At a glance
Every hospital, clinic, lab, pharmacy and health app is a Data Fiduciary under India’s DPDP Act — and the data you hold is the most consequential kind, because a leaked diagnosis can’t be changed like a password. The Act fits healthcare with real nuance: emergencies and epidemics are legitimate uses that don’t wait for consent, and medical-council record norms govern retention alongside the erasure duty. The routine work is where the exposure is: reports on WhatsApp, over-collecting front desks, and records kept forever by default.
Educational resource only. This explains how India’s Digital Personal Data Protection Act, 2023 (DPDP Act) applies to healthcare providers and health apps; it is not formal legal advice.
The situation
Healthcare runs on personal data the way it runs on electricity — registration desks, case sheets, lab systems, insurance desks, follow-up calls — and much of it moves through the most casual channels in Indian professional life: reports WhatsApped to patients, scans in doctors’ group chats, registers at reception photographing IDs. The DPDP Act doesn’t ask medicine to slow down; it asks the data layer to grow up. And because health data is the one category whose leak changes how a person is treated — by insurers, employers, families — the gap between healthcare’s data sensitivity and its data habits is the widest in any sector.
Does DPDP apply to your practice, hospital or app?
Yes — from a solo clinic to a hospital chain to a fitness app, deciding why and how patient data is used makes you a Data Fiduciary. There’s no small-practice exemption: a single-doctor clinic with a register and a WhatsApp number carries the same baseline duties as a corporate hospital — notice, a lawful basis, security safeguards, breach reporting, retention limits, and answerability for vendors (the lab down the street, the billing software, the cloud your app runs on). Health apps sit fully inside this too, with an extra edge: an app that profiles health behaviour at scale is processing sensitive data in volume — the profile of business the government can notify as a Significant Data Fiduciary, which brings audits and impact assessments on top.
The patient data healthcare actually handles
Identity data, clinical data, and payment data — three sensitivities in one file, plus everyone who isn’t the patient. A typical provider holds:
- Registration and identity — names, contact details, IDs collected at the desk, ABHA (Ayushman Bharat Health Account) numbers where used.
- Clinical records — case sheets, diagnoses, prescriptions, lab and imaging reports, discharge summaries: the data whose content is the sensitivity.
- Payment and insurance — billing, policy details, claim files that fuse financial and medical data.
- Other people’s data — emergency contacts, family medical histories, donors, attendants — people who never signed your forms.
- Staff data — the employment file, sitting on the employment ground rather than patient consent.
The clinical layer deserves the plainest statement: a diagnosis, a psychiatric prescription, a fertility record — these are facts about a person that stay true forever. Security for this data isn’t an IT nicety; it’s the whole game.
The obligation that actually bites: consent for the routine, carve-outs for the crisis
The Act gets medicine’s rhythm right — emergencies don’t wait for consent forms — but the carve-outs are for crises, not for convenience. Routine care runs on the normal machinery: notice at collection and consent for the purposes you process (Section 6), purpose-bound — treatment data used for treatment. Then the legitimate uses do the humane work: processing without consent is permitted to respond to a medical emergency threatening life or health, and for public-health measures during an epidemic or outbreak (Section 7). An unconscious accident victim’s data flows without a form; a disease-surveillance obligation doesn’t queue behind an opt-in.
The bite is in the boundaries:
- The carve-out ends when the crisis does. Emergency processing doesn’t convert into marketing permission or a general licence over that patient’s file; post-crisis, routine purposes need their routine basis.
- Children are the default patient class with extra rules. Anyone under 18 needs verifiable parental consent, and the Rules’ narrow healthcare exemptions are scoped to providing health services — a paediatric app’s engagement features don’t ride on them.
- New purposes need new consent. Using patient contact details for camps and promotions, or clinical data for research beyond the treatment purpose, is a fresh ask — the follow-up-call habit isn’t a consent.
Where DPDP sits alongside medical-council and health-system rules
Medical confidentiality is centuries old — DPDP adds a regulator, enforceable patient rights, and breach duties on top, and the record-keeping rules interlock. Doctors already owe confidentiality under medical-council ethics; what the DPDP Act adds is statutory: a Data Protection Board, rights the patient can enforce (access, correction, erasure), and penalties that reach the top tier for security failures. On records, the two systems reconcile the way tax law does for accountants: medical-council norms require patient records to be retained for a minimum period (with patients entitled to copies of their own records on request), and holding records a rule requires is a recognised legal-obligation ground — while everything beyond those requirements follows the purpose-and-erasure logic. A written, per-record-type retention schedule squares both. Providers in the ABDM (Ayushman Bharat Digital Mission) ecosystem will find its consent-driven architecture points the same direction the DPDP Act does: patient-controlled, purpose-specific sharing. And a cyber-incident at a hospital can trigger the Indian Computer Emergency Response Team’s (CERT-In) 6-hour reporting under the IT Act alongside the DPDP breach duties — parallel clocks, not alternatives.
Common mistakes healthcare providers make
The exposure is in the routine, not the operating theatre.
- Reports over WhatsApp — lab results and scans to patients (and into doctors’ group chats), leaving diagnoses in galleries and backups on every side.
- The over-collecting front desk — full ID photocopies and every phone number “for the file,” where registration needs far less.
- One consent for everything — a registration signature treated as covering treatment, promotions, camps and research alike.
- Records kept forever by default — beyond what medical-council norms require, with no schedule and no owner.
- Vendors on a handshake — labs, TPAs (third-party administrators), billing and telehealth platforms handling patient data with no contract binding security, breach notice and deletion.
- Treating the emergency carve-out as a general pass — “it’s healthcare” isn’t a lawful basis; the carve-outs are specific.
Collecting and sharing patient data compliantly
One controlled intake at registration, one secure channel for reports, and a retention schedule — that’s most of the fix. A notice-and-consent step at registration that names purposes plainly (treatment; billing and insurance; each optional extra separately), collection trimmed to what each purpose needs, reports delivered through a portal or the provider’s own system rather than personal chat threads, and a written schedule reconciling medical-council retention with everything else’s erasure. The channel-and-consent mechanics are common to every professional practice, so the detail lives in the dedicated guide — see secure client document collection for professionals — and the patient-side mirror of all this is the medical-reports sharing guide your patients are reading.
FAQ
Does a small clinic really fall under the DPDP Act?
Yes — any practice deciding why and how patient data is used is a Data Fiduciary, regardless of size. Scale changes exposure and the odds of Significant Data Fiduciary designation, not the existence of the duties.
Do we need consent to treat someone in an emergency?
No — responding to a medical emergency threatening life or health is a legitimate use, as is public-health processing during an epidemic. The carve-out covers the crisis; routine purposes before and after run on notice and consent.
Can we WhatsApp reports to patients if they ask?
Patient convenience doesn’t cure the channel: copies persist in chats, galleries and backups on both sides. A portal, the provider’s own delivery system, or at minimum protected files are the defensible routes — and the habit to break internally is clinical images in staff group chats.
How long must we keep patient records?
Medical-council norms set the required minimum for clinical records, and patients are entitled to copies of their own. Beyond required periods, the DPDP Act’s erasure logic applies — a written retention schedule per record type is what reconciles the two.
Do children’s records need special handling?
Yes — patients under 18 need verifiable parental consent, and the Rules’ healthcare exemptions are scoped to delivering health services, not to everything a paediatric provider or app might want to do with the data.