For clinics in India, the DPDP Act is the equivalent of the GDPR. For a clinic, the 5 things that change are: explicit patient consent for data collection, a clear purpose for every data use, data minimisation, the patient’s right to delete or export their data, and significant penalties (up to 250 crore rupees) for breaches. Most clinics do not need to panic. They need to update 5 routine practices and pick a clinic software that handles the technical bits by default.
What is the DPDP Act and does it apply to my clinic?
The Digital Personal Data Protection Act, 2023 governs how any Indian organisation collects, stores, uses, shares, and deletes the personal data of Indian residents. Patient health data is “sensitive personal data” under the Act, which gets stricter handling than ordinary personal data. The Act applies to clinics of every size. There is no small business exemption.
The DPDP Act is India’s equivalent of the European GDPR: a comprehensive framework that gives individuals meaningful rights over their personal data and places enforceable obligations on the organisations that collect it.
For clinics, the key distinction is this: patient health data is not ordinary personal data. Under India’s data protection framework, medical records, health conditions, and treatment histories are classified as sensitive personal data, which means they attract stricter handling requirements than, say, a customer’s email address or purchase history.
The Act applies from the moment a patient registers at your clinic. The name, date of birth, phone number, address, and certainly the diagnosis, prescription, and lab results: all of it falls within the DPDP Act’s scope the moment it is collected digitally.
What rights do patients have under the DPDP Act?
Patients (called Data Principals in the Act) have five specific legal rights over their health data. These rights are exercisable at any time and must be facilitated by your clinic without unnecessary friction or delay.
1. Right to information.
Patients have the right to know what personal data you have collected, what you are using it for, and who you have shared it with. This is not an on-request courtesy; it is a legal entitlement.
2. Right to correction and erasure.
A patient can ask you to correct inaccurate data (for example, a wrong date of birth or a mis-entered allergy) and, subject to legal retention requirements, to delete their records. Your clinic software should be able to execute both within a reasonable time frame.
3. Right to grievance redressal.
Patients must have a clear, accessible contact point for raising data-related complaints. A named grievance email or a reception contact is sufficient for most clinics.
4. Right to nominate.
Patients can designate another person to exercise their data rights on their behalf. This is relevant for elderly patients, children, or patients with cognitive impairments.
5. Right to withdraw consent.
A patient who gave consent to collect their data can withdraw it. Consent withdrawal does not erase legally mandated records, but it does mean you cannot continue using the data for purposes beyond what the law requires you to retain.
What obligations does the DPDP Act place on my clinic?
Clinics are Data Fiduciaries under the Act: the entity that determines why and how patient data is collected. This creates eight specific obligations, most of which are common-sense data hygiene practices that good clinics already follow informally.
The obligations, translated from legal language into clinic workflow language:
1. Collect only what you need.
If you are doing a blood pressure check, you do not need the patient’s employment history. Data minimisation is the formal term. Common sense is the practical test.
2. Get explicit, informed consent for each purpose.
Consent for medical care is not the same as consent for marketing. Each purpose needs its own consent. The consent must be freely given, not buried in a form that the patient cannot skip.
3. Provide a clear privacy notice.
Patients must be able to find out, without effort, what data you collect, why, and how long you keep it. An A4 print at reception, a line on the registration form, and a reference to your grievance contact satisfies this for most small clinics.
4. Keep data only as long as needed.
Medical records have statutory retention periods under Indian law (typically 3–7 years depending on the clinical context). Beyond those periods, data that is no longer needed should be deleted.
5. Implement security safeguards.
The Act requires reasonable security practices. For digital records, this means encryption, access controls, and audit logging at minimum. The right clinic software handles this by default.
6. Notify of breaches.
If patient data is compromised, the clinic must notify both the Data Protection Board of India and affected patients. The timeline is defined by the Act: promptly, and in plain language.
7. Appoint a Data Protection Officer if required.
Only Significant Data Fiduciaries (entities processing large volumes of sensitive data) need a formal DPO. Most individual clinics and small practices will not meet this threshold.
8. Facilitate patient rights without friction.
When a patient asks to access, correct, or delete their data, the obligation is to respond, not to make the process difficult.
What actually changes in my clinic’s day-to-day workflow?
Five practical updates. None of them require a technology overhaul, none disrupt OPD operations, and most can be implemented in a single afternoon.
Update 1: Add a consent line to your patient registration form
Your registration form already collects patient data. It probably just does not include an explicit consent statement. A single sentence added to the existing form satisfies this requirement for most clinics.
Sample consent line: “I consent to [Clinic Name] collecting and storing my personal and health information for the purpose of providing medical care and related billing. I understand I can withdraw this consent or request correction or deletion of my data at any time by contacting [grievance contact].”
Update 2: Display a privacy notice in the reception area
An A4 printed notice in the waiting area or at the registration counter is sufficient. It should state: what data you collect, why you collect it, how long you keep it, and who to contact with a grievance. This does not need to be a legal document. Plain language is better.
Update 3: Verify your clinic software logs record access
The DPDP Act’s audit requirements mean you need to be able to answer the question: who accessed which patient’s record and when? Most modern clinic software maintains this log automatically. If yours does not, this is one of the strongest reasons to switch.
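The per-purpose consent rule (obligation 2 and the right to withdraw consent above) and the audit question in Update 3 can be modelled together in a few lines. This is an added example, not code from the article or from any clinic software vendor; the ClinicStore class, the purpose names and the sample patient are assumptions for illustration:

```python
# Added example (not from the article or any vendor): a minimal EMR access layer that
# enforces consent per purpose, keeps records on consent withdrawal (retention still
# applies) and logs who accessed which record, when and why. All data is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone

CLINICAL, MARKETING = "clinical_care", "marketing"   # purposes the article distinguishes

@dataclass
class PatientRecord:
    notes: str                                   # clinical data, retained under statutory rules
    consents: set = field(default_factory=set)   # purposes the patient has agreed to

class ClinicStore:
    def __init__(self) -> None:
        self.records: dict[str, PatientRecord] = {}
        self.audit: list[dict] = []   # append-only trail: when, who, which patient, why, allowed

    def register(self, patient_id: str, notes: str, consents: set) -> None:
        self.records[patient_id] = PatientRecord(notes, set(consents))

    def withdraw_consent(self, patient_id: str, purpose: str) -> None:
        # Withdrawal blocks future use for that purpose only; the clinical record stays
        # because statutory retention (3 to 7 years per the article) still applies.
        self.records[patient_id].consents.discard(purpose)

    def access(self, staff_user: str, patient_id: str, purpose: str) -> str:
        rec = self.records[patient_id]
        allowed = purpose in rec.consents   # every attempt is logged, refusals included
        self.audit.append({"when": datetime.now(timezone.utc), "who": staff_user,
                           "patient": patient_id, "purpose": purpose, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{patient_id}: no consent on file for {purpose}")
        return rec.notes

    def who_accessed(self, patient_id: str) -> list:
        """The DPDP audit question for one patient: (who, purpose, allowed), in order."""
        return [(e["who"], e["purpose"], e["allowed"])
                for e in self.audit if e["patient"] == patient_id]

def demo() -> list:
    store = ClinicStore()
    store.register("P001", "BP 130/85, follow-up in 2 weeks", {CLINICAL, MARKETING})
    store.access("nurse_a", "P001", CLINICAL)           # appointment reminder: clinical use
    store.withdraw_consent("P001", MARKETING)           # patient opts out of promotions
    try:
        store.access("front_desk", "P001", MARKETING)   # refused, but still on the trail
    except PermissionError:
        pass
    return store.who_accessed("P001")
```

Running demo() returns the trail for P001: the clinical access allowed, the marketing attempt refused, and the record itself still present.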
Update 4: Train reception and nursing staff on two rules
A 30-minute training session is enough. Two rules:
- Never share patient data with anyone the patient has not authorised.
- Never use patient phone numbers for non-clinical purposes. Appointment reminders are clinical. Marketing messages, unsolicited health tips, or promotional clinic updates are not.
Update 5: Switch to WhatsApp Business with a clear opt-in
If you use WhatsApp for patient communication, switch to WhatsApp Business with a clear opt-in flow. Sending appointment reminders is fine. Sending unsolicited offers is not.
What to ask your Clinic Software Vendor
A clinic software vendor handles much of the technical compliance for you. Ask these 7 questions before signing up or renewing.
- Where is the patient data hosted? (Should be in India.)
- Is the data encrypted at rest and in transit? (AES-256 and TLS 1.3 are the current standards.)
- Are there role-based access controls and audit logs?
- What is the data retention default, and can I change it?
- How fast can a patient’s record be exported in a standard format if they request it?
- How fast can a patient’s record be deleted if they withdraw consent?
- What is the breach notification process, and what is the SLA?
If a vendor cannot answer any of these in writing, that is a red flag.
Penalties and what they mean for a small clinic
The Act allows penalties up to 250 crore rupees for serious breaches. Enforcement against a single small clinic is unlikely in practice, but enforcement against a clinic chain or a software vendor is highly likely.
The right mental model is: small clinics will rarely be the target, but small clinics whose software vendor has a breach can be caught in the same investigation. Pick your software well.
What to do next?
DPDP compliance is partly a clinic responsibility and partly a software responsibility. Medisray’s clinic management software is DPDP-aligned. India-hosted, AES-256 encrypted, audit-logged, and patient-data-portable. Read more about Medisray security.
Frequently Asked Questions
Is DPDP Act the same as HIPAA?
No. HIPAA is the US healthcare privacy law. DPDP is India’s general data protection law. DPDP applies more broadly than HIPAA in some ways and less in others.
Do I need to appoint a Data Protection Officer?
Only if your clinic is classified as a Significant Data Fiduciary. The classification depends on data volume and sensitivity. Most small clinics will not be.
Is WhatsApp messaging patient data legal under DPDP?
Yes, with explicit patient consent and a clear purpose (such as appointment reminders). Marketing or non-clinical messages without specific consent are not.
What about my paper records?
The DPDP Act applies to digital data, specifically digital personal data. Paper records are not directly within the Act’s technical scope. However, the moment a paper record is scanned, digitised, or entered into a digital system, it falls within the Act’s scope.
Can a patient ask my clinic to delete their entire medical record under the DPDP Act?
Patients have a right to erasure under the DPDP Act, but this right is not absolute. Clinics are legally required to retain medical records for defined periods under Indian medical law, typically 3 to 7 years depending on the clinical context.
How long do Indian clinics have to notify patients and the Data Protection Board after a data breach?
The DPDP Act requires Data Fiduciaries to notify both the Data Protection Board of India and affected individuals “in the prescribed manner” as soon as a breach is discovered.
Does the DPDP Act apply to a clinic that keeps paper records and does not use any software?
The DPDP Act applies specifically to digital personal data. A clinic that operates entirely on paper (no EMR, no digital registration, no WhatsApp communication) is technically outside the Act’s direct scope. But most paper-only clinics have at least one digital touchpoint, which brings them in.