By Swetha Dasu, Associate
Introduction
The Digital Personal Data Protection Act, 2023 (“DPDP Act” or the “Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), notified by the Ministry of Electronics and Information Technology (MeitY) on November 13, 2025, together, constitute India’s first comprehensive legal framework for governing digital personal data, and their implications for the healthcare sector are profound. With full compliance obligations taking effect from May 13, 2027, every hospital, diagnostic laboratory, telemedicine platform, health insurer, and health technology company in India faces a significant and time-bound compliance obligation.
I. The Digital Health Landscape and Why Data Protection Matters Now
Under the Ayushman Bharat Digital Mission (ABDM), the government has issued nearly 74 crore Ayushman Bharat Health Account (ABHA) digital health IDs, building a unified identity layer for longitudinal patient records. Telemedicine has moved from novelty to mainstream, with the Telemedicine Practice Guidelines (2020) providing the legal scaffolding for remote consultations. Artificial intelligence tools are now deployed for radiology, pathology, and risk scoring. Wearable devices continuously transmit health metrics to cloud servers. The digital health market in India, valued at approximately USD 8.7 billion in 2024, is projected to grow at a compound annual rate of nearly 18% through 2033.
This digitalisation generates enormous quantities of deeply personal information and exposes it to risks that India’s previous regulatory architecture was wholly unequipped to address. The dangers are not theoretical. On November 23, 2022, a ransomware attack paralysed AIIMS Delhi, one of India’s most prominent public hospitals, for nearly two weeks. Patient registration, billing, laboratory, and discharge systems were all forced offline; the attackers reportedly encrypted approximately 1.3 terabytes of data, including the records of an estimated four crore patients. Earlier investigations had documented prescription data being routinely shared with pharmaceutical companies for marketing purposes, and laboratory reports circulated over unsecured messaging platforms. A 2021 industry report identified India as the second most attacked nation globally in the healthcare cybersecurity context, accounting for nearly 30% of all healthcare cyberattacks in the Asia-Pacific region.
The legal response to these vulnerabilities was fragmented. Health data protection existed, in piecemeal form, across the IT Act 2000, the SPDI Rules 2011, the Clinical Establishments Act 2010, the National Medical Commission Act 2019, the Mental Healthcare Act 2017, and IRDAI insurance regulations, none of which formed a coherent, enforceable data protection framework. The DPDP Act changes this fundamentally. It also builds on the constitutional foundation laid by the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), which held that privacy is a fundamental right under Article 21 of the Constitution of India.
II. Scope and Applicability: Who Is Covered?
The DPDP Act governs the processing of digital personal data, broadly defined under Section 2(t) as any data about an identifiable individual, whether originally collected digitally or subsequently converted from physical records. In healthcare, this captures an exceptionally wide range of information: OPD and IPD records, diagnostic reports, prescriptions, surgical notes, teleconsultation logs, mental health files, genetic data, insurance claim records, and even fitness metrics from wearable devices.
Any entity that determines the purpose and means of processing such data is defined as a “Data Fiduciary” under Section 2(i) and is directly bound by the Act. In the healthcare context, this definition encompasses:
- Hospitals, nursing homes, and clinics, both private and public;
- Diagnostic laboratories, imaging centres, and pathology services;
- Pharmacies, retail drug chains, and pharmacy platforms;
- Telemedicine and digital health applications;
- Health insurers, Third-Party Administrators (TPAs), and InsurTech platforms;
- Pharmaceutical companies processing patient data for trials or marketing;
- Medical device companies collecting data through connected or IoT-enabled products; and
- Research institutions and clinical trial sponsors.
The Act also has extra-territorial reach: foreign entities offering goods or services to persons located in India, including international health-tech firms, fall squarely within its ambit. This is particularly significant for global telemedicine providers and multinational hospital groups operating in the Indian market.
A point many healthcare entities have not yet absorbed: under Section 8(1), a Data Fiduciary remains primarily liable for compliance, even when data processing is outsourced to a third-party vendor or cloud provider (termed a “Data Processor” under the Act). The legal obligation does not transfer to the vendor. Outsourcing storage to Amazon Web Services or a Hospital Information System provider does not relieve the hospital of its accountability, and the contractual arrangements with vendors must reflect this allocation of responsibility.
