e-Pharmacies and Right to Privacy: Need for Robust Regulatory Framework

The Government of India decided to stop the sale of medicines through unlicensed online platforms, considering that most of these platforms do not have the license required under the law to sell medicines online. The government also said that this direction will be effective until it finalizes the draft rules seeking to regulate these online platforms. Under the Drugs and Cosmetics Act, 1940, no person can sell any drug without obtaining the necessary license from the concerned authority. But the problem is that the current regulatory framework is pegged to the sale of medicines by a physical store and not to the online sale of medicines.

When a person goes to purchase medicine from a pharmacist, the patient just needs to hand over the prescription, and the pharmacist gives the required medicine and returns the prescription. The pharmacist does not retain or take a copy of the prescription. But when medicines are sold online, a patient is required to upload the prescription on the website of the concerned company, and the company then sends back the prescription to a registered pharmacist who, after checking the authenticity of the prescription, delivers the drugs to the patient’s address. During this entire process, the contents of the prescription are saved in the databases of both the company and the pharmacist and are never deleted. The prescription of a patient contains details like name, address, the disease one is suffering from, the doctor treating him, what medicine he required for his treatment, etc. All these comprise sensitive information and have vast potential for misuse.

Under the Drugs and Cosmetics Rules, 1945, doctors and pharmacists are mandated to preserve the confidentiality of the patient. Regulation 7.14 of the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 clearly imposes an obligation on the registered practitioner not to disclose the medical records of the patient without the express consent of the patient. Para 7.14 of the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 reads:

The registered medical practitioner shall not disclose the secrets of a patient that have been learnt in the exercise of his / her profession except –

  1. in a court of law under orders of the Presiding Judge;
  2. in circumstances where there is a serious and identified risk to a specific person and/or community; and
  3. notifiable diseases.

Regulation 9 of the Pharmacy Practice Regulations, 2015, which deals with the duties of the registered pharmacist, also clearly states that the registered pharmacist is bound to maintain the confidentiality of the patient at all times while undertaking the pharmaceutical assessment of the patient’s prescription.

In the landmark right to privacy judgment delivered by the constitution bench of the Supreme Court, the court, while referring to a paper, also cautioned about how private sector entities including banks, telecom companies, and hospitals are collecting the sensitive information of their clients, which leaves tremendous scope for both personal and commercial exploitation of such information. Such information can be easily released or traded in public, which may cause irreparable harm to the privacy of the concerned individual. The paper referred to by the court also noted that though there exist some provisions under the IT Act for the protection of sensitive information, no legislation exists which completely protects the privacy of individuals with respect to information in the hands of private entities. Justice Chandrachud also noted in his separate but concurring judgment that every person has a reasonable expectation of privacy about his medical information and any unauthorized parting of the medical records of any patient without his express approval will amount to an invasion of privacy. The judge stated that:

Both anonymity and privacy prevent others from gaining access to pieces of personal information yet they do so in opposite ways. Privacy involves hiding information whereas anonymity involves hiding what makes it personal. An unauthorised parting of the medical records of an individual which have been furnished to a hospital will amount to an invasion of privacy. On the other hand, the State may assert a legitimate interest in analysing data borne from hospital records to understand and deal with a public health epidemic such as malaria or dengue to obviate a serious impact on the population.

The right to privacy over one’s medical history and records has also been guaranteed by the legislators through the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Section 3 of the said rules classifies the medical records and history of the patient as sensitive information, and such information cannot be disclosed without the express approval of the provider of the information.

Most of the online pharmacies are funded by foreign entities through the FDI route, and since these pharmacies are presently operating without any license, there is a very high possibility that the data of patients can be traded or sold to any foreign country or any third party. Such trading of sensitive information amounts to a blatant infringement of the right to privacy, but since there is no law prohibiting them from storing such information, the online pharma companies are able to store it. In any ordinary case, a registered pharmacist does not retain the prescription of the patient and returns it once he hands over the medicine, but the online pharma companies are permanently storing the prescriptions of individuals in the absence of any law prohibiting them from doing so.

Last year, the government circulated the draft rules relating to the regulation of e-pharmacies. The government sought to insert section 67K into the rules, which seeks to protect the privacy of the individual concerned. Though section 67K of the draft rules prohibits e-pharmacies from disclosing the information of the patient to any other party for any purpose, it fails to address the legitimate point that e-pharma companies are still in possession of the prescription and that it can be utilized by the company (or its employee) for personal or commercial gain. The draft rules also state that the information of the patient can be disclosed to the government for the purpose of public health, but the rules fail to provide any guiding principle for interpreting the term “public health”. Also, under the Right to Privacy judgment, the court laid down the minimum designation of the authority which can order disclosure of information, but under the draft rules no such designation of authority exists, which makes the sensitive information even more vulnerable to “arbitrary” disclosure.

Addressing the privacy concerns of the individual is very important, yet the draft rules clearly fail to do so and leave the sensitive information of the individual very prone to abuse. It can only be hoped that the government will come up with suitable amendments to the draft rules to address the privacy concerns of individuals.


Anirudh Agrawal


Anirudh Agrawal is pursuing BA LLB (Hons) at NALSAR University of Law, Hyderabad. His areas of interest and expertise are constitutional law, administrative law, and insolvency law. He is also a regular contributor to several commercial and public law blogs.
