DPDP Act 2023 and Patient Data: What Every Indian Clinic Needs to Know
Shahul Hameed
India now has a data protection law. And if you run a clinic or hospital that stores patient records digitally — which, in 2026, is almost every clinic — it applies to you.
The Digital Personal Data Protection Act, 2023 (DPDP Act) received Presidential assent in August 2023. The implementation rules — the DPDP Rules 2025 — were notified by the Ministry of Electronics and Information Technology (MeitY) on November 13, 2025. Enforcement is now being phased in.
Most conversations about the DPDP Act have been aimed at tech companies and e-commerce platforms. Very little has been written for the clinician who just wants to know: what does this mean for my practice, and what do I need to do?
This post answers that — in plain language, without the legal jargon.
What this article covers:
What the DPDP Act 2023 is and when it applies to clinics
What Indian clinics are required to do as Data Fiduciaries
What the DPDP Rules 2025 (notified November 2025) added
How to evaluate AI tools and software vendors for DPDP compliance
A practical checklist for clinics to start now
Answers to the most common questions Indian clinicians are asking
What Is the DPDP Act?
The Digital Personal Data Protection Act, 2023 is India's first comprehensive law governing how personal data is collected, stored, and used in digital form. Before this, clinics operated under the Information Technology Act, 2000 and its associated rules — a framework designed for a different era that offered limited guidance for healthcare specifically.
The DPDP Act changes that. It establishes clear obligations for any organisation that collects or processes digital personal data — including hospitals, clinics, diagnostic centres, and health technology platforms.
Patient data — names, medical histories, diagnoses, treatment records, session recordings — is personal data under the Act. If your clinic stores any of this digitally, you are a Data Fiduciary under the law. That is a specific legal term with specific responsibilities attached to it.
What Does "Data Fiduciary" Mean for a Clinic?
A Data Fiduciary is any entity that determines why and how personal data is collected and used. As a clinic or hospital, you decide that patient data is collected for the purpose of treatment. That makes you the Data Fiduciary.
Your responsibilities as a Data Fiduciary include:
Obtaining valid consent. You must tell patients clearly what data you are collecting and why, before you collect it. Blanket consent buried in an admission form is no longer sufficient. The consent must be specific, informed, and freely given. Patients also have the right to withdraw consent at any time.
Purpose limitation. You can only use patient data for the purpose it was collected — treatment and care. Using it for research, marketing, or sharing it with third parties without explicit consent is a violation.
Data minimisation. You should only collect the data you actually need. Collecting excessive personal information "just in case" creates liability.
Security safeguards. The Rules require reasonable technical and organisational measures to protect patient data. This includes encryption, access controls, and secure storage.
Breach notification. If patient data is compromised, you are required to notify affected patients and the Data Protection Board of India promptly. The expected window is 72 hours.
Patient rights. Patients now have the right to access their data, request corrections, and ask for erasure. Your systems need to be able to handle these requests.
What About Mental Health Data Specifically?
This is worth addressing directly because mental health records carry an additional layer of sensitivity.
Unlike GDPR in Europe, the DPDP Act does not create a separate "sensitive data" category. All personal data is governed by the same framework. However, the Act's consent and purpose-limitation requirements apply with full force — and regulators, clinicians, and legal scholars have noted that mental health data warrants particular care given the real-world consequences of exposure: employment discrimination, insurance denial, family and social harm.
The DPDP Act also includes specific provisions around children's data. Clinical and mental health establishments are given some exemptions from verifiable consent requirements when processing children's data strictly for the purposes of providing health services — but this does not exempt them from the broader consent and security obligations.
What About AI Tools and Third-Party Vendors?
This is the question most clinic admins are not yet asking — but should be.
If your clinic uses a third-party software tool that processes patient data — an AI scribe, an EMR, a telemedicine platform, a scheduling system — that vendor is a Data Processor under the Act. You, as the clinic, remain the Data Fiduciary. You are responsible for ensuring your vendors handle patient data in a DPDP-compliant manner.
Concretely, this means asking any software vendor you work with:
Is patient data stored in India?
Is the data encrypted at rest and in transit?
Is patient data used to train AI models?
What is your breach notification process?
Can patient data be deleted upon request?
If a vendor cannot answer these questions clearly, that is a compliance risk for your clinic — not just for them.
At RxNote, patient data is stored in India, never used for model training, and encrypted throughout. You can see how RxNote handles clinical data — we can answer every one of these questions in writing.
The DPDP Rules 2025 — What Changed in November?
