Beyond the DPDP Act: The Expanding Framework of Data Privacy in India’s Healthcare Sector
Healthcare data is among the most sensitive categories of personal information. Unlike ordinary personal data, medical records expose an individual’s physical condition, mental health, genetic traits, reproductive choices, disabilities, and even financial vulnerabilities. In the digital era, where hospitals, telemedicine platforms, insurance providers, pharmacies, wearable devices, and AI diagnostic systems continuously process patient information, protecting healthcare data is no longer merely a compliance obligation. It has become a constitutional necessity and a question of public trust.
Much of the recent discussion in India revolves around the Digital Personal Data Protection Act, 2023 (DPDP Act). While the DPDP Act undoubtedly forms the backbone of India’s emerging privacy regime, healthcare data privacy in India is governed by a far wider and fragmented legal ecosystem. Several sectoral laws, constitutional principles, ethical regulations, cybersecurity rules, and judicial precedents collectively shape the obligations of healthcare institutions.
This article examines the broader legal architecture governing healthcare data privacy in India and argues that healthcare privacy must be viewed through a multi-layered regulatory lens rather than through the DPDP Act alone.
Healthcare Data: Why It Requires Special Protection
Healthcare information differs fundamentally from ordinary personal data because of its permanence and sensitivity. A leaked password can be changed; a leaked diagnosis cannot. Medical data may expose conditions relating to HIV status, psychiatric illnesses, infertility treatment, gender transition, or genetic disorders: information capable of causing discrimination, stigma, and social exclusion.
The digitization of healthcare through electronic health records (EHRs), telemedicine, health-tech startups, and AI-driven diagnostics has significantly increased both the utility and vulnerability of health data. Cyberattacks on hospitals, unauthorized data sharing by applications, and insurance profiling practices have demonstrated that healthcare institutions are increasingly attractive targets for data exploitation.
Consequently, legal protection of healthcare data is no longer only about confidentiality between doctor and patient; it is also about cybersecurity, consent architecture, algorithmic accountability, and informational self-determination.
Constitutional Foundation: Privacy as a Fundamental Right
The legal foundation for healthcare data privacy in India originates not from the DPDP Act but from the landmark judgment in Justice K.S. Puttaswamy v. Union of India (2017), where the Supreme Court recognized privacy as a fundamental right under Article 21 of the Constitution.
The judgment emphasized informational privacy and acknowledged that individuals must retain control over dissemination of personal information. Importantly, the Court recognized that medical records form part of the “zone of privacy” deserving constitutional protection.
This constitutional recognition transformed data privacy from a contractual or statutory issue into a rights-based framework. Healthcare entities therefore do not merely handle data; they process constitutionally protected personal information.
The DPDP Act, 2023: A General Framework, Not a Complete Code
The DPDP Act introduced India’s first comprehensive data protection framework and applies to digital personal data processed within India. Healthcare providers, hospitals, laboratories, telemedicine companies, insurers, and health-tech platforms fall within its scope when processing patient information.
The Act imposes obligations relating to:
- lawful processing of personal data;
- informed consent;
- purpose limitation;
- data minimization;
- reasonable security safeguards; and
- grievance redressal mechanisms.
Healthcare organizations must also notify breaches and ensure that data is processed only for legitimate purposes.
However, the DPDP Act is not healthcare-specific. It does not comprehensively address:
- medical confidentiality;
- doctor-patient privilege;
- genetic data governance;
- clinical research ethics;
- AI-based medical profiling; or
- cross-border health data interoperability.
Therefore, relying solely on the DPDP Act provides an incomplete understanding of healthcare privacy obligations.
Information Technology Act and SPDI Rules
Before the DPDP Act, healthcare privacy was primarily regulated under the Information Technology Act, 2000 and the Sensitive Personal Data or Information Rules, 2011 (SPDI Rules).
The SPDI Rules explicitly classify the following as “sensitive personal data or information”:
- physical health conditions;
- medical records; and
- biometric information.
Under these rules, body corporates handling health data are required to:
- obtain consent before collection;
- maintain privacy policies;
- implement reasonable security practices; and
- prevent unauthorized disclosure.
