Skip to main content
DPDPdata protectioncompliance

DPDP Act 2023: What Every Hospital Needs to Know

India's Digital Personal Data Protection Act 2023 changes how hospitals collect, store, and use patient data. Here's a plain-language guide to what's required and what the penalties look like.

SpatiaMed Team

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection legislation. It received Presidential assent in August 2023 and rules are being notified progressively. For hospitals, which routinely collect highly sensitive personal and health data from thousands of patients, compliance is not optional — and the penalty structure makes non-compliance expensive.

This guide focuses specifically on what the DPDP Act requires of hospitals, written for hospital administrators rather than legal professionals.

What Is "Personal Data" Under DPDP?

The DPDP Act defines personal data as "any data about an individual who is identifiable by or in relation to such data." For hospitals, this clearly includes:

  • Patient name, phone number, email address, date of birth, and address
  • Health data: diagnosis, medication, test results, procedure records
  • Health insurance information
  • Photographs (including X-rays, MRI scans, clinical photographs)
  • Biometric data captured for identification

Health data is not separately categorised as "sensitive" under DPDP (unlike the EU's GDPR which created a special category for health data), but it is clearly personal data subject to all DPDP requirements.

The Core Requirements for Hospitals

1. Consent before collection

You must obtain free, specific, informed, and unambiguous consent from a patient before collecting their personal data. The consent:

  • Must be in plain language, not buried in a multi-page document
  • Must specify the purpose for which data is being collected
  • Must be withdrawable at any time

A registration form that says "I consent to [Hospital] using my data for treatment and related communications" — where the patient can choose to accept or not accept — meets the basic requirement. A pre-ticked box does not.

2. Purpose limitation

Data collected for treatment purposes can only be used for treatment-related activities unless the patient explicitly consents to additional uses. Using patient phone numbers for marketing campaigns without separate consent violates purpose limitation.

This has direct implications for patient recall campaigns and marketing automation: you need a specific consent tick-box for marketing communications, separate from the treatment consent.

3. Data minimisation

Collect only the data you need for the stated purpose. If you're booking an OPD appointment, you don't need the patient's annual income. If you're collecting data for a health camp, you don't need their home address.

4. Data principal rights

Patients have the right to:

  • Access their personal data held by the hospital
  • Correction of inaccurate data
  • Erasure of data when it's no longer needed or consent is withdrawn
  • Grievance redressal

You must appoint a Data Protection Officer (or designate a responsible person) and provide a grievance mechanism. A patient who asks to see or delete their data must receive a response within a defined timeframe (specific timelines are being set in the rules).

5. Security safeguards

Hospitals must implement "reasonable security safeguards" to prevent breaches. The rules will define what this means in practice, but at minimum it implies:

  • Access controls on patient records (not every employee should see all patient data)
  • Encrypted storage for sensitive health records
  • Audit logs of who accessed which records

6. Breach notification

In the event of a data breach, the hospital must notify the Data Protection Board and affected patients "in the prescribed manner" (detailed procedures are in the rules).

Penalties

The DPDP Act establishes a Data Protection Board with authority to impose penalties. The penalty schedule:

  • Failure to implement safeguards: up to ₹250 crore
  • Failure to notify breach: up to ₹200 crore
  • Non-fulfilment of data principal rights: up to ₹50 crore
  • Other violations: up to ₹50 crore

These are the maximum penalties; the Board has discretion on the actual amount based on the nature and duration of the violation, repeat offences, and mitigating factors.

What Hospitals Should Do Now

While full rules are still being notified, the Act's core principles are clear. Hospitals should:

  1. Audit current data collection: List every touchpoint where you collect patient data (registration forms, call recording, WhatsApp, diagnostic portals) and ensure consent is being collected
  2. Update consent forms: Separate treatment consent from marketing consent — these must be distinct choices
  3. Map your data flows: Know where patient data goes after collection (which software systems, which third parties like labs or insurance companies)
  4. Appoint a DPO or designate responsibility: Someone in the organisation must own data protection compliance
  5. Create a patient rights procedure: How will you respond when a patient asks to see or delete their data?

SpatiaMed's platform is built with DPDP compliance in mind — consent capture at registration, purpose-limited data use, and audit logs of patient data access. Talk to us if you'd like to understand how the platform handles your compliance obligations.