Jun 17, 2024

Healthcare M&A 2024 – Trends & Developments

Trends and Developments

India’s economic growth, business-friendly government, improved corporate landscape and thriving middle class have been driving private investment in the healthcare sector for over a decade. Spending on private healthcare, growing ancillary manufacturing and services, and an evolving healthcare technology ecosystem are turning India into a hub for healthcare investments. This article addresses two different (but nonetheless important) developments in healthcare M&A in India in the recent past, which incoming investors (strategic or private equity) may need to keep in mind: (i) pricing of healthcare services by private hospitals in India; and (ii) healthcare M&A in the light of the Digital Personal Data Protection Act, 2023 (the “DPDP Act”).

Regulation of Pricing by Private Hospitals

Background

Since public health is of paramount concern in India, the government has to balance the interests of the public’s access to affordable, quality healthcare and investment to encourage growth and innovation in the hospital industry. Given the rising healthcare costs, capping of pricing is frequently at the forefront of this conundrum, particularly in emergency situations.

Generally, in India, privately owned and operated hospitals and clinical establishments are free to price their services without being subject to caps, other than in scenarios such as where land for the hospital has been allocated by the government, or where there are specific local schemes implemented to provide better pricing or specific bed capacity for the economically weaker sections of society or certain types of government employees or armed forces personnel. Pricing is typically determined based on a variety of factors including the nature and complexity of the procedures, the socio-economic status of the patient, whether the patient is insured or not, sophistication of the hospital’s infrastructure and services, location of the hospital, if the hospital is standalone or a part of a larger chain, and the seniority and experience of doctors and staff involved in treatment. Therefore, when addressing capping prices, a variety of factors are to be kept in mind, as well as any spillover consequences.

The Constitution of India (the “Constitution”) contains Directive Principles of State Policy which, while not enforceable in court, are fundamental in the governance of the country, and it is the State’s duty to apply these principles in making laws. One of the Directive Principles requires the State to raise the level of nutrition and the standard of living of its people and improve public health, as its primary duties.

It was in the context of this Directive Principle that the Government of India enacted the Clinical Establishments (Registration and Regulation) Act, 2010 (CEA) and the Clinical Establishment (Central Government) Rules, 2012 (the “CE Rules”). The primary intent of the CEA and CE Rules was to regulate clinical establishments to ensure they meet at least the minimum standards prescribed for the hospital facilities and the services intended to be provided. However, health is a matter under the “state list” under the Constitution, and individual state governments have exclusive power to make laws in relation to such matters. Given that the CEA is a central legislation, it only applies to states which have adopted the CEA. As at the date of writing, the CEA has only been adopted by 12 states and seven union territories (the “CEA States and UTs”).

Price capping under the CEA

The CE Rules state that the Central Government (in consultation with the respective state governments) has the power to prescribe the range of rates for each type of procedure and services that may be charged by clinical establishments. However, for almost ten years after the CEA was enacted, no specific rates were prescribed.

Hence, in 2020, the Veterans Forum for Transparency in Public Life (the “Petitioner”) filed a petition in the Supreme Court of India (the “Petition”) for the Supreme Court to direct the Government of India to determine the rates of fees chargeable to the patients under Rule 9 of the CE Rules. Given the fixing of rates requires co-ordination between both the Central and the respective state governments, there appears to be an impasse in this regard. The Petitioner suggested that as an interim measure, until the rates are notified by the Central Government under the CE Rules, it may notify the rates applicable to Central Government Health Scheme (CGHS) empanelled hospitals for the purposes of Rule 9 of the CE Rules. The CGHS governs medical care provided to Central Government employees and pensioners enrolled under the scheme and is typically at a discount to the rack rates charged by hospitals.

How the Government of India will implement the Supreme Court’s directives remains to be seen, but it is unlikely that the stop-gap solution suggested above will be viewed favourably either by private clinical establishments or investors proposing to invest in these entities, as this directly impacts hospital revenues and will result in confusion. Markets have therefore reacted adversely to this news and stock prices of publicly listed companies engaged in the hospital business have dropped significantly.

There are several stakeholders involved in the process: the patients, insurers, the hospital and healthcare systems, services providers, investors and the regulator, as well as the legislature. The key would be to balance transparency in pricing against ensuring there is sufficient headroom for hospitals to innovate and provide quality services. Given the various perspectives, potential investors should consider the following factors.

