DPDP for Healthcare: How India's Data Protection Law Applies to Hospitals, HealthTech, and Clinical Research
I have reviewed dozens of privacy policies from Indian hospital chains, diagnostic labs, and HealthTech platforms over the past year. The pattern is remarkably consistent: a privacy notice copied from a US-based SaaS template, referencing "HIPAA" or "GDPR" in the opening paragraph, with no mention of the Digital Personal Data Protection Act, 2023. Some of these organisations process the medical records of millions of patients across hundreds of facilities.
The DPDP Act does not create a separate category for health data. Unlike the EU's GDPR, which designates health data as a "special category" requiring elevated safeguards, India's law treats your patient's blood pressure reading with the same legal framework as their email address. This is a deliberate legislative choice, not an oversight. And it creates a compliance landscape where healthcare providers must navigate the Act's general obligations alongside sector-specific rules from IRDAI, the Ayushman Bharat Digital Mission, and CERT-In, all simultaneously.
Key Takeaways
- Every hospital, diagnostic lab, telemedicine platform, and HealthTech company that determines the purpose and means of processing patient data is a Data Fiduciary under the DPDP Act 2023.
- The DPDP Act does not classify health data as a distinct "sensitive" category. All personal data receives the same baseline protections under the Act.
- Section 7 of the DPDP Act permits processing patient data without consent in medical emergencies threatening life or health, including during epidemics and public health emergencies.
- Under the DPDP Rules 2025, clinical establishments, mental health establishments, and healthcare professionals are exempt from the children's data restrictions in Section 9(1) and 9(3) when processing data for treatment purposes.
- Healthcare providers face dual breach notification obligations: 72 hours to the Data Protection Board of India under the DPDP Act, and 6 hours to CERT-In under the CERT-In Directions 2022.
- Section 17(2)(b) exempts processing for research, archiving, or statistical purposes, but the data must not be used to make decisions specific to any individual patient.
Why Does the DPDP Act Matter for Healthcare?
India's healthcare sector processes some of the most intimate personal data in existence: diagnostic reports, treatment histories, mental health records, genetic profiles, reproductive health information. The ICMR data exposure in 2023, which involved sensitive information of approximately 815 million citizens including COVID-19 test results and Aadhaar numbers, demonstrated that Indian healthcare infrastructure remains a high-value target for cyberattacks.
Under the DPDP Act 2023, every entity that determines the purpose and means of processing this data is a Data Fiduciary with full compliance obligations under Section 8. That includes:
- Hospitals and clinical establishments (government and private)
- Diagnostic laboratories and pathology chains
- Telemedicine and teleconsultation platforms
- HealthTech companies operating EHR/EMR systems, health apps, or wearable data platforms
- Pharmaceutical companies conducting clinical trials
- Health insurance companies processing claims and policyholder data
- Ayushman Bharat Digital Mission (ABDM) participants exchanging health records through the national digital health infrastructure
The compliance deadline is May 13, 2027. There is no sector-specific extension for healthcare.
What Consent Rules Apply to Patient Data Under DPDP?
The consent framework for healthcare operates on two tracks under the DPDP Act: the general consent requirement and specific carve-outs for medical emergencies and certain legitimate uses.
The General Rule: Informed, Specific Consent
Section 6 of the DPDP Act 2023 requires consent to be free, specific, informed, unconditional, and demonstrated through a clear affirmative action. For healthcare providers, this means:
- A patient registering at a hospital must receive a clear notice (under Section 5) specifying what personal data is being collected, for what purposes, and how they can exercise their rights
- Consent for treatment does not automatically include consent for marketing, research, or data sharing with third parties
- Each distinct purpose requires its own consent. Collecting a patient's phone number for appointment reminders is a separate purpose from sharing it with a health insurance company for claims processing
The practical challenge for hospitals is volume. A mid-sized hospital chain handling 10,000 patient interactions daily cannot operate a paper-based consent mechanism and remain compliant. The Act implicitly demands digital consent infrastructure at this scale.
The Medical Emergency Exception (Section 7)
Section 7 of the DPDP Act provides the critical healthcare carve-out. Personal data may be processed without consent for "certain legitimate uses," which include:
- Medical emergencies involving a threat to the life or immediate threat to the health of the Data Principal or any other individual
- Provision of medical treatment or health services during an epidemic, outbreak of disease, or any other threat to public health
This provision is narrower than it first appears. The emergency exception covers acute situations: a patient arriving at an emergency department, a disease outbreak requiring contact tracing, a public health crisis demanding rapid data sharing between facilities. It does not cover routine processing: scheduling follow-up appointments, running a wellness programme, or building a patient engagement platform. Those require standard consent.