Although the DPDP Act has altered the legal landscape, the IT Act continues to remain relevant, especially in relation to cybersecurity obligations and compensation for negligent handling of sensitive information under Section 43A.
In practice, hospitals may face overlapping obligations under both the IT framework and the DPDP regime until full regulatory harmonization occurs.
National Digital Health Mission and ABDM Framework
India’s healthcare ecosystem is undergoing rapid digitization through the Ayushman Bharat Digital Mission (ABDM), which seeks to create interoperable digital health infrastructure.
The ABDM framework introduces:
- Health IDs;
- digital health records;
- consent managers; and
- health information exchanges.
While the initiative promises efficiency and accessibility, it also creates unprecedented centralized repositories of medical data.
The Health Data Management Policy under ABDM attempts to incorporate privacy principles such as: consent-based sharing; purpose limitation; audit trails; and user control.
However, concerns remain regarding: re-identification risks; data centralization; private-sector access; cybersecurity vulnerabilities; and surveillance implications.
The future of healthcare privacy in India will depend significantly on how ABDM balances innovation with constitutional privacy safeguards.
Medical Ethics and Professional Confidentiality
Long before data protection statutes emerged, patient confidentiality existed as an ethical obligation under medical jurisprudence.
The National Medical Commission’s Code of Ethics imposes duties on medical practitioners to maintain confidentiality of patient information except in legally justified circumstances.
This ethical obligation creates an additional layer of accountability. Even where statutory privacy provisions are ambiguous, healthcare professionals may still face disciplinary consequences for unauthorized disclosures.
The principle of confidentiality also intersects with tort law, contractual obligations, and consumer protection claims.
Telemedicine and Digital Health Platforms
The rise of telemedicine platforms has expanded privacy concerns beyond traditional hospitals.
Telemedicine Practice Guidelines issued by the Government of India require registered medical practitioners to maintain confidentiality and ensure secure handling of patient information during virtual consultations.
However, digital health platforms often collect far more information than necessary, including: location data; behavioral patterns; device identifiers; and lifestyle metrics.
Many health applications share data with advertisers, analytics companies, or third-party service providers without meaningful informed consent.
This raises an important question: when healthcare becomes a platform, should patient data be treated as a commercial asset?
The answer will likely define the future trajectory of Indian healthcare regulation.
Cybersecurity: The Emerging Frontline
Healthcare institutions are increasingly vulnerable to ransomware attacks and data breaches. Hospitals often operate outdated systems while storing enormous volumes of highly valuable information.
Cyberattacks on healthcare systems can disrupt: emergency services; surgeries; diagnostic systems; and patient treatment.
Data privacy in healthcare therefore cannot be separated from cybersecurity governance.
CERT-In directions, cybersecurity incident reporting obligations, and security standards under the IT framework are becoming critical compliance requirements for healthcare entities.
Future healthcare regulation in India will likely move toward mandatory cybersecurity audits, encryption standards, breach simulations, and AI risk assessments.
Artificial Intelligence and Predictive Healthcare
AI systems are transforming diagnostics, insurance risk assessment, and patient profiling. Yet these technologies create profound privacy concerns.
AI systems trained on medical datasets may:
- infer sensitive conditions;
- reinforce discriminatory biases;
- generate opaque decisions; or
- compromise anonymization standards.
Indian law currently lacks a dedicated regulatory framework for AI in healthcare. The absence of explainability obligations and algorithmic accountability standards creates regulatory uncertainty.
Healthcare privacy discussions must therefore expand beyond data collection to include automated decision-making and ethical AI governance.
Healthcare data privacy in India cannot be understood through the DPDP Act alone. The legal framework extends across constitutional jurisprudence, the IT Act, SPDI Rules, medical ethics, cybersecurity regulations, telemedicine guidelines, and digital health policies.
As healthcare becomes increasingly data-driven, privacy must evolve from a compliance checkbox into a foundational principle of healthcare governance. The future challenge for India is not merely collecting health data efficiently, but ensuring that technological progress does not come at the cost of dignity, autonomy, and trust.
In the end, healthcare privacy is not only about protecting information; it is about protecting the individual behind the data.