  • Non-uniform applicability of the CEA – given only a handful of states and union territories have adopted the CEA, the Supreme Court ruling, when delivered, will impact only establishments in these states. Therefore, if a hospital chain has a pan-India presence, the pricing (on account of price restrictions) for procedures and services in the same hospital chain may vary between hospitals in different states. Strategic investors will need to keep this in mind when considering hospital acquisitions and expansions.
  • State-specific legislation – certain states have issued notifications which apply for special situations – for example, for the COVID-19 pandemic, pursuant to which prices charged to COVID-19 patients were capped. The broad tendency (including that of courts) has been to limit such pricing controls only to the period during which the epidemic is prevalent and also only to cases directly affected by the epidemic disease, and not otherwise.
  • Details and specifics of pricing caps, and carve-outs for more specialised treatments – it remains to be seen whether pricing controls, where applied, apply for the entire gamut of services provided by hospitals or may be limited to core areas such as charges for hospital beds, key services and tests for the purposes of the procedures. It may be noted that there are instances where major interventions, high-end investigations, etc, have been carved out from pricing caps.
  • Unintended consequences of pricing – affordable healthcare should be weighed against other considerations including building quality healthcare infrastructure, and adequately remunerating the personnel involved to retain quality talent. A standardised price cap does not consider the difference in infrastructure and quality of services provided and could potentially disincentivise healthcare companies from investing in research and development and other healthcare infrastructure given that potential returns will be limited on account of any thresholds/maximum rates prescribed. Certain other unintended consequences could be a decrease in the quality of services provided to meet the pricing requirement or hospitals loading the prices onto other uncapped services or procedures to ensure revenue margins are met.

Healthcare M&A Transactions in Light of the DPDP Act

Any diligence exercise and the eventual acquisition of a healthcare target will either involve handling personal data and other confidential information, or would include the use of such personal information as one of the vital factors driving such acquisition – for example, for the purposes of research and development. The sensitivity, volume and type of personal data collected in the healthcare industry has a direct bearing on the data privacy risks in each transaction. The current data protection laws – ie, Section 43A of the Information Technology Act, 2000 (the “IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”) – are not as robust as, or at par with, international data protection legislation. The recently enacted Digital Personal Data Protection Act, 2023 (the “DPDP Act”), once in force, may be an important force to reckon with, and healthcare companies undertaking M&A transactions will need to be mindful of it.

While the DPDP Act has been enacted, its provisions are not in force currently. The Government of India is in the process of framing the rules as well as setting up the Data Protection Board (DPB), which will be the regulating authority under the DPDP Act. Once the provisions of the DPDP Act come into force, the DPDP Act will replace Section 43A of the IT Act and the SPDI Rules which currently govern the data protection landscape in India. This part of the article covers certain key highlights of the DPDP Act in light of M&A transactions in the Indian healthcare sector.

Processing personal data in the context of M&A transactions

The DPDP Act introduces the terms “data fiduciaries” and “data processor”, similar to “controller” and “processor” under the European Union General Data Protection Regulation. As per the DPDP Act, a data fiduciary is a person who (whether alone or with others) determines the purpose and means of processing personal data, while data processors are persons who process data on behalf of data fiduciaries.

Section 17 (1) of the DPDP Act exempts certain M&A transactions which require the approval of a court, tribunal or competent authority (such as mergers, demergers, transfer of undertaking or reconstruction of companies) (“Exempted M&As”) from the data fiduciary obligations imposed under the DPDP Act. Some of these obligations, which do not have to be complied with for Exempted M&As, are as follows:

  • the obligations of data fiduciaries to provide notice to the data principals/subjects for obtaining consent, processing personal data with a lawful basis and for a specified purpose, entering into data processing agreements with data processors, etc;
  • responsibility of the data fiduciaries to correct, complete, update or erase personal data of a data principal if the data principal wishes to do so, provide a grievance redressal mechanism, provide the option to data subjects to withdraw consent, etc; and
  • exemption from the applicability of Section 16 of the DPDP Act on processing of personal data outside India which states that the Central Government may, by notification, restrict the transfer of personal data to a country or territory outside India.

However, liability of data fiduciaries for data processing activities carried out by data processors on behalf of data fiduciaries, and the obligation of data fiduciaries to protect personal data in its possession or control, including any processing activities undertaken by a data processor on behalf of the data fiduciary, continue to apply to Exempted M&As.

Importantly, for M&A transactions which are not Exempted M&A – eg, for acquisitions of shares of companies, it appears that the provisions of the DPDP Act will continue to apply. Thus, any personal data processing activities further to share purchases, business transfers, share subscriptions or divestments or invitations of bids preceding transactions or any other transactions which do not require the approval of the competent authority, will not benefit from this exemption.

Types of personal data and consent requirements during healthcare M&A transactions

As discussed above, M&A transactions (other than Exempted M&A) will need to comply with all aspects of the DPDP Act, including the obligation to obtain consent from data principals for transfer of their personal data.

