With the Indian government notifying the much-awaited Digital Personal Data Protection Act, 2023 ("DPDP Act") and rules thereunder, patient privacy is no longer just a compliance requirement but a core aspect of ethical healthcare and responsible business practice.
The DPDP Act read with the Digital Personal Data Protection Rules, 2025 ("DPDP Rules") creates a data protection framework for all digital personal data, including health data.
I. What is Health Data?
Unlike its initial draft, the DPDP Act does not provide a separate category for health data. However, guidance on what constitutes health data can be taken from the following policies/regulations:
- Health Data Management Policy under the Ayushman Bharat Digital Mission;1
- Electronic Health Record (EHR) Standards for India, 2016;2
Additionally, the Ministry of Health and Family Welfare had also sought to define health data under its draft legislation, the Digital Information Security in Healthcare Act, 2018 ("DISHA"), which resembled the Health Insurance Portability and Accountability Act, 1996 of the United States of America, commonly known as HIPAA. This initiative was, however, shelved in favour of a more comprehensive legislation, i.e. the DPDP Act.
All the above-mentioned frameworks broadly refer to health data as any information that relates to the physical or mental health of an individual, the healthcare services provided to them, or payments made for such services. It generally includes identifiers that can directly or indirectly link the information to a specific individual, such as demographic details, contact information, medical records, diagnostic reports, treatment histories, and administrative or transactional data.
II. Health Data Governance under the DPDP Act and DPDP Rules
Digital health data that includes personal information comes under the purview of the DPDP Act read with the DPDP Rules. Healthcare providers are data fiduciaries3 and are obligated to process all digital personal data in accordance with the provisions of the DPDP Act. Hence, processing must be for a lawful purpose for which the patient, i.e. the Data Principal,4 has given consent in the prescribed manner:
i. Collection. At the time of collection of personal data, a separate written notice in plain and clear language must be given, providing an itemised description of the personal information required and the purposes for which it will be used. The notice must also state: (a) how a Data Principal may exercise their rights; and (b) the manner in which they may file a complaint with the Data Protection Board of India ("Board"). This is a shift from existing practices, under which notices bundled with other terms and conditions were used to obtain consent and an itemised description of data types and their uses was not a requirement.
ii. Consent. Consent must be free, specific, informed, unconditional and unambiguous, and must signify agreement to the processing of personal data for specified purposes. The consent requirements become stricter when obtaining consent for the processing of personal data relating to children and persons with disability. For processing the personal data of a child or a person with disability, the new law requires obtaining verifiable consent from a parent or lawful guardian. The data fiduciary must also verify the identity of the consenting adult using reliable details or virtual tokens (such as those issued by a Digital Locker Service Provider).5
iii. Exemptions for processing a child's data: Processing children's personal data requires verifiable parental consent. However, as per the provisions of the DPDP Act, the central government may notify specific classes of data fiduciaries that are exempt from (a) the requirement to obtain verifiable parental consent and (b) the restriction on tracking or behavioural monitoring of children. Such data fiduciaries may include certain healthcare providers, such as clinical establishments, mental health facilities and medical professionals. This is not a blanket exemption. It applies only when the government formally notifies these healthcare providers, and only when the child's data is being processed to deliver essential, lawful health or welfare services in the child's best interest.6
iv. Data breach of patients: If a healthcare provider becomes aware of a data breach, it must inform every affected patient of the nature of the breach and its likely impact on them. Within 72 (seventy-two) hours of the breach, the Board must also be informed, with a clear explanation of the nature of the breach, the potential risks to the patients, the steps being taken to resolve the issue, and a report on the intimations given to the patients.7
v. Grievance redressal system: All healthcare providers and, where applicable, consent managers must publish a grievance redressal system through which patients can submit their grievances. The healthcare provider must respond to grievances received through such published channels within 90 (ninety) days.8 However, it is important to understand that this 90 (ninety) day period applies only to resolving grievances. It does not extend to situations where a patient seeks to exercise their other rights under the DPDP Act, such as requesting access to their data, asking for corrections, seeking erasure, or withdrawing consent. These rights-based requests follow a separate framework under the DPDP Act and DPDP Rules. There is no prescribed period for replying to Data Principal rights requests; data fiduciaries are free to determine their own response time, which should be published on their website, and must then ensure compliance with it.
vi. Personal medical data used for research, archiving or statistical purposes: Healthcare organisations can avail an exemption from the applicability of the DPDP Act when they process personal health data for research, archiving or statistical purposes, provided they comply with the Second Schedule of the DPDP Rules9 and the personal data is not used to take any decision specific to the concerned Data Principal.
Additionally, the DPDP Act establishes a separate category of data fiduciary, called a Significant Data Fiduciary ("SDF"), based on the scale, volume and sensitivity of the data it processes. If healthcare providers such as hospitals and insurance companies are designated as SDFs by the central government, on account of the large volume of sensitive data they process, the following additional obligations will have to be complied with:
- Appoint a data protection officer who is based in India;
- Appoint an independent data auditor to carry out data audit;
- Undertake periodic Data Protection Impact Assessment, once in every period of 12 (twelve) months and furnish its findings to the Board;
- Conduct due diligence to verify that the technical measures adopted by it do not risk the rights of Data Principals; and
- Ensure that the personal health data it processes is not transferred outside India.10
Footnotes
1 Para 4(y), 4(z) & 4(aa) of National Digital Health Mission: Health Data Management Policy, available at https://abdm.gov.in/publications/policies_regulations/health_data_management_policy.
2 See 'PERSONAL HEALTH INFORMATION' at page 19 of ELECTRONIC HEALTH RECORD (EHR) STANDARDS FOR INDIA, 2016, available at https://esanjeevani.mohfw.gov.in/assets/guidelines/ehr_guidlines.pdf.
3 Section 2(i) 'Data Fiduciary' of DPDP Act.
4 Section 2(j) 'Data Principal' of DPDP Act.
5 Section 9 'Processing of personal data of children' of DPDP Act read with Rule 10 'Verifiable consent for processing of personal data of child' and Rule 11 'Verifiable consent for processing of personal data of person with disability who has lawful guardian' of DPDP Rules.
6 Rule 12 'Exemptions from certain obligations applicable to processing of personal data of child' of DPDP Rules.
7 Rule 7 'Intimation of personal data breach' of DPDP Rules.
8 Rule 14 'Rights of Data Principals' of DPDP Rules.
9 Rule 16 'Exemption from Act for research, archiving or statistical purposes' of DPDP Rules.
10 Section 10 'Additional Obligations of Significant Data Fiduciary' of DPDP Act read with Rule 13 'Additional Obligations of Significant Data Fiduciary' of DPDP Rules.