
The Digital Personal Data Protection Act, 2023, and its accompanying Rules have fundamentally altered the compliance landscape for India’s healthcare sector. For hospitals, diagnostic centers, and telemedicine platforms processing patient data, the stakes have never been higher.
With penalties reaching up to ₹250 crore for serious contraventions and regulatory enforcement now operational, the time for proactive compliance is now. This guide distills the essential legal and operational requirements for healthcare entities handling high-risk health data.
Understanding Health Data Under the DPDP Framework
The DPDP Act does not create a separate statutory category for “sensitive personal data.” Instead, it adopts a risk-based approach where the potential for harm determines compliance rigor. Health data, encompassing medical histories, diagnoses, prescriptions, lab results, imaging, genetic information, mental health records, biometric identifiers, teleconsultation recordings, and wearable device data, is unequivocally high-risk.
A data breach involving patient records can lead to discrimination, social stigma, insurance denial, and profound psychological distress. The 2022 AIIMS Delhi ransomware attack, which reportedly exposed the records of some 30 to 40 million patients and forced the hospital onto manual operations for roughly two weeks, exemplifies the operational and reputational catastrophe that inadequate data protection can trigger.
Consequently, entities processing health data will face heightened scrutiny from the Data Protection Board of India (DPBI) and are highly likely to be designated as Significant Data Fiduciaries (SDFs), triggering additional obligations including mandatory appointment of a Data Protection Officer (DPO) in India, independent audits, and Data Protection Impact Assessments (DPIAs).
The Consent Architecture: DPDP Act, Rules, and Telemedicine Guidelines
a. Core DPDP Requirements
Consent under the DPDP Act must be:
- Free: No coercion or conditioning of service on unrelated consent
- Specific: Tied to clearly stated purposes; blanket consents are invalid
- Informed: Preceded by a clear notice in plain language
- Unambiguous: A clear affirmative action (no pre-ticked boxes)
- Revocable: As easy to withdraw as to give
b. Notice Requirements (Per DPDP Rules)
Before collecting data, provide a concise notice stating:
- What data is collected (including audio/video recordings in teleconsults)
- Specific purposes (diagnosis, treatment, billing, ABDM exchange, quality assurance)
- Third-party sharing (laboratories, pharmacies, insurance TPAs, referral specialists, ABDM entities)
- Retention periods and legal basis
- Patient rights (access, correction, erasure, grievance redressal, nomination)
- DPO contact details (for SDFs)
The Rules mandate multilingual accessibility and layered design for complex processing scenarios.
c. Telemedicine-Specific Consent (TPG 2020 + DPDP)
The Telemedicine Practice Guidelines distinguish between:
- Patient-initiated consultations: Consent is implied under TPG. However, DPDP compliance requires presenting the notice before the consultation begins; the patient’s action of proceeding constitutes the “clear affirmative action.”
- Provider-initiated consultations: Explicit consent is mandatory. Capture it through:
  - In-app acknowledgment with timestamp
  - Email/SMS confirmation
  - Recorded verbal consent at the start of the consultation (“Dr. Singh calling regarding your test results. Do you consent to proceed with this teleconsultation? Please say yes for the record.”)
d. Children and Vulnerable Populations
For patients under 18 or those with legal guardians:
- Implement robust age verification
- Obtain verifiable parental/guardian consent through documentary proof or digital verification methods prescribed in the Rules
- Build transition workflows so patients can review and ratify consents upon reaching majority
e. ABDM Integration
If participating in the Ayushman Bharat Digital Mission:
- Use HIE-CM (Health Information Exchange-Consent Manager) compliant consent artifacts specifying purpose, data categories, frequency, duration, and expiry
- Provide patient-accessible consent dashboards with audit trails
- Honor consent revocation in real-time across all ABDM HIPs (Health Information Providers) and HIUs (Health Information Users)
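The checks a consent manager has to make each time a Health Information User asks for records, written out as an added Python example. This is illustrative code, not ABDM's HIE-CM artifact schema or any platform's implementation: the field names, the hypothetical HIU and purpose identifiers (ConsentArtifact, AccessRequest, evaluate, fetch, "hiu-lab", "CARE_MANAGEMENT") and the sample consent and requests are all assumptions; only the conditions checked (named requester, purpose, data categories, validity window, frequency, revocation) follow what the page lists.

```python
"""Purpose-limited consent check for health-record requests.

Added illustration, not ABDM's HIE-CM artifact schema or any platform's
code. Field names, the hypothetical HIU/purpose identifiers and the sample
data are assumptions; only the conditions checked (requester, purpose,
data categories, validity window, frequency, revocation) follow the page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentArtifact:
    consent_id: str
    patient_id: str
    hiu_id: str                   # the Health Information User the consent names
    purpose: str                  # one purpose per artifact; no blanket consents
    data_categories: frozenset    # record types the patient agreed to share
    valid_from: datetime
    valid_to: datetime            # expiry
    max_fetches: int              # frequency limit
    fetches: int = 0
    revoked_at: Optional[datetime] = None


@dataclass
class AccessRequest:
    hiu_id: str
    purpose: str
    categories: frozenset
    at: datetime


def evaluate(consent: ConsentArtifact, req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Deny by default; every denial names the
    failed condition so it can be shown on the patient's consent dashboard."""
    if consent.revoked_at is not None and req.at >= consent.revoked_at:
        return False, "consent revoked"
    if req.hiu_id != consent.hiu_id:
        return False, "requester not named in consent"
    if req.purpose != consent.purpose:
        return False, "purpose mismatch"        # no repurposing under an old consent
    if not req.categories <= consent.data_categories:
        extra = sorted(req.categories - consent.data_categories)
        return False, f"categories not consented: {extra}"
    if not (consent.valid_from <= req.at <= consent.valid_to):
        return False, "outside validity window"
    if consent.fetches >= consent.max_fetches:
        return False, "frequency limit reached"
    return True, "ok"


def fetch(consent: ConsentArtifact, req: AccessRequest) -> tuple[bool, str]:
    """Apply the check and, only on success, count the fetch against the limit."""
    allowed, reason = evaluate(consent, req)
    if allowed:
        consent.fetches += 1
    return allowed, reason


def demo() -> list[tuple[bool, str]]:
    """Constructed scenario: one 30-day consent for a lab (HIU) covering two
    record types, exercised by a series of requests, then revoked."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    consent = ConsentArtifact(
        consent_id="c-001", patient_id="abha-demo", hiu_id="hiu-lab",
        purpose="CARE_MANAGEMENT",
        data_categories=frozenset({"Prescription", "DiagnosticReport"}),
        valid_from=t0, valid_to=t0 + timedelta(days=30), max_fetches=3,
    )

    def ask(purpose, cats, days, hiu="hiu-lab"):
        req = AccessRequest(hiu, purpose, frozenset(cats), t0 + timedelta(days=days))
        return fetch(consent, req)

    results = [
        ask("CARE_MANAGEMENT", {"Prescription"}, 1),                        # allowed
        ask("CARE_MANAGEMENT", {"Prescription", "ImmunizationRecord"}, 2),  # extra category
        ask("INSURANCE_CLAIM", {"Prescription"}, 2),                        # wrong purpose
        ask("CARE_MANAGEMENT", {"Prescription"}, 45),                       # expired
    ]
    consent.revoked_at = t0 + timedelta(days=3)                             # patient withdraws
    results.append(ask("CARE_MANAGEMENT", {"Prescription"}, 4))            # revoked
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The revocation check runs first and compares against the request time, so a withdrawal takes effect at the moment it is recorded rather than at the next expiry; that is what "real-time" revocation across HIPs and HIUs requires of each party holding a copy of the artifact.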
Security Safeguards: Meeting the "Reasonable" Standard
For health data, “reasonable security safeguards” means controls commensurate with the sensitivity of the data and the harm a breach would cause; for patient records, that sets a high bar:
a. Technical Controls
- Encryption of data in transit (TLS 1.2 or later, preferably 1.3, with legacy cipher suites disabled) and at rest (AES-256), with keys managed separately from the data store
- Role-based access control (RBAC) with least privilege: a nurse cannot access a surgeon’s operative notes; billing staff cannot view clinical data
- Multi-factor authentication (MFA) for all system access
- Immutable audit logs recording all data access with “break-glass” provisions for emergencies, subject to retrospective review
- Network segmentation separating clinical, administrative, and development environments
- Regular Vulnerability Assessment and Penetration Testing (VAPT)
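What least-privilege RBAC, break-glass access and a tamper-evident audit trail look like together, as an added Python example (not the page's or any EHR vendor's code). The roles, record classes, policy table and user names are assumptions chosen to match the page's own examples (a nurse may not read operative notes; billing may not read clinical data), and the scenario in demo() is constructed. The hash chain makes after-the-fact editing or deletion of log entries detectable; it does not by itself prevent it, so the entries still belong in append-only storage.

```python
"""Least-privilege access check with break-glass and a tamper-evident audit log.

Added illustration, not the page's or any EHR vendor's code. Roles, record
classes and the POLICY table are assumptions matching the page's examples.
A real system would load the policy from configuration and write entries
to append-only storage; the hash chain only makes tampering detectable.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Record classes each role may read. Anything not listed is denied.
POLICY = {
    "surgeon": {"operative_note", "clinical_note", "lab_result", "imaging"},
    "nurse": {"clinical_note", "lab_result", "medication_chart"},
    "radiologist": {"imaging", "clinical_note"},
    "billing": {"invoice", "insurance_claim"},
}

GENESIS = "0" * 64


class AuditLog:
    """Append-only log where each entry's hash covers the previous hash, so
    editing, deleting or reordering any entry breaks verify()."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True

    def record_review(self, break_glass_hash: str, reviewer: str, outcome: str) -> str:
        """Retrospective review is a new entry referencing the override;
        the override entry itself is never modified."""
        return self.append({"type": "review", "of": break_glass_hash,
                            "reviewer": reviewer, "outcome": outcome})

    def pending_reviews(self) -> list:
        reviewed = {e["event"]["of"] for e in self.entries if e["event"].get("type") == "review"}
        return [e for e in self.entries
                if e["event"].get("break_glass") and e["hash"] not in reviewed]


def authorize(log: AuditLog, user: str, role: str, record_class: str, patient_id: str,
              break_glass_reason: Optional[str] = None, now: Optional[datetime] = None):
    """Return (allowed, audit_entry_hash). Every decision, allowed or denied, is logged."""
    now = now or datetime.now(timezone.utc)
    allowed = record_class in POLICY.get(role, set())
    event = {"type": "access", "ts": now.isoformat(), "user": user, "role": role,
             "patient": patient_id, "record": record_class,
             "decision": "allow" if allowed else "deny"}
    if not allowed and break_glass_reason:
        # Emergency override: grant the read, but mark it so it must be reviewed.
        allowed = True
        event.update(decision="allow", break_glass=True, reason=break_glass_reason)
    return allowed, log.append(event)


def demo() -> dict:
    """Constructed scenario: policy denials, an override, its review, and tamper detection."""
    log = AuditLog()
    t = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    out = {}
    out["nurse_operative_note"], _ = authorize(log, "n.rao", "nurse", "operative_note", "P-1001", now=t)
    out["billing_clinical_note"], _ = authorize(log, "b.shah", "billing", "clinical_note", "P-1001", now=t)
    out["surgeon_operative_note"], _ = authorize(log, "s.singh", "surgeon", "operative_note", "P-1001", now=t)
    out["nurse_break_glass"], h = authorize(log, "n.rao", "nurse", "operative_note", "P-1001",
                                            break_glass_reason="post-op bleed, surgeon unreachable", now=t)
    out["pending_before_review"] = len(log.pending_reviews())
    log.record_review(h, "privacy.officer", "justified")
    out["pending_after_review"] = len(log.pending_reviews())
    out["chain_intact"] = log.verify()
    log.entries[0]["event"]["decision"] = "allow"        # simulate after-the-fact tampering
    out["chain_intact_after_tamper"] = log.verify()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Denials are logged as well as grants, because a pattern of refused reads against one patient is itself a signal worth reviewing; and the review of a break-glass event is recorded as a separate chained entry rather than by flipping a flag on the original, so the override record stays exactly as it was written.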
b. Organizational Controls
- Documented incident response plan integrating both DPBI breach notification (timeline expected in Rules) and CERT-In’s 6-hour reporting for cyber incidents
- Vendor due diligence and Data Processing Agreements (DPAs) with security obligations, sub-processor transparency, and breach cooperation clauses
- Regular security awareness training including phishing simulations
- Offline or immutable backups, with restoration tested on a schedule, to limit ransomware impact
c. Breach Notification
The Rules will prescribe specific timelines (likely 72 hours, analogous to GDPR). Prepare now:
- Designate a breach response team
- Draft template notifications for DPBI and patients
- Establish evidence preservation protocols
- Coordinate with CERT-In reporting obligations (already operational)
Patient Rights: Operationalizing the DPDP Framework
Patients have enforceable rights that must be supported by accessible interfaces:
a. Right to Access
Provide a self-service portal for patients to download:
- Complete medical records in interoperable format (HL7 FHIR per EHR Standards 2016)
- Consent history with timestamps
- Data sharing log (who accessed what, when)
b. Right to Correction and Erasure
Build workflows for:
- Clinician-verified corrections to diagnoses, medications, or allergies
- Erasure upon consent withdrawal or purpose completion, subject to legal retention requirements
c. Critical Point on Retention
Clinical Establishments Rules, NABH standards, and state regulations mandate multi-year retention of inpatient records, imaging, operative notes, and medico-legal documentation. Document these legal bases when declining erasure requests.
d. Right to Grievance Redressal
The Rules will prescribe timelines (expect 7-30 days based on draft frameworks). Establish:
- Dedicated grievance email and toll-free number
- Ticketing system with acknowledgment and resolution tracking
- Clear escalation path to DPBI for unresolved complaints
e. Right to Nominate
Allow patients to nominate an individual to exercise their rights in the event of death or incapacity; this is critical in hospital settings. Integrate nomination into admission forms and patient portals.
Compliance Roadmap for HealthTech and Hospitals
a. Immediate Actions (Quarters 1-2)
- Data Mapping: Audit all personal data flows across EHR, LIS, PACS, telemedicine, billing, ABDM, and third-party integrations
- Consent Overhaul: Implement granular consent management with ABDM compatibility, multilingual notices, and one-click withdrawal
- Security Hardening: Deploy encryption, MFA, RBAC, audit logging, and VAPT; test incident response including DPBI/CERT-In tracks
- Governance: Form a privacy committee; if likely SDF (most hospitals and scaled telemedicine platforms), appoint a qualified DPO in India
b. Medium-Term Actions (Quarters 3-4)
- Vendor Diligence: Review all cloud providers, telemedicine SDKs, AI transcription/triage tools, and billing partners; execute DPAs with security and breach notification clauses
- Patient-Facing Tools: Launch consent dashboard, records download, correction request, and grievance portal
- Training Program: Deliver role-based training for clinicians, front-desk staff, IT, and management with scenario-based exercises
- DPIA and Audit: For SDFs, conduct DPIAs for high-risk processing and commission independent audits
c. Ongoing Discipline
- Retention Reviews: Quarterly audits to delete data beyond retention schedules; document legal bases for extended retention
- Rule Monitoring: Track DPBI notifications on SDFs, restricted jurisdictions, breach timelines, and verification methods
- Penetration Testing: Annual VAPT with remediation tracking
Sectoral Coordination: DPDP + TPG + ABDM + CERT-In
Healthcare compliance is multi-layered. Harmonize:
- DPDP Act and Rules: Consent, security, patient rights, breach notification to DPBI
- TPG 2020: Implied/explicit consent protocols, RMP recordkeeping, prescription rules
- ABDM: HIE-CM consent flows, ABHA integration, FHIR interoperability
- CERT-In Directions: 6-hour cyber incident reporting, 180-day log retention within India, and clock synchronization with NPL or NIC NTP servers
- NABH/Clinical Establishments Rules: Record retention minimums, confidentiality standards
Enforcement Reality
The DPBI is operational with investigation, adjudication, and penalty powers. Penalties include:
- Up to ₹250 crore for failure to implement reasonable security leading to breach
- Up to ₹200 crore for failing to notify breaches or violating children’s data rules
- Up to ₹150 crore for breach of the additional obligations imposed on Significant Data Fiduciaries
Professional consequences (NMC disciplinary action) and accreditation risks (NABH suspension) compound financial penalties.
Conclusion
For India’s healthcare sector, DPDP compliance is not a box-ticking exercise; it is the foundation of digital trust and clinical safety. The convergence of DPDP, TPG, ABDM, and cybersecurity mandates creates a demanding but navigable framework.
Build consent-first, security-by-design systems, invest in patient-facing transparency tools, and prepare for SDF obligations. The institutions that embed data protection into their clinical and operational DNA will lead India’s digital health transformation; those that delay risk regulatory action, operational disruption, and irreparable harm to patient trust.
Please reach out to us at rohit.lalwani@amlegals.com in case of any query.
