DPDP Act for Hospitals - Essential mandates from the DPDP Act for the healthcare industry
Hospitals and the wider healthcare ecosystem in India process millions of patients' personal records every day. This post explains how the DPDP Act affects hospitals and the healthcare industry in 2026.
Relevance of the DPDP Act for Hospitals
Imagine this. A routine Hospital Management Software update in a large hospital accidentally exposes thousands of patient health records on the internet. Names, phone numbers, diagnoses, test reports and even surgical photos are out there for anyone to see. One patient, a young mother who had visited for a routine check-up, starts getting spam calls from insurance agents who somehow know her exact medical history. She feels violated. The hospital's reputation takes a hit, patients cancel appointments, and staff field angry calls from families demanding answers.
Data privacy breaches are becoming common in Indian hospitals. The good news? The DPDP Act gives you clear rules to prevent them. In plain terms, the DPDP Act is India's law that makes every hospital responsible for protecting patients' digital personal information the same way it protects their physical health.
Hospitals must pay attention right now because the DPDP Rules were notified in November 2025 with a phased timeline, so the deadlines are fixed and the substantive obligations commence within 18 months of notification. You handle the most sensitive personal data every single day: health records that people never want shared without permission. A single failure to protect patient data can attract a penalty of up to 250 crore INR, plus a loss of trust that takes years to rebuild. For hospital management, patient health records are no longer an IT department matter. They are a business survival issue.
Introduction to the DPDP Act for Hospitals and Healthcare
Think of the DPDP Act as a simple promise between your hospital and every patient. The hospital promises that it will only collect and process patients' personal information for a clear and specific reason, keep it safe, and let the patient control it.
Digital personal data means any information about an identifiable person that is held in digital form, on a computer, phone app or website, including paper records and forms that are later digitised. In a hospital this covers name, phone number, Aadhaar, address, medical history, lab reports, appointment details and anything else that can identify a specific patient.
Under the DPDP Act your hospital is the Data Fiduciary: you decide why the data is needed and how it will be used. The patient (or their parent or lawful guardian) is the Data Principal, the person the data is about. Any vendor that handles patients' data on your behalf (e.g. your EMR vendor) is a Data Processor. The obligations of data fiduciaries and data processors are covered in a separate post.
The Data Protection Board of India can fine your hospital up to 250 crore rupees for serious violations like failing to secure data or misusing it without permission. The message is clear. Patient data is no longer free to use however you like.
Informed Consent in Hospitals (Patient's Data)
Consent is no longer a small tick box at the bottom of a registration form. Under the DPDP Act, consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action. The patient must actively say yes, knowing exactly what they are agreeing to.
In practice, every digital registration flow, OPD app or patient portal must show a separate, easy-to-read consent notice before collecting data. The notice must list in plain language what data you are collecting (name, phone, health details), explain the exact purpose (treatment, billing), say who you may share it with (a lab partner, an insurance company), state how long you will keep it, and tell the patient how to withdraw consent or complain.
For minors under 18, a parent or lawful guardian must give verifiable consent. For patients who are unconscious or otherwise unable to consent, the lawful guardian consents on their behalf. In a genuine medical emergency the Act treats processing as a legitimate use: you can treat and record data first and explain later, once the patient is stable.
Legitimate uses (what the 2022 draft called deemed consent) also cover the everyday case where a patient voluntarily walks in and gives you their details for treatment. You do not need a separate tick box for core care, but you still must give a clear notice and the option to say no to extra uses such as marketing.
Real scenario, an appointment booking app for patients:
A patient books an online appointment.
The app shows a simple consent screen before collecting anything.
The screen says: "We need your name, phone and symptoms to book an appointment and send reports. We will not use this for marketing unless you say yes."
Once the patient clicks "agree", that click is a valid consent under the DPDP Act for the purposes listed, and nothing more.
Data Minimisation in Hospitals
Many hospitals still ask for Aadhaar numbers, full family history or social media links on every form, just in case. That is no longer permitted: consent under the DPDP Act covers only the personal data necessary for the specified purpose, so collect only what the stated purpose strictly needs.
Practical changes for your hospital include the following:
Registration form: ask for name, phone, age, gender, primary reason for the visit, and the medical history relevant to today's visit. Skip Aadhaar unless it is legally required for a specific scheme.
Onboarding new staff or vendors: collect only contact and role details, not full family medical history.
Database cleanup: audit your EMR system and remove old fields that are never used.
Real-world example: a diagnostic chain used to collect the full residential address and PAN card for every blood test. Now it asks only for phone and email to deliver reports. Patients finish registration faster, and the chain holds less data that could leak.
Purpose Limitation for Hospital Data
Purpose limitation means using the data only for the purpose the patient consented to. Everything else needs fresh consent.
Common mistakes in hospitals today include
Using treatment data to send promotional offers for wellness packages or tie-ups with pharma companies for marketing.
Sharing full patient profiles with insurance partners for targeted campaigns without informing the patient.
Running internal analytics to profile patients by disease for future upselling.
All of the above require separate consent from the patient. If a patient consented to processing only for diagnosis and treatment, you cannot use the same data for marketing or any other purpose.
Selling patient lists or using health data for unrelated commercial purposes is prohibited outright. Fresh consent is mandatory every time the purpose changes.
Real-world scenario: a cancer patient shares data for chemotherapy planning. The hospital later wants to invite her to a paid support group. That invitation can go out only if she separately agreed to marketing communications.
Confidentiality of Hospitals' patient data
Hospitals already owe patients strict medical confidentiality under the Indian Medical Council's Professional Conduct Regulations and the Clinical Establishments Act. The DPDP Act adds further obligations on top of these.
Staff controls mean every doctor, nurse and receptionist works under role-based access. A receptionist sees only appointment details. A doctor sees the full history. Log every single access.
Third-party vendor risk matters. Your cloud EMR provider, lab software company or WhatsApp Business API partner is a Data Processor. You must sign a proper Data Processing Agreement that binds them to the same DPDP obligations you carry.
Common leakage vectors in hospitals include old paper records scanned without redaction, staff sharing reports over personal WhatsApp, unencrypted laptops taken home, and default passwords left on hospital software.
Security Measures (Technical)
The law requires reasonable security safeguards: not the most expensive system, but practical protection that fits your hospital's size.
For a small hospital or single clinic under 50 beds, use encrypted cloud storage or a basic EMR with built-in encryption. Turn on two-factor login for all staff. Keep simple access logs that show who accessed which patient's file and when.
For a large multi-speciality chain with 200-plus beds, implement full encryption at rest and in transit. Use role-based access control with automatic lockouts. Set up 24/7 monitoring and intrusion alerts. Conduct annual vulnerability assessments and penetration tests.
Hospital-specific examples include encrypting all stored lab reports, masking sensitive fields such as HIV status or mental health notes for staff other than physicians, and keeping audit logs for at least one year so you can prove who accessed what during any investigation.
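The following is an added illustration, not code from the original post or from any EMR product, of the controls described above and in the purpose-limitation section: role-based field visibility, masking of HIV status and mental-health notes for everyone except physicians, a purpose check against the patient's recorded consent (core care as legitimate use, marketing only with consent), and an audit trail that records denied reads as well as successful ones. The role names, field names, purposes and sample record are assumptions made for the example; nothing in the DPDP Act or Rules prescribes them.

```python
"""Added example: role-based access, purpose check, field masking and audit trail.
Roles, fields, purposes and the sample patient are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# Which record fields each role may see at all (assumed role model).
ROLE_FIELDS: Dict[str, Set[str]] = {
    "receptionist": {"name", "phone", "appointments"},
    "nurse": {"name", "phone", "appointments", "vitals", "medications",
              "hiv_status", "mental_health_notes"},
    "physician": {"name", "phone", "appointments", "vitals", "medications",
                  "diagnosis", "hiv_status", "mental_health_notes"},
    "billing": {"name", "phone", "appointments", "diagnosis"},
}
# Sensitive fields are shown in clear only to physicians; other roles see a mask.
SENSITIVE_FIELDS = {"hiv_status", "mental_health_notes"}
CLEAR_SENSITIVE_ROLES = {"physician"}
# Purposes treated as the care the patient walked in for (legitimate use);
# any other purpose needs a matching consent entry for that patient.
CORE_CARE_PURPOSES = {"treatment", "billing"}
MASK = "***"


@dataclass
class AuditEntry:
    ts: str
    user: str
    role: str
    patient_id: str
    purpose: str
    fields_returned: List[str]
    fields_masked: List[str]
    outcome: str  # "ok" or "denied: <reason>"


class EMRAccess:
    def __init__(self, records: Dict[str, dict], consents: Dict[str, Set[str]]):
        self._records = records      # patient_id -> record fields
        self._consents = consents    # patient_id -> purposes the patient consented to
        self.audit_log: List[AuditEntry] = []

    def _log(self, user, role, patient_id, purpose, returned, masked, outcome):
        self.audit_log.append(AuditEntry(
            ts=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=user, role=role, patient_id=patient_id, purpose=purpose,
            fields_returned=sorted(returned), fields_masked=sorted(masked),
            outcome=outcome))

    def read(self, user: str, role: str, patient_id: str, purpose: str) -> dict:
        """Return the view of one record that this role may see for this purpose.
        Denied attempts are logged too: an investigation needs attempts, not just hits."""
        if patient_id not in self._records:
            raise KeyError(patient_id)
        if role not in ROLE_FIELDS:
            self._log(user, role, patient_id, purpose, [], [], "denied: unknown role")
            raise PermissionError(f"unknown role {role!r}")
        # Purpose limitation: core care is a legitimate use, everything else needs consent.
        if purpose not in CORE_CARE_PURPOSES and purpose not in self._consents.get(patient_id, set()):
            self._log(user, role, patient_id, purpose, [], [], "denied: no consent for purpose")
            raise PermissionError(f"patient {patient_id} has not consented to {purpose!r}")
        allowed = ROLE_FIELDS[role]
        view, masked = {}, []
        for name, value in self._records[patient_id].items():
            if name not in allowed:
                continue                  # hidden entirely from this role
            if name in SENSITIVE_FIELDS and role not in CLEAR_SENSITIVE_ROLES:
                view[name] = MASK         # field present, value masked
                masked.append(name)
            else:
                view[name] = value
        self._log(user, role, patient_id, purpose, list(view), masked, "ok")
        return view

    def accesses_for(self, patient_id: str) -> List[AuditEntry]:
        """Every access (allowed or denied) that touched one patient's record."""
        return [e for e in self.audit_log if e.patient_id == patient_id]


# Constructed sample data for the example; not a real patient.
SAMPLE_RECORDS = {
    "P001": {"name": "A. Sharma", "phone": "98xxxxxx01", "appointments": ["2026-03-02 OPD"],
             "vitals": {"bp": "120/80"}, "medications": ["metformin"],
             "diagnosis": "type 2 diabetes", "hiv_status": "negative",
             "mental_health_notes": "none"},
}
SAMPLE_CONSENTS = {"P001": {"treatment"}}   # no marketing consent on file


def build_demo() -> EMRAccess:
    return EMRAccess(SAMPLE_RECORDS, SAMPLE_CONSENTS)


if __name__ == "__main__":
    emr = build_demo()
    print(emr.read("nurse1", "nurse", "P001", "treatment"))
    try:
        emr.read("mkt1", "billing", "P001", "marketing")
    except PermissionError as e:
        print("denied:", e)
    for entry in emr.accesses_for("P001"):
        print(entry.ts, entry.user, entry.role, entry.purpose, entry.outcome, entry.fields_masked)
```

The nurse's view still contains the HIV and mental-health fields, but as a mask, so the screen shows the field exists without exposing the value; the receptionist does not see those fields at all. The marketing read fails before any field is touched, and the failure is in the same log an investigator would pull with accesses_for.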
Organisational Measures
Appoint a Data Protection Officer (DPO) if your hospital is notified as a Significant Data Fiduciary, which the Central Government designates on criteria such as the volume and sensitivity of data processed. Large multi-speciality chains and health-tech-linked hospitals are the likely candidates. The DPO oversees compliance and reports directly to your board.
Mandatory actions include:
Train every staff member at least once a year on what not to do with patient data, using real hospital breach stories.
Sign proper agreements with every vendor, including labs, insurance TPAs and cloud providers.
Appoint a Grievance Officer. In smaller setups this can be the same person as the DPO.
Provide a simple email address or portal for patients to raise complaints. The DPDP Rules require a response within 90 days; treat that as the outer limit, not the target.
Run an internal data audit every year.
Map what data you hold, why you hold it, and for how long.
Patients' (Data Principal) Rights
Patients now have the following data privacy rights:
Patients can ask for access to a copy of their data and a list of who it was shared with.
Patients can request corrections, for example to fix a wrong phone number or diagnosis entry.
Patients can seek erasure of their data, subject to legal retention rules.
Patients can withdraw consent, which stops any non-treatment use from that point on; processing done before withdrawal remains lawful.
Your hospital must build a simple process, ideally a patient portal or a dedicated email address, where patients submit requests with basic proof of identity. Acknowledge promptly and act within the timeline you publish in your notice, keeping in mind the 90-day outer limit the Rules set for grievances. Take longer only where the law justifies it.
Realistic workflow for a patient rights request, such as erasure:
The patient emails the Grievance Officer.
The team verifies the patient's identity.
The treating doctor reviews whether erasure would harm ongoing care or conflict with a retention rule.
Reply with the action taken, and log it.
Record Retention and Disposal - The DPDP Compliant Way
Here is the regulatory conflict that most generic DPDP guides miss.
The Clinical Establishments Act and National Medical Commission guidelines require hospitals to keep medical records for a minimum period: typically 3 years for OPD records and 3 to 5 years for IPD records. Some states and medico-legal cases require longer, up to 10 years. You cannot delete these records early, even if the patient asks.
The DPDP Act says erase data once its purpose is served, but it also lets a legal retention requirement prevail. So you must keep records for the statutory period, then securely delete or anonymise them.
Practical guidance: create a clear retention policy, for example OPD records kept for 3 years from the last visit as per the CEA and then deleted. Once the period ends, securely wipe digital records and shred physical ones through a certified disposal service. Document every deletion so you can prove compliance during an audit.
This balanced approach satisfies both the patient's rights under the DPDP Act and your medico-legal protection under existing hospital laws.
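As an added example (not from the original post), the retention logic above can be written as a timer your EMR runs on a schedule: the statutory period is counted from the last visit, a medico-legal flag stretches it, a legal hold blocks erasure outright, and an erasure request is deferred rather than refused while the statutory period is still running. The retention periods are the figures quoted in this post and are assumptions to verify against your state's Clinical Establishments rules and NMC guidance; the record fields and sample records are constructed for the example.

```python
"""Added example: a retention timer that applies statutory minimums before DPDP erasure.
Periods are assumed from the figures in the post; verify them before relying on this."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

RETENTION_YEARS = {"OPD": 3, "IPD": 5}   # assumed statutory minimum, years from last visit
MEDICO_LEGAL_YEARS = 10                   # assumed longer period for medico-legal cases


def add_years(d: date, years: int) -> date:
    """Anniversary date; 29 Feb rolls to 1 Mar when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


@dataclass
class MedicalRecord:
    record_id: str
    record_type: str               # "OPD" or "IPD"
    last_visit: date
    medico_legal: bool = False     # medico-legal case: longer statutory period applies
    legal_hold: bool = False       # open litigation, summons or regulator request
    erasure_requested: bool = False


@dataclass
class Decision:
    record_id: str
    action: str                    # "retain" or "erase"
    retain_until: Optional[date]   # None when the hold has no fixed end date
    reason: str


def retention_end(rec: MedicalRecord) -> date:
    years = MEDICO_LEGAL_YEARS if rec.medico_legal else RETENTION_YEARS[rec.record_type]
    return add_years(rec.last_visit, years)


def decide(rec: MedicalRecord, today: date) -> Decision:
    """Statutory retention wins over an erasure request; once it lapses the record goes,
    whether or not the patient asked, because the purpose is served."""
    if rec.legal_hold:
        return Decision(rec.record_id, "retain", None, "legal hold")
    until = retention_end(rec)
    if today < until:
        reason = "statutory retention period"
        if rec.erasure_requested:
            reason += " (erasure request deferred)"
        return Decision(rec.record_id, "retain", until, reason)
    if rec.erasure_requested:
        return Decision(rec.record_id, "erase", None, "erasure requested, retention period lapsed")
    return Decision(rec.record_id, "erase", None, "retention period lapsed, purpose served")


def run_retention_job(records: List[MedicalRecord], today: date) -> List[Decision]:
    """One sweep of the register; persist the decisions before acting on the 'erase' ones."""
    return [decide(r, today) for r in records]


# Constructed sample register for the example; not real patients.
SAMPLE_RECORDS = [
    MedicalRecord("R1", "OPD", date(2022, 1, 15)),
    MedicalRecord("R2", "IPD", date(2023, 6, 10), erasure_requested=True),
    MedicalRecord("R3", "IPD", date(2019, 2, 28), medico_legal=True),
    MedicalRecord("R4", "OPD", date(2024, 2, 29)),
    MedicalRecord("R5", "OPD", date(2020, 5, 1), legal_hold=True, erasure_requested=True),
]

if __name__ == "__main__":
    for d in run_retention_job(SAMPLE_RECORDS, date(2026, 3, 1)):
        print(d.record_id, d.action, d.retain_until, "-", d.reason)
```

The list of Decision objects is the deletion record the post asks you to keep: store it with the job's run date, then let the disposal step consume only the entries marked erase. Deferred erasure requests (R2 above) should also feed the reply sent to the patient, stating the date after which the record will be removed.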
Final thoughts
Hospital owners, you do not need to do everything overnight, but you must start this week. Here is a simple three-step action plan.
First, this week: audit your current registration forms and patient consent language. Replace blanket consents with clear DPDP-style notices.
Second, within 30 days: appoint a Grievance Officer, sign data processing agreements with your top three vendors, and run one staff training session on data dos and don'ts.
Third, within 60 days: map your data flows, set retention timers in your EMR, and test your patient rights request process end to end.
Take these steps and you turn DPDP compliance into a competitive advantage. Patients will choose hospitals they can trust with their most private information. Start today and protect your patients, your reputation and your hospital's future.
FAQs
Does the DPDP Act apply only to digital records or also to paper files in hospitals?
It applies to any personal data in digital form, including scanned paper records and data entered from physical forms into your EMR system.
Can a patient force my hospital to delete their full medical records under DPDP?
Not always. You must retain records for the minimum period required by the Clinical Establishments Act, usually 3 to 5 years. After that you can delete them on request, provided no other law requires you to keep them.
What is the penalty if my hospital has a data breach?
Penalties for failing to take reasonable security safeguards can reach 250 crore rupees, depending on severity. You must also notify affected patients and the Data Protection Board without delay; the Rules require a detailed report to the Board within 72 hours.
Do small clinics with fewer than 50 beds need to appoint a Data Protection Officer?
Only hospitals notified as Significant Data Fiduciaries must appoint a DPO. Most small clinics should focus on basic security, consent notices and grievance handling.
How does DPDP change the way we share reports with insurance companies?
You can share only with specific patient consent or under legitimate use for claim processing. Blanket sharing without informing the patient is no longer allowed.
Start implementing these changes now. Your patients will thank you!

Looking for DPDP Act compliance for your hospital?
Bellwether's data privacy consultants have experience working with hospitals and healthcare companies across the globe to establish compliance with the DPDP Act and other relevant global data protection regulations.
Request a free one-to-one meeting with an expert DPDP Act consultant.