The Digital Personal Data Protection (DPDP) Act 2023 has introduced a new legal regime for patient privacy, and India’s healthcare industry must comply immediately. Under this law, protecting patient information is now a binding obligation, not an option. Every hospital, clinic, diagnostic lab, healthtech company, and healthcare service provider is treated as a “data fiduciary” under DPDP. This means any entity handling digital patient data, from doctors’ offices to telemedicine startups, must meet stringent DPDP standards or face severe penalties. The Act was notified in August 2023, with draft rules issued in January 2025, effectively starting the compliance clock for healthcare providers. DPDP compliance is therefore a legal must in the Indian healthcare sector.
The DPDP Act applies to all forms of personal health information in the digital age. DPDP covers patient records, medical images, lab reports, pharmacy data, wearable device readings, and even teleconsultation logs. Importantly, DPDP grants patients (data principals) fundamental rights – they can access, correct, or request erasure of their health data. Healthcare organizations must now obtain explicit, informed consent for every use of patient data, limit data collection to what is strictly necessary, and implement strong security controls. In short, DPDP makes patient data privacy a legal requirement, backed by heavy fines for non-compliance.
Who Must Comply In The Healthcare Industry?
DPDP compliance extends to all healthcare stakeholders who handle patient data. Every hospital (public or private), nursing home, clinic, diagnostic center, pharmacy chain, insurance provider, telemedicine platform, and medical device firm is a data fiduciary under the law. Even smaller entities, such as independent physicians, dental clinics, Ayurvedic and homeopathy centers, or standalone labs, fall under DPDP if they collect or process digital patient information. The law explicitly states “ignorance of the law is no excuse,” so every healthcare player must act now.
Third-party vendors and cloud service providers are also in scope: if an external IT company stores or processes any patient health records, the healthcare organization must ensure that the vendor also meets DPDP requirements. Administrators and IT teams in the healthcare industry should treat DPDP compliance as a top priority across the board.
Personal Health Data Covered by DPDP
Healthcare generates some of the most sensitive personal data, and the DPDP Act casts a broad net over it. Personal data under DPDP is any information that identifies an individual. In a medical context, this includes obvious items like names, addresses, phone numbers, insurance IDs, and government IDs in health files. It also covers highly sensitive medical data such as patient histories, diagnoses, prescriptions, genetic and biometric data, medical scans, test results, and even fitness tracker data linked to an individual. Though DPDP does not explicitly label health data as a special category, it effectively treats highly sensitive health information as needing extra care.
Indeed, international norms (such as GDPR) consider health data as a “special category” requiring explicit consent. In practice, any digital health record or analytics data used by the healthcare industry, for treatment or research, is subject to DPDP protection. The radiology community puts it clearly: healthcare data must be “handled with the utmost care and security”. Under DPDP, nothing less will suffice.
DPDP Requirements for Healthcare Providers
Meeting DPDP rules means implementing strong data-privacy practices. At the core is consent: providers must secure clear, informed consent from patients before collecting or using their personal health data. Blanket or implied consents are no longer valid. Healthcare IT systems should be updated to record this consent and its scope. Providers must collect only what is needed for care and use it only for that purpose, unless fresh consent is given.
On the security side, the DPDP Act requires “reasonable security safeguards” for all personal data. For healthcare, this means robust encryption of medical records, secure user authentication for systems, strict access controls, regular security audits, and incident monitoring. The law even mandates breach protocols: any data breach must be reported promptly to the new Data Protection Board of India and to affected patients, typically within 72 hours. Healthcare organizations are expected to put in place Data Protection Officers (DPOs) if they handle large volumes of sensitive data, and to perform Data Protection Impact Assessments (DPIAs) for high-risk processing.
These obligations can be summarized as the main duties for healthcare entities under DPDP:
- Valid Patient Consent: Obtain explicit, informed consent for every use of patient data. Patients must be told what data is collected and why.
- Security Safeguards: Implement strong technical and organizational measures (encryption, firewalls, access logs, regular audits) to keep data confidential and intact.
- Breach Notification: Establish procedures to quickly report any data breach to the authorities and patients.
- Data Retention Policies: Retain personal health records only as long as needed for care, then delete or anonymize them.
- Patient Rights Management: Provide clear channels for patients to access, correct, or delete their records. Systems must enable these requests securely.
- Data Protection Officer: Where required, appoint a DPO or compliance lead to oversee DPDP adherence.
- Vendor Oversight: Ensure all third-party vendors (labs, cloud hosts, software providers) comply with DPDP via contractual safeguards.
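The consent, access-logging and retention duties in the list above translate directly into controls a healthcare IT team can build. The following is an added example, not code from Kratikal or from the DPDP Act: a small in-memory patient-data store that records each patient's consent together with its scope, refuses any access whose purpose is outside that scope (or after consent is withdrawn), writes every decision to an audit log, and deletes records whose care-related retention window has passed. All class names, fields, patient IDs and dates are constructed for illustration; the 72-hour breach-notification clock is deliberately not modelled here.

```python
"""Purpose-limitation gate for patient records (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Consent:
    patient_id: str
    purposes: frozenset        # purposes the patient agreed to, e.g. {"treatment"}
    given_on: date
    withdrawn: bool = False


@dataclass
class Record:
    patient_id: str
    data: dict                 # the health record itself (constructed sample)
    last_care_activity: date   # drives the retention clock


class PatientDataStore:
    """In-memory store that refuses any use outside the consented purpose."""

    def __init__(self, retention_days: int = 365):
        self.retention = timedelta(days=retention_days)
        self.consents = {}     # patient_id -> Consent
        self.records = {}      # patient_id -> Record
        self.audit_log = []    # (patient_id, actor, purpose, decision)

    def record_consent(self, consent: Consent) -> None:
        # Consent is stored with its scope so later checks can be precise.
        self.consents[consent.patient_id] = consent

    def withdraw_consent(self, patient_id: str) -> None:
        if patient_id in self.consents:
            self.consents[patient_id].withdrawn = True

    def store(self, record: Record) -> None:
        self.records[record.patient_id] = record

    def access(self, patient_id: str, purpose: str, actor: str) -> Optional[dict]:
        """Return a copy of the record only if consent covers this purpose."""
        consent = self.consents.get(patient_id)
        allowed = (consent is not None
                   and not consent.withdrawn
                   and purpose in consent.purposes
                   and patient_id in self.records)
        # Every decision, allowed or denied, is logged for audit.
        self.audit_log.append((patient_id, actor, purpose,
                               "ALLOW" if allowed else "DENY"))
        return dict(self.records[patient_id].data) if allowed else None

    def purge_expired(self, today: date) -> list:
        """Delete records kept longer than the retention period; return their IDs."""
        expired = [pid for pid, rec in self.records.items()
                   if today - rec.last_care_activity > self.retention]
        for pid in expired:
            del self.records[pid]
            self.audit_log.append((pid, "system", "retention", "DELETE"))
        return expired


def demo() -> dict:
    """Walk through consent, scoped access, withdrawal and retention."""
    store = PatientDataStore(retention_days=365)
    store.record_consent(Consent("P-001", frozenset({"treatment"}), date(2025, 1, 10)))
    store.record_consent(Consent("P-002", frozenset({"treatment", "research"}), date(2024, 1, 5)))
    store.store(Record("P-001", {"dx": "type 2 diabetes"}, date(2025, 6, 1)))
    store.store(Record("P-002", {"dx": "hypertension"}, date(2024, 2, 1)))

    treatment = store.access("P-001", "treatment", "dr_rao")          # in scope
    research = store.access("P-001", "research", "analytics_team")    # out of scope
    store.withdraw_consent("P-002")
    after_withdrawal = store.access("P-002", "research", "analytics_team")
    purged = store.purge_expired(date(2025, 7, 1))                    # P-002 is >365 days old

    return {
        "treatment_access": treatment,
        "research_access": research,
        "after_withdrawal": after_withdrawal,
        "purged": purged,
        "denied": sum(1 for e in store.audit_log if e[3] == "DENY"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the purpose check and the audit entry live in the same code path, so no caller can read a record without both a consent decision and a log line being produced; in a real system the same gate would sit in front of the database or API layer rather than an in-memory dictionary.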
How Kratikal Can Help You With DPDP Compliance
Kratikal offers comprehensive support to organizations navigating the complex requirements of the DPDP Act, blending deep cybersecurity expertise with practical compliance solutions. As a CERT-In empanelled security auditor with extensive experience in regulatory compliance and risk management, Kratikal helps healthcare providers and other businesses assess their current data practices, strengthen security controls, and align their privacy policies with DPDP obligations.
Through services such as compliance audits, consent and data governance frameworks, employee training, breach readiness planning, and policy development, Kratikal ensures that organizations not only meet statutory requirements but also build robust data protection cultures that protect patient trust and minimize legal and financial risks under India’s data protection regime.
FAQs
- What is the DPDP Act in healthcare?
The Digital Personal Data Protection (DPDP) Act, 2023, together with the 2025 Rules, establishes a strict data-privacy framework for India’s healthcare and life sciences sector, which manages highly sensitive personal health information.
- What are the requirements for DPDP compliance?
To meet the requirements of the Act, organisations must first assess how it applies to their operations, create a complete inventory and map of the personal data they handle, and put appropriate technical and organisational safeguards in place.