determine whether medical tourism “consumers” will retain sufficient confidence in the privacy of their medical information transmitted between India and the U.S. to fuel the growth of the medical tourism industry.

Kenneth N. Rashbaum, Esq., is Principal of Rashbaum Associates, LLC, in New York (www.rashbaumassociates.com). He focuses his practice on information governance and data protection compliance for multinational corporations and healthcare providers. A counselor, litigator and trial lawyer with over twenty-five years experience in representation of life sciences entities, Ken is an active member of the American Bar Association Section of International Law, and writes and speaks extensively on international data protection and data privacy issues. He can be contacted at krashbaum@rashbaumassociates.com

Sajai Singh is a Partner with J. Sagar Associates (JSA), a full service corporate law firm in India. As a head of the Technology Practice of JSA, he focuses on emerging technologies, business process outsourcing and biotechnology. He also undertakes transactional work with a focus on representing emerging technology companies in areas of inbound investments in India, venture capital investments, joint ventures, strategic alliances, mergers and acquisitions. He can be contacted at sajai@jsalaw.com.

By Kenneth N. Rashbaum and Sajai Singh