Remote Lawyer

Drafting Privacy Policies for Health-Tech Startups: Practical Considerations.

Updated: Sep 4, 2022

India’s health-tech sector is an integral part of its fight against the pandemic. From tele-consultations to ordering medicines online, health-tech has revolutionized the way we think about and perceive medical services in India. However, if you are an early-stage or prospective health-tech startup founder, you also need to keep certain legal requirements in mind before you can launch your services on a full-fledged basis.

Health-tech services essentially lead to the sharing of a lot of confidential information between the service providers and the end-users. Such confidential information may also include personal data of both the patients and the service providers. Information related to health falls within the ambit of personal and sensitive information. The Information Technology Act, 2000 (“IT Act, 2000”) mandates every online service provider to have a proper privacy policy in place, which should be displayed on their website. Hence, it becomes pertinent for all health-tech startups to have a robust privacy policy in place. We bring you the practical considerations that should be taken into account before drafting a privacy policy for a health-tech startup.

Confidentiality and Data Privacy

As mandated by the Telemedicine Guidelines, 2020, a health-tech startup is required to disclose the identity of the doctor to the patient and vice versa. This leads to the communication of personal data, which includes but is not limited to medical information, contact details and records of past medical and health-related information. Some considerations which you should keep in mind are:

  1. Obtain the consent of both the end-users and the doctors you are onboarding for the collection of their personal information. Hence, you should have one privacy policy which regulates the collection of information vis-à-vis end-users and another which regulates the collection of personal information of the health-care service providers you are onboarding.

  2. You will be sharing the personal information of the end-users as well as the doctors; hence, it is important to let them know that this sharing will be strictly for the purposes of the services being offered and for no other reason.

  3. If any end-user or health care service provider is located outside India, then global data privacy laws such as GDPR, HIPAA etc. also come into consideration.

What Information is to be collected?

A health-tech company can provide a number of services, ranging from online delivery of medicines to connecting patients with doctors. The information being collected is not restricted to name, contact details and medical history/prescription; it can also include demographic information, location, financial information etc. Hence, it is imperative that a detailed list of the information being collected be included in the privacy policy. This would offset the risk of the end-user later alleging that he/she was not aware of what information was being collected.

Third-Party Beneficiary

Many of us order medicines for our parents or older relatives. In such cases, we share their personal information through the health-tech services. This can give rise to the risk that the third party for whom the end-user is raising a request may not even know that his/her personal information is being shared. This potential concern can be tackled in the following two ways:

  1. Prohibit the end-user from placing orders for third-parties.

  2. Ensure that the end-user has obtained the necessary consent from the third party and will indemnify the company if any allegation of data breach is made by the third party whose data is being shared.


Does your health-tech company require its end-users to create accounts? If yes, then you have to make sure that they are not compromising on the security of their accounts and allowing any unauthorized person to use the service.

Drafting a privacy policy is not a one-size-fits-all approach. It has to be drafted with the services being offered in mind. We, at Remote Lawyer, understand this aspect and curate customized privacy policies for your company. If you have any query regarding how to draft privacy policies for your startup, you can contact us by clicking the button below.