Crucially, the "deemed consent" framework for medical emergencies does not exempt healthcare providers from other obligations. Even in an emergency, Section 8 obligations still apply: you must implement security safeguards, you must not retain data beyond the purpose, and you must notify breaches.
Where Consent Gets Complicated in Healthcare
Three scenarios consistently create confusion for healthcare compliance teams:
Scenario 1: Multi-provider referrals. A general practitioner refers a patient to a specialist, sharing diagnostic reports. The GP is the original Data Fiduciary. Under Section 8(2), the GP must have a valid contract (a Data Processing Agreement) with any entity processing data on their behalf. But the specialist is typically an independent Data Fiduciary, not a processor. Both bear separate compliance obligations. The patient's consent with the GP does not automatically extend to the specialist's data processing.
Scenario 2: Insurance claims processing. A hospital shares patient treatment data with a health insurance company for claims settlement. This involves two Data Fiduciaries sharing personal data. Each requires independent consent for their respective purposes. Bundling consent for treatment with consent for insurance data sharing into a single checkbox violates the "specific" requirement in Section 6.
Scenario 3: Telemedicine recordings. A teleconsultation platform records video consultations for quality assurance. The recording captures personal data (the patient's face, voice, medical complaints) for a purpose beyond treatment. This requires separate, specific consent. The platform cannot assume that consent to a video consultation implies consent to recording and storing it.
How Does DPDP Handle Children's Data in Healthcare?
Section 9 of the DPDP Act establishes heightened protections for children (anyone under 18). Section 9(1) requires verifiable parental or guardian consent before processing a child's personal data. Section 9(3) prohibits tracking, behavioural monitoring, and targeted advertising directed at children.
For healthcare providers, these restrictions created an immediate practical problem: paediatric care, adolescent mental health treatment, and child vaccination programmes all require processing children's data as a core function of care delivery.
The DPDP Rules 2025 resolved this through a targeted exemption. Under Rule 11, read with the Fourth Schedule, the following entities are exempt from Section 9(1) and Section 9(3) when processing data for healthcare services and treatment:
- Clinical establishments registered under the Clinical Establishments (Registration and Regulation) Act, 2010
- Mental health establishments under the Mental Healthcare Act, 2017
- Healthcare professionals registered with the National Medical Commission or relevant state medical councils
- Allied healthcare professionals under the National Commission for Allied and Healthcare Professions Act, 2021
| Children's Data Provision | Standard Application | Healthcare Exemption (DPDP Rules 2025) |
|---|---|---|
| Verifiable parental consent (Section 9(1)) | Required for all processing of children's data | Exempt for registered clinical/mental health establishments and healthcare professionals |
| No tracking or behavioural monitoring (Section 9(3)) | Absolute prohibition | Exempt when processing is for healthcare services and treatment |
| No targeted advertising to children (Section 9(3)) | Absolute prohibition | No exemption; advertising to child patients remains prohibited |
Note the boundary: the exemption covers processing for treatment and healthcare services. It does not cover processing for marketing, research unrelated to care, or commercial profiling. A paediatric hospital can maintain a child patient's treatment records without parental consent for each processing activity. That same hospital cannot use the child's data for a promotional wellness newsletter without navigating the full Section 9 requirements.
What Are the Breach Notification Obligations for Healthcare?
Healthcare providers in India face a dual reporting regime that no other sector encounters in quite this configuration.
Obligation 1: DPDP Act - Data Protection Board of India
Under Section 8(6) of the DPDP Act 2023, every Data Fiduciary must notify the Data Protection Board of India (DPBI) and each affected Data Principal of any personal data breach. The DPDP Rules 2025 specify a 72-hour notification window to the Board from the time the breach is identified.
Obligation 2: CERT-In Directions 2022 - Six-Hour Window
The Indian Computer Emergency Response Team (CERT-In) Directions of April 2022 require all entities, including healthcare providers, to report cybersecurity incidents within 6 hours of detection. This is substantially more aggressive than the DPDP timeline. The CERT-In requirement covers a broader range of incidents beyond personal data breaches: ransomware attacks, unauthorised access to systems, and data integrity compromises all require reporting.
How the Two Obligations Interact
| Parameter | DPDP Act (Section 8(6)) | CERT-In Directions 2022 |
|---|---|---|
| Reporting authority | Data Protection Board of India (DPBI) | CERT-In (cert-in@cert-in.org.in) |
| Timeline | 72 hours from identification | 6 hours from detection |
| Scope | Personal data breaches only | All cybersecurity incidents |
| Notification to individuals | Required (to each affected Data Principal) | Not required |
| Penalty for late reporting | Up to ₹200 crore (Schedule, Item 2) | Up to ₹17.6 crore per violation |
For healthcare organisations, this means a ransomware attack encrypting patient records triggers both obligations simultaneously. The CERT-In clock starts first (6 hours), and failing to meet it carries its own penalty. The DPDP obligation (72 hours) requires a separate, more detailed notification that includes communication to affected patients.
