On 23rd November 2022, India's largest government hospital, AIIMS Delhi, found itself in the middle of one of the biggest cyberattacks in Indian healthcare history. Servers were encrypted, hospital operations froze, and the personal medical data of an estimated 40 million patients was compromised. For nearly two weeks, the hospital ran on paper. The attackers reportedly demanded around ₹200 crore in cryptocurrency.
If a similar incident were to happen today, the consequences would extend well beyond operational disruption. The hospital would now face statutory penalties of up to ₹250 crore — under India's new digital privacy regime.
India's Digital Personal Data Protection (DPDP) Act was passed in August 2023, and its detailed operational rules — the DPDP Rules 2025 — were notified by the Ministry of Electronics and Information Technology on 13th November 2025. Together they impose binding obligations on every hospital, clinic, diagnostic lab, telemedicine app, pharmacy and individual medical practitioner that handles patient data in digital form.
This article explains what the law says, who it applies to, what hospitals and doctors must do, and how to prepare for compliance. It is aimed at hospital owners, hospital managers, and doctors running private practice, who may not have the time to read the 80-plus page Rules document in full.
1. What is the DPDP Act and the DPDP Rules?
The DPDP Act, 2023 is India's first comprehensive data privacy law. It is grounded in the Supreme Court's K. S. Puttaswamy judgement (2017), which recognised the Right to Privacy as a fundamental right under Article 21 of the Constitution. The Act itself set out the principles. However, the operational details — formats, timelines, processes — were left to subordinate rules, which the Government notified in November 2025.
The Rules provide for a phased compliance window of approximately 18 months. Some rules took effect immediately (e.g. registration of Consent Managers, constitution of the Data Protection Board); the substantive obligations on healthcare and other data fiduciaries are scheduled to become enforceable around mid-2027. In other words, the clock has started — and 18 months is not a long time for an institution to re-organise its data practices.
2. Why this applies to your hospital or clinic
The Act uses a key term: Data Fiduciary. A Data Fiduciary is any person or organisation that decides the purpose and means of processing personal data. Under this definition, the following are all Data Fiduciaries:
- Hospitals (both government and private)
- Nursing homes and polyclinics
- Individual doctors with digital appointment systems, EMRs, or even basic computerised patient registers
- Diagnostic laboratories, pathology labs and imaging centres
- Pharmacies that maintain customer records
- Telemedicine platforms, health-tech startups, EMR vendors
- Physiotherapists, dentists, mental health professionals, and allied health practitioners maintaining patient records on any digital device — including mobile phones
An important point that many practitioners miss: the Act applies to digital personal data, even if it was originally collected on paper and later digitised. So a clinic that maintains paper case sheets but scans them or types them into software is fully within scope.
This is a paradigm shift. Until now, hospital data protection in India was governed by a patchwork of sector-specific rules — the Clinical Establishments Act, IT Act 2000, Mental Healthcare Act 2017, IRDAI regulations for insurance, the various licenses and permits hospitals already hold, and accreditation standards such as NABH. The DPDP Act adds a horizontal, cross-cutting layer that applies in addition to these existing rules.
3. The Six Key Obligations Every Healthcare Provider Must Meet
3.1 Itemised, specific consent
This is the biggest cultural change for Indian hospitals. The traditional admission form — where a patient signs once and the hospital uses that signature to justify treatment, billing, sharing with insurance company, sharing with the corporate referrer, sending marketing reminders, and even using the data in case studies — will no longer be valid.
Rule 3 of the DPDP Rules 2025 requires verifiable consent notices that are independent, in plain language, and that itemise exactly what data is being collected and precisely how it will be used. Each purpose needs its own consent, and the patient must be able to withdraw any one of them without affecting the others.
Hospitals that have already developed practices around general consent and informed consent will need to extend that thinking into the digital domain. A treatment consent is one thing; data sharing consent is a separate thing. Both will need to be documented properly.
3.2 Reasonable security safeguards
Rule 6 of the DPDP Rules 2025 prescribes the following as minimum security safeguards:
- Encryption of personal data, both at rest and in transit
- Multi-factor authentication (MFA) for users accessing systems
- Role-based access controls so that only authorised personnel see data relevant to their function
- Audit logs that are maintained for at least one year
- Annual vulnerability assessments and penetration testing
- Backup systems to ensure data continuity
The practical implication is uncomfortable for many Indian hospitals: the practice of having one shared password for the hospital information system (HIS) that everyone — from the night-shift receptionist to the ward attender — uses, must end. Each staff member needs their own access credentials and a defined role-based permission set.
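The following is an added illustration, not code from the article or from any HIS vendor, of how the Rule 6 controls just listed fit together in software: one credential per person, an MFA gate, a role-to-permission table, and an audit log that records both allowed and denied requests and is pruned only past the one-year floor. The roles, permissions, user names and patient identifiers are constructed for the example.

```python
"""Added example (not code from the article): per-user credentials, MFA gating,
role-based access and audit logging for a hospital information system.
Roles, permissions, users and patient ids below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Assumed role -> permitted (resource, action) pairs. A real HIS would load this
# from configuration; the point is that permissions follow the person's function.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "receptionist": {("appointment", "read"), ("appointment", "write"),
                     ("demographics", "read")},
    "nurse": {("demographics", "read"), ("clinical_note", "read"),
              ("vitals", "write")},
    "doctor": {("demographics", "read"), ("clinical_note", "read"),
               ("clinical_note", "write"), ("lab_result", "read")},
    "billing": {("demographics", "read"), ("invoice", "read"),
                ("invoice", "write")},
}

AUDIT_RETENTION = timedelta(days=365)  # Rule 6 floor: keep audit logs at least one year


@dataclass
class User:
    user_id: str         # one credential per person, never a shared login
    role: str
    mfa_verified: bool   # True only after the second factor succeeded


@dataclass
class AuditEntry:
    when: datetime
    user_id: str
    patient_id: str
    resource: str
    action: str
    allowed: bool


@dataclass
class AccessController:
    audit_log: List[AuditEntry] = field(default_factory=list)

    def authorise(self, user: User, patient_id: str, resource: str,
                  action: str, now: Optional[datetime] = None) -> bool:
        """Decide one access request and record it, whether allowed or denied."""
        now = now or datetime.now(timezone.utc)
        permitted = (resource, action) in ROLE_PERMISSIONS.get(user.role, set())
        allowed = user.mfa_verified and permitted
        self.audit_log.append(AuditEntry(now, user.user_id, patient_id,
                                         resource, action, allowed))
        return allowed

    def accesses_to(self, patient_id: str) -> List[AuditEntry]:
        """Answer 'who touched this patient's record?' from the log."""
        return [e for e in self.audit_log if e.patient_id == patient_id]

    def denied_count(self, user_id: str) -> int:
        """Denied attempts per user: a simple signal of a misassigned role or misuse."""
        return sum(1 for e in self.audit_log
                   if e.user_id == user_id and not e.allowed)

    def prune(self, now: datetime) -> int:
        """Drop only entries older than the retention floor; return how many went."""
        cutoff = now - AUDIT_RETENTION
        before = len(self.audit_log)
        self.audit_log = [e for e in self.audit_log if e.when >= cutoff]
        return before - len(self.audit_log)


if __name__ == "__main__":
    ac = AccessController()
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    doctor = User("dr_sharma", "doctor", mfa_verified=True)
    desk = User("recep_night", "receptionist", mfa_verified=True)
    print(ac.authorise(doctor, "P1001", "clinical_note", "read", t0))  # True
    print(ac.authorise(desk, "P1001", "clinical_note", "read", t0))    # False
    print(len(ac.accesses_to("P1001")))                                # 2
```

Because every decision is logged against an individual `user_id`, the log can answer the questions a breach investigation and a patient access request both ask: who saw which record, when, and whether the attempt was refused. A shared login cannot produce that answer.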
3.3 Breach notification within 72 hours
This is perhaps the most operationally demanding obligation. If a hospital experiences a personal data breach — whether it's a ransomware attack, a stolen laptop, an employee leaking records, or a misconfigured server — it must:
- Notify each affected patient without delay, in plain language, telling them what happened, what data is exposed, what risks they face, and what they should do
- Send an initial intimation to the Data Protection Board of India
- Submit a detailed report to the Board within 72 hours of becoming aware of the breach
The 72-hour clock starts when the hospital becomes aware of the breach, not when its investigation is complete. This means hospitals must have incident detection mechanisms, an internal escalation process, and pre-drafted breach communication templates ready in advance. This is similar in spirit to disaster and emergency preparedness planning — you need the plan ready before the emergency strikes, not during it.
3.4 Purpose limitation and erasure
Personal data may be used only for the purpose for which it was collected. Once that purpose is fulfilled, or the patient withdraws consent, the data must be erased. The Rules require that the patient be given at least 48 hours' prior notice before erasure.
Here lies an interesting tension: the Clinical Establishments Act, the Indian Medical Council regulations, and IRDAI rules generally require medical records to be preserved for 3 to 5 years (or longer for specific cases such as medico-legal records or paediatric records). Hospitals will need to map every category of data against the strictest applicable retention rule and document the rationale for keeping data beyond its initial purpose.
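As an added example (not from the article, and not using the real retention figures of any regulation), this is one way to encode the mapping described above: for each record category, the strictest statutory floor is compared with the DPDP point at which the data is no longer necessary, the later date wins, the rationale is recorded, and the 48-hour notice date is derived from it. The category names, rule names and day counts are constructed placeholders that a hospital would replace after its own legal review.

```python
"""Added example (not from the article): resolving DPDP erasure against
statutory retention floors per record category. Rule names and periods are
constructed placeholders, not the actual figures of any regulation."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# category -> {rule name: minimum retention in days from record creation}
# (assumed values for illustration only)
STATUTORY_MINIMUM_DAYS: Dict[str, Dict[str, int]] = {
    "opd_record": {"clinical_establishments_act": 3 * 365},
    "ipd_record": {"clinical_establishments_act": 3 * 365,
                   "medical_council_norms": 5 * 365},
    "medico_legal": {"clinical_establishments_act": 3 * 365,
                     "medico_legal_hold": 10 * 365},
    "marketing_contact": {},  # consent-only data: no statutory floor
}

NOTICE_BEFORE_ERASURE = timedelta(hours=48)  # Rules: 48 hours' prior notice


def retention_plan(category: str, record_created: datetime,
                   purpose_ended: datetime) -> Dict[str, object]:
    """Return when a record must be erased, when the patient must be told,
    and the documented rationale. purpose_ended is the earlier of purpose
    fulfilment and consent withdrawal."""
    floors = STATUTORY_MINIMUM_DAYS.get(category, {})
    strictest_rule: Optional[str] = None
    statutory_end: Optional[datetime] = None
    if floors:
        # The strictest applicable rule is the one with the longest minimum.
        strictest_rule, days = max(floors.items(), key=lambda kv: kv[1])
        statutory_end = record_created + timedelta(days=days)
    if statutory_end is not None and statutory_end > purpose_ended:
        erase_on = statutory_end
        rationale = f"retained beyond purpose: {strictest_rule} minimum"
    else:
        erase_on = purpose_ended
        rationale = "DPDP purpose limitation: no longer necessary"
    return {"category": category, "erase_on": erase_on,
            "notify_on": erase_on - NOTICE_BEFORE_ERASURE,
            "rationale": rationale}


def due_for_notice(plans: List[Dict[str, object]], now: datetime) -> List[str]:
    """Categories whose 48-hour erasure notice should have gone out by `now`
    and whose erasure date has not yet passed."""
    return [p["category"] for p in plans
            if p["notify_on"] <= now < p["erase_on"]]


if __name__ == "__main__":
    created = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for cat in STATUTORY_MINIMUM_DAYS:
        plan = retention_plan(cat, created, created + timedelta(days=150))
        print(cat, plan["erase_on"].date(), plan["rationale"])
```

Keeping the rationale string alongside the dates is deliberate: it is the documented justification for holding data past its original purpose that the article says hospitals will need, and it can be shown to an auditor or to a patient who asks why a record has not yet been erased.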
3.5 Patient rights handling
Patients (whom the Act calls Data Principals) now have legally enforceable rights to:
- Access a summary of their personal data held by the hospital
- Have errors in their data corrected
- Demand erasure of data when no longer necessary
- Raise grievances through a defined mechanism
- Nominate another person to exercise these rights on their behalf, particularly in case of death or incapacity
This list is conceptually consistent with the patients' rights framework that NABH and the MoHFW have been advocating for many years (see my earlier comments on the draft Charter of Patients' Rights). But the DPDP Act gives these rights statutory teeth, with monetary penalties for non-compliance. Hospitals will need to designate a contact officer who handles these requests, and have an internal workflow to respond within a reasonable time.
3.6 Vendor and processor contracts
Most modern hospitals rely on external vendors: cloud storage providers, EMR / HIS software vendors, outsourced laboratory partners, medical transcription services, billing software providers, teleradiology services, and so on. Under the DPDP Act, these vendors are Data Processors, and the hospital — as the Data Fiduciary — remains liable for what they do with patient data.
This means every vendor contract must be reviewed and updated. The contract must explicitly require the vendor to:
- Process personal data only for the purpose defined by the hospital
- Implement equivalent security safeguards
- Cooperate in breach notification
- Delete or return data at the end of the engagement
- Submit to audits if required
4. Healthcare-specific exemptions in the law
The law is not blind to clinical realities. The DPDP Rules 2025 contain important carve-outs that healthcare providers should be familiar with:
Medical emergencies: When a patient arrives in the Emergency Department unconscious or in a critical condition, the hospital may process their personal data — including medical history retrieved from previous records — for the purpose of saving life or providing urgent medical treatment, without going through the formal consent process. This exemption flows from Section 7 of the Act.
Public health responses: During an outbreak, epidemic, or other public health emergency, government health authorities can process personal data without individual consent — for example, contact tracing during a viral outbreak, or registering patients for emergency vaccination.
Children's data — the biggest healthcare carve-out: Section 9 of the Act treats anyone under 18 years as a "child" and requires verifiable parental consent for processing their data. This would have made paediatric practice nearly impossible. However, Rule 12 and the Fourth Schedule of the DPDP Rules 2025 specifically exempt clinical establishments, mental health institutions, healthcare professionals, and allied health practitioners from the full verifiable parental consent framework when processing children's data for the purpose of providing health services. The exemption is narrow — it applies only for treatment-related processing. Marketing, research, or any commercial use of paediatric data still requires verifiable parental consent.
Statutory disclosures: Where a hospital is required by law to share data — such as notifying communicable diseases under public health laws, reporting birth and death data, complying with court orders, or sharing data for the Ayushman Bharat Digital Mission — these disclosures are protected.
Vulnerable patients: Care of vulnerable patients — including those who cannot give consent due to mental incapacity, unconsciousness, or being a minor without guardian — needs additional thought. The Rules permit a lawful guardian to provide consent on behalf of a person with disability who cannot make legal decisions even with support. Hospitals will need protocols to verify guardianship in such cases.
5. Are you a Significant Data Fiduciary?
The Government may designate certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data they process, risk to electoral democracy, security of the State, and other factors. Large hospital chains, major diagnostic laboratory networks, and big health-tech platforms are expected to be designated as SDFs.
SDFs have additional obligations:
- Conduct annual Data Protection Impact Assessments (DPIA) and submit them to the Board
- Undergo an annual independent data audit
- Appoint a full-time Data Protection Officer (DPO) based in India
- Conduct an algorithmic fairness assessment of any decision-making algorithms used
The last point is particularly important for hospitals that are starting to deploy artificial intelligence — for example, AI-based image interpretation in radiology, AI-driven triage tools, or predictive analytics for ICU early-warning. Such tools will need to be assessed for bias across gender, age and demographic groups before deployment.
6. The penalties — what's at stake
The Schedule to the DPDP Act lays down maximum penalties that the Data Protection Board may impose. These are not nominal sums — they are large enough to materially affect even big hospital chains:
- Up to ₹250 crore for failure to implement reasonable security safeguards
- Up to ₹200 crore for failure to notify a personal data breach
- Up to ₹200 crore for non-compliance with provisions for children's data
- Up to ₹150 crore for failure to meet SDF obligations
- Up to ₹10,000 on the patient for filing frivolous complaints or providing false data
The Board has discretion in setting the actual penalty, considering factors such as the nature of the data, the gravity and duration of the breach, whether it was repetitive, and the steps taken by the Data Fiduciary to mitigate the harm. Even at fractions of the maximum, these penalties can disrupt the finances of any hospital.
The reputational damage from a publicised healthcare data breach often exceeds the regulatory penalty. Patients trust hospitals with the most intimate information about themselves — their diseases, their mental health, their reproductive choices, their genetic profile. A breach erodes that trust in ways that are very hard to repair.
7. Preparing your hospital or clinic — a 10-point action plan
Compliance is not a one-time activity. It requires institutional change. Here is a practical 10-point action plan that any hospital — large or small — can begin working on right away:
| # | Action | Responsibility |
|---|---|---|
| 1 | Appoint a privacy officer (or a full Data Protection Officer if the hospital is large) | Hospital management / Board |
| 2 | Map every patient data flow: registration, OPD, IPD, lab, pharmacy, billing, insurance, ABDM, telemedicine, research | Privacy Officer + IT + Operations |
| 3 | Rewrite all consent forms — itemised, plain language, multilingual where needed | Privacy Officer + Medical Director + Legal |
| 4 | Review and renegotiate vendor contracts (EMR, cloud, lab, transcription, telerad, etc.) | Privacy Officer + Procurement + Legal |
| 5 | Implement encryption, MFA, role-based access, and audit logs | IT Department |
| 6 | Build a 72-hour breach response playbook and conduct mock drills | Privacy Officer + IT + Communications |
| 7 | Train all staff — especially front-desk, nursing, billing, and pharmacy | HR + Privacy Officer |
| 8 | Set up a patient rights request handling workflow with documented response times | Privacy Officer + Medical Records Department |
| 9 | Map retention rules across DPDP, Clinical Establishments Act, MCI norms, IRDAI, Mental Healthcare Act | Privacy Officer + Legal + Medical Records |
| 10 | If designated as an SDF — initiate the annual DPIA, independent audit, and algorithmic fairness assessment process | Board + DPO + External auditor |
8. A word for doctors in private practice
The Act does not exempt single-doctor clinics. If you maintain digital appointment records, send prescriptions over WhatsApp, store ultrasound images on Google Drive, or use a basic clinic software — you are a Data Fiduciary under the law.
For solo practitioners, the practical priorities should be:
- Move off personal Gmail and personal Google Drive for patient data. Use a dedicated clinic software or a paid business cloud account with proper access controls.
- Stop using personal WhatsApp for patient communication. Either use WhatsApp Business with documented consent or a HIPAA/DPDP-aware messaging platform.
- Update your consent forms to itemise treatment, billing, insurance, and communication-related consents separately.
- Lock down your devices — encrypt your laptop hard drive, use device-level passcodes, and enable MFA on all accounts you use for clinic work.
- Get written agreements from your receptionist, attender, and any other person who has access to patient data — about confidentiality and data handling.
- Define a retention period for inactive patient records based on applicable law, and put a process in place to delete data after that period.
9. Conclusion
The DPDP Act, when stripped of its legal language, is making a simple point: patient data is sensitive, patients have rights over it, and hospitals are trustees of that data. None of this is conceptually new for healthcare. The Hippocratic Oath has been saying something similar for over 2,000 years. What the Act does is to convert these long-standing ethical principles into legally enforceable obligations with serious monetary consequences.
Hospitals and clinics that begin preparing now will find compliance manageable. Those that wait until the enforcement deadline approaches will struggle, both because vendors and consultants will be in short supply and because the cost of catching up gets higher with every passing month.
The AIIMS attack of 2022 was a warning shot. The next major incident in Indian healthcare will not be just a cybersecurity story — it will be a regulatory enforcement story too. Better to be ready.
Disclaimer: This article is intended for informational purposes only and does not constitute legal advice. Hospitals and healthcare providers should consult qualified legal counsel for advice on their specific circumstances. Some details of the DPDP Rules 2025 may be amended by the Government, and readers are advised to check the latest notifications from the Ministry of Electronics and Information Technology and the Data Protection Board of India.
Further reading on this blog:
- General Consent and Informed Consent in Hospitals
- Fulfilling patients' rights in hospital
- Licenses, permits and other legal documents required to open and operate a hospital
- Taking Care of Vulnerable Patients
- Uniform Care Policy for Hospitals