Indian healthcare gets privacy backbone from new data protection rules

The Digital Personal Data Protection Act 2023, along with the recently notified Rules of 2025, marks India's most significant privacy reform since the IT Act 2000. These measures promote respect for individual rights and data accountability. In healthcare, every clinic, hospital, laboratory, and telemedicine application is elevated to the status of a "data fiduciary," without distinction based on size. Personal data in digital form, or later digitized, falls under the Act's scope.

Patients become "data principals" entitled to access, correct, and erase their medical information. Hospital consent forms have often relied on blind faith rather than informed choice, but the DPDP Act introduces transparency. During medical emergencies or public health crises, data processing without consent is permitted. However, ambiguities persist in areas like post-operative ICU care, chronic illness management, and follow-up treatments.

Withdrawing consent or requesting data erasure creates complications for healthcare providers. Fiduciaries must delete the data and cease processing it, yet legal obligations in healthcare remain intact. The Act's definition of "processing" includes "erasure," potentially requiring consent even for deletions. Schedule III of the Rules prescribes data retention timelines for various sectors, but healthcare is notably absent, leaving institutions uncertain about record-keeping.

For data collected before the Act's commencement, fiduciaries must notify principals "as soon as reasonably practicable," with no defined time limit. According to authors Tishampati Sen, an advocate at the Supreme Court, and Harsh Mahajan, founder of Mahajan Labs and FICCI health mentor, the healthcare sector warrants sector-specific guidelines due to its critical nature. Overall, the law empowers patients by affirming their data rights and reminds providers that duty of care now extends to digital realms.