By Sanjay Kumar
Currently, the Drugs Controller General of India (DCGI), under the Drugs & Cosmetics (D&C) Act, 1940 and Medical Device Rules (MDR), is not regulating medical mobile apps that could be brought within the purview of medical devices.
However, in view of the surge in mobile medical applications and the scope of their capabilities, including the threat to Electronic Health Records (EHRs) and individuals, the Ministry of Health and Family Welfare has been facilitating the implementation of standards in India in terms of the maintenance of such EHR while it is engaged in fine-tuning the drafts regulating the applications in their entirety.
A collaborative effort by healthcare leaders and providers, supported by the government, will go a long way in leveraging mobile technology to make the much-needed improvement in India’s health ecosystem.
The US Food and Drug Administration (FDA) distinguishes between a mobile app and a medical mobile app. In terms of the policy, a Mobile App is defined to mean a “software that can be run on a mobile platform or a web-based software application that is tailored to a mobile platform but is executed on a server”; whereas a Mobile Medical App is defined to mean “an app that meets the definition of device [in the FDCA] and is intended either (1) to be used as an accessory to a regulated medical device; or (2) to transform a mobile platform into a regulated medical device.” Any app that acts as an extension of one or more medical devices by connecting to such device(s) for controlling the device, or for use in active patient monitoring, or analyzing medical device data is regulated by the FDA. Thus, the FDA draws a distinct scope of what may constitute a mobile medical app, given that its intention is not to regulate a mobile platform that may host MMAs.
Entities that distribute MMAs (e.g., app stores like iTunes, Google Play) are mere facilitators and not considered medical device manufacturers.
Throughout the COVID-19 pandemic, mHealth apps became the select delivery channel for contact tracing and symptom monitoring. However, these apps are effective only if the community uses them to share good practices across different countries, enabling governments to learn from one another and thereby develop effective strategies for improving health outcomes in a collaborative effort to combat the pandemic.
Further, the growing penetration of smartphones is boosting the market potential of mHealth apps.
Mobile devices and their software applications are a big asset to the modern-day consumer, impacting the healthcare space in the 21st century. In 2020, Mobile Health Applications (mHealth apps) numbered approximately 325,000, and users totalled 247 million. With the global revenue from mHealth Apps growing on an upward curve, the mobile health market is expected to touch USD 311.98 billion by 20271. According to Statistics, the third quarter of 2020 registered around 47,140 mHealth apps on Google Play Store.
In this regard, the National Health Policy 2017 (NHP 2017) envisages the attainment of the highest level of health and well-being for all by leveraging digital technologies to increase access, improve the quality, and lower the cost of healthcare delivery. The NHP 2017 also prescribes the same urgency for efficiency and effectiveness of delivery of all the healthcare services in vital areas such as life expectancy, IMR, MMR, TFR, immunization, malnutrition, and disease control. Towards this end, NITI Aayog has launched the National Digital Health Mission (NDHM).
Some of the key features of NDHM include Unique Health Id (UHID), privacy and consent management, national portability, Electronic Health Records (EHR), applicable standards and regulations, health analytics and, above all, multiple access channels such as call centres, Digital Health India portal, and MyHealth App.
Medical Health Applications
As people become more mobile and travel becomes more accessible, patients will increasingly expect the healthcare record system to provide essential health information via mobile devices, which will give their treating physician basic information such as medical condition and drug/allergy information. Demographics, insurance data, medications, allergies, alerts in respect of new symptoms, and vital signs are some of the records recommended to be provided in at least read-only format and to the extent relevant for emergency care and quick reference. It is also possible that the patient will be able to provide certain clinical readings (BP, temperature, glucose count) and lifestyle data (steps walked, distance run, sleep duration and quality), which will serve as key clues and information on her/his overall health status. Notwithstanding a shadow of uncertainty in respect of the applicable rules and regulations of such mobile applications, the guidelines for their governance are clear.
Standards & Regulation of EHRs
While numerous applications falling outside the scope of the governance policy continue to offer their services, it is pertinent to note that applications and websites are required to comply with EHR standards in India. The objective of such notification by regulatory authorities is to introduce a uniform standard-based system for the creation and maintenance of EHRs by healthcare providers and its adoption in IT Systems by healthcare institutions/providers across the country.
Health Record IT Standards
All health record systems are required to adhere to certain standards for gleaning information related to patient demography and identifiers, including data standards for image, multimedia, document and waveform, summaries, and formats for e-prescriptions as notified by the Pharmacy Council of India. The road map for these requirements has been provided by the concerned authorities in numerous statutes and detailed guidelines.
Further, the medical and IT hardware used must meet the relevant applicable specifications from BIS, NEMA, IEEE, ISO, CE, RoHS, Energy Star, apart from Medical and IT standards for the equipment. The software for capturing, storing, retrieving, viewing, and analyzing healthcare records has also to conform to the specified standards.
Protected Health Information
Protected Health Information (PHI) includes any individually-identifiable information — whether oral or recorded, in any form or medium that is created or received by a stakeholder — relating to an individual’s past, present, or future physical or mental health conditions; the provision of health care to the individual; and past, present, or future payment for health care to the patient. Electronic Protected Health Information (ePHI) includes any PHI that is created, stored, transmitted, or received electronically.
As per the Information Technology Act 2000, Data Privacy Rules refer to ‘sensitive personal data or information’ (SPI) as the subject of protection, but also includes, with regard to certain obligations, ‘personal information’ (PI). Sensitive personal information is defined as a subset of personal information, even when a specific mention of PHI is not provided.
Responsibilities of a Healthcare Provider
The guidelines enumerate the responsibilities of healthcare providers, including the protection and security of the stored health information; ensure appropriate means of informing the patient of policies relating to her/his rights to health record privacy; and document all its privacy policies and ensure that they are implemented and followed.
(The author is Counsel, J Sagar Associates. The article is for informational purposes only. Views expressed are personal and do not reflect the official position or policy of the Financial Express Online.)