DPDPA for Indian Healthcare: Patient Data Fiduciary Obligations
Compliance
India's Digital Personal Data Protection Act passed in August 2023 and rules are expected through 2024. For hospitals, clinics, and HealthTech firms, the engineering and consent implications are significant.
By Arjun Raghavan, Security & Systems Lead, BIPI · March 25, 2024 · 8 min read
The Digital Personal Data Protection Act 2023 received presidential assent in August 2023, and the implementing rules are working through the Ministry of Electronics and IT consultative process during 2024. For Indian healthcare providers and HealthTech platforms, DPDPA is the most consequential privacy regulation since IT Rules 2011. The obligations layer on top of ABDM, NDHM, MCI guidelines, and the Clinical Establishments Act in ways that need careful engineering.
Healthcare as data fiduciary
Hospitals, diagnostic chains, telemedicine platforms, and HealthTech apps almost certainly qualify as data fiduciaries under DPDPA. Several will be designated as Significant Data Fiduciaries once the rules clarify thresholds. SDF status brings heavier obligations including mandatory Data Protection Officers, independent audits, and Data Protection Impact Assessments.
Health data is not separately classified under DPDPA the way it is under GDPR Article 9. The Act treats personal data uniformly, with sensitive categories likely to come through subordinate rules. Plan as if a sensitive data category will be defined and your healthcare processing will sit in it.
Consent architecture
DPDPA consent requirements are strict. Consent must be free, specific, informed, unconditional, and unambiguous. Notice has to be in clear and plain language with itemized purposes. Bundled consent is prohibited. For a hospital admission, this means decoupling consent for treatment delivery from consent for research participation, insurance claim sharing, ABDM integration, and marketing communications.
- Decouple treatment consent from secondary use consent
- Maintain time-bound consent records with verifiable evidence of capture
- Implement consent withdrawal workflows with the same ease as consent capture
- Honor consent boundaries when sharing data with insurers, pharmacies, or labs
- Integrate with the Consent Manager service-provider ecosystem under the Data Empowerment and Protection Architecture (DEPA)
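The list above describes a consent ledger: one record per itemized purpose, evidence of how each consent was captured, time bounds, and a withdrawal path that is as simple as capture. The following is an added illustration written for this article, not code from any hospital system or from the DPDPA rules; the purpose names, the patient ID, the notice texts and the evidence-hash layout are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import json

# Itemized purposes: each gets its own consent record, never a bundled one.
# These purpose names are assumptions for this example, not DPDPA-defined terms.
PURPOSES = {"treatment", "research", "insurance_claim", "abdm_sync", "marketing"}


@dataclass
class ConsentRecord:
    patient_id: str
    purpose: str
    granted_at: datetime
    expires_at: Optional[datetime]
    evidence_hash: str  # SHA-256 over the notice shown, the capture channel and the timestamp
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        """True if this record authorises processing for its purpose at instant `when`."""
        if when < self.granted_at:
            return False
        if self.withdrawn_at is not None and when >= self.withdrawn_at:
            return False
        if self.expires_at is not None and when >= self.expires_at:
            return False
        return True


class ConsentLedger:
    """Append-only ledger: withdrawal closes a record, it never deletes it."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def capture(self, patient_id: str, purpose: str, notice_text: str,
                channel: str, at: datetime, ttl_days: Optional[int] = None) -> ConsentRecord:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        # Verifiable evidence of capture: what was shown, through which channel, and when.
        evidence = hashlib.sha256(json.dumps(
            {"notice": notice_text, "channel": channel, "at": at.isoformat()},
            sort_keys=True).encode()).hexdigest()
        expires = at + timedelta(days=ttl_days) if ttl_days is not None else None
        rec = ConsentRecord(patient_id, purpose, at, expires, evidence)
        self._records.append(rec)
        return rec

    def withdraw(self, patient_id: str, purpose: str, at: datetime) -> int:
        """Withdraw one purpose only; other purposes are untouched. Returns records closed."""
        closed = 0
        for rec in self._records:
            if rec.patient_id == patient_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                closed += 1
        return closed

    def is_permitted(self, patient_id: str, purpose: str, at: datetime) -> bool:
        return any(r.patient_id == patient_id and r.purpose == purpose and r.active_at(at)
                   for r in self._records)

    def active_purposes(self, patient_id: str, at: datetime) -> set[str]:
        return {r.purpose for r in self._records
                if r.patient_id == patient_id and r.active_at(at)}


def demo() -> dict:
    """Constructed scenario: admission consents, then withdrawal of insurer sharing on day 5."""
    t0 = datetime(2024, 4, 1, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.capture("P-0001", "treatment", "Notice v3: treatment delivery", "kiosk", t0)
    ledger.capture("P-0001", "insurance_claim", "Notice v3: insurer sharing", "kiosk", t0, ttl_days=365)
    ledger.capture("P-0001", "marketing", "Notice v3: health tips", "app", t0, ttl_days=30)
    closed = ledger.withdraw("P-0001", "insurance_claim", t0 + timedelta(days=5))
    return {
        "closed": closed,
        "day1": sorted(ledger.active_purposes("P-0001", t0 + timedelta(days=1))),
        "day6": sorted(ledger.active_purposes("P-0001", t0 + timedelta(days=6))),
        "day40": sorted(ledger.active_purposes("P-0001", t0 + timedelta(days=40))),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: `is_permitted` takes the instant of processing as an argument, so an audit can answer "was this share lawful when it happened" rather than only "is it lawful now"; and withdrawal closes a record instead of deleting it, so the ledger itself remains the evidence trail.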
Parental consent for minors
DPDPA defines a child as anyone under 18, which is significantly broader than GDPR's 16-year threshold and US COPPA's 13-year threshold. For pediatric care, parental consent has to be verifiable. The implementing rules will clarify what counts as verifiable, but expect Aadhaar-based or government-ID-based verification to feature prominently.
Behavioral monitoring and targeted advertising aimed at children are prohibited outright. For pediatric digital therapeutics platforms, this means engineering changes to recommendation engines and notification systems. Educational content recommendations may still be permissible, but the line between educational and behavioral is going to be tested in early enforcement actions.
ABDM integration considerations
The Ayushman Bharat Digital Mission ecosystem already requires consent under DEPA. DPDPA layers additional fiduciary obligations on top. When a hospital pushes a discharge summary to a patient's Health Locker via ABDM, the patient's DEPA consent covers the transfer, but the hospital remains a data fiduciary for its own records. Both regimes apply simultaneously.
ABDM consent artifacts have a standardized JSON schema with explicit purpose, data range, and expiry. Hospitals integrating with ABDM should treat these artifacts as the canonical consent record for ABDM data flows, and maintain a separate DPDPA consent ledger for non-ABDM processing.
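Treating the ABDM artifact as canonical means checking every outbound ABDM record against it before the transfer leaves the hospital. Below is an added example for this article, not ABDM's reference implementation and not the official artifact schema; the field layout (`purpose.code`, `permission.dateRange`, `permission.dataEraseAt`, `hiTypes`) is a simplified assumption used only to show the shape of the check, and the consent ID, purpose code and dates are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed artifact with an assumed, simplified field layout (not the official ABDM schema).
SAMPLE_ARTIFACT = {
    "consentId": "EXAMPLE-CONSENT-0001",  # placeholder, not a real ABDM consent id
    "purpose": {"text": "Care Management", "code": "CAREMGT"},
    "permission": {
        "accessMode": "VIEW",
        "dateRange": {"from": "2023-01-01T00:00:00Z", "to": "2024-03-31T23:59:59Z"},
        "dataEraseAt": "2024-06-30T00:00:00Z",
    },
    "hiTypes": ["DischargeSummary", "Prescription"],
}


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is normalised to +00:00."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_artifact(artifact: dict, request: dict, now: datetime) -> tuple[bool, list[str]]:
    """Decide whether one outbound record (`request`) is covered by `artifact`.

    Returns (allowed, reasons). Fails closed: a missing or unparsable field is a denial.
    """
    try:
        purpose = artifact["purpose"]["code"]
        permission = artifact["permission"]
        date_from = _parse(permission["dateRange"]["from"])
        date_to = _parse(permission["dateRange"]["to"])
        erase_at = _parse(permission["dataEraseAt"])
        hi_types = set(artifact["hiTypes"])
        req_purpose = request["purpose"]
        req_type = request["hiType"]
        record_date = _parse(request["recordDate"])
    except (KeyError, TypeError, ValueError) as exc:
        return False, [f"malformed artifact or request: {exc!r}"]

    reasons: list[str] = []
    if now >= erase_at:
        reasons.append("artifact expired (dataEraseAt passed)")
    if req_purpose != purpose:
        reasons.append(f"purpose {req_purpose!r} is not the consented {purpose!r}")
    if req_type not in hi_types:
        reasons.append(f"record type {req_type!r} not in consented hiTypes")
    if not (date_from <= record_date <= date_to):
        reasons.append("record date outside consented dateRange")
    return (not reasons), reasons


def demo() -> dict:
    """Constructed requests: one in scope, three that must be refused, one malformed."""
    now = datetime(2024, 4, 15, tzinfo=timezone.utc)
    base = {"purpose": "CAREMGT", "hiType": "DischargeSummary",
            "recordDate": "2024-03-10T10:00:00Z"}
    return {
        "in_scope": check_artifact(SAMPLE_ARTIFACT, base, now),
        "wrong_type": check_artifact(SAMPLE_ARTIFACT, {**base, "hiType": "DiagnosticReport"}, now),
        "old_record": check_artifact(SAMPLE_ARTIFACT, {**base, "recordDate": "2022-06-01T00:00:00Z"}, now),
        "expired": check_artifact(SAMPLE_ARTIFACT, base, datetime(2024, 7, 1, tzinfo=timezone.utc)),
        "malformed": check_artifact({"purpose": {}}, base, now),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(name, "ALLOW" if ok else "DENY", why)
```

The reasons list is what goes into the hospital's own DPDPA ledger entry for the transfer attempt, so a refused push is as auditable as a completed one.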
Cross-border transfer realities
DPDPA allows cross-border transfers by default, with the government able to specifically restrict transfers to designated countries. The likely shape of restrictions is unclear, but healthcare data has been mentioned in consultative drafts as a candidate for heightened restrictions. Indian healthcare AI startups training models on cloud GPUs in US or European regions should plan a data residency contingency.
Engineering roadmap
- Stand up a consent management platform with itemized purposes
- Tag every data column in your EMR with the consent it relies on
- Build subject rights workflows for access, correction, and erasure with a 30-day SLA
- Implement breach detection and notification capability to the Data Protection Board
- Run DPIAs on every new use of patient data, especially AI-driven clinical decision support
- Prepare for SDF status with DPO appointment and audit readiness
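The second roadmap item, tagging every EMR column with the consent it relies on, is the one that turns the consent ledger into an enforceable control: a share with an insurer or a research team becomes a projection over the columns tagged for that purpose, and any column without a tag stops the share. The code below is an added example for this article, not a vendor's EMR schema; the column names, purpose tags and the sample record are constructed, and the set of active purposes is taken as an input (it would come from the consent ledger in practice).

```python
# Column -> purposes that column relies on. Assumed schema for this example,
# not ABDM's and not any EMR vendor's.
EMR_COLUMN_PURPOSES = {
    "patient_name":    {"treatment", "insurance_claim"},
    "date_of_birth":   {"treatment", "insurance_claim", "research"},
    "phone":           {"treatment", "marketing"},
    "diagnosis_codes": {"treatment", "insurance_claim", "research"},
    "clinical_notes":  {"treatment"},
    "bill_amount":     {"insurance_claim"},
}


class UntaggedColumnError(Exception):
    """Raised when a record carries a column with no consent tag; the share fails closed."""


def untagged_columns(record: dict, schema: dict = EMR_COLUMN_PURPOSES) -> list[str]:
    """Columns present in `record` that the schema has not classified."""
    return sorted(set(record) - set(schema))


def project(record: dict, purpose: str, active_purposes: set,
            schema: dict = EMR_COLUMN_PURPOSES) -> dict:
    """Return only the columns tagged for `purpose`, and only if that purpose is active.

    Untagged columns abort the call rather than being silently dropped or passed through,
    so schema drift (a new column added without a tag) is caught at the first share.
    """
    missing = untagged_columns(record, schema)
    if missing:
        raise UntaggedColumnError(f"columns without consent tag: {missing}")
    if purpose not in active_purposes:
        return {}
    return {col: val for col, val in record.items() if purpose in schema[col]}


def demo() -> dict:
    """Constructed record and consent state: treatment and insurer sharing active, research not."""
    record = {
        "patient_name": "A. Example",
        "date_of_birth": "1990-01-01",
        "phone": "+91-00000-00000",          # constructed placeholder
        "diagnosis_codes": ["E11.9"],
        "clinical_notes": "Routine follow-up.",
        "bill_amount": 12500,
    }
    active = {"treatment", "insurance_claim"}
    out = {
        "insurer": project(record, "insurance_claim", active),
        "research": project(record, "research", active),
    }
    try:
        project({**record, "genome_hash": "deadbeef"}, "treatment", active)
        out["untagged_raised"] = False
    except UntaggedColumnError:
        out["untagged_raised"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Note that `project` refuses a research share outright when that consent is absent, rather than returning a partial record: a partial result would look like a successful share to the caller and hide the missing consent.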
Timeline expectations
The Data Protection Board has been constituted and the rules are expected to be notified in stages through 2024. The grace period for compliance will likely be 12 to 18 months from rule notification. Hospitals should not wait. Patient trust and audit posture both reward early adoption, and the engineering work is substantial enough that compressing it into a 12-month sprint is painful.