Why Medical Device and Clinical AI HealthTech Carries India's Highest Startup Risk Profile
India's HealthTech sector spans a wide range, from teleconsultation apps and pharmacy aggregators to AI-powered diagnostic algorithms, in vitro diagnostic (IVD) device manufacturers, and Software as a Medical Device (SaMD) developers. Our earlier post addressed telemedicine platform insurance. This article focuses on the subset of HealthTech that sits closest to clinical practice: companies developing medical devices, diagnostic AI, clinical decision support tools, and digital health infrastructure integrated with the Ayushman Bharat Digital Mission (ABDM).
This segment carries the highest risk profile in the startup ecosystem, and it is not yet well served by the standard insurance products available in the Indian market. A diagnostic AI that returns a false negative on a cancer screening carries the same consequence as a radiologist's missed diagnosis: a delayed treatment, a worsened prognosis, and a patient who may die earlier than they would have with a correct result. An IVD device that returns a wrong blood glucose reading can lead to an incorrect insulin dose. A clinical decision support tool that recommends the wrong drug combination can cause an adverse drug event. In each case, the HealthTech company faces claims that blend product liability, professional indemnity, and regulatory enforcement into a single complex event.
The regulatory framework governing this segment is the Medical Devices Rules (MDR), 2017 administered by the Central Drugs Standard Control Organisation (CDSCO), which is India's equivalent of the US FDA for medical devices. CDSCO classifies medical devices into four risk categories (Class A: low risk; Class B: low to moderate; Class C: moderate to high; Class D: high risk) and requires registration, quality management compliance, and post-market surveillance for each class. Software that performs a medical function is regulated as a medical device, a category increasingly referred to internationally as SaMD (Software as a Medical Device), and India's regulatory framework is progressively aligning with the International Medical Device Regulators Forum (IMDRF) SaMD guidelines.
Insurance for this segment must be built around three core risk categories: product liability for the device or SaMD itself, professional indemnity for the clinical services or recommendations the platform provides, and cyber liability for the health data the platform holds, generates, and transmits. Each category requires a tailored policy, and the three must be coordinated to ensure that claims which span multiple categories do not fall into inter-policy gaps.
CDSCO and MDR 2017: Regulatory Context That Shapes Insurance Exposure
Understanding CDSCO's registration framework under the Medical Devices Rules, 2017 is essential for understanding the insurance exposure of a HealthTech company developing medical devices or SaMD. The MDR 2017 replaced the earlier schedule M1 framework and brought software-based medical devices under formal regulatory oversight for the first time. CDSCO now maintains a list of notified medical devices and software that qualify as medical devices, and any company placing such a device on the Indian market must obtain CDSCO registration from the Central Licensing Authority.
For SaMD, the classification question is critical. A wellness app that tracks step counts is not a medical device. Software that analyses ECG data and identifies atrial fibrillation is a medical device (typically Class C or D). A dermatology AI that classifies skin lesions as benign or malignant is a medical device. A clinical decision support system that recommends antibiotic selection based on lab culture data is a medical device. The misclassification of SaMD as a mere wellness app, done to avoid regulatory burden, is a significant legal and insurance risk: if the product causes harm and the company is found to have circumvented registration requirements, the insurer may decline the claim on public policy grounds.
The MDR 2017 also requires post-market surveillance and adverse event reporting. A HealthTech company whose SaMD generates an adverse outcome (a missed diagnosis or a wrong drug recommendation) must report the event to CDSCO within a specified timeline (serious adverse events within 30 days). Failure to report is an offence under the Drugs and Cosmetics Act, 1940, and can attract prosecution of the company's directors. This creates a D&O liability exposure that must be covered.
The FDA 510(k) process in the US, which allows a new device to be cleared by demonstrating substantial equivalence to a predicate device, has an Indian equivalent in the MDR 2017's import and manufacture registration process. HealthTech companies that develop devices for both the US and Indian markets face dual regulatory exposure: a product that is FDA-cleared but not CDSCO-registered cannot be marketed in India, and a defect that triggers FDA action may simultaneously trigger CDSCO action. Insurance programmes for such companies should address both jurisdictions, and the professional indemnity and product liability policies should have worldwide territorial scope.
For companies working with IVD devices (blood glucose monitors, rapid antigen test kits, pregnancy diagnostic kits, or point-of-care devices for sepsis or tuberculosis), CDSCO applies the IVD device classification separately from the general MDR 2017 classification grid. IVD devices used in professional clinical settings (Class C and D) carry the highest product liability exposure, particularly when the device's performance is critical to a treatment decision. An IVD device that returns a false negative for tuberculosis in a primary health centre could lead to a patient being discharged without treatment, infecting other household members, and eventually progressing to multidrug-resistant TB. The product liability claim in such a scenario can be multi-party and multi-claimant.
Regulatory note: CDSCO's quality management requirements under MDR 2017 align with ISO 13485 (Medical Devices Quality Management Systems). Companies that hold ISO 13485 certification can typically demonstrate a stronger quality process to both regulators and insurance underwriters, which may support better pricing on product liability cover.
Product Liability for Diagnostic AI: False Negatives, Misdiagnosis, and Clinical Decision Support
Diagnostic AI represents the highest-consequence product category in the HealthTech space. A false negative from a cancer screening AI (failing to flag a malignancy that a trained radiologist would have identified) can delay treatment by months, potentially allowing the cancer to progress to an inoperable stage. A false positive triggers unnecessary biopsies, surgical procedures, and patient anxiety. Both outcomes generate liability, and neither is hypothetical: litigation against diagnostic AI companies in the US and UK is already underway, and it is only a matter of time before similar claims reach Indian courts and consumer forums.
Under the Consumer Protection Act, 2019, a product liability action can be brought against the manufacturer of a defective product, and a software product that performs a medical function and causes harm falls within this framework. The Act does not require proof of negligence: a strict liability standard applies if the product is defective or if the manufacturer failed to provide adequate warnings about the product's limitations. For a dermatology AI that achieves 92% sensitivity in clinical trials but has lower performance on darker skin tones (a documented bias in many computer vision models), failure to disclose this limitation in the product's instructions for use could constitute a manufacturing defect or inadequate warning.
Clinical decision support tools that recommend medications, dosages, or treatment protocols carry a slightly different liability profile. These tools typically integrate with hospital information systems (HIS) or electronic health records (EHR) and present recommendations to a clinician, who then makes the final decision. The HealthTech company may argue that the clinician's intervening judgment breaks the chain of causation. But if the recommendation interface is designed in a way that anchors the clinician's judgment (for example, by presenting a single highly confident recommendation rather than a range of options) and the clinician follows it without further evaluation, the platform may share liability for the outcome.
Product liability insurance for diagnostic AI must cover claims arising from algorithmic failures, including false negatives and false positives, performance disparities across demographic groups, and failures arising from model degradation after deployment (when the model's performance worsens because real-world data drifts from the training set). Standard product liability policies were not written with AI in mind and often define a defect as a manufacturing defect in a physical product. HealthTech companies must negotiate policy wordings that explicitly include software defects, algorithmic errors, and output inaccuracies as insured defect categories.
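The two algorithmic failure modes named above, performance disparities across demographic groups and degradation after deployment, are things a post-market surveillance process can actually measure. The following Python is an added example written for this article, not code from the article or from any device maker: it computes per-subgroup sensitivity from labelled deployment outcomes, flags a subgroup whose sensitivity trails the best subgroup by more than a chosen gap, and compares the deployed model's score distribution against its validation baseline with a population stability index to flag drift. All records and scores are constructed, and the subgroup labels, field layout and alert thresholds are assumptions.

```python
"""Post-market performance monitoring for a deployed diagnostic classifier.

Added example, not code from the article or from any device maker. It shows
how the two algorithmic failure modes named in the text, performance
disparities across demographic groups and degradation after deployment, can
be surfaced from routine post-market data. Every record and score below is
constructed, and the group labels, field layout and thresholds are assumptions.
"""
import math
from collections import defaultdict


def make_records(group, tp, fn, fp, tn):
    """Build constructed (group, truth, prediction) tuples from confusion counts.
    truth 1 = disease confirmed by the reference standard (e.g. histopathology)."""
    return ([(group, 1, 1)] * tp + [(group, 1, 0)] * fn
            + [(group, 0, 1)] * fp + [(group, 0, 0)] * tn)


# Constructed outcome data: the model catches 9 of 10 malignancies in one
# subgroup but only 6 of 10 in the other, the disparity the article describes.
DEPLOYMENT_RECORDS = (make_records("skin_type_I_III", tp=9, fn=1, fp=1, tn=9)
                      + make_records("skin_type_V_VI", tp=6, fn=4, fp=2, tn=8))

# Constructed model output scores (0..1): the validation-time reference window
# and a later deployment window whose scores have shifted upward.
BASELINE_SCORES = [0.15] * 4 + [0.35] * 4 + [0.55] * 4 + [0.75] * 4 + [0.95] * 4
CURRENT_SCORES = [0.15] + [0.35] + [0.55] * 2 + [0.75] * 6 + [0.95] * 10


def confusion_by_group(records):
    """Tally tp/fn/fp/tn separately for each demographic subgroup."""
    counts = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    for group, truth, pred in records:
        key = ("tp" if pred else "fn") if truth else ("fp" if pred else "tn")
        counts[group][key] += 1
    return dict(counts)


def sensitivity(c):
    """True positive rate; each false negative on a screening tool is a missed case."""
    positives = c["tp"] + c["fn"]
    return c["tp"] / positives if positives else float("nan")


def disparity_alerts(records, max_gap=0.15):
    """Flag subgroups whose sensitivity trails the best subgroup by more than max_gap."""
    sens = {g: sensitivity(c) for g, c in confusion_by_group(records).items()}
    best = max(sens.values())
    return {g: round(best - s, 3) for g, s in sens.items() if best - s > max_gap}


def population_stability_index(baseline, current, bins=5):
    """PSI between two score distributions, a common drift statistic
    (rule of thumb: below 0.1 stable, above 0.25 a significant shift)."""
    def smoothed_hist(scores):
        counts = [0] * bins
        for s in scores:
            counts[min(int(s * bins), bins - 1)] += 1
        # additive smoothing so an empty bin never produces log(0)
        return [(n + 0.5) / (len(scores) + 0.5 * bins) for n in counts]
    b, c = smoothed_hist(baseline), smoothed_hist(current)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))


def surveillance_report(records, baseline, current, psi_threshold=0.25):
    """The summary a post-market surveillance review would want: per-group
    sensitivity, disparity flags, and a drift flag on the score distribution."""
    groups = confusion_by_group(records)
    psi = population_stability_index(baseline, current)
    return {
        "sensitivity": {g: round(sensitivity(c), 3) for g, c in groups.items()},
        "disparity_alerts": disparity_alerts(records),
        "psi": round(psi, 3),
        "drift_alert": psi > psi_threshold,
    }


if __name__ == "__main__":
    print(surveillance_report(DEPLOYMENT_RECORDS, BASELINE_SCORES, CURRENT_SCORES))
```

On the constructed data the report flags the second subgroup (sensitivity 0.6 against 0.9) and raises the drift alert, which is exactly the kind of evidence an adverse event file or an underwriter's post-market surveillance question would ask for; the gap and PSI thresholds are illustrative and a real programme would set them from the validation study.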
For a HealthTech company commercialising a cancer screening AI or a diagnostic imaging tool, product liability limits of INR 5 crore to INR 25 crore are appropriate, depending on the deployment volume and the clinical setting. Annual premiums for this cover in the Indian market typically range from INR 3 lakh to INR 15 lakh, with Class C and D SaMD attracting premiums at the higher end. Companies that conduct prospective clinical validation studies and publish performance benchmarks can support better underwriting terms by demonstrating the evidence base for the product's safety profile.
IVD Device Manufacturers: Blood Glucose Monitors, Rapid Test Kits, and Home Diagnostics
India has a growing domestic IVD manufacturing sector, including companies producing blood glucose monitoring strips, rapid antigen and antibody test kits for infectious diseases, home pregnancy tests, and point-of-care lipid panel analysers. Post-COVID, the home diagnostics category has expanded significantly, with HealthTech companies selling IVD kits directly to consumers through e-commerce channels. This distribution model creates a specific product liability exposure: the company is now responsible not only for the device's performance in a controlled clinical setting but also for its performance when used by a non-clinical user at home, without professional supervision.
The Consumer Protection Act, 2019 imposes a duty on product manufacturers to ensure that their products are safe for the use described on the label and that adequate instructions and warnings are provided. A home blood glucose monitor that gives readings with a systematic positive bias (consistently reading higher than the actual glucose level) could lead a diabetic patient to under-dose insulin, resulting in hyperglycaemia and potentially diabetic ketoacidosis. A product liability claim in this scenario would allege manufacturing defect, design defect, and failure to warn, naming the IVD manufacturer, the platform that sold the kit, and potentially the cloud analytics service that interpreted the readings.
Insurance for IVD manufacturers must cover the full distribution chain. The product liability policy should name downstream distributors and e-commerce platforms as additional insureds where required by distribution agreements, and it should include a product recall extension covering the cost of withdrawing a defective batch from the market. A product recall for an IVD kit distributed to 5 lakh consumers (including logistics, replacement, customer communication, and lost revenue during the recall period) can cost INR 1 crore to INR 5 crore independent of any personal injury claims. Product recall insurance is often written as an extension to the product liability policy.
Quality management under MDR 2017 requires IVD manufacturers to maintain device master records, batch records, and adverse event logs. If an IVD device causes harm and the manufacturer cannot produce these records, the insurer may resist the claim on the ground that the company's non-compliance with regulatory quality requirements contributed to the loss. Maintaining ISO 13485-compliant quality management systems is therefore not just a regulatory obligation: it is an insurance defence.
Premiums for product liability cover for an IVD device manufacturer with annual sales of 10 lakh units typically range from INR 4 lakh to INR 12 lakh for limits of INR 5 crore to INR 15 crore, depending on the risk classification of the devices manufactured and the distribution channels used. Companies selling directly to consumers online (rather than through registered medical laboratories or hospitals) should expect underwriters to apply a loading to reflect the absence of professional supervision over device use.
Clinical Data Protection: ABDM Integration, Health Data Management Policy, and DPDP Act
HealthTech companies integrating with the Ayushman Bharat Digital Mission (ABDM) infrastructure handle some of the most sensitive personal data in the Indian context: health records linked to an individual's Ayushman Bharat Health Account (ABHA) number, diagnostic reports, prescription histories, and discharge summaries. The ABDM framework requires Health Information Providers (HIPs) and Health Information Users (HIUs) to comply with a Health Data Management Policy that specifies consent architecture, data minimisation obligations, and data sharing restrictions. A breach of patient health data accessible through the ABDM ecosystem would involve records that are both highly sensitive and linked to a government-issued identifier, amplifying the reputational and regulatory consequences.
The Digital Personal Data Protection Act, 2023 applies to all personal data processed in India, including health data. While health data is not separately classified as a special category under the DPDP Act (unlike the approach taken by the EU's GDPR), the Data Protection Board of India has the power to designate certain categories of data fiduciaries as significant data fiduciaries, with enhanced obligations. HealthTech companies processing health records for millions of patients are likely to be designated as significant data fiduciaries, attracting penalties of up to INR 250 crore for data breaches and up to INR 200 crore for failure to comply with data erasure or consent obligations.
Cyber insurance for ABDM-integrated HealthTech platforms must cover the full range of breach scenarios. ABDM's consent manager architecture means that health data is shared between HIPs and HIUs with patient consent, but a technical failure in the consent verification layer could result in records being shared without valid consent. This would not be a traditional data breach (no external attacker was involved) but would still constitute a privacy violation that the Data Protection Board could investigate. The cyber policy's breach trigger must be broad enough to include unauthorised sharing, consent failure, and API-level exposures, not just ransomware or external hacking.
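To make the consent-failure scenario concrete, here is an added Python example, not code from the article, ABDM or the National Health Authority. It models a simplified consent artefact and the checks a HIP's sharing layer must pass before releasing a record to a HIU, denies by default when any check fails (including an unknown artefact id, so a lookup failure cannot fail open), and writes every decision to an audit log so that consent failures are detectable and reportable rather than silent. The artefact fields, purpose code, ABHA numbers and HIU identifiers are constructed assumptions, not the ABDM consent manager's actual schema.

```python
"""Consent-gated health record release between a Health Information Provider
and a Health Information User.

Added example, not code from the article, ABDM or the National Health
Authority. The consent artefact fields and request shape are simplified
assumptions, not the ABDM consent manager's actual schema. It shows the
deny-by-default check order a sharing layer needs and the audit trail that
turns a consent failure into a detectable event rather than a silent disclosure.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class ConsentArtefact:
    artefact_id: str
    patient_abha: str          # patient's ABHA number (constructed values below)
    hiu_id: str                # the HIU the patient granted access to
    purpose: str               # purpose the patient consented to (assumed code)
    record_types: frozenset    # record categories covered by the consent
    records_from: datetime     # only records dated within this window may be shared
    records_to: datetime
    expires_at: datetime       # validity of the consent artefact itself
    revoked: bool = False


@dataclass(frozen=True)
class ShareRequest:
    artefact_id: str
    patient_abha: str
    hiu_id: str
    purpose: str
    record_type: str
    record_date: datetime


AUDIT_LOG = []   # every allow and deny decision; denials carry the failing check


def _record(decision, req, now, reason):
    AUDIT_LOG.append({"ts": now.isoformat(), "decision": decision, "reason": reason,
                      "artefact": req.artefact_id, "hiu": req.hiu_id,
                      "record_type": req.record_type})
    return decision == "allow", reason


def authorise_share(req, artefacts, now):
    """Return (allowed, reason). Every check must pass; anything else denies.
    An unknown artefact id is denied as well, so a lookup failure cannot fail open."""
    art = artefacts.get(req.artefact_id)
    if art is None:
        return _record("deny", req, now, "unknown_artefact")
    checks = [
        ("revoked", art.revoked),
        ("expired", now > art.expires_at),
        ("patient_mismatch", art.patient_abha != req.patient_abha),
        ("hiu_mismatch", art.hiu_id != req.hiu_id),
        ("purpose_mismatch", art.purpose != req.purpose),
        ("record_type_not_consented", req.record_type not in art.record_types),
        ("record_outside_window",
         not (art.records_from <= req.record_date <= art.records_to)),
    ]
    for reason, failed in checks:
        if failed:
            return _record("deny", req, now, reason)
    return _record("allow", req, now, "all_checks_passed")


def denial_summary(log=AUDIT_LOG):
    """Count denials by reason; a spike in one reason (for example expired
    artefacts still being presented) is where a privacy review should start."""
    return Counter(e["reason"] for e in log if e["decision"] == "deny")


# Constructed sample: one consent artefact and three sharing requests.
ARTEFACTS = {
    "consent-001": ConsentArtefact(
        artefact_id="consent-001", patient_abha="12-3456-7890-0001",
        hiu_id="hiu-cardio-clinic", purpose="CAREMGT",
        record_types=frozenset({"Prescription", "DiagnosticReport"}),
        records_from=datetime(2024, 1, 1, tzinfo=UTC),
        records_to=datetime(2024, 6, 30, tzinfo=UTC),
        expires_at=datetime(2024, 7, 31, tzinfo=UTC)),
}
REQUESTS = [
    ShareRequest("consent-001", "12-3456-7890-0001", "hiu-cardio-clinic", "CAREMGT",
                 "DiagnosticReport", datetime(2024, 3, 10, tzinfo=UTC)),
    ShareRequest("consent-001", "12-3456-7890-0001", "hiu-cardio-clinic", "CAREMGT",
                 "DischargeSummary", datetime(2024, 3, 10, tzinfo=UTC)),
    ShareRequest("consent-001", "12-3456-7890-0001", "hiu-insurer-x", "CAREMGT",
                 "Prescription", datetime(2024, 3, 10, tzinfo=UTC)),
]


def run_sample(now=(2024, 5, 1)):
    """Evaluate the sample requests as of the given (year, month, day)."""
    return [authorise_share(r, ARTEFACTS, datetime(*now, tzinfo=UTC)) for r in REQUESTS]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
    print(dict(denial_summary()))
```

The first request is allowed; the second is denied because a discharge summary was not among the consented record types; the third is denied because a different HIU presented the artefact. Re-running the same requests after the artefact's expiry produces three "expired" denials, and the denial summary is the metric that would reveal a consent layer that is silently passing stale or mismatched artefacts if it ever started returning allows instead.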
The National Health Authority's Health Data Management Policy also specifies data localisation requirements for health data. HealthTech companies that process ABDM-linked data must store that data on servers located in India. If a cloud infrastructure arrangement involves data being processed in a non-Indian region (even temporarily, during content delivery network caching), the company may be in breach. Insurance cannot remedy this compliance gap, but regulatory liability cover can mitigate the financial consequence of an enforcement action.
Cyber insurance limits for ABDM-integrated HealthTech platforms should reflect the volume of patient records handled. A platform integrated with ABDM and processing records for 10 lakh or more patients should carry cyber limits of at least INR 10 crore, with a regulatory proceedings sublimit of INR 5 crore specifically for Data Protection Board and National Health Authority enforcement actions. Annual premiums for this level of cover typically range from INR 4 lakh to INR 10 lakh.
Professional Indemnity for HealthTech Platforms Employing Doctors and Allied Health Professionals
HealthTech companies that employ or directly engage doctors, nurses, physiotherapists, dietitians, or other regulated health professionals within their platform structure face professional indemnity exposure that is distinct from pure-play software companies. When a clinician employed by a HealthTech company provides a clinical recommendation that causes patient harm, the employer-company bears vicarious liability for that clinician's acts and omissions. This vicarious liability does not disappear because the interaction occurred through an app interface rather than in a physical clinic.
The Indian Medical Council Act, 1956 (now superseded by the National Medical Commission Act, 2019) holds registered medical practitioners to a standard of care that can be assessed by their professional body. The NMC and State Medical Councils can initiate disciplinary proceedings against a doctor employed by a HealthTech company, and the company may become a party to those proceedings if its systems, protocols, or commercial pressures are found to have contributed to the substandard care. Insurance covering regulatory proceedings costs for NMC and State Medical Council actions should be included in the professional indemnity policy or in the D&O policy's regulatory investigation extension.
For HealthTech companies that employ doctors for second opinion services, chronic disease management programmes, or remote ICU monitoring, the professional indemnity policy must cover medical malpractice claims, not just technology-related E&O. Standard IT professional indemnity policies do not cover medical malpractice: this requires a specific medical malpractice or healthcare professional liability endorsement. The distinction matters: a patient who receives an incorrect drug dosage recommendation from the company's employed doctor has a different claim path than a patient whose data was breached.
Allied health professionals employed in HealthTech platforms (speech therapists in telerehabilitation apps, physiotherapists in musculoskeletal management platforms, dietitians in chronic disease management programmes) each have their own professional liability exposure. The professional indemnity policy should list all categories of healthcare professionals employed or engaged by the platform and confirm that each category's professional activities are covered under the policy's professional services definition.
Premiums for healthcare professional indemnity cover depend heavily on the volume of clinical interactions and the risk profile of the specialities involved. A telerehabilitation platform employing physiotherapists faces lower per-interaction risk than a HealthTech company employing oncologists for second opinion services on cancer staging. As a benchmark, a platform with 100 employed clinicians conducting 10,000 clinical interactions per month should consider professional indemnity limits of INR 10 crore to INR 25 crore, with annual premiums in the range of INR 5 lakh to INR 15 lakh.
Clinical Trial Phase Insurance for Diagnostic HealthTech
HealthTech companies developing novel diagnostic AI or IVD devices must conduct clinical validation studies, and companies developing truly novel diagnostics may conduct first-in-human or pivotal trials. The Indian Council of Medical Research (ICMR) guidelines and the New Drugs and Clinical Trial Rules, 2019 (which apply to medical devices undergoing clinical trials under CDSCO's oversight) require ethics committee approval, informed consent documentation, and adverse event reporting for clinical research. Each trial phase carries distinct insurance requirements.
Clinical trial insurance (also called clinical trial indemnity) covers the liability of the trial sponsor (which in a HealthTech context is the device developer) for adverse events suffered by trial participants. This includes adverse events arising from the experimental diagnostic procedure itself, from the use of a comparator device, or from diagnostic errors made using the investigational device during the trial. ICMR's ethical guidelines require that all trial participants be covered by adequate insurance or indemnity before the trial begins, and this is also a prerequisite for most ethics committee approvals.
For diagnostic AI trials, the risk profile differs from therapeutic drug trials. A diagnostic AI trial involves exposing participants to a diagnostic process (for example, AI-assisted imaging analysis) and comparing outcomes to a standard diagnostic approach. The primary risk is not a toxic drug reaction but a diagnostic error: a false negative that leads a participant to be told they are disease-free when they are not, resulting in delayed treatment. This risk must be explicitly covered in the clinical trial insurance policy, as some standard wordings only cover adverse events arising from the experimental treatment, not from diagnostic failures during the trial.
Sponsor liability for indemnification of participating hospitals and investigators is another requirement. Hospitals and clinical research organisations (CROs) that partner with HealthTech companies for trial conduct typically require the sponsor to indemnify them against claims arising from the trial. This indemnity must be backed by a clinical trial insurance policy that names the hospital and CRO as additional insureds, or by a side letter confirming that the sponsor's policy extends to cover their vicarious liability for investigator conduct.
Premiums for clinical trial insurance in India depend on the trial design, the number of participants, the phase of the trial, and the risk classification of the investigational device. For a Phase III pivotal trial of a diagnostic AI with 5,000 participants, annual premiums typically range from INR 5 lakh to INR 20 lakh for limits of INR 5 crore to INR 25 crore. Companies conducting multi-site trials across three or more states should ensure the policy covers all trial sites and all investigators under a single programme, rather than relying on site-specific policies that may have conflicting terms.
Building the Insurance Programme: D&O, NABH Digital Hospital Liability, and Premium Benchmarks
A complete insurance programme for a medical device or clinical AI HealthTech startup should include six lines of cover, coordinated through a single broker who understands both the HealthTech sector and CDSCO's regulatory framework. The six lines are: product liability (covering the device or SaMD), professional indemnity (covering clinical services and employed clinicians), cyber liability (covering health data breaches and DPDP Act enforcement), D&O liability (covering directors and officers for regulatory and investor claims), clinical trial insurance (if validation studies are underway), and commercial general liability (covering premises and general operations).
D&O liability for HealthTech companies deserves particular attention. CDSCO can initiate enforcement actions against directors for placing unregistered medical devices on the market. The Drugs and Cosmetics Act, 1940 provides for criminal prosecution of the company's owner and responsible persons for regulatory violations, and the D&O policy's defence costs component is essential in these situations. The policy's regulatory investigation extension should cover formal investigations and proceedings by CDSCO, the NMC, state medical councils, the Data Protection Board of India, and the National Health Authority, without being tied to any specific statute or regulatory body.
NABH (National Accreditation Board for Hospitals and Healthcare Providers)-accredited digital hospital platforms, which operate fully digital care delivery organisations rather than just software tools, face a unique liability profile that combines the platform's technology risk with the operational liability of a hospital. A NABH-accredited digital hospital platform that provides consultations, diagnostics, and care management through a single app interface has a duty of care comparable to a physical hospital and must carry medical malpractice cover, clinical trial insurance (if research is conducted), and facility liability cover in addition to the standard technology insurance lines.
For programme design, here are realistic premium benchmarks for a Series A HealthTech company developing a Class C diagnostic SaMD (annual revenue INR 15 crore to INR 50 crore, pre-revenue from device sales, validation trials underway): product liability at INR 5 crore limit (premium approximately INR 3 lakh to INR 6 lakh), professional indemnity at INR 5 crore limit (premium approximately INR 2.5 lakh to INR 5 lakh), cyber insurance at INR 5 crore limit (premium approximately INR 2 lakh to INR 4 lakh), D&O at INR 5 crore limit (premium approximately INR 2 lakh to INR 5 lakh), and clinical trial insurance at INR 10 crore limit for an active trial (premium approximately INR 5 lakh to INR 15 lakh). Total programme cost: approximately INR 15 lakh to INR 35 lakh per annum.
For a Series B company with CDSCO-registered devices in commercial distribution and an ABDM integration (annual revenue INR 50 crore to INR 200 crore), limits should be scaled upward across all lines, with product liability at INR 15 crore to INR 25 crore and D&O at INR 10 crore to INR 20 crore. Total programme cost at this stage typically ranges from INR 30 lakh to INR 80 lakh per annum.
The most important operational discipline is mid-term disclosure. Whenever a HealthTech company receives a CDSCO notice, an adverse event report triggers a regulatory review, a clinical trial site reports a serious adverse event, or a data breach is discovered, the relevant insurer must be notified promptly and within the policy's notification period (typically 30 days from discovery for most events, and within the policy period for claims-made covers). Late notification is the primary reason that HealthTech insurance claims are disputed, and implementing an internal incident response protocol that routes all clinical and regulatory events to the risk management team within 24 hours is the most effective structural safeguard available.