In the healthcare industry, the target company may be collecting different types of personal data, including (i) patient-level data; (ii) employee (current and retired) and job applicant data; (iii) personal data of doctors/scientists/nurses/hospital staff; (iv) end-customer data; (v) business partner, consultant, supplier and vendor data, etc, all through various data collection touchpoints.

Per the DPDP Act, the target company will be required to obtain consent from data principals to transfer personal data, as long as such disclosure/transfer of personal data is necessary for the M&A transaction, and it has been identified for such specified purpose in the consent notices. The current data protection laws of Section 43A of the IT Act and the SPDI Rules also require collection of consent prior to disclosure and transfer of sensitive personal data or information, which includes medical records, biometric data, and financial information.

Role of data fiduciaries and data processors vis-à-vis healthcare M&A transactions

The DPDP Act provides that the data fiduciary is responsible for ensuring a data processor’s compliance with the DPDP Act, in respect of any processing undertaken by the data processors. Therefore, for any violations by the data processor, the data fiduciary could be held liable as the data principal has no privity with the data processor.

The DPDP Act also states that it is the responsibility of the data fiduciary to protect the personal data in its possession or control, including any processing activities undertaken by a data processor on behalf of the data fiduciary, such that reasonable security safeguards can be put in place to prevent a personal data breach.

In an M&A transaction, each party will need to independently assess the role they play – ie, whether a data fiduciary or a data processor, as this will determine the obligations imposed on such party. For example, when the information flows from a target company to the bidders/acquirers, the target company is the data fiduciary which determines the means and processing of personal data and the bidders/acquirers are data processors processing data. Similarly, financial or other advisers whose scope of work is limited to review of documentation and consultations on specific aspects of the deal could be categorised as data processors.

The DPDP Act requires data fiduciaries to execute contracts with their data processors to process data on their behalf. Thus, parties in an M&A transaction should enter into data processing agreements, as necessary, to ensure purpose limitation, adequate security measures, notification and non-disclosure requirements are taken care of. Putting in place data processing agreements will be critical for M&A transactions in the healthcare sector in view of the volume of data flow and sensitivity of the personal data shared.

The roles and responsibilities of data fiduciaries towards data principals must also be kept in mind. Any rights exercised by data principals against the data fiduciaries will lead to a follow-on obligation on data processors. In such cases, data fiduciaries should have back-to-back arrangements with the data processors where the relevant data fiduciary obligations will have to be contractually imposed on the data processor. For example, if a data principal revokes consent and requests erasure of their personal data, then both the data fiduciary and data processor will be required to carry out such a request.

For risk mitigation, it may be advisable for target companies to share or disclose only redacted or anonymised data to third parties during transactions. The DPDP Act imposes a penalty of up to INR250 crores (USD30 million) for a data fiduciary’s failure to take reasonable security safeguards to prevent a data breach and a penalty of up to INR50 crores (USD6 million) for non-compliance with any provisions of the DPDP Act.

Data breaches and cybersecurity incidents

The DPDP Act states that a personal data breach (which has been broadly defined to include “any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data”) is required to be reported to both the data principal as well as the DPB. The form and manner of the reporting to be made to the DPB will be prescribed in the enabling rules.

However, the DPDP Act encounters a regulatory overlap with the cybersecurity directions issued by the Ministry of Electronics and Information Technology on 28 April 2022 (the “CERT-In Directions”). While the DPDP Act does not prescribe any time for reporting a personal data breach, the CERT-In Directions state that all mandatory cybersecurity incidents, which include data breaches, must be reported to the Indian Computer Emergency Response Team (CERT-In) within six hours of notice. The CERT-In Directions are applicable to all service providers, intermediaries, data centres, body corporates and government organisations.

Conclusion

Given the growing importance of the healthcare industry, special attention will need to be paid to these new developments. As these are not yet in place, it will be interesting to see developments in this regard and the real-world ramifications of applying these principles. Any pricing framework will require an in-depth analysis of the sector and how pricing can be made more transparent while keeping in mind the profitability of the hospitals, working with the key stakeholders to understand their concerns and monitoring the progress in an agile and progressive manner to ensure both accountability and profitability. With respect to the new data protection laws, since diligence, transaction and the post-closing aspects will be impacted, parties will need to co-ordinate and work through solutions to ensure compliance with the regulations which will come into force.

DISCLAIMER

These are the views and opinions of the author(s) and do not necessarily reflect the views of the Firm. This article is intended for general information only and does not constitute legal or other advice and you acknowledge that there is no relationship (implied, legal or fiduciary) between you and the author/AZB. AZB does not claim that the article's content or information is accurate, correct or complete, and disclaims all liability for any loss or damage caused through error or omission.