Healthcare AI | 13 May 2026 | 10 min read

DPDP Act Compliance for Indian Clinics: A Practical Guide (2026)

The Digital Personal Data Protection Act 2023 (DPDP) is now operational for Indian healthcare. This guide explains what DPDP requires for clinics, what changes from earlier privacy norms, the consent and rights obligations, and what your clinic software must do to keep you compliant.

Healthcare with AI Editorial Team

Quick answer

The Digital Personal Data Protection Act 2023 (DPDP) is India's comprehensive data protection law. For Indian clinics, DPDP requires: (1) explicit, informed consent before processing patient personal data; (2) purpose limitation — use the data only for the purpose consented to; (3) data residency in India for sensitive personal data including health; (4) patient rights including access, correction, and erasure; (5) breach notification to the Data Protection Board within a defined window; (6) opt-in defaults for AI-driven communication rather than opt-out. Most modern clinic management platforms — including Healthcare with AI — ship DPDP-aligned defaults that handle the bulk of compliance automatically.

What DPDP actually says (briefly)

The DPDP Act applies to any "Data Fiduciary" (the entity deciding the purpose and means of processing personal data) handling personal data of Indian individuals. A clinic is a Data Fiduciary — it decides why patient data is collected and how it is processed.

Key requirements relevant to a clinic:

  1. Consent must be free, specific, informed, and unconditional. The patient must know what data is collected, why, and for how long. Consent for one purpose (e.g., booking an appointment) cannot be bundled with consent for unrelated purposes (e.g., marketing).
  2. Right to withdraw consent. A patient can withdraw consent at any time; the clinic must stop processing data for that consented purpose, although it may retain data for legal/clinical record-keeping obligations.
  3. Purpose limitation. Data collected for clinical care cannot be used for unrelated commercial purposes without separate consent.
  4. Data accuracy and erasure. Patients have the right to correct inaccurate data and request erasure where no overriding legal obligation requires retention.
  5. Reasonable security safeguards. The clinic must protect patient data from unauthorised access, use, or disclosure.
  6. Data breach notification. Breaches must be reported to the Data Protection Board within the prescribed timeframe.
  7. Children's data. Patients under 18 require parental/guardian consent. Verifiable consent mechanisms must be in place.

What this means in practice for a clinic

For a typical Indian clinic in 2026, DPDP compliance breaks down into these operational pieces:

At registration / first visit:

  • Collect explicit consent for patient registration and clinical care. This is the base consent.
  • Separately collect consent for AI-driven follow-up calls/messages if you plan to use them. This must be opt-in, not opt-out.
  • Separately collect consent for any marketing communication.
  • Record consent timestamps and the exact terms consented to.

Ongoing operations:

  • Honour withdrawal of consent within the legal timeframe.
  • Provide patients access to their own records on request.
  • Provide a clear data-deletion path if requested (subject to clinical retention obligations).

Technology side:

  • Patient data hosted in India (data residency).
  • Encryption in transit and at rest.
  • Role-based access control (only authorised clinic staff see clinical records).
  • Audit trail of who accessed which record when.

Breach response:

  • If a data breach occurs, notify the Data Protection Board within the prescribed window and inform affected patients.

What changes from the pre-DPDP norm

Pre-DPDP, many Indian clinics ran on informal data practices: paper records left on the front desk, WhatsApp messages from personal numbers, patient data exported to spreadsheets for marketing. DPDP makes these increasingly risky:

  • Consent is now a documented obligation, not a casual courtesy. Verbal consent at the front desk is harder to demonstrate later if questioned.
  • Default settings matter legally. An "opt-out" default that auto-enrolled patients in marketing is now non-compliant; opt-in is the legal baseline.
  • Data residency is enforced. Cloud-based clinic software hosted outside India is now in a grey zone for clinic patient data.
  • Patient-facing AI without explicit consent is risky. Sending automated AI follow-up calls without prior opt-in is a DPDP exposure.

What clinic software must do

A DPDP-aligned clinic management platform should ship the following by default:

  1. Patient consent capture at registration. Structured consent records with timestamp, terms version, and signature/checkbox.
  2. Opt-in by default for AI features. Patient-facing AI follow-ups, AI auto-replies, and similar features should be off by default and require explicit per-patient opt-in.
  3. India data residency. All patient records hosted on Indian infrastructure.
  4. Role-based access. Doctor, staff, admin roles with appropriate read/write scoping.
  5. Audit trail. Who accessed which record when, with retention.
  6. Patient data export + deletion endpoints. Patient requests should be serviceable through the software, not through manual paperwork.
  7. Encryption in transit and at rest. TLS for transport, AES-256 or similar for storage.
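The consent-capture, opt-in and audit-trail requirements above (and the per-purpose consent flow described under "What this means in practice") can be sketched as a small consent ledger. This is an added illustration, not code from Healthcare with AI or from any real platform; the purpose names, patient id and actor labels are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Each purpose is consented to separately; holding one never implies another (no bundling).
PURPOSES = {"clinical_care", "ai_followup", "marketing", "insurance_sharing"}


@dataclass
class ConsentRecord:
    patient_id: str
    purpose: str
    terms_version: str          # exact terms the patient agreed to
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None   # set on withdrawal; record itself is retained


class ConsentLedger:
    """Per-patient, per-purpose consent store with an append-only audit trail."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []
        self.audit: list[tuple[str, str, str, str]] = []   # (utc timestamp, actor, action, detail)

    def record_event(self, actor: str, action: str, detail: str) -> None:
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, action, detail))

    def grant(self, patient_id: str, purpose: str, terms_version: str, actor: str) -> ConsentRecord:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        rec = ConsentRecord(patient_id, purpose, terms_version, datetime.now(timezone.utc))
        self._records.append(rec)
        self.record_event(actor, "consent_granted", f"{patient_id}:{purpose}:v{terms_version}")
        return rec

    def withdraw(self, patient_id: str, purpose: str, actor: str) -> None:
        # Withdrawal stops processing for that purpose only; the record stays for record-keeping.
        for rec in self._records:
            if rec.patient_id == patient_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = datetime.now(timezone.utc)
        self.record_event(actor, "consent_withdrawn", f"{patient_id}:{purpose}")

    def has_consent(self, patient_id: str, purpose: str) -> bool:
        return any(r.patient_id == patient_id and r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records)


def may_send_ai_followup(ledger: ConsentLedger, patient_id: str, actor: str = "followup-scheduler") -> bool:
    """Opt-in default: the scheduler stays silent unless 'ai_followup' was granted specifically."""
    allowed = ledger.has_consent(patient_id, "ai_followup")
    ledger.record_event(actor, "ai_followup_check", f"{patient_id}:{'allowed' if allowed else 'blocked'}")
    return allowed
```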

How Healthcare with AI handles DPDP

Healthcare with AI ships DPDP-aligned defaults out of the box:

  • Patient-facing AI is opt-in by default. Patient auto-follow-up calling and AI assistant features are off by default; tenant admin must enable per their consent flow.
  • Data residency in India. Patient records and AI conversation logs are hosted on Indian cloud infrastructure.
  • Role-based access. Doctor, staff, admin, and super-admin roles with appropriate scoping.
  • Encrypted in transit and at rest. TLS for transport, server-side encryption for storage.
  • Patient consent records. Captured at registration; can be exported on request.

Frequently asked questions

Is DPDP enforced today?

The DPDP Act 2023 has been notified and rules are being operationalised over 2025-2026. While enforcement is ramping, the legal exposure exists today — clinics with non-compliant practices face increasing risk.

Do small solo clinics need to comply?

Yes. DPDP applies to all Data Fiduciaries regardless of size. Some obligations are scaled (e.g., the Data Protection Officer requirement depends on the volume of data processed), but the consent, residency, and rights obligations apply universally.

What is the penalty for DPDP violations?

DPDP provides for financial penalties up to ₹250 crore for certain violations, scaled by severity. For most clinics, the practical exposure is reputational and patient-trust damage rather than maximum penalties.

Does DPDP apply to patient data shared with insurance companies?

Yes. Sharing patient data with an insurance company requires explicit consent for the specific purpose. The clinic should not bundle insurance-data consent with general clinical-care consent.

How is DPDP different from HIPAA?

HIPAA is US-specific and does not apply in India. DPDP is the Indian equivalent. Some principles overlap (consent, security, breach notification) but the legal mechanisms and penalties differ significantly.

Can patients request their full medical record under DPDP?

Yes. The right to access is part of DPDP. Clinics should be able to deliver a patient's full record on request within the legally defined timeframe.

Closing note

DPDP is not optional. The good news for most clinics: if you have moved to a modern, India-hosted clinic management platform with opt-in defaults, you are already operating in DPDP-aligned mode. The harder situations are paper-based clinics, clinics running on personal WhatsApp accounts, or those using cloud software hosted outside India — these need active remediation in 2026.

Talk to your clinic management software vendor about their DPDP posture before assuming you are compliant. The defaults the software ships with — opt-in vs opt-out, India hosting vs offshore, consent capture vs informal — are what determine your practical exposure.

Tags: DPDP, data protection, India healthcare, clinic compliance, patient privacy, consent management