The DPDP Rules 2025, notified on November 13, 2025, operationalise the Act. Key additions relevant to clinics:
Consent Manager framework. Rules now define how consent must be obtained and managed digitally — relevant as clinics move toward digital intake forms and patient portals.
Phased enforcement. Not all provisions are active simultaneously. The Data Protection Board of India is being constituted now (Phase 1). Substantive compliance obligations for clinics will come into force in subsequent phases. This does not mean you can wait — it means now is the right time to prepare.
Penalties. The Act prescribes penalties of up to ₹250 crore for significant non-compliance. Smaller violations carry proportionate penalties, but the framework establishes that enforcement will be real.
A Practical Checklist for Clinics
You do not need a compliance team to begin. Here is where to start:
Audit what data you collect and where it lives. Make a list of every system that stores patient data — your EMR, your AI scribe, your telemedicine platform, your WhatsApp backups. Know where patient data is.
Review your consent process. Does your current patient intake form clearly explain what data is collected and why? Is it specific enough to meet the DPDP standard? If not, update it.
Talk to your vendors. Ask the questions listed above. Get answers in writing. If a vendor cannot confirm data residency in India, treat that as a risk.
Assign a responsible person. Someone in your clinic should own the question of data compliance — even if it is the clinic admin or the practice manager. For larger hospitals, a Data Protection Officer (DPO) may be required.
Document your data practices. Keep a simple record of what data you collect, why you collect it, how long you retain it, and who has access. This is your foundation if ever asked to demonstrate compliance.
Frequently Asked Questions
Is the DPDP Act applicable to small clinics and solo practitioners? Yes. Any entity that collects and processes patient data in digital form is a Data Fiduciary under the Act — regardless of size. A solo psychiatrist, a rheumatologist in private practice, or a homeopathic physician using digital records or an AI scribe is covered.
Does the DPDP Act apply to patient audio recordings? Yes. Audio recordings of consultations that are stored digitally are personal data under the Act. They must be stored securely, with patient consent, and retained only as long as necessary for the stated clinical purpose.
Is WhatsApp communication with patients covered under DPDP? Yes. If you share patient information over WhatsApp — reports, prescriptions, session summaries, discharge instructions — that data is covered. This is a grey area many clinics have not yet addressed and one of the most common sources of unintentional non-compliance.
What is the penalty for non-compliance with the DPDP Act? The Act prescribes penalties of up to ₹250 crore for significant breaches. Smaller violations carry proportionate penalties. The Data Protection Board of India is being constituted now and will handle enforcement.
Does the DPDP Act require patient data to be stored in India? The Act allows for cross-border data transfer to countries approved by the central government. However, storing patient data in India remains the safest and most defensible position for clinics — and is what RxNote.ai does by default.
How is the DPDP Act different from HIPAA? HIPAA is a United States law applicable to US healthcare providers. Indian clinics have no obligation to be HIPAA compliant — and HIPAA compliance does not mean DPDP compliance. The DPDP Act 2023 is India's equivalent and the regulation that actually applies to your practice. When evaluating any healthcare software vendor, ask about DPDP compliance specifically — not HIPAA.
Can patients ask a clinic to delete their data? Yes. The DPDP Act gives patients the right to erasure. Clinics need to have a process for handling such requests. However, data that is required to be retained under other laws — such as clinical records for medico-legal purposes — may be exempt from erasure requests for the relevant retention period.
Does the DPDP Act cover telemedicine consultations? Yes. Telemedicine sessions generate patient data — audio, video, chat transcripts, clinical notes. All of this is covered under the Act if stored digitally. Telemedicine platforms you use as a clinic are Data Processors under the Act, and you remain responsible for ensuring they are compliant.
The Bigger Picture
The DPDP Act is not a bureaucratic burden. It is a signal that patient data in India is finally getting the legal protection it deserves — and that clinics that take it seriously will earn a level of patient trust that those who ignore it will not.
For clinicians who have always been careful with patient confidentiality as a professional ethic, the Act simply codifies what good practice already looks like. The main adjustment is making that care systematic and documentable rather than informal.
India's healthcare system is digitising rapidly. AI tools, telemedicine platforms, and digital health records are becoming standard. The DPDP Act and Rules ensure that this digitisation happens in a way that protects patients — and the clinicians who serve them.
RxNote.ai is built for Indian clinicians. Patient data is stored in India, never used for model training, and processed in compliance with the DPDP Act 2023 and DPDP Rules 2025. If you have questions about how RxNote.ai handles your clinic's data, book a 20-minute call, and we will walk you through it.
Related reading: How Shadithya Psychiatric Hospital cut documentation time with RxNote