The ICMR breach in 2023 illustrated how these overlapping timelines create operational pressure. When 815 million records are exposed, identifying every affected Data Principal and issuing individual notifications within 72 hours is an infrastructure challenge, not just a compliance exercise.
What Does Section 17 Mean for Medical Research and Clinical Trials?
Section 17(2)(b) of the DPDP Act exempts the processing of personal data when it is "necessary for research, archiving or statistical purposes," subject to two conditions:
- The personal data must not be used to make any decision specific to a Data Principal
- The processing must comply with prescribed standards (to be notified by the Central Government)
For clinical trials, epidemiological research, and public health surveillance, this exemption is critical. A cancer research institute analysing de-identified patient records to identify treatment efficacy patterns does not need individual consent from each patient, provided the research findings are not used to make decisions about any specific patient.
As of February 2026, the Central Government has not published the specific "prescribed standards" that govern this exemption. This creates an operational ambiguity: the exemption exists in the Act, but its precise boundaries remain undefined.
What Healthcare Research Can and Cannot Rely on This Exemption
| Research Activity | Likely Covered by Section 17(2)(b) | Likely Requires Standard Consent |
|---|---|---|
| Epidemiological studies using anonymised hospital records | Yes, if no individual decisions result | - |
| Post-market surveillance of pharmaceutical products | Yes, if aggregated and de-identified | - |
| Clinical trial involving named patient follow-ups | - | Yes, involves individual-specific decisions |
| Hospital quality improvement using patient outcome data | Likely yes, if purely statistical | - |
| Pharmaceutical marketing based on prescription patterns | - | Yes, commercial purpose with individual targeting |
| Academic research with identifiable patient records | Uncertain, pending prescribed standards | Recommend obtaining consent as a safeguard |
For pharmaceutical companies and clinical research organisations, the prudent approach while prescribed standards remain unpublished is to obtain consent where feasible and rely on the Section 17 exemption only for genuinely anonymised, population-level research.
How Does DPDP Interact with Existing Healthcare Regulations?
Indian healthcare operates under multiple overlapping regulatory frameworks. The DPDP Act does not replace these; it adds a data protection layer on top of them.
ABDM (Ayushman Bharat Digital Mission)
The ABDM's Health Data Management Policy establishes standards for health data exchange through the national digital health infrastructure, including ABHA (Ayushman Bharat Health Account) identifiers and the Health Information Exchange & Consent Manager (HIE-CM). Healthcare providers participating in ABDM must comply with both ABDM's data governance framework and the DPDP Act.
The key tension: ABDM emphasises interoperability and data portability across healthcare providers. The DPDP Act does not include a right to data portability (unlike GDPR's Article 20). Reconciling ABDM's data-sharing architecture with DPDP's consent requirements, where each Data Fiduciary needs independent consent for their processing purposes, requires careful consent architecture.
IRDAI (Insurance Regulatory and Development Authority of India)
Health insurance companies face IRDAI's Information and Cyber Security Guidelines (2023 edition) alongside DPDP obligations. IRDAI mandates that policyholder records be stored within India and that any disclosure occurs only under specific regulatory conditions. The DPDP Act's requirements, particularly around consent, retention, and breach notification, operate concurrently with IRDAI's framework.
NMC (National Medical Commission) and State Medical Councils
Medical practitioners have pre-existing confidentiality obligations under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002. These ethical duties existed before the DPDP Act. The Act adds legal teeth: violating patient data confidentiality can now trigger penalties up to ₹250 crore under the DPDP penalty schedule, on top of any disciplinary action from the medical council.
| Regulatory Body | Key Data Requirements | DPDP Overlay |
|---|---|---|
| ABDM | Health data exchange standards, ABHA identifiers, interoperability | Each data exchange requires DPDP-compliant consent; no blanket data-sharing consent |
| IRDAI | Data localisation, claims data governance, cyber security measures | DPDP breach notification (72 hours to DPBI) runs parallel to IRDAI incident reporting |
| NMC | Professional confidentiality, patient record maintenance | DPDP adds financial penalties (up to ₹250 Cr) to pre-existing ethical obligations |
| CERT-In | 6-hour incident reporting, log retention for 180 days | DPDP adds 72-hour breach notification to DPBI plus individual Data Principal notifications |
| ICMR | Clinical trial data management, ethical review processes | Section 17 research exemption is relevant but boundaries remain undefined |
What Should Healthcare Providers Do Before May 2027?
