Healthcare Regulations

The DPDP Act and Your Healthcare Business: What You Actually Need to Do

India's DPDP Act is here. If you run a clinic, hospital, or health-tech product, here's what changes for you — in plain language, not legalese.

Adv. Meghna Srinivasan · 17 March 2026 · 9 min read

A hospital CEO in Pune asked me last month: "We have been handling patient data for 20 years. Why do we suddenly need a privacy policy?"

Because until now, India did not have a comprehensive data protection law that applied to healthcare. The Digital Personal Data Protection (DPDP) Act, 2023, changes that. And while the full rules are still being notified in phases, the direction is crystal clear: patient data is no longer yours to handle however you please. It belongs to the patient.

If you run a hospital, clinic, diagnostic lab, pharmacy, or health-tech company, this article is for you. I am going to skip the legal jargon and tell you what the DPDP Act actually requires you to do.

The Big Shift: Patient Data Has an Owner Now

Before the DPDP Act, Indian healthcare providers operated in a regulatory grey zone when it came to patient data. The IT Act had some provisions. The Medical Council had guidelines. But there was no single, comprehensive law that said: "Here is how you must handle patient data. Here are the penalties if you do not."

Now there is.

Under the DPDP Act, patient data is "personal data" and health information is likely to be classified as "sensitive personal data" under the upcoming rules. Your patients are "Data Principals" (they own the data) and you are a "Data Fiduciary" (you process the data with their consent).

That legal language translates to three practical obligations:

  1. You need consent to collect and use patient data — and the consent must be informed, specific, and revocable
  2. You must protect the data with reasonable security measures
  3. Patients can request their data, correct it, or ask you to delete it


This is where most healthcare providers get confused. You already get consent — the patient signs a registration form, right? But DPDP consent is different:

"I consent to the hospital using my data" is not specific enough. You need to tell the patient:

  • What data you are collecting (name, medical history, test results, Aadhaar, contact details)
  • Why you are collecting it (treatment, billing, insurance claims, research)
  • Who will have access (treating doctor, billing team, insurance TPA)
  • How long you will keep it

The patient should not feel coerced. "Sign this or we will not treat you" — if the consent includes purposes beyond treatment — could be challenged. Consent for treatment and consent for marketing are two different things and should be obtained separately.

If a patient says, "Stop using my data for marketing purposes," you must comply. This does not mean you delete their medical records — you still need those for clinical and legal reasons. But you must stop any secondary use they have revoked consent for.

The Healthcare Exception

Here is the good news. The DPDP Act recognises that healthcare has legitimate reasons to process data without explicit consent in certain situations:

  • Medical emergencies — if the patient is unconscious and needs treatment, you do not need to wait for a signed consent form
  • Public health purposes — disease surveillance, outbreak reporting
  • Legal obligations — maintaining records as required by the Clinical Establishments Act or state health regulations

But these exceptions are narrow. They do not cover marketing, research (without separate consent), or sharing data with third parties for commercial purposes.
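How software can honour the consent rules above, written as an added example for this article (not GoMeds AI code): consent is recorded per purpose, revoking marketing consent leaves treatment consent intact, the exempt purposes from the Healthcare Exception pass without a grant, and every decision lands in an audit log. The purpose names, the in-memory store and the log fields are assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes the article says need no fresh consent (names are assumptions here).
CONSENT_EXEMPT_PURPOSES = {"emergency_treatment", "public_health", "legal_retention"}

@dataclass
class ConsentLedger:
    # patient_id -> purpose -> {"granted", "detail"}; revoking flips the flag, keeping history.
    consents: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def grant(self, patient_id, purpose, detail):
        """Record one informed consent; `detail` is what the patient was told."""
        self.consents.setdefault(patient_id, {})[purpose] = {"granted": True, "detail": detail}
        self._log(patient_id, purpose, "grant", "front-desk")

    def revoke(self, patient_id, purpose):
        """Withdraw consent for one purpose only; other purposes are untouched."""
        entry = self.consents.get(patient_id, {}).get(purpose)
        if entry is not None:
            entry["granted"] = False
        self._log(patient_id, purpose, "revoke", "patient")

    def may_process(self, patient_id, purpose, actor):
        """Gate for every use of patient data: exempt purposes pass, others need a live grant."""
        if purpose in CONSENT_EXEMPT_PURPOSES:
            allowed = True
        else:
            entry = self.consents.get(patient_id, {}).get(purpose)
            allowed = entry is not None and entry["granted"]
        self._log(patient_id, purpose, "allow" if allowed else "deny", actor)
        return allowed

    def _log(self, patient_id, purpose, outcome, actor):
        # Who did what to which patient's data, for what purpose, when: the audit trail.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                               "patient": patient_id, "purpose": purpose, "outcome": outcome})

def demo():
    # Constructed scenario: treatment consent kept, marketing consent revoked.
    ledger = ConsentLedger()
    ledger.grant("P-1001", "treatment", "clinical record; treating doctor; 10 years")
    ledger.grant("P-1001", "marketing", "phone and e-mail; marketing team; until revoked")
    ledger.revoke("P-1001", "marketing")
    return {"marketing": ledger.may_process("P-1001", "marketing", "crm-batch"),
            "treatment": ledger.may_process("P-1001", "treatment", "dr-rao"),
            "emergency": ledger.may_process("P-2002", "emergency_treatment", "er-nurse"),
            "research": ledger.may_process("P-1001", "research", "analyst"),
            "log_entries": len(ledger.audit_log)}
```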

The Security Obligation: What "Reasonable" Means

The DPDP Act requires "reasonable security safeguards" to protect personal data. But what is reasonable for a healthcare provider?

While the specific standards will be detailed in rules yet to be notified, here is what most legal experts expect will be the baseline:

Technical Measures

  • Encryption — patient data must be encrypted at rest (in your database) and in transit (when transmitted over networks). If your software vendor stores data without encryption, that is a problem.
  • Access controls — not everyone in your hospital should see every patient's records. Role-based access means the billing clerk sees billing data, the nurse sees nursing data, and the doctor sees clinical data. Nobody sees everything unless they need to.
  • Audit logs — who accessed which patient record, when, and from where. If a staff member snoops on a celebrity patient's records, the audit log catches it.
  • Regular backups — data loss is a security failure. Daily automated backups stored securely.

Organisational Measures

  • Staff training — your reception staff, nurses, and billing team handle patient data daily. They need to understand what they can and cannot do with it.
  • Vendor assessment — if you use cloud-based software (and most modern healthcare software is cloud-based), your vendor's security posture is your security posture. Ask about their data centre location, encryption standards, and security certifications.
  • Incident response plan — if there is a data breach, what do you do? Who do you notify? How quickly? The DPDP Act requires breach notification, and having a plan before it happens is essential.


Data Principal Rights: What Your Patients Can Ask For

Under the DPDP Act, your patients have specific rights:

Right to Access

"Show me all the data you have about me." You must be able to produce a summary of the personal data you hold about a patient and how you are using it.

If your records are scattered across paper files, billing software, lab systems, and a separate EMR — each maintained by a different department — producing a comprehensive response is going to be painful. This is where an integrated hospital management system makes compliance significantly easier.

Right to Correction

"My blood group is wrong in your records. Fix it." You must correct inaccurate data when the patient points it out.

Right to Erasure

"Delete my data." This one is tricky in healthcare. You have legal obligations to maintain medical records for specific periods (varying by state, typically 3 to 10 years). You cannot delete clinical records just because a patient asks. But you must delete data you no longer have a legitimate reason to keep — old marketing preferences, expired consent records, or data from services the patient no longer uses.

Right to Nominate

Patients can nominate someone to exercise their data rights on their behalf — important for elderly patients or those who may become incapacitated.

What This Means for Your Software

If you are buying or evaluating healthcare software, add these to your checklist:

DPDP Requirement       | Software Feature Needed
-----------------------|------------------------------------------------------------------
Consent management     | Digital consent capture with purpose-specific tracking
Data access requests   | Ability to export a patient's complete data in a readable format
Data correction        | Easy editing with audit trail (original value preserved)
Role-based access      | Granular permission controls by department and role
Audit logging          | Complete log of who accessed what and when
Data encryption        | Encryption at rest and in transit (AES-256 minimum)
Breach detection       | Anomaly alerts for unusual access patterns
Data retention         | Configurable retention periods with automated archival

If your current software cannot do most of these, you will be spending significant manual effort on compliance — or risking non-compliance.

The Penalties Are Real

The DPDP Act prescribes penalties of up to Rs 250 crore for significant breaches. While this maximum is unlikely for a small clinic, the penalties are designed to scale with the severity and size of the organisation.

More importantly, a data breach at a healthcare organisation is not just a fine. It is reputational damage. In healthcare, trust is everything. A newspaper headline about patient data leaking from your hospital will cost you more than any regulatory penalty.

A Practical Compliance Checklist

Here is what I tell my healthcare clients to do right now:

  1. Audit your data flows. Map where patient data enters your organisation, where it is stored, who has access, and where it goes. Most hospitals discover data in places they did not expect — old laptops, personal email accounts, WhatsApp groups.

  2. Update your consent forms. Make them DPDP-compliant — specific about what data, why, and how long. Get separate consent for non-clinical uses like marketing.

  3. Review your software vendor's security. Ask for their data processing agreement, security certifications, and breach notification process. If they cannot provide these, consider switching.

  4. Implement access controls. If everyone in your hospital uses the same login, fix that immediately. Individual accounts with role-based permissions.

  5. Train your staff. A one-hour session on what patient data is, why it matters, and what the rules are. Annual refresher.

  6. Appoint a Data Protection Officer (if your processing volume warrants it — the threshold will be defined in the rules). Even if not legally required, having someone responsible for data protection is good practice.

The Bottom Line

The DPDP Act is not going to turn Indian healthcare upside down overnight. The rules are being rolled out in phases, and enforcement will be gradual. But the direction is unmistakable — patient data privacy is now a legal requirement, not a best practice.

Healthcare providers who invest in proper systems now — integrated software with built-in consent management, access controls, and audit trails — will find compliance natural. Those who wait until a breach happens or an inspection catches them will find it expensive and disruptive.

If you are looking for healthcare software built with DPDP compliance in mind, GoMeds AI includes role-based access, audit logging, encryption, and consent management across all modules. Talk to our team about how it maps to your compliance requirements.


Adv. Meghna Srinivasan is a technology and data privacy lawyer based in Bengaluru. She advises hospitals, health-tech companies, and diagnostic chains on regulatory compliance including the DPDP Act, Telemedicine Practice Guidelines, and ABDM regulations.

Tags

DPDP Act India · healthcare data privacy · patient data protection · digital health compliance · health data security
