DPDP Act for Hospitals - Essential mandates from DPDP Act for healthcare industry
Hospitals and the entire healthcare ecosystem in India process millions of patients' personal data every day. Understand how the DPDP Act is going to impact the processing going forward.
Introduction to DPDP Act, 2023
Last month a busy multi-speciality hospital in Delhi discovered a major problem. A routine software update accidentally exposed thousands of patient files on the internet. Names, diagnoses, test reports, and even photos from surgery: everything was out there for anyone to see. One patient, a young mother who had visited for a routine check-up, started getting spam calls from insurance agents who somehow knew her exact medical history. She felt violated. The hospital's reputation took a hit, patients cancelled appointments, and the owner is now facing angry calls from families demanding answers.
This kind of data privacy failure is becoming common in Indian hospitals. The good news? The DPDP Act gives you clear rules to prevent it. In plain terms, the DPDP Act is India's law that makes every hospital responsible for protecting patients' digital personal information the same way you protect their health.
Hospitals must pay attention right now because the DPDP Rules were notified in late 2025, and compliance is already mandatory. You handle the most sensitive data every single day: health records that people never want shared without permission. One breach or one wrong use of data can bring fines up to 250 crore rupees, plus a loss of trust that takes years to rebuild. As a hospital owner, this is no longer IT department stuff. It is your business survival issue in 2026.
What is the DPDP Act? (Simplified)
Think of the DPDP Act as a simple promise between your hospital and every patient: "We will only touch your personal information for a clear reason, keep it safe, and let you control it."
Digital personal data means any information about a real person that is stored or handled on a computer, phone app, website, or even scanned paper records that later go digital. In a hospital, this includes name, phone number, Aadhaar, address, medical history, lab reports, appointment details, and anything that can identify a specific patient.
Your hospital is the Data Fiduciary. That simply means you decide why you need the data and how you will use it. The patient or their parent or guardian is the Data Principal, the actual owner of their own information.
The law says you can process this data in only two ways: with clear patient permission, called consent, or in a few special legitimate use situations, such as a medical emergency in which the patient cannot give permission.
Break the rules and penalties are serious. The Data Protection Board of India can fine your hospital up to 250 crore rupees for serious violations like failing to secure data or misusing it without permission. Smaller mistakes still carry heavy fines. The message is clear. Patient data is no longer free to use however you like.
Informed Consent in Hospitals (Patients' Data)
Consent is no longer a small tick box at the bottom of a registration form. Under DPDP, consent must be free, specific, informed, unconditional, and clear. The patient must actively say yes knowing exactly what they are agreeing to.
In practice, every hospital digital registration flow, OPD app, or patient portal must now show a separate, easy-to-read consent notice before collecting data. The notice must list in plain language what data you are collecting, such as name, phone, and health details. It must explain the exact purpose, like treatment or billing. It must say who you might share it with, such as a lab partner or insurance company. It must mention how long you will keep it and how the patient can withdraw consent or complain.
For minors under 18, a parent or guardian must give verifiable consent. For patients who are unconscious or incapacitated, a legal guardian or a family member appointed by law can consent. In a real medical emergency the law allows legitimate use: you can treat and record data first and explain later, once the patient is stable.
Deemed consent, or legitimate use, applies in specific hospital situations, such as when a patient voluntarily walks in and gives you their details for treatment. You do not need a separate tick box for core care, but you still must give them a clear notice and the option to say no to extra uses like marketing.
Real scenario. A patient books an online appointment. The app now pops up a simple screen: "We need your name, phone and symptoms to book the doctor and send reports. We will not use this for marketing unless you say yes." One click to agree or cancel. That is compliant consent.
Data Minimisation in Hospitals
Many hospitals still ask for an Aadhaar number, full family history, or social media links on every form, just in case. That is now illegal under the DPDP data minimisation rule. Collect only what is strictly necessary for the stated purpose.
Practical changes for your hospital include the following.
Registration form: ask for name, phone, age, gender, chief complaint, and basic medical history relevant to today's visit. Skip Aadhaar unless legally required for a specific scheme.
Onboarding new staff or vendors: collect only contact and role details, not full family medical history.
Database cleanup: audit your EMR system and delete old fields that are never used.
Real-world example: A diagnostic chain used to collect the full residential address and PAN card for every blood test. Now they only ask for phone and email to send reports. Patients finish registration faster, and the hospital reduces data privacy risk.
Purpose Limitation for Hospital Data
Purpose limitation means use the data only for what you told the patient. Anything else needs fresh consent.
Common mistakes in hospitals today include:
Using treatment data to send promotional offers for wellness packages or tie-ups with pharma companies for marketing.
Sharing full patient profiles with insurance partners for targeted campaigns without telling the patient.
Running internal analytics to profile patients by disease for future upselling.
All of these now require separate specific consent. If a patient gave data only for diagnosis and treatment, you cannot suddenly use it for marketing.
Prohibited actions include selling patient lists or using health data for unrelated commercial purposes. Fresh consent is mandatory every time the purpose changes.
Real scenario. A cancer patient shares data for chemotherapy planning. The hospital later wants to invite her to a paid support group. That invitation can only go out if she separately agreed to marketing communications.
Confidentiality of Hospital Patient Data
Hospitals already follow strict medical confidentiality under the Indian Medical Council Professional Conduct Regulations and the Clinical Establishments Act. DPDP does not replace these. It adds digital teeth to them.
Staff controls mean every doctor, nurse, and receptionist must have role-based access. A receptionist sees only appointment details. A doctor sees the full history. Log every single access.
Third-party vendor risks are important. Your cloud EMR provider, lab software company, or WhatsApp Business API partner is a data processor. You must sign a proper Data Processing Agreement with them that forces them to follow the same DPDP rules.
Common leakage vectors in hospitals include old paper records scanned without proper redaction, staff sharing reports on personal WhatsApp, unencrypted laptops taken home, and default passwords on hospital software.
Fix these and you meet both medical ethics and DPDP.
Security Measures (Technical)
The law requires reasonable security safeguards: not the most expensive system, but practical protection that fits your hospital's size.
For a small hospital or single clinic under 50 beds, use encrypted cloud storage or a basic EMR with built-in encryption. Turn on two-factor login for all staff. Keep simple access logs that show who opened which file and when.
For a large multi-speciality hospital chain with 200 plus beds, implement full encryption at rest and in transit. Use role-based access control with automatic lockouts. Set up 24x7 monitoring and intrusion alerts. Conduct annual vulnerability testing and penetration tests.
Hospital-specific examples include encrypting all lab reports before emailing them. Mask sensitive fields such as HIV status or mental health notes for non-treating staff. Keep audit logs for at least one year so you can prove who accessed what during any investigation.
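As an added illustration (not code from this article), the role-based access, masking of sensitive fields for non-treating staff, and per-access audit logging described above can be expressed in a few lines. The roles, field names and the patient record are constructed assumptions, not any real EMR's schema.

```python
from datetime import datetime, timezone

# Constructed sample record; not real patient data.
RECORD = {
    "name": "Patient A",
    "phone": "+91-00000-00000",
    "appointment": "2026-01-15 10:30, OPD room 3",
    "diagnosis": "Type 2 diabetes",
    "hiv_status": "negative",
    "mental_health_notes": "follow-up counselling advised",
}

# Fields the article singles out as sensitive: masked unless the user treats the patient.
SENSITIVE_FIELDS = {"hiv_status", "mental_health_notes"}

# Assumed role-to-field mapping: a receptionist sees only appointment details,
# a doctor sees the full history.
ROLE_FIELDS = {
    "receptionist": {"name", "phone", "appointment"},
    "doctor": set(RECORD),
}

MASK = "***MASKED***"
AUDIT_LOG = []  # one entry per access attempt; retain for at least one year


def view_record(user, role, record, treating=False):
    """Return the fields this role may see, masking sensitive ones for
    non-treating staff, and append an audit entry for every attempt."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user, "role": role}
    if role not in ROLE_FIELDS:
        entry["result"] = "denied"
        AUDIT_LOG.append(entry)
        raise PermissionError(f"no access profile for role {role!r}")
    visible = {}
    for key in ROLE_FIELDS[role]:
        visible[key] = MASK if (key in SENSITIVE_FIELDS and not treating) else record[key]
    entry["result"] = "allowed"
    entry["fields"] = sorted(visible)
    entry["masked"] = sorted(k for k, v in visible.items() if v == MASK)
    AUDIT_LOG.append(entry)
    return visible


if __name__ == "__main__":
    print(view_record("reception01", "receptionist", RECORD))
    print(view_record("drshah", "doctor", RECORD, treating=False))
    print(view_record("drshah", "doctor", RECORD, treating=True))
    for e in AUDIT_LOG:
        print(e)
```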
Organisational Measures
Appoint a Data Protection Officer (DPO) if your hospital is classified as a Significant Data Fiduciary because of large patient volume or highly sensitive data processing. Most multi-speciality chains and health-tech linked hospitals will need one. The DPO oversees compliance and reports directly to you.
Mandatory actions include the following.
Train every staff member once a year on what not to do with patient data. Include real hospital breach stories in the training.
Sign proper agreements with every vendor, such as labs, insurance TPAs, and cloud providers.
Appoint a Grievance Officer. This can be the same person as the DPO in smaller setups. Provide a simple email or portal for patients to raise complaints. You must reply within a reasonable time, with a maximum of 90 days in most cases.
Run an internal data audit every year. Map what data you hold, why, and for how long.
These steps turn DPDP from a legal headache into smooth daily operations.
Patients' (Data Principal) Rights
Patients now have strong rights. They can ask for access to a copy of all their data and who it was shared with. They can request correction to fix wrong phone numbers or diagnosis entries. They can seek erasure, asking you to delete their data subject to legal retention rules. They can withdraw consent to stop you from using their data for any non-treatment purpose.
Your hospital must build a simple process, ideally a patient portal or dedicated email, where patients submit requests with basic proof of identity. Acknowledge within a few days and act within 30 days for most requests. Take longer only if legally justified.
Realistic workflow. The patient emails the grievance officer. The team verifies identity. A doctor reviews whether erasure would harm ongoing care. Reply with the action taken and log it.
Record Retention and Disposal: The DPDP-Compliant Way
Here is the unique regulatory conflict that most generic DPDP guides miss.
The Clinical Establishments Act and National Medical Commission guidelines require hospitals to keep medical records for a minimum period: typically 3 years for OPD records and 3 to 5 years for IPD records. Some states or medico-legal cases require longer, up to 10 years. You cannot delete these records early even if the patient asks.
DPDP says erase data when the purpose is served. But the law also says legal retention requirements win. So you must keep records for the statutory period then securely delete or anonymise them.
Practical guidance starts with creating a clear retention policy, for example: OPD records kept 3 years from the last visit as per the CEA, then deleted. After the period ends, securely wipe digital records and shred physical ones using certified disposal services. Document every deletion so you can prove compliance during an audit.
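The retention-versus-erasure rule above, as an added example that is not part of the article: an erasure request is refused with the date the statutory hold lifts while the record is inside its retention period, and otherwise the deletion is carried out and logged. The retention floors are the article's (OPD 3 years, IPD 5 years as the conservative end of 3 to 5, medico-legal 10 years) and are assumed to run from the last visit; the 30-day reply deadline follows the rights section; record identifiers and dates are constructed.

```python
from datetime import date, timedelta

# Retention floors in years from the last visit, as the article states them.
# IPD is given as 3 to 5 years; the conservative 5 is assumed here.
RETENTION_YEARS = {"OPD": 3, "IPD": 5, "MEDICO_LEGAL": 10}
REPLY_DAYS = 30      # act on most rights requests within 30 days
DELETION_LOG = []    # document every deletion so it can be shown at audit


def retention_end(record_type, last_visit):
    """ISO date on which statutory retention ends (dates are ISO strings)."""
    start = date.fromisoformat(last_visit)
    years = RETENTION_YEARS[record_type]
    try:
        end = start.replace(year=start.year + years)
    except ValueError:  # 29 February when the target year is not a leap year
        end = start.replace(year=start.year + years, day=28)
    return end.isoformat()


def handle_erasure_request(record_id, record_type, last_visit, request_date):
    """Decide a patient's erasure request: legal retention wins while the
    period runs; afterwards the record is erased and the deletion logged."""
    end = retention_end(record_type, last_visit)
    due = (date.fromisoformat(request_date) + timedelta(days=REPLY_DAYS)).isoformat()
    if request_date < end:  # ISO date strings compare chronologically
        return {
            "record_id": record_id,
            "action": "retain",
            "reason": f"statutory retention for {record_type} runs until {end}",
            "retain_until": end,
            "reply_due": due,
        }
    DELETION_LOG.append({
        "record_id": record_id,
        "record_type": record_type,
        "deleted_on": request_date,
        "basis": "patient erasure request after statutory period",
    })
    return {"record_id": record_id, "action": "erase", "reply_due": due}


if __name__ == "__main__":
    # Constructed sample requests
    print(handle_erasure_request("OPD-0001", "OPD", "2022-01-10", "2026-01-15"))
    print(handle_erasure_request("IPD-0002", "IPD", "2023-03-01", "2026-01-15"))
    print(handle_erasure_request("ML-0003", "MEDICO_LEGAL", "2020-02-29", "2030-02-28"))
    print(DELETION_LOG)
```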
This balanced approach satisfies both patient rights under DPDP and your medico legal protection under existing hospital laws.
Final thoughts
Hospital owners, you do not need to do everything overnight, but you must start this week. Here is a simple 3-step action plan.
First, this week: audit your current registration forms and patient consent language. Replace blanket consents with clear DPDP-style notices.
Second, in the next 30 days: appoint a Grievance Officer, sign data processing agreements with your top three vendors, and run one staff training session on data dos and don'ts.
Third, in the next 60 days: map your data flows, set retention timers in your EMR, and test a patient rights request process.
Take these steps and you turn DPDP compliance into a competitive advantage. Patients will choose hospitals they can trust with their most private information. Start today and protect your patients, your reputation, and your hospital's future.
FAQs
Does the DPDP Act apply only to digital records or also to paper files in hospitals?
It applies to any data that ends up in digital form, including scanned paper records or data entered from physical forms into your EMR system.
Can a patient force my hospital to delete their full medical records under DPDP?
Not always. You must retain records for the minimum period required by the Clinical Establishments Act, usually 3 to 5 years. After that you can delete them if the patient requests it and no other law requires keeping them.
What is the penalty if my hospital gets a data breach?
Fines can reach up to 250 crore rupees depending on the severity. You must also notify affected patients and the Data Protection Board quickly.
Do small clinics with fewer than 50 beds need to appoint a Data Protection Officer?
Only large hospitals or those notified as Significant Data Fiduciaries need a DPO. Most small clinics focus on basic security, consent notices, and grievance handling.
How does DPDP change the way we share reports with insurance companies?
You can share only with specific patient consent or under legitimate use for claim processing. Blanket sharing without telling the patient is no longer allowed.
Start implementing these changes now. Your patients will thank you!