DPDP for Healthcare
Patient Data, Consent & Compliance
Healthcare data protection under the DPDP Act 2023 requires hospitals, diagnostic laboratories, telemedicine platforms, and health insurers to implement rigorous consent mechanisms, secure data handling, and breach notification protocols for patient records. Unified Chambers and Associates advises healthcare institutions on DPDP compliance, ABDM data sharing requirements, and Data Protection Board representation. Advocate Subodh Bajpai, LLM, MBA (XLRI Jamshedpur), leads every healthcare data protection engagement.
Patient medical records — diagnosis history, treatment protocols, diagnostic reports, prescription data, insurance claims — constitute some of the most sensitive personal data processed in India. A single data breach at a hospital chain can expose millions of patient records and trigger DPDP penalties up to Rs 250 crore per contravention, alongside reputational damage that erodes patient trust.
Patient Records as Protected Personal Data
Under the DPDP Act 2023, every hospital, clinic, nursing home, diagnostic laboratory, telemedicine platform, and health insurance company that collects and processes patient data is a data fiduciary. Patient records — including registration details, Aadhaar-linked identity verification, medical history, diagnosis notes, treatment protocols, prescription records, diagnostic reports, billing data, and insurance claims — are digital personal data protected by the Act.
Multi-speciality hospital chains operating across multiple cities process personal data at a scale comparable to large banks and NBFCs. A single hospital chain may hold electronic medical records for tens of millions of patients, each record containing deeply sensitive health information. These large healthcare fiduciaries are likely to be designated as Significant Data Fiduciaries under Section 10, triggering additional obligations: mandatory Data Protection Officer appointment, independent data auditor, and periodic Data Protection Impact Assessments.
The sensitivity of health data magnifies every compliance obligation. While a breach of financial data exposes account numbers and transaction history, a breach of health data exposes diagnosis, mental health records, HIV status, reproductive health, genetic information, and treatment history — information that can lead to discrimination in employment, insurance denial, and social stigma. The DPDP Act does not create a separate category for health data (unlike GDPR which explicitly identifies health data as a special category), but the sensitivity of the data influences the standard of "reasonable security safeguards" that the Data Protection Board will expect.
DPDP Requirements for Healthcare Providers
Patient Consent Architecture
Informed, specific, granular consent for each processing purpose — treatment, insurance claims, research, marketing. Privacy notices in clear language at registration, OPD, and digital touchpoints. Mechanism for easy withdrawal of consent.
Electronic Medical Records (EMR)
DPDP-compliant storage, access controls, and audit trails for all electronic medical records. Data principal rights: patient access to records, correction of errors, and erasure where legally permissible under medical record retention requirements.
Telemedicine & Digital Health Data
Video consultation recordings, chat transcripts, prescription data, and remote monitoring data must comply with DPDP consent requirements. Cross-border data transfer assessment for platforms using international cloud infrastructure.
Health Insurance Data Sharing
Sharing patient data with insurance companies for claims processing requires separate, specific consent. Pre-authorisation data flows, claims documentation, and TPA data sharing arrangements must be DPDP-compliant.
Diagnostic Lab Data Governance
Pathology reports, radiology images, genetic test results, and associated patient identifiers require independent consent and secure data handling. Lab-to-hospital data sharing agreements must comply with DPDP.
Research & Clinical Trial Data
Using patient data for medical research, clinical trials, or AI model training requires explicit consent separate from treatment consent. Anonymisation and de-identification protocols must meet DPDP standards.
Ayushman Bharat Digital Mission Meets Data Protection
The Ayushman Bharat Digital Mission (ABDM) is building India’s digital health infrastructure: ABHA (Ayushman Bharat Health Account) IDs for every citizen, Health Information Exchange and Consent Manager (HIE-CM) for interoperable health records, and a unified patient health record system that allows data sharing between hospitals, laboratories, pharmacies, and insurers. The DPDP Act adds a critical compliance layer to this architecture.
Every data sharing event within the ABDM ecosystem requires DPDP-compliant consent. When a patient visits Hospital A and their records are requested by Hospital B through the Health Information Exchange, the consent manager must ensure that the patient has given informed, specific, and revocable consent for that particular data transfer. The ABDM consent framework and the DPDP consent requirements must be aligned — and where they diverge, healthcare institutions need legal guidance on which standard prevails.
Healthcare providers participating in ABDM occupy dual roles under DPDP: they are data fiduciaries for patient data they generate (consultation notes, diagnostic reports, prescriptions) and effectively function as data processors for data received through the exchange from other providers. This dual role creates complex compliance obligations around data retention, purpose limitation, and security safeguards for both originated and received data.
The aggregation risk is particularly acute in ABDM. A patient who links their ABHA ID across a general hospital, a diagnostic lab, a mental health counsellor, and a pharmacy creates an extensive longitudinal health profile. The combined dataset is far more sensitive than any individual record — and its protection under DPDP requires security safeguards commensurate with the aggregated sensitivity. Healthcare institutions integrating with ABDM need legal advisory that addresses both the ABDM regulatory framework and DPDP consent architecture simultaneously.
Heightened Scrutiny for Patient Data Breaches
While the DPDP Act prescribes the same penalty tiers for all data fiduciaries regardless of sector, healthcare data breaches will attract heightened regulatory scrutiny for several reasons. Patient medical records expose not just identity and contact details — they reveal diagnosis history, mental health conditions, HIV status, reproductive health, genetic predispositions, substance abuse treatment, and psychiatric evaluations. A breach of this data can lead to employment discrimination, insurance denial, social stigma, and personal distress far exceeding that caused by a financial data breach.
The penalty exposure for healthcare institutions is cumulative. A hospital data breach could simultaneously trigger: failure to implement reasonable security safeguards (up to Rs 250 crore, Schedule Sl.1), failure to notify the Board and affected patients (up to Rs 200 crore, Schedule Sl.2), and breach of additional Significant Data Fiduciary obligations (up to Rs 150 crore, Schedule Sl.4). If the breach involves children’s health data — paediatric records, neonatal care, child psychiatry — a further Rs 200 crore penalty for Section 9 violations applies (Schedule Sl.3).
Beyond monetary penalties, healthcare data breaches trigger CERT-In mandatory reporting within 6 hours, potential investigation by the Ministry of Health, media scrutiny, and erosion of patient trust. Healthcare institutions need a data breach response plan that integrates DPDP notification obligations with CERT-In reporting, internal forensic investigation, patient communication, and media management. Unified Chambers provides 24/7 breach response for empanelled healthcare clients, ensuring that legal obligations are met within the statutory timelines while protecting the institution’s regulatory position.
Paediatric Records Under Heightened Protection
Section 9 of the DPDP Act imposes the strictest obligations on processing personal data of children — defined as individuals under 18 years of age. For healthcare providers, this creates a distinct compliance framework for paediatric hospitals, neonatal intensive care units, child psychiatry and psychology practices, paediatric diagnostic labs, and children’s health monitoring applications.
The core requirement is verifiable parental or guardian consent before processing a child’s medical data. This means a paediatric hospital cannot rely on the general registration consent signed by a parent — it must obtain specific consent for each category of data processing involving the child’s records. If the hospital shares the child’s diagnostic report with a specialist, an insurer, or a school health programme, each sharing instance requires separate consent from the parent or guardian.
Section 9 also prohibits processing that is detrimental to the well-being of the child. In a healthcare context, this could restrict: (a) sharing children’s health data with third-party marketing platforms; (b) using paediatric patient data for commercial research without explicit consent; (c) behavioural tracking in children’s health apps that monitors usage patterns beyond clinical necessity. The prohibition on tracking and monitoring is particularly relevant for digital health platforms targeting children — fitness apps, mental health chatbots, medication reminder apps, and wellness trackers.
Penalties for children’s data violations reach Rs 200 crore per contravention (Schedule Sl.3, Section 9). Healthcare institutions with significant paediatric patient populations need specialised consent architecture, data handling protocols, and compliance documentation that specifically addresses Section 9 requirements. Unified Chambers advises paediatric hospitals and children’s healthcare providers on building Section 9-compliant data governance frameworks.
Is Your Healthcare Organisation DPDP-Ready?
If your healthcare organisation has gaps in any of these areas, contact Unified Chambers for a DPDP compliance assessment. We work with hospital legal teams, IT departments, and compliance officers to build data protection frameworks tailored to healthcare data flows.
DPDP for Healthcare — Key Questions
Are hospitals and clinics classified as data fiduciaries under the DPDP Act?
Yes. Under the Digital Personal Data Protection Act 2023, any hospital, clinic, nursing home, diagnostic laboratory, or healthcare provider that determines the purpose and means of processing patient personal data is classified as a data fiduciary. This includes: collecting patient registration details (name, age, address, Aadhaar, phone number), maintaining electronic medical records (EMR), processing diagnostic reports, billing and insurance data, and telemedicine consultation records. Multi-speciality hospital chains, which process personal data at massive scale across multiple locations, are likely to be designated as Significant Data Fiduciaries with additional obligations under Section 10 — including mandatory DPO appointment and periodic DPIA.
What patient consent is required under the DPDP Act for medical records?
The DPDP Act requires healthcare providers to obtain informed, specific, and granular consent from patients (data principals) before processing their personal data. This means: (a) a privacy notice in clear language explaining what data is collected, the purpose of processing, and who it will be shared with; (b) separate consent for each purpose — treatment, insurance claims, research, marketing; (c) the ability for patients to withdraw consent at any time through an accessible mechanism. However, Section 7(a) provides an exemption for medical emergencies — personal data can be processed without consent where the data principal is unable to give consent and the processing is necessary for medical treatment. This exemption does not extend to post-emergency marketing, insurance upselling, or research use of the data collected during the emergency.
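As an added illustration (not code from the original page, and not the ABDM HIE-CM or any real consent manager's API), the following Python models the consent checks that the Patient Consent Architecture, ABDM, paediatric and medical-emergency passages above describe: consent is recorded per purpose and per recipient, bundled "accept all" consent is refused at grant time, withdrawal takes effect on the next check, a child's record needs consent from a verified guardian, an emergency exemption unlocks treatment processing only, and every check is written to an audit trail. Purpose names, identifiers and the ledger structure are assumptions for the example.

```python
"""Purpose-scoped consent ledger for a healthcare data fiduciary (illustrative)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Hypothetical purpose vocabulary, mirroring the purposes named on the page.
PURPOSES = {"treatment", "insurance_claim", "research", "marketing"}
BUNDLED = "all"  # an "accept all" consent; deliberately never accepted


@dataclass
class Patient:
    patient_id: str
    age: int
    verified_guardian: Optional[str] = None  # hypothetical verified-guardian id


@dataclass
class ConsentRecord:
    purpose: str
    recipient: str
    given_by: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class ConsentLedger:
    records: dict = field(default_factory=dict)  # patient_id -> [ConsentRecord]
    audit: list = field(default_factory=list)    # one entry per access check

    def grant(self, patient, purpose, recipient, given_by, now=None):
        """Record one specific, purpose-limited consent; reject bundled consent."""
        if purpose not in PURPOSES:
            raise ValueError(f"consent must name one specific purpose, got {purpose!r}")
        if patient.age < 18:
            # Child record: only the verified guardian may consent.
            if patient.verified_guardian is None or given_by != patient.verified_guardian:
                raise PermissionError("child record: verifiable guardian consent required")
        elif given_by != patient.patient_id:
            raise PermissionError("adult consent must come from the data principal")
        rec = ConsentRecord(purpose, recipient, given_by, now or datetime.now(timezone.utc))
        self.records.setdefault(patient.patient_id, []).append(rec)
        return rec

    def withdraw(self, patient_id, purpose, recipient, now=None):
        """Withdraw every live consent for purpose+recipient; returns how many."""
        ts = now or datetime.now(timezone.utc)
        count = 0
        for rec in self.records.get(patient_id, []):
            if rec.purpose == purpose and rec.recipient == recipient and rec.withdrawn_at is None:
                rec.withdrawn_at = ts
                count += 1
        return count

    def check(self, patient, purpose, recipient, emergency=False):
        """Gate a data release: returns (allowed, reason) and appends an audit entry."""
        allowed, reason = self._decide(patient, purpose, recipient, emergency)
        self.audit.append((datetime.now(timezone.utc), patient.patient_id,
                           purpose, recipient, allowed, reason))
        return allowed, reason

    def _decide(self, patient, purpose, recipient, emergency):
        if purpose not in PURPOSES:
            return False, "unknown purpose"
        if emergency and purpose == "treatment":
            # Emergency exemption covers treatment only, never marketing/research.
            return True, "medical-emergency exemption (treatment only)"
        for rec in self.records.get(patient.patient_id, []):
            if rec.purpose == purpose and rec.recipient == recipient and rec.withdrawn_at is None:
                return True, f"consent by {rec.given_by} at {rec.granted_at.isoformat()}"
        return False, f"no live consent for {purpose} -> {recipient}"


def scenario():
    """Constructed walk-through; returns the outcome of each check."""
    ledger = ConsentLedger()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    adult = Patient("P-1001", 42)                           # constructed sample
    child = Patient("P-2002", 9, verified_guardian="G-77")  # constructed sample
    out = {}
    ledger.grant(adult, "treatment", "hospital-b", "P-1001", t0)
    out["adult_treatment"] = ledger.check(adult, "treatment", "hospital-b")[0]
    out["adult_insurer"] = ledger.check(adult, "insurance_claim", "insurer-x")[0]
    try:
        ledger.grant(adult, BUNDLED, "hospital-b", "P-1001", t0)
        out["bundled"] = "accepted"
    except ValueError:
        out["bundled"] = "rejected"
    ledger.withdraw("P-1001", "treatment", "hospital-b", t0)
    out["after_withdraw"] = ledger.check(adult, "treatment", "hospital-b")[0]
    out["emergency_treatment"] = ledger.check(adult, "treatment", "er-team", emergency=True)[0]
    out["emergency_marketing"] = ledger.check(adult, "marketing", "er-team", emergency=True)[0]
    try:
        ledger.grant(child, "treatment", "lab-y", "P-2002", t0)
        out["child_self"] = "accepted"
    except PermissionError:
        out["child_self"] = "rejected"
    ledger.grant(child, "treatment", "lab-y", "G-77", t0)
    out["child_guardian"] = ledger.check(child, "treatment", "lab-y")[0]
    out["audit_entries"] = len(ledger.audit)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The design point is that the check sits between the record store and any outbound transfer, so a request from Hospital B, an insurer or a research team is answered by the ledger rather than by whoever holds the record; the audit list gives the fiduciary evidence of each decision if the Data Protection Board asks how a particular release was authorised.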
How does ABDM (Ayushman Bharat Digital Mission) interact with the DPDP Act?
ABDM creates a digital health infrastructure with ABHA (Ayushman Bharat Health Account) IDs, Health Information Exchange, and unified patient health records across providers. The intersection with DPDP is significant: (a) ABDM facilitates data sharing between hospitals, labs, and insurers — each sharing instance requires DPDP-compliant consent; (b) the Health Information Exchange protocols must align with DPDP data principal rights (access, correction, erasure); (c) healthcare providers participating in ABDM are data fiduciaries for the data they generate and data processors for data received through the exchange; (d) patients who link their ABHA ID across multiple providers create extensive health profiles — the aggregation of this data requires heightened security safeguards under DPDP. Healthcare institutions integrating with ABDM need legal advisory on both the ABDM regulatory framework and DPDP consent architecture to ensure compliance at every data sharing touchpoint.
What are the penalties for a healthcare data breach under the DPDP Act?
Healthcare data breaches attract the standard DPDP penalty framework: up to Rs 250 crore for breach of security safeguards (Schedule Sl.1, Section 8(5)), up to Rs 200 crore for failure to notify the Data Protection Board and affected patients of the breach (Sl.2, Section 8(6)), and up to Rs 50 crore for any other contravention (Sl.7). However, healthcare breaches carry heightened regulatory scrutiny because: (a) patient medical records are among the most sensitive categories of personal data; (b) a breach exposes not just identity data but diagnosis, treatment history, and health conditions — information that can be used for discrimination in employment and insurance; (c) large hospital chains processing millions of patient records face cumulative penalties per contravention, meaning a single breach affecting multiple patients could trigger multiple penalty tiers simultaneously. CERT-In notification within 6 hours remains mandatory alongside the DPDP Board notification.
Does the DPDP Act apply to telemedicine platforms and health apps?
Yes. Telemedicine platforms, health monitoring apps, mental health platforms, fertility tracking apps, and digital wellness services all process digital personal data and are covered by the DPDP Act. These platforms face unique compliance challenges: (a) they often collect real-time health data (heart rate, blood pressure, sleep patterns, menstrual cycles) that constitutes personal data under the Act; (b) many transmit data to cloud servers, potentially triggering cross-border transfer restrictions; (c) several use AI/ML algorithms for health recommendations, which involves automated processing of personal data; (d) consent mechanisms in apps must meet DPDP standards — pre-ticked consent boxes and bundled consent (accept all or use nothing) are not DPDP-compliant. Healthcare technology companies should conduct a DPDP compliance audit of their data collection, processing, storage, and sharing practices before the Data Protection Board becomes operational.
What extra protections apply to children's health data under DPDP?
Section 9 of the DPDP Act imposes heightened obligations for processing personal data of children (under 18 years). For healthcare providers, this means: (a) verifiable parental or guardian consent is mandatory before processing a child's medical records, diagnostic reports, or treatment data; (b) processing that is detrimental to the well-being of the child is prohibited — this could restrict certain data sharing with third parties; (c) tracking and behavioural monitoring of children is restricted, which affects paediatric health apps and child wellness monitoring platforms; (d) targeted advertising directed at children using their health data is prohibited. Paediatric hospitals, child psychiatry practices, neonatal care units, and children's health apps face the strictest compliance requirements under the combined effect of Section 9 and the general DPDP obligations. Penalties for children's data violations can reach Rs 200 crore per contravention (Schedule Sl.3, Section 9).
Do diagnostic laboratories need separate DPDP compliance?
Yes. Diagnostic laboratories — pathology labs, radiology centres, genetic testing labs, and imaging centres — are independent data fiduciaries under the DPDP Act. Even when a lab processes samples referred by a hospital, the lab determines the means of processing the diagnostic data and maintains its own patient records. Compliance requirements include: (a) obtaining consent for processing patient samples and associated personal data; (b) secure storage of diagnostic reports and patient identifiers; (c) data sharing agreements with referring hospitals that comply with DPDP; (d) breach notification obligations if patient reports or data are compromised; (e) data retention policies aligned with DPDP purpose limitation principles and medical record retention guidelines. Large diagnostic chains operating across multiple states face additional complexity in ensuring uniform DPDP compliance across all centres.
Protect Patient Data Before the Board Acts
WhatsApp Advocate Subodh Bajpai directly with details of your healthcare organisation, patient data volumes, and compliance requirements. Senior Partner response within one business day. Minimum engagement: Rs 50 lakhs.