Why healthcare organisations face the highest DPDPA exposure

Of all the sectors in India subject to the DPDPA, healthcare organisations face the most significant compliance exposure — for two reasons that operate simultaneously.

First, health data is among the most sensitive categories of personal data that the Act governs. Patient records, diagnostic results, prescription histories, and health platform usage data all fall squarely within the Act's definition of personal data — and the sensitivity of this data means that breaches, consent failures, and processing violations carry both the highest penalty exposure and the most direct harm to the individuals affected.

Second, healthcare organisations in India operate in an overlapping regulatory environment. The DPDPA sits alongside the draft Digital Information Security in Healthcare Act (DISHA), the National Digital Health Mission framework (since renamed the Ayushman Bharat Digital Mission, ABDM) and its health data management policy, and existing obligations under the Information Technology Act, 2000 and the rules made under it. Managing compliance across these frameworks requires an understanding of where they align, where they differ, and where obligations are additive rather than redundant.

Maximum penalty exposure: Failure to take reasonable security safeguards to prevent a personal data breach carries a maximum penalty of ₹250 crore under the Schedule to the DPDPA, the highest tier in the Act. For healthcare organisations processing health data at scale, this is the single highest-risk compliance gap.

What counts as health data under DPDPA

The Act does not create a separate legal category for health data — all personal data is subject to the Act's requirements, and health data is personal data. However, health data warrants specific attention because of the sensitivity of the information and the operational complexity of how it is collected, stored, and shared in healthcare settings.

Health data covered by the Act includes — but is not limited to:

Clinical data — diagnoses, treatment records, prescription histories, surgical records, lab results, imaging data, discharge summaries, and any other data generated in the course of clinical care.

Health platform data — appointment bookings, symptom inputs, health questionnaire responses, telemedicine consultation records, health monitoring data from connected devices, and any other data collected through digital health products.

Administrative health data — patient registration information, insurance details, payment records where linked to healthcare services, and contact details collected in a healthcare context.

Genetic and biometric data — where collected in a healthcare context. The Act attaches no separate obligations to these categories, but a genome or a fingerprint cannot be reissued after a breach, so they warrant the highest level of data governance controls.

DPDPA and DISHA — where they overlap and where they differ

DISHA — the Digital Information Security in Healthcare Act — is a draft framework for health data in India, published for consultation by the Ministry of Health and Family Welfare in 2018. At the time of writing, DISHA has not been enacted. The DPDPA is the operative legislation. However, the two frameworks share significant conceptual overlap, and healthcare organisations should understand both.

| Area | DPDPA 2023 (operative) | DISHA (draft, 2018) |
| --- | --- | --- |
| Scope | Digital personal data processed within India, and processing outside India connected to offering goods or services to individuals in India (Section 3) | Health data specifically: narrower scope, deeper obligations |
| Consent | Free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, for each specified purpose (Section 6) | Explicit consent for health data: a higher standard than the DPDPA baseline |
| Data localisation | Not mandated generally; the Central Government may restrict transfers to notified countries (Section 16) | Health data to be stored within India |
| Breach notification | Mandatory intimation to the Board and to each affected individual (Section 8(6)) | Mandatory, with shorter prescribed timelines |
| Enforcement body | Data Protection Board of India | National Electronic Health Authority (proposed) |
| Current status | Enacted August 2023; draft Rules published for consultation January 2025; provisions brought into force in phases by notification | Draft; not enacted |

Practical implication: Healthcare organisations that build DPDPA-compliant data governance now are simultaneously building the foundation for DISHA compliance should it be enacted. The consent, processing and security architecture required under the DPDPA closely mirrors what the DISHA draft would require, so early investment in DPDPA compliance is a forward-looking decision, not just a reactive one.

Core DPDPA obligations for healthcare organisations

1. Patient consent at every data collection point

Every digital touchpoint where patient data is collected (appointment booking flows, health questionnaires, telemedicine platforms, health monitoring apps) must obtain consent that is free, specific, informed, unconditional and unambiguous, given through a clear affirmative action. Bundling consent into acceptance of terms of service fails the "free" and "unconditional" tests; it must be a separate act. Where several purposes exist in a clinical setting (treatment, billing, research), each purpose requires its own consent. The legitimate uses in Section 7 (for example processing required in a medical emergency) are narrow exceptions and do not cover routine billing, marketing or research.

Section 6 — DPDPA Act 2023
2. Privacy notice meeting the Act's specific requirements

At or before requesting consent, healthcare organisations must give a notice that specifies the personal data collected, the purpose of processing for each category of data, how patient rights can be exercised, how a complaint can be made to the Board, the contact details of the grievance officer, and how consent can be withdrawn. Generic healthcare privacy notices and notices adapted from hospital templates frequently fail this standard, particularly the requirement to state the purpose for each category of health data collected.

Section 5 — DPDPA Act 2023
3. Written contracts with all health-tech vendors

Every third-party platform processing patient data (electronic health record systems, telemedicine platforms, diagnostic software, cloud providers, laboratory information systems, hospital management systems) is a Data Processor, and the Act permits a Data Fiduciary to engage a processor only under a valid contract. In practice this is a Data Processing Agreement that governs data handling, security, sub-processing, breach reporting and erasure. Commercial software licences and standard SaaS terms do not satisfy this requirement. This gap is extremely common among both hospitals and health-tech companies.

Section 8(2) — DPDPA Act 2023
4. Strict purpose limitation for health data

Health data may only be used for the specific purposes disclosed at collection. Using patient data for secondary purposes (research, analytics on data that is pseudonymised rather than truly anonymised, product improvement, partner data sharing) without separate, specific consent is a violation. Healthcare organisations that aggregate patient data for research or population health analytics must ensure that each secondary use is separately disclosed and consented to.

Section 6(1) — DPDPA Act 2023
5. Operational patient rights processes

Patients have the right to access a summary of their personal data and the processing of it, to have inaccuracies corrected, and to request erasure. These rights must be operationally fulfillable: the process must work across every system holding the patient's data, including EHR systems, diagnostic databases, billing systems, and any third-party platforms. A rights request that results in deletion from one system but not others does not satisfy the obligation. Separately, Section 8(7) requires the Data Fiduciary to erase personal data, and to cause its processors to erase it, once consent is withdrawn or the specified purpose is no longer being served, unless retention is required by law.

Sections 11–12 (access, correction and erasure) and Section 13 (grievance redressal) — DPDPA Act 2023
6. Heightened security safeguards for health data

The Act requires "reasonable security safeguards" but does not enumerate them; the draft Rules published in January 2025 list measures such as encryption or masking, access control, logging and monitoring, and backups. Given the sensitivity of health data, the requirement should be read stringently: encryption at rest and in transit for all patient data, role-based access control with least privilege, tamper-evident audit logs of every access to a record, and contractual and technical controls that extend to every processor handling health data. Healthcare organisations that have secured their primary clinical systems but not their administrative systems, analytics tools, data exports or third-party platforms have a material gap, because a breach anywhere in that chain is the fiduciary's breach.

Section 8(5) — DPDPA Act 2023
7. Breach notification — especially critical for health data

A personal data breach involving health data requires intimation to both the Data Protection Board and each affected patient, in the form and manner the Rules prescribe (the draft Rules propose immediate notification followed by a detailed report to the Board within 72 hours). Given the sensitivity of the data, the reputational and regulatory consequences of a health data breach are significantly greater than in most other sectors. Healthcare organisations must have a documented, rehearsed breach response process, not merely a policy, that can be activated immediately and that includes processors, since a breach at a vendor still triggers the fiduciary's duty to notify.

Section 8(6) — DPDPA Act 2023

Specific considerations for health-tech platforms

Health-tech platforms — telemedicine providers, digital diagnostics, health monitoring apps, wellness platforms, and health data aggregators — face a distinct set of compliance challenges compared to traditional healthcare providers.

Consent at digital scale

Health-tech platforms collect personal and health data through digital flows at a scale and speed that traditional clinical consent processes were not designed for. The challenge is implementing consent mechanisms that are both legally valid under the Act and operationally compatible with product onboarding flows that prioritise low friction. These two objectives are reconcilable — but require intentional design, not retrofit.

Third-party integrations and health data flows

Health-tech platforms typically integrate with a large number of third-party services — cloud providers, analytics tools, payment processors, diagnostic lab APIs, insurance verification services, and communications platforms. Each integration that involves personal data flow requires a Data Processing Agreement. The volume of integrations in a typical health-tech stack means this gap is almost universal among organisations that have not conducted a formal compliance review.

Anonymisation and research use

Many health-tech platforms use patient data for research, product improvement, or aggregate health analytics on the assumption that anonymised data is outside the Act's scope. This assumption deserves careful scrutiny. The Act defines personal data as data about an individual who is identifiable by or in relation to it, so data that has been irreversibly anonymised may fall outside scope. But pseudonymised data (for example records where the patient identifier has been replaced by a hash or token), data sets that can be re-identified by combining them with other data, and data processed under inadequate anonymisation methods remain personal data under the Act. Removing names while retaining PIN code, date of birth and sex is not anonymisation; those fields are quasi-identifiers that a linkage attack can join against an external list.
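The difference between pseudonymised and anonymised data is easier to see in code. The following Python script is an added example and is not part of the Privara page: it takes a constructed "de-identified" discharge export (patient names removed, hospital registration numbers replaced by an unsalted SHA-256 hash, PIN code, birth year and sex retained) and shows that the hash can be reversed by enumerating the small identifier space, that a join on the retained quasi-identifiers against a constructed auxiliary list re-identifies most rows by name, and that measuring k-anonymity before and after generalising those quasi-identifiers quantifies the improvement. All records, column names, the MRN format and the auxiliary list are assumptions for illustration.

```python
"""Pseudonymised vs anonymised health data: linkage attack and k-anonymity check.

Added example, not code from the Privara page. Every record below is
constructed sample data; column names, the MRN format and the auxiliary
list are assumptions for illustration only.
"""
import hashlib
from collections import Counter
from typing import Optional


def pseudonymise(mrn: str) -> str:
    """What many exports call 'anonymisation': an unsalted hash of the hospital number."""
    return hashlib.sha256(mrn.encode()).hexdigest()


# Constructed 'de-identified' discharge export: names removed, MRN hashed,
# but PIN code, birth year and sex retained for analytics.
HEALTH_EXPORT = [
    {"pid": pseudonymise("MRN-000123"), "pin": "560001", "dob_year": 1984, "sex": "F", "diagnosis": "Type 2 diabetes"},
    {"pid": pseudonymise("MRN-000124"), "pin": "560001", "dob_year": 1984, "sex": "F", "diagnosis": "Hypertension"},
    {"pid": pseudonymise("MRN-000125"), "pin": "560034", "dob_year": 1971, "sex": "M", "diagnosis": "Chronic kidney disease"},
    {"pid": pseudonymise("MRN-000126"), "pin": "560038", "dob_year": 1979, "sex": "M", "diagnosis": "Depression"},
    {"pid": pseudonymise("MRN-000127"), "pin": "560092", "dob_year": 1990, "sex": "F", "diagnosis": "Asthma"},
    {"pid": pseudonymise("MRN-000128"), "pin": "560095", "dob_year": 1993, "sex": "F", "diagnosis": "Migraine"},
]

# Constructed auxiliary data an attacker could plausibly hold (a leaked
# appointment reminder list, a marketing database): names plus the same
# quasi-identifiers, and no health information at all.
AUX_LIST = [
    {"name": "Asha R.",   "pin": "560001", "dob_year": 1984, "sex": "F"},
    {"name": "Vikram S.", "pin": "560034", "dob_year": 1971, "sex": "M"},
    {"name": "Rahul M.",  "pin": "560038", "dob_year": 1979, "sex": "M"},
    {"name": "Neha P.",   "pin": "560092", "dob_year": 1990, "sex": "F"},
    {"name": "Kiran T.",  "pin": "560100", "dob_year": 1988, "sex": "M"},
]

QUASI_IDENTIFIERS = ("pin", "dob_year", "sex")


def quasi_key(row: dict) -> tuple:
    """The attributes shared between the export and the outside world."""
    return tuple(row[c] for c in QUASI_IDENTIFIERS)


def crack_pseudonym(digest: str, max_mrn: int = 100_000) -> Optional[str]:
    """Reverse the unsalted hash by enumerating the small MRN space.
    This is why hashing a structured identifier is pseudonymisation, not anonymisation."""
    for n in range(max_mrn):
        candidate = f"MRN-{n:06d}"
        if pseudonymise(candidate) == digest:
            return candidate
    return None


def link(health: list, aux: list) -> dict:
    """Join the two datasets on quasi-identifiers. A person who matches exactly
    one health record is re-identified and the diagnosis is attributed to them by name."""
    index: dict = {}
    for row in health:
        index.setdefault(quasi_key(row), []).append(row)
    hits = {}
    for person in aux:
        matches = index.get(quasi_key(person), [])
        if len(matches) == 1:
            hits[person["name"]] = matches[0]["diagnosis"]
    return hits


def k_anonymity(rows: list) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one record is unique and therefore linkable."""
    return min(Counter(quasi_key(r) for r in rows).values())


def generalise(rows: list) -> list:
    """Coarsen quasi-identifiers: keep only the first three PIN digits and a
    ten-year birth band. Applied to both datasets, since the attacker would do the same."""
    out = []
    for r in rows:
        g = dict(r)
        g["pin"] = r["pin"][:3] + "XXX"
        g["dob_year"] = (r["dob_year"] // 10) * 10
        out.append(g)
    return out


if __name__ == "__main__":
    print("pseudonym reversed:", crack_pseudonym(HEALTH_EXPORT[0]["pid"]))
    print("k before:", k_anonymity(HEALTH_EXPORT), "re-identified:", link(HEALTH_EXPORT, AUX_LIST))
    gen_health, gen_aux = generalise(HEALTH_EXPORT), generalise(AUX_LIST)
    print("k after:", k_anonymity(gen_health), "re-identified:", link(gen_health, gen_aux))
```

On this sample the export has k = 1 and three of the six rows are attributed to a named person, while the "anonymous" patient identifier is recovered in well under a second; generalising the quasi-identifiers raises k to 2 and leaves no row uniquely linkable. A k of 2 is still weak, and two records that share a class and a diagnosis still disclose that diagnosis, so treat the metric as a floor to test against rather than proof of anonymisation. Under the Act the export as first produced remains personal data, and every downstream use of it needs a lawful basis.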

Which healthcare organisations this applies to

The DPDPA applies to digital personal data processed within India, and to processing outside India that is connected to offering goods or services to individuals in India (Section 3). In the healthcare sector, this includes but is not limited to:

Hospitals and multi-specialty clinics that maintain electronic patient records, process appointment bookings digitally, or use third-party platforms for any aspect of clinical or administrative operations.

Diagnostic centres and pathology labs that deliver results digitally, maintain patient records electronically, or use laboratory information systems connected to patient data.

Telemedicine platforms — including platforms connecting patients to doctors, mental health platforms, and any service delivering clinical consultations digitally.

Health monitoring and wellness apps that collect symptom data, health metrics, fitness data, or any other health-related personal data from users.

Health insurance platforms and TPAs that process claims data, health records, and other sensitive personal data in the course of insurance administration.

Health data aggregators and analytics platforms that process health data from multiple sources for research, population health, or commercial purposes.

Where to start

For healthcare organisations, the starting point is an accurate, documented picture of how personal and health data flows through your organisation — across clinical systems, administrative systems, third-party platforms, and research or analytics use cases.

This is more complex than in most other sectors, because the data flows in healthcare are more numerous, the vendor ecosystem is larger, and the sensitivity of the data means that gaps carry higher consequences. An informal self-assessment is unlikely to identify all material gaps — particularly in vendor agreement coverage and secondary data use.

Privara's DPDPA Readiness Review is designed to provide exactly this picture — a structured operational assessment in 10–20 working days, with documented findings and a clear set of immediate priority actions. For healthcare organisations with more complex data environments, the Operational Compliance Audit provides a more comprehensive eight-area assessment.

DPDPA in other sectors