The enforcement deadline is less than 15 months away as of February 2026. Healthcare organisations should focus on six priority areas.
1. Map every patient data flow. From registration to discharge, from lab results to insurance claims, from telemedicine recordings to research databases, you need a complete picture of where patient personal data exists, who accesses it, and why. This is the foundation of every other compliance activity.
2. Rebuild consent mechanisms. Paper consent forms that bundle treatment consent with data processing consent are insufficient. Build digital consent infrastructure that captures specific, purpose-limited consent and allows patients to withdraw consent as easily as they gave it (Section 6(4)). For medical emergencies, document the Section 7 basis for processing without consent.
3. Establish dual breach notification protocols. Your incident response plan must account for both timelines: 6 hours to CERT-In and 72 hours to the DPBI. Build templates, designate responsible personnel, and run tabletop exercises. A hospital discovering a breach at 2 AM on a Saturday needs a process that does not depend on any single person being available.
4. Review every third-party data sharing arrangement. Every entity that processes patient data on your behalf, from cloud hosting providers to diagnostic equipment vendors with remote access, needs a valid Data Processing Agreement under Section 8(2). Your responsibility for their handling of patient data is not contractable away.
5. Prepare for Data Principal rights at scale. Patients will have the right to request access to their health data, correction of inaccuracies, and erasure after the purpose is fulfilled. Build intake mechanisms, response workflows, and audit trails now. A hospital system with 50 facilities and 10 million patient records needs infrastructure, not spreadsheets.
6. Address children's data processing. Verify that your organisation qualifies for the DPDP Rules 2025 healthcare exemption from Section 9. If you are not a registered clinical establishment or a registered healthcare professional operating within the exemption's scope, separate parental consent mechanisms are required for every paediatric patient interaction.
Frequently Asked Questions
Does the DPDP Act treat health data as a special category like GDPR does?
No. Unlike GDPR, which designates health data as a "special category" under Article 9 requiring explicit consent and additional safeguards, the DPDP Act 2023 does not create a distinct classification for health or medical data. All digital personal data, whether a patient's diagnostic report or their email address, receives the same baseline protections under the Act. The earlier Personal Data Protection Bill, 2019 had proposed a "sensitive personal data" category that included health data, but this classification was removed in the final DPDP Act.
Can a hospital process patient data in an emergency without consent?
Yes. Section 7 of the DPDP Act 2023 permits processing personal data without consent for medical emergencies involving a threat to life or immediate threat to the health of the Data Principal or another individual. This extends to epidemics, disease outbreaks, and public health emergencies. However, the emergency exception does not exempt the hospital from other obligations under Section 8, including security safeguards, data minimisation, and breach notification.
Are clinical trials exempt from DPDP consent requirements?
Partially. Section 17(2)(b) exempts processing for research, archiving, or statistical purposes, provided the data is not used to make decisions specific to any individual Data Principal and the processing follows prescribed standards. As of February 2026, the prescribed standards have not been published. Clinical trials involving named patient follow-ups and individual treatment decisions likely require standard DPDP consent in addition to the existing ICMR ethical review process.
What is the penalty for a healthcare data breach under DPDP?
A failure to implement reasonable security safeguards leading to a personal data breach carries a maximum penalty of ₹250 crore under Item 1 of the Schedule to the DPDP Act 2023. Failure to notify the DPBI and affected Data Principals of the breach carries an additional maximum penalty of ₹200 crore under Item 2. These are per-violation ceilings, not annual caps. Healthcare organisations also face separate penalties under CERT-In Directions 2022 for late reporting: up to ₹17.6 crore per incident for failing to report within the 6-hour window.
Do telemedicine platforms have additional DPDP obligations?
Telemedicine platforms bear the same Data Fiduciary obligations as any other healthcare provider under the DPDP Act. However, they face additional practical complexities: video consultations involve real-time processing of biometric and health data; recordings require separate, specific consent beyond the consent for the consultation itself; and cross-border data transfers (if any servers are outside India) must comply with Section 16 restrictions on data transfers to countries not approved by the Central Government. Telemedicine platforms operating through ABDM must also comply with the Mission's data governance standards concurrently.
Simplify Your DPDP Compliance
This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.
Building DPDP-compliant consent mechanisms, breach notification workflows, and Data Principal rights infrastructure across a healthcare organisation does not need to be a multi-year project. ComplyZero provides a self-serve compliance platform with automated consent management, privacy notices in 22 Indian languages, and audit-ready records, designed for Indian businesses navigating the DPDP Act without needing to hire a consultancy.