Industry
HealthTech
Legal counsel for digital health in Pakistan — where DRAP, provincial healthcare commissions, and professional regulation all predate the products, and the honest advice includes what the law has not yet decided.
Digital health in Pakistan is built on top of a regulatory system designed for hospitals, pharmacies, and paper files. The statutes are real and enforced — the Drugs Act 1976, the DRAP Act 2012, provincial healthcare commission laws, professional regulation through the PM&DC — but none of them was written with a consultation app, a home phlebotomy service, or a diagnostic algorithm in mind. The result is a sector where the central legal skill is honest characterization: deciding what each product is under laws that predate it, saying clearly which questions have settled answers and which do not, and building the operating model so the company is defensible under the reading a regulator is most likely to adopt.
What the product is, legally
Every healthtech engagement starts with classification, because everything else follows from it. Software that diagnoses or directs treatment raises the medical-device question under the Medical Devices Rules 2017; the definition is capable of reaching software, though its application to standalone digital products remains thinly developed in Pakistan [TO BE VERIFIED BY REVIEWING LAWYER]. A platform that organizes care raises the healthcare-establishment question under the provincial commission statutes — the Punjab Healthcare Commission Act 2010 for a Lahore-based operator, with parallel regimes in Sindh, KP, and Islamabad. A pharmacy marketplace raises the drug sale licensing question under the Drugs Act 1976, administered provincially and silent on the internet. In each case the classification is driven less by the technology than by claims and conduct: what the marketing says the product does, and who actually exercises clinical judgment. We scrutinize the intended-use language as hard as the architecture, because regulators will. Health advertising carries its own rules — therapeutic claims for products sit within DRAP's remit, and exaggerated outcome claims by platforms invite both regulatory attention and complaint jurisdiction — so the review covers the campaign, not just the product.
The gray areas, stated honestly
Some of what healthtech clients most want settled is not settled, and we think the credible position is to say so. Telemedicine has no dedicated Pakistani framework as of mid-2026: no telehealth licence, no statutory standards for remote consultation, no explicit rules on e-prescribing. That does not make it unlawful — registered practitioners consulting remotely operate within the general law of medical practice — but it means the guardrails are the platform's to build: verified PM&DC registration for every practitioner, documented consent that explains the limits of remote care, consultation records kept to the standard a commission inquiry would expect, escalation pathways for cases that need physical examination, and restraint on remote prescribing of higher-risk categories. Platforms that build these guardrails hold two advantages. They are defensible under current law, and they are positioned for the framework Pakistan will eventually adopt, which is unlikely to demand less. Cross-border models add a further unsettled layer — a Pakistani patient consulting a foreign-registered doctor, or a Pakistani platform serving diaspora patients abroad, raises registration and jurisdiction questions no Pakistani instrument currently answers, and we structure those models around the strictest plausible reading rather than the most convenient one.
Patient data as an existential asset
A healthtech company's data practices deserve more care than the statute book currently compels. Pakistan's general data-protection legislation remains pending as of mid-2026, so the binding obligations around patient data come from an assembly of sources: the confidentiality that practitioners owe as a matter of professional ethics and that platforms inherit through them, the contracts with patients, hospitals, labs, and insurers, and the offences in PECA 2016 around unauthorized access to and disclosure of data. We convert that assembly into a single written standard for each client — lawful basis and consent flows, role-based access, retention and deletion rules, vendor terms for every processor touching health records, and a breach-response plan with names in it. The commercial logic is blunt: health platforms run on trust, a breach is the fastest way to destroy it, and the company's conduct in the first week after an incident will be judged against the standard it wrote for itself.
How we serve healthtech companies
We act for telehealth platforms, diagnostics and lab-tech companies, pharmacy and e-commerce health models, and hospital-facing software vendors — on classification and regulatory strategy, commission and DRAP interactions, the practitioner and partner agreements that carry the clinical risk, and the data standard underneath all of it. Where the law is unsettled we give clients the honest map: the defensible route, the aggressive route, and the difference in exposure between them. The regulatory position described here is stated as of mid-2026 — DRAP rulemaking, provincial commission practice, and the pending data legislation are all capable of moving — and each engagement begins by confirming the instruments then in force.
The Five Recurring Problems
The problems this sector keeps producing.
- 01
Not knowing whether your software is a medical device
The Medical Devices Rules 2017 under the DRAP Act 2012 bring devices — a definition capable of reaching software with diagnostic or therapeutic purposes — into registration and enlistment requirements [APPLICATION TO SOFTWARE — TO BE VERIFIED BY REVIEWING LAWYER]. A symptom checker, a diagnostic algorithm, and a wellness tracker may sit on different sides of that line, and the line itself is not crisply drawn in Pakistan. Classifying the product wrongly means either needless regulatory burden or an unregistered device on the market.
- 02
Telemedicine without a telemedicine framework
As of mid-2026 Pakistan has no dedicated statute or licensing regime for telemedicine [TO BE VERIFIED BY REVIEWING LAWYER]. Consultations happen at scale anyway, governed by the general rules: practitioners must hold PM&DC registration, professional-conduct standards apply however the consultation is delivered, and questions such as remote prescribing and cross-border consultations sit in genuinely unsettled territory that platforms should address by policy and disclosure rather than pretend is resolved.