IV. Core Obligations for Healthcare Data Fiduciaries
A. Consent: The End of the Fine-Print Era
Under Section 6, consent to process personal data must be free, specific, informed, unconditional, and unambiguous. It must flow from a clear affirmative act: not silence, not a pre-ticked box, and not a clause buried in an admission form’s fine print.
The DPDP Rules operationalise this by requiring that every Data Fiduciary, before collecting personal data on the basis of consent, provide the individual with a standalone notice in plain language, independent of any other document, that clearly states: (i) what specific personal data is being collected; (ii) the precise purpose for which it will be processed; (iii) how the individual may withdraw consent; and (iv) how they may file a complaint with the Data Protection Board of India (DPBI). This notice must be available in English or any of the 22 languages listed in the Eighth Schedule of the Constitution, a requirement of particular operational significance for hospitals serving linguistically diverse patient populations.
Healthcare entities must also address pre-existing data. Section 5(2) of the Act requires that where data was collected before the Act’s commencement, entities must, as soon as practicable, notify patients of what was collected and for what purpose. Legacy databases accumulated over years cannot be presumed to carry valid consent under the new framework.
The Act does carve out limited “legitimate uses” under Section 7 where processing is permitted without consent, most relevantly in response to a medical emergency or epidemic. These carve-outs are purposive and narrow. They do not operate as a general licence to process health data without consent for routine clinical or administrative purposes, and they certainly cannot justify commercial data sharing without patient knowledge.
Equally significant is the right to withdraw. Under Section 6(4), withdrawal of consent must be as simple and accessible as the act of giving it. A patient who grants consent through a digital form must be able to withdraw it through an equally accessible mechanism. Data Fiduciaries cannot place procedural barriers in the path of withdrawal.
B. Data Minimisation: Collect Only What is Genuinely Necessary
The DPDP Act requires that personal data collection be limited to what is strictly necessary for the stated purpose. A general physician does not require a patient’s employment details to treat a respiratory infection. A telemedicine platform does not require access to a user’s device contact list to facilitate a remote consultation. A diagnostic laboratory does not need to retain a patient’s banking information after the billing transaction is complete. This obligation requires healthcare entities to re-examine every data collection touchpoint through a purpose-first lens: why exactly do we need this specific piece of information, and does the purpose for which it is collected genuinely justify its collection? Patient registration forms, app onboarding flows, and insurance proposal documents are the immediate areas for review.
C. Data Retention and the Right to Erasure
Under Section 8(7) of the Act, personal data must be erased once the purpose for which it was collected is fulfilled, unless retention is mandated by law. Patients are additionally granted a right to request erasure of their data under Section 12. Healthcare entities must build technically functional erasure workflows, not merely policies, to honour these obligations.
However, medical records are often retained for clinical continuity, medico-legal purposes, and accreditation requirements, with the Clinical Establishments Act and National Medical Commission norms specifying their own retention periods. Where a law mandates retention, the retention is lawful under the DPDP framework. But where no such obligation exists, indefinitely storing patient data “for potential future use” or “for analytics” without specific consent will constitute a violation.
D. Security Safeguards: Rule 6 and the Technical Standard
Rule 6 of the DPDP Rules requires every Data Fiduciary to implement reasonable security safeguards to prevent data breaches. In the healthcare context, this means: encryption of data at rest and in transit; role-based access controls ensuring only clinically relevant personnel can view specific patient records; multi-factor authentication for access to sensitive systems; audit logging; and annual vulnerability assessments. Data processors (cloud vendors, HIS providers, laboratory information systems) must be bound by contractual obligations to maintain equivalent standards.
The AIIMS ransomware attack of November 2022, which compromised an estimated four crore patient records and disrupted hospital operations for nearly a fortnight, is the starkest illustration of what inadequate cybersecurity means in practice: not just reputational damage and regulatory liability, but direct harm to patient care. Under the DPDP Act, a breach of this nature would trigger mandatory notifications and significant financial penalties.
E. Breach Notification: 72 Hours, Without Exception
If a personal data breach occurs, the DPDP Rules require the Data Fiduciary to notify the DPBI without delay upon becoming aware of the breach, and to submit a detailed breach report within 72 hours. Every affected patient must also be individually notified with sufficient detail about the nature of the breach and its likely impact on them. There is no materiality threshold: all breaches must be reported, regardless of their apparent gravity or the number of individuals affected.
