Health data is the most sensitive personal data category under DPDP. Diagnoses, prescriptions, mental health records, test results, surgical history — all of it carries the highest protection requirements and the steepest penalties for mishandling. This applies to every level of Indian healthcare: solo doctors, multi-speciality clinics, hospitals, telemedicine platforms, pharmacies, fitness apps, and health-tech startups.
Applies to: Doctors & clinics • Hospitals • Diagnostic labs • Telemedicine platforms (Practo, Apollo 247, 1mg) • Pharmacies • Mental health platforms • Health & fitness apps • Ayurveda and alternative medicine practitioners.
Why Health Data Gets Special Treatment Under DPDP
Not all personal data is equal under DPDP. Health and medical data sits at the top of the sensitivity hierarchy — for reasons that are obvious once you think about it.
| Data Category | Sensitivity Level |
|---|---|
| Health / Medical data | Highest risk |
| Financial data | Very high |
| Children's data | Very high |
| Biometric data | High |
| Contact information | Standard |
Why is health data so sensitive?
- Employment discrimination: A leaked diagnosis (cancer, HIV, diabetes) can cost a patient their job
- Insurance consequences: Pre-existing condition data can be used to deny insurance or raise premiums
- Social stigma: Mental health records, addiction treatment, reproductive health — all carry social consequences if exposed
- Identity targeting: Health data combined with name and address creates detailed profiles that can be exploited
- Irreversibility: Once a diagnosis leaks, it cannot be undone — unlike a stolen password
⚠️ Real Consequence: A clinic's patient database leaks and reveals which patients are being treated for HIV, mental illness, or cancer. Those patients face discrimination from employers, insurers, and communities. The Data Protection Board can impose maximum penalties — and reputational damage to the clinic is permanent.
Who in Healthcare Must Comply?
DPDP applies across the entire healthcare ecosystem:
Entities Treating Patients
- Solo practitioners (GPs, specialists, dentists, physiotherapists)
- Multi-doctor clinics and polyclinics
- Hospitals (private, trust, corporate chains)
- Diagnostic labs and radiology centres
- Pharmacies (brick-and-mortar and online)
- Ayurveda, Homeopathy, Unani, and alternative medicine practitioners
- Mental health professionals (psychiatrists, psychologists, counsellors)
- Physiotherapy and rehabilitation centres
Digital Health Platforms
- Telemedicine platforms (Practo, Apollo 247, 1mg, Tata Health)
- Online pharmacy platforms (PharmEasy, Netmeds, 1mg)
- Health and fitness apps (HealthifyMe, CureFit, Niramai)
- Mental health apps (YourDOST, Wysa, iCall)
- Wearable health device apps (heart rate, sleep, glucose monitors)
- Hospital management software providers
- Electronic Health Record (EHR) platforms
- Femtech apps (period trackers, pregnancy apps)
🏥 Individual Doctor Reality Check: A solo doctor running a clinic with 20 patients a day, maintaining a paper register with names, ages, diagnoses, and prescriptions — that is processing sensitive personal data. DPDP applies. No revenue threshold, no patient count exemption.
What Patient Data Is Covered Under DPDP?
Identity & Contact Information
- Full name, date of birth, gender
- Address, phone number, email
- Aadhaar number (if collected for identification)
- Insurance policy numbers and details
- Emergency contact information
Clinical Information
- Diagnoses (current and historical)
- Prescriptions and medication history
- Lab test results (blood tests, urine tests, biopsies)
- Imaging reports (X-rays, MRIs, CT scans, ultrasounds)
- Surgical history and procedure records
- Mental health diagnoses, therapy notes, psychiatric evaluations
- Vaccination records
- Chronic conditions (diabetes, hypertension, cancer, HIV status)
- Reproductive health data (pregnancy, fertility treatments)
- Genetic information
Physical Measurements
- Height, weight, BMI
- Blood pressure, heart rate readings
- Blood glucose levels
- Fingerprints (if used for patient identification)
- Retinal scans (if used in advanced facilities)
- Wearable device data (steps, sleep patterns, oxygen levels)
Lifestyle & Preference Data
- Dietary habits and restrictions
- Exercise and activity data (from apps)
- Menstrual cycle data (period tracking apps)
- Sleep patterns
- Substance use history (alcohol, tobacco, drugs)
Patient Consent: What Healthcare Must Get Right
The General Rule: Consent for Data Collection
For routine medical treatment, consent to treat generally covers the data processing needed to provide that treatment. However, DPDP requires clear, informed consent for:
- Storing records in digital databases (not just paper)
- Sharing data with third parties (insurance companies, researchers, other hospitals)
- Using data for purposes beyond treatment (marketing, analytics, research)
- Sharing data cross-border (telemedicine with overseas doctors)
What a Valid Healthcare Consent Process Looks Like
At registration, patients must be informed of:
- What data you collect (identity + medical data)
- Why (treatment, billing, medical records)
- Who you may share it with (referring doctors, labs, insurance)
- How long you keep it
- How they can access or delete their records
Practical implementation: Add a consent section to your patient registration form, which the patient signs or verbally confirms (note the verbal confirmation in the record). For digital systems, add a clear consent checkbox at digital registration.
Additional requirements for online consultations:
- Consent to session being conducted online (data transmitted over internet)
- Consent to any session recording (if recorded for quality/medical review)
- Consent to prescription being sent digitally
- Information about data security measures in place
When You Do NOT Need Fresh Consent
- ✅ Sharing with a referring specialist for treatment purposes
- ✅ Sharing with diagnostic labs to process ordered tests
- ✅ Sharing with hospital during emergency admission
- ✅ Maintaining your own records for ongoing patient care
When You ALWAYS Need Explicit Consent
- ❌ Sharing with insurance companies (even for claims — get consent)
- ❌ Using patient data for research studies or clinical trials
- ❌ Sharing with pharmaceutical companies for marketing
- ❌ Using patient photos or case studies for educational/marketing content
- ❌ Sending promotional health content via SMS or WhatsApp
- ❌ Sharing with third-party wellness or fitness apps
Sector-Specific Compliance Guides
Solo Doctors & Small Clinics
Paper Records
DPDP applies to paper patient records too. You must:
- Store records in locked cabinets with restricted access
- Never leave patient files where other patients can see them
- Shred records when retention period expires (don't just throw in trash)
- Retention: Keep medical records for 7-10 years after last visit, then securely destroy
Digital Records (Computers, Tablets)
- Password-protect your computer and patient management software
- Enable screen lock (auto-locks when you leave the desk)
- Do not leave patient records visible on screen in waiting areas
- Regular backups to encrypted storage
- 2FA on email accounts that receive patient records
Privacy Policy
- Display a brief privacy notice in your waiting room
- If you have a website with appointment booking: publish full privacy policy
Diagnostic Labs
- Patient data collected for tests must be used only for test processing and reporting
- Do not share test results with anyone other than the patient and referring doctor without consent
- Test result portals must have patient authentication (OTP, password) before results are displayed
- Do not use patient contact details for promotional marketing without explicit opt-in
- Retention: Lab reports may be required to be kept for 5-7 years — then securely destroyed
- Lab technicians should only access data relevant to tests they are processing
Telemedicine Platforms
- End-to-end encryption for all consultation sessions
- Patient authentication before accessing health records
- Doctors on the platform must also individually comply with DPDP for data they access
- Clear consent for session recording (if sessions are recorded)
- Do not use consultation data for AI training without explicit, separate patient consent
- Cross-border data transfers (overseas doctors) require additional safeguards
- Prescription data must be stored securely and accessible only to authorised parties
Online Pharmacies
- Prescription uploads contain extremely sensitive data — encrypt at rest and in transit
- Prescription images must not be accessible beyond the pharmacist processing the order
- Delete prescription images after order is dispensed (do not retain indefinitely)
- Purchase history (which medicines ordered) reveals health conditions — treat as sensitive data
- Do not use medication purchase history for targeted advertising without consent
- Clear consent before sending promotional emails or SMS
Mental Health Platforms
Mental health data is among the MOST sensitive under DPDP. It requires the highest level of protection:
- Therapy session notes must be accessible ONLY to the treating therapist and patient
- Do NOT share mental health diagnoses or session content with employers, insurers, or family without explicit patient consent
- Anonymous reporting and anonymous mode options for users who fear stigma
- Session recordings (if any) require explicit consent and must be stored with maximum encryption
- Strict access controls: No staff member should access session content unless directly involved in care
- Breach of mental health data triggers the highest reputational and legal consequences
Health & Fitness Apps
- Step counts and activity data = personal data under DPDP
- Sleep patterns, heart rate, menstrual data = sensitive health data
- Explicit consent before sharing any health data with third parties (insurance, employers)
- Femtech / period tracking apps: reproductive health data is particularly sensitive — never share without explicit consent
- Do NOT monetise health data (sell to advertisers) without explicit, informed consent
- Users must be able to download all their health data and delete their account
The WhatsApp Problem in Indian Healthcare
WhatsApp is deeply embedded in Indian healthcare delivery. Doctors send prescriptions via WhatsApp, labs send reports, hospitals share discharge summaries. This is convenient — and a significant DPDP risk.
The Problem with WhatsApp for Medical Data
- WhatsApp messages are backed up to Google Drive or iCloud — your patient data lives in their cloud accounts
- WhatsApp Web sessions left open = patient data accessible on unprotected computers
- Forwards are trivially easy — a prescription sent to one person can be forwarded to thousands
- No audit trail — you cannot prove who accessed or forwarded what
- Group chats with patient data = massive breach risk if group membership is uncontrolled
What You Must Do if Using WhatsApp in Healthcare
- Get explicit patient consent: "May I send your prescription/report via WhatsApp?" — get a yes before sending
- Enable disappearing messages for chats containing medical data
- Never create WhatsApp groups containing multiple patients' medical data
- Lock WhatsApp with biometric/PIN on your phone
- Log out of WhatsApp Web after each session on shared computers
- Ideally: Switch to a secure, DPDP-compliant alternative for sending medical documents (encrypted email, secure patient portal)
⚠️ Common Mistake: Doctor adds patient to a "regular patient" WhatsApp group that includes multiple patients. Now every patient in the group can see every other patient's name and profile picture. This is a privacy violation affecting all group members.
Top DPDP Violations in Healthcare
The mistake: A 5,000-patient clinic database is hacked. The owners discover it but delay notifying the Data Protection Board for 2 weeks, hoping to "fix it quietly."
Why illegal: DPDP requires breach notification to the DPB within 72 hours. Health data breach involving thousands of patients = maximum penalties.
Fix: Create a breach response plan. Designate who notifies the DPB. Know the notification process before a breach happens.
The mistake: Hospital routinely shares full patient medical records with insurance companies when processing claims — without getting patient consent for this specific sharing.
Why illegal: Sharing health data with insurance companies requires explicit patient consent. The patient consented to treatment, not to insurer access.
Fix: Add insurance data sharing consent to your intake forms. Patients must separately agree to sharing records with insurers.
The mistake: A diagnostic lab sells anonymised (but re-identifiable) patient data to pharmaceutical companies for drug marketing targeting. Or a clinic allows a pharma rep to access patient records to identify potential customers for a new drug.
Why illegal: Patient data cannot be used for commercial purposes beyond treatment without explicit, informed consent.
Fix: Never share or sell patient data to pharma companies. If approached, decline.
The mistake: Doctor posts "interesting case" on Instagram with X-ray images, noting patient's age, condition, and treatment — patient is identifiable from the context even without name.
Why illegal: Using patient health data (even "anonymised") for promotional or educational content without explicit consent is a violation.
Fix: Get written, specific consent from patients before using any case for educational or promotional content. Ensure true anonymisation (age, gender, and city together can identify a patient).
The mistake: A hospital's patient management system is accessible to all staff — receptionists, janitors, billing, and clinical staff all use the same login with no role-based restrictions. A billing clerk can view psychiatric records. A cleaner can see HIV test results.
Why illegal: Failure to implement reasonable security safeguards = up to ₹250 crore.
Fix: Implement role-based access controls. Clinical staff see clinical data. Billing staff see billing data. No one sees more than they need.
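The Fix above, the "lab technicians should only access data relevant to tests they are processing" rule under Diagnostic Labs, and the "accessible ONLY to the treating therapist" rule under Mental Health Platforms describe one control: deny by default, grant by role, and for the most sensitive categories also require a relationship to the specific patient, with every decision logged. The following Python is an added illustration, not code from the page or from any hospital software vendor; the role names, categories, staff IDs and patient IDs are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Data categories a record can belong to (hypothetical names).
DEMOGRAPHICS, BILLING, CLINICAL, MENTAL_HEALTH, LAB_RESULT = (
    "demographics", "billing", "clinical", "mental_health", "lab_result")

# Role -> categories the role may read at all. Roles not listed here
# (e.g. housekeeping) and categories not listed are denied by default.
ROLE_PERMISSIONS = {
    "billing_clerk": {DEMOGRAPHICS, BILLING},
    "clinician": {DEMOGRAPHICS, CLINICAL, LAB_RESULT},
    "therapist": {DEMOGRAPHICS, CLINICAL, MENTAL_HEALTH},
    "lab_technician": {LAB_RESULT},
}
# For these categories a permitted role is not enough: the user must also
# be on the record's care team (treating therapist, assigned technician).
RELATIONSHIP_REQUIRED = {MENTAL_HEALTH, LAB_RESULT}

@dataclass
class Record:
    patient_id: str
    category: str
    care_team: set = field(default_factory=set)  # staff involved in this care

AUDIT_LOG: list = []  # append-only store in a real system; a list here

def can_access(user_id: str, role: str, record: Record) -> bool:
    """Allow only if the role permits the category AND, where required, the
    user is directly involved in the patient's care. Every decision, denials
    included, is written to the audit log so access can later be proven."""
    allowed = record.category in ROLE_PERMISSIONS.get(role, set())
    if allowed and record.category in RELATIONSHIP_REQUIRED:
        allowed = user_id in record.care_team
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(), "user": user_id,
        "role": role, "patient": record.patient_id,
        "category": record.category, "decision": "ALLOW" if allowed else "DENY",
    })
    return allowed

def demo() -> dict:
    """Constructed sample staff and records; returns each access decision."""
    hiv_result = Record("P001", LAB_RESULT, care_team={"tech7", "dr_rao"})
    therapy_note = Record("P002", MENTAL_HEALTH, care_team={"dr_sen"})
    return {
        "clerk_reads_psych_note": can_access("clerk1", "billing_clerk", therapy_note),
        "cleaner_reads_hiv_result": can_access("clean1", "housekeeping", hiv_result),
        "unassigned_tech_reads_hiv_result": can_access("tech9", "lab_technician", hiv_result),
        "assigned_tech_reads_hiv_result": can_access("tech7", "lab_technician", hiv_result),
        "treating_therapist_reads_note": can_access("dr_sen", "therapist", therapy_note),
        "clerk_reads_invoice": can_access("clerk1", "billing_clerk", Record("P002", BILLING)),
    }
```

The audit entries written by `can_access` are what let you answer "who viewed this record" after an incident, which a shared login can never provide.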
The mistake: A health app uses patient symptom search history and app usage patterns to serve targeted pharmaceutical advertisements within the app — without disclosing this or getting consent.
Why illegal: Using health data for advertising without consent. If any minor users are profiled, penalties jump to ₹200 crore.
Fix: Do not use health data for advertising. If advertising is part of your model, get explicit, informed consent for this specific use.
Healthcare DPDP Compliance Checklist
| Compliance Item | Status |
|---|---|
| Privacy policy published (website, patient registration, waiting room notice) | ☐ |
| Patient consent process (clear consent at registration for data collection) | ☐ |
| Separate consent for insurance data sharing | ☐ |
| Role-based access controls (staff see only what they need) | ☐ |
| Patient records encrypted (digital records at rest and in transit) | ☐ |
| Physical records secured (locked cabinets, restricted access) | ☐ |
| No third-party sharing without consent (pharma, employers, insurers) | ☐ |
| WhatsApp usage reviewed (consent before sending medical data) | ☐ |
| No patient case studies without written consent | ☐ |
| Data retention policy set (delete records after retention period) | ☐ |
| Breach response plan ready (72-hour notification process known) | ☐ |
| Patient data deletion process (can delete on patient request) | ☐ |
| Staff trained (basic DPDP awareness for all who handle patient data) | ☐ |
| Privacy contact active (dedicated privacy e-mail address for patient requests) | ☐ |
FAQ for Doctors & Health Platforms
Does DPDP apply to individual doctors and small clinics?
Yes. Any doctor maintaining patient records — paper or digital — is processing personal data. Health data's sensitivity means the compliance obligations are strict regardless of practice size.
Is patient health data sensitive under DPDP?
Yes — it's the most sensitive category. Diagnoses, prescriptions, test results, mental health records, and medical history all fall under the highest protection tier.
Can doctors share patient information with other doctors?
Yes, for treatment purposes. Referring to a specialist or sharing with the treating hospital is permitted. Sharing with non-treating parties (insurers, employers, pharma) without explicit patient consent is a violation.
Does DPDP apply to telemedicine platforms?
Yes. Telemedicine platforms are Data Fiduciaries with full DPDP compliance obligations. Individual doctors using these platforms also have their own obligations for data they access.
Can I send prescriptions via WhatsApp?
Only with patient consent. Ask before sending: "May I send your prescription via WhatsApp?" Get a yes. Enable disappearing messages. Be aware of the security limitations of WhatsApp for sensitive medical data.
How long should patient records be kept?
Indian medical regulations require records to be kept for at least 3 years (outpatient) to 10 years (inpatient) depending on the type. Check applicable MCI/NMC and state health regulations. After the retention period, securely destroy — don't just keep forever.
What if a patient asks to delete their medical records?
You must balance the right to deletion against your legal obligation to maintain medical records. You can retain records required by law — but must delete everything else (marketing preferences, unnecessary personal data). Explain to the patient what you're legally required to keep.
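The FAQ answer above, together with the retention items in the Solo Doctors and Diagnostic Labs sections, describes one decision: which of a patient's data can be erased on request, which must be kept until its legal retention period ends, and what to tell the patient. The Python below is an added example, not code from the page or from any EHR product; the record types, the helper names and the 3-year outpatient / 10-year inpatient periods (taken from the FAQ as parameters, to be replaced by whatever your regulator specifies) are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed retention periods in years per record type, following the FAQ
# figures above; they are parameters to be replaced with what your regulator
# specifies. None marks data with no statutory retention duty.
RETENTION_YEARS = {
    "outpatient_record": 3,
    "inpatient_record": 10,
    "marketing_preference": None,
    "app_usage_analytics": None,
}

@dataclass
class DataItem:
    item_id: str
    record_type: str
    last_activity: date  # last visit or last use; starts the retention clock

def retention_end(item: DataItem) -> Optional[date]:
    """Date the legal retention duty ends, or None if there is no such duty."""
    years = RETENTION_YEARS[item.record_type]
    if years is None:
        return None
    try:
        return item.last_activity.replace(year=item.last_activity.year + years)
    except ValueError:  # 29 Feb start date landing on a non-leap year
        return item.last_activity.replace(year=item.last_activity.year + years, day=28)

def plan_deletion(items: List[DataItem], today: date) -> dict:
    """Split a patient's data into what is erased now (no retention duty),
    what must be retained and until when (to explain to the patient), and
    what has overrun its period and should have been destroyed already."""
    plan = {"delete_now": [], "retain_until": {}, "overdue_destruction": []}
    for item in items:
        end = retention_end(item)
        if end is None:
            plan["delete_now"].append(item.item_id)
        elif end <= today:
            plan["overdue_destruction"].append(item.item_id)
        else:
            plan["retain_until"][item.item_id] = end.isoformat()
    return plan

def demo() -> dict:
    """Constructed sample: a patient requests erasure on 2025-06-01."""
    items = [
        DataItem("OPD-2021", "outpatient_record", date(2021, 3, 10)),  # duty lapsed 2024-03-10
        DataItem("IPD-2019", "inpatient_record", date(2019, 8, 22)),   # duty runs to 2029-08-22
        DataItem("MKT-001", "marketing_preference", date(2024, 1, 5)),
        DataItem("ANL-001", "app_usage_analytics", date(2025, 5, 30)),
    ]
    return plan_deletion(items, date(2025, 6, 1))
```

The `overdue_destruction` bucket is the part most clinics miss: a deletion request often surfaces records that should have been securely destroyed long before the patient asked.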