- 03
The healthcare-establishment question before provincial commissions
The Punjab Healthcare Commission Act 2010 and its Sindh, KP, and Islamabad counterparts license healthcare establishments and hear service-delivery complaints. Whether a telehealth platform, an at-home sampling service, or a clinic aggregator is itself an establishment requiring registration — or merely a marketplace — is a threshold question with real consequences, and the commissions' own answers are still forming.
- 04
Holding the most sensitive data with no data statute behind it
Health records are the data category with the highest human cost of breach, and as of mid-2026 Pakistan has no general data-protection law in force to govern them. Obligations arise instead from professional confidentiality duties, contract, and the criminal provisions of PECA 2016 — a patchwork that platforms must convert into a coherent internal standard, because the reputational judgment after an incident will not be patient with the patchwork.
- 05
Medicines online under a Drugs Act written in 1976
Pharmacy platforms operate against the Drugs Act 1976 and provincially administered licensing that never contemplated internet sale; DRAP's rulemaking on online pharmacy has moved in drafts [STATUS — TO BE VERIFIED BY REVIEWING LAWYER]. The allocation of responsibility between platform, licensed pharmacy, and dispensing pharmacist is the whole legal question, and it must be built into the operating model, not the terms of service alone.
The Regulators That Matter
Who you answer to — and for what.
- DRAP
- Federal regulator of therapeutic goods under the DRAP Act 2012 — drugs, medical devices, and the registration and enlistment regimes a health product may fall into.
- Provincial healthcare commissions
- The Punjab Healthcare Commission and its counterparts license healthcare establishments, set service standards, and hear complaints — the front line for anything that looks like care delivery.
- PM&DC
- Registers medical and dental practitioners and holds the professional-conduct jurisdiction that follows a doctor onto a platform.
- Provincial health departments
- Administer drug sale licensing under the Drugs Act 1976 and much of the operational health regulation platforms encounter on the ground.
Mapped Services
The practices this industry draws on.
- Technology Law The platform-side analysis — what the product legally is, before a regulator characterizes it less charitably.
- Data Privacy A defensible health-data standard assembled from confidentiality duties, contract, and PECA while the data statute is pending.
- Compliance DRAP, commission, and licensing obligations tracked as a program across the provinces the platform operates in.
- Licensing Establishment registrations, drug sale licences, and the partner-licence structures pharmacy and diagnostics models depend on.
- Commercial Contracts Practitioner, hospital, lab, and pharmacy agreements that allocate clinical responsibility the way the law will.
- Risk Advisory Incident planning for the two events that define a healthtech company — a patient-harm claim and a data breach.
Questions, Answered
What clients in this industry ask.
It depends on what the software does. Products with diagnostic or treatment functions may fall within the medical-device regime under the Medical Devices Rules 2017, while general wellness tools usually sit outside it — but the software boundary is not sharply settled in Pakistan [TO BE VERIFIED BY REVIEWING LAWYER]. We analyze the intended use claims first, because the marketing copy often decides the classification.
There is no law prohibiting it and no framework licensing it, as of mid-2026. Practice runs on the general rules: PM&DC-registered practitioners, professional standards, informed consent, and record-keeping. We advise platforms to operate as if a framework existed — credential verification, consultation records, escalation protocols — both because it is defensible and because it is where regulation is likely to land.
Registered practitioners prescribe as an incident of practice, and remote prescribing is not separately regulated as of mid-2026 — which is a gap, not a green light. Controlled and prescription-only categories under the drug laws need particular care, and the platform should confine e-prescriptions to defined categories with verification steps. This is one of the genuinely gray areas, and we say so to clients plainly.
If the platform itself delivers or organizes care — rather than merely listing independent providers — the establishment question under the Punjab Healthcare Commission Act 2010 is live and should be answered deliberately, in dialogue with the commission where warranted. The answer differs by model and by province. Getting it wrong invites both registration enforcement and complaint jurisdiction you did not plan for.
There is no general data-protection statute in force as of mid-2026, so the enforceable obligations come from confidentiality duties owed through the practitioners, your own contracts and policies, and PECA 2016's provisions on unauthorized data access and disclosure. We build platforms a written health-data standard — consent, access controls, retention, breach response — that will read well the day it is examined.
Expect claims to name everyone — practitioner, platform, and any facility involved — and expect the platform's characterization of itself to be tested against how it actually operates. Liability allocation lives in the practitioner and partner agreements, the consent flow, and insurance, and it must match the operating reality. A marketplace disclaimer does not survive a platform that assigns doctors and sets protocols.
Related Insights
Prepared by The First Counsel · As of 2026-07-12 · Pending professional review — statements flagged in the text are being verified
This publication is provided for general information only. It is not legal advice, and neither reading it nor corresponding with the firm about it creates a lawyer–client relationship. The position stated must be verified against current law before it is relied upon.