F. Children’s Data: A Heightened Duty of Care
Under Section 9 of the Act, processing the personal data of any individual below 18 years of age requires verifiable parental or guardian consent. Tracking, behavioural monitoring of children, and targeted advertising directed at minors are categorically prohibited. For paediatric hospitals, child health applications, school health programmes, and mental health providers serving young patients, this adds a meaningful layer of complexity to intake processes.
Rule 12 of the DPDP Rules provides conditional exemptions for certain classes of healthcare providers delivering essential child health or welfare services, most critically for paediatric emergencies where delay in obtaining parental consent would compromise care. However, these exemptions are not self-executing; they apply only when the Central Government formally notifies the relevant class of healthcare provider. Until such notification is issued, the default requirement of verifiable parental consent applies.
V. Significant Data Fiduciaries: Elevated Obligations for High-Risk Entities
The Act introduces a tiered compliance structure by creating the category of Significant Data Fiduciaries (SDFs) under Section 10. The Central Government may designate any Data Fiduciary as an SDF on the basis of factors including the volume and sensitivity of data processed, the potential risk to data principals, national security considerations, and the public interest implications of the entity’s data practices.
In the healthcare context, large hospital chains, health-tech platforms serving millions of users, major health insurers, pharmaceutical companies conducting large-scale clinical trials, and any entity with access to population-level health data are natural candidates for SDF designation. The official SDF list has not yet been notified. SDFs face four additional obligations beyond the standard framework:
- Appointing a Data Protection Officer (DPO) who is an individual based in India, reports directly to the Board of Directors, and serves as the primary point of contact for the DPBI and for patient grievance redressal;
- Engaging an independent data auditor to evaluate compliance with the Act and report findings;
- Conducting periodic Data Protection Impact Assessments (DPIAs) for processing activities that present a high risk to the rights of data principals; and
- Reporting significant compliance observations and gaps to the DPBI on a periodic basis.
VI. Rights of Patients Under the DPDP Act
The DPDP Act’s most transformative contribution may be the enforceable set of rights it creates for individuals, termed “Data Principals” under the law. For patients, these rights represent a legal entitlement they have never previously held:
- Right to Information (Section 11): Patients may request that a healthcare entity confirm what personal data it holds about them, how it is being processed, and who it has been shared with.
- Right to Correction and Erasure (Section 12): Patients may request correction of inaccurate or incomplete data and erasure of data that is no longer required for its original purpose.
- Right to Grievance Redressal (Section 13): Where a Data Fiduciary fails to honour a patient’s rights, the patient may approach the entity’s grievance mechanism and, thereafter, the DPBI.
- Right to Nominate (Section 14): A patient may nominate another individual to exercise their data rights in the event of their death or incapacity, a provision of particular relevance in long-term care and end-of-life contexts.
Every Data Fiduciary must establish a publicly accessible grievance redressal mechanism and respond to patient complaints within 90 days. This mechanism must be accessible via a website, application, or other digital channel using an identifier provided by the entity, not just a generic complaints email buried on a hospital’s website.
VII. The Regulatory Mosaic: DPDP Act and Existing Health Laws
The DPDP Act does not operate in isolation. A single episode of patient care in India can simultaneously implicate multiple regulatory frameworks: the DPDP Act governs data processing; the Clinical Establishments Act 2010 prescribes confidentiality obligations and EMR requirements; the National Medical Commission Act 2019 imposes doctor-patient confidentiality duties; the Mental Healthcare Act 2017 creates a parallel consent structure for psychiatric care and data disclosure; IRDAI regulations govern the processing of health data by insurers and TPAs; and the ABDM’s Health Data Management Policy applies specifically to data processed within its ecosystem.
The interaction between the DPDP Act and the Mental Healthcare Act 2017 (MHCA) deserves particular attention. The MHCA already grants individuals with mental illness the right to confidentiality in respect of their psychiatric records under Section 23(1). The DPDP Act adds a distinct, separate layer of consent specifically for the processing of that data in digital form. Mental health professionals operating digital platforms must therefore navigate a dual consent framework: one governing therapeutic consent under the MHCA and a separate one governing data processing consent under the DPDP Act. These are legally distinct obligations and must be addressed independently.
For the Ayushman Bharat Digital Mission, the Health Data Management Policy already requires consent before sharing health data within the ABDM ecosystem. The DPDP Act strengthens this requirement and gives it statutory force. Healthcare entities integrated into ABDM must ensure their ABHA-linked data flows satisfy the new consent architecture under the Rules.
Regarding data localisation: as of April 2026, the DPDP Act does not impose a blanket requirement to store health data within India. However, health data processed within the ABDM ecosystem must be stored in India under the Health Data Management Policy. Telemedicine platforms and health-tech companies using foreign cloud infrastructure should closely monitor any further notifications from the Central Government, which retains the power to impose localisation requirements at any time.
VIII. Penalties: What Non-Compliance Costs
The DPDP Act’s penalty schedule is set out in its Schedule and assessed by the DPBI on a case-by-case basis, having regard to the nature, gravity, duration, and recurrence of the non-compliance. The scale is significant:
- Up to INR 250 crore per instance: for failure to implement reasonable security safeguards (Rule 6) or to fulfil obligations regarding children’s data (Section 9).
- Up to INR 200 crore per instance: for failure to notify the DPBI of a personal data breach.
- Up to INR 150 crore per instance: for failure to fulfil additional obligations applicable to Significant Data Fiduciaries.
- Up to INR 50 crore per instance: for failing to honour Data Principal rights or maintain an adequate grievance redressal mechanism.
IX. The Compliance Timeline: Three Phases, One Deadline
The DPDP Act and Rules are being implemented in three structured phases.
Phase 1 — November 13, 2025 (Already in force)
The Data Protection Board of India has been formally constituted and its digital infrastructure is operational. Entities may already file complaints. The DPBI is building enforcement capacity and has signalled that it intends to pursue meaningful enforcement from the outset. What healthcare entities should be doing right now: conduct a data mapping exercise to understand what personal data is held, where it sits, and how it flows; review all vendor and cloud provider contracts to ensure appropriate Data Processor obligations are included; designate an internal privacy lead or privacy committee; and assess existing consent mechanisms for compliance gaps.
Phase 2 — November 13, 2026
Registration of Consent Managers opens. Consent Managers are a novel institution created by the Act: Indian-incorporated intermediaries that can hold and manage consent on behalf of patients. Health-tech platforms and large hospital groups should evaluate whether interfacing with a Consent Manager is appropriate for their data model. What healthcare entities should be doing by this point: complete the redesign of consent notices and intake workflows; train all patient-facing staff on the new consent processes; draft and implement a breach response protocol; and assess whether the organisation is likely to be designated an SDF.
Phase 3 — May 13, 2027 (Full enforcement deadline)
All substantive obligations become enforceable: standalone consent notices, data minimisation, security safeguards under Rule 6, the 72-hour breach notification requirement, all Data Principal rights, SDF-specific obligations (DPO, DPIA, independent audit), data erasure workflows, and grievance redressal mechanisms. Penalties apply from this date, and there is no grace period. The critical point: building compliant consent systems, overhauling EMR integrations, training clinical and administrative staff, auditing dozens of vendor relationships, and standing up a breach response infrastructure across a healthcare organisation is not achievable in the final months before a deadline.
Conclusion
The DPDP Act does not impose an unreasonable burden on India’s healthcare sector. What it imposes is an accountability that was always morally necessary but never legally codified: the obligation to treat patient data with the same deliberateness, care, and respect that we claim to bring to clinical care itself. A misdiagnosis harms one patient. A serious data breach can harm millions, with consequences that are permanent and, in the context of sensitive health information, irreversible.
For patients, the Act finally provides legal recognition of something they always deserved: the right to know who holds their most intimate information, why it is being used, and how they can take it back. For healthcare entities, it is a call to move from the informal and often exploitative practices that have characterised India’s health data landscape (unsecured messaging platforms, bundled consent buried in admission paperwork, patient records sold to pharmaceutical companies without disclosure) toward a culture of documented, auditable, and patient-respecting data governance.
Compliance with the DPDP Act is not just a legal imperative. For any healthcare institution that depends on patient trust, it is a strategic necessity. The question, for every hospital board, compliance team, and legal advisor in India, is not whether to build that culture. It is how much of the window they are willing to use. The transition window before full enforcement is therefore not simply a compliance timeline; it is an opportunity for the healthcare sector to redefine its relationship with patient data on principles of responsibility, transparency, and respect.