Beyond the DPDP Act: The Expanding Framework of Data Privacy in India's Healthcare Sector

Healthcare data is among the most sensitive categories of personal information. Unlike ordinary personal data, medical records expose an individual's physical condition, mental health, genetic traits, reproductive choices, disabilities, and even financial vulnerabilities. In a digital era in which hospitals, telemedicine platforms, insurance providers, pharmacies, wearable devices, and AI diagnostic systems continuously process patient information, protecting healthcare data is no longer merely a compliance obligation. It has become a constitutional necessity and a question of public trust.

Much of the recent discussion in India revolves around the Digital Personal Data Protection Act, 2023 (DPDP Act). While the DPDP Act undoubtedly forms the backbone of India's emerging privacy regime, healthcare data privacy in India is governed by a far wider and more fragmented legal ecosystem. Several sectoral laws, constitutional principles, ethical regulations, cybersecurity rules, and judicial precedents collectively shape the obligations of healthcare institutions.

This article examines the broader legal architecture governing healthcare data privacy in India and argues that healthcare privacy must be viewed through a multi-layered regulatory lens rather than through the DPDP Act alone.

Healthcare Data: Why It Requires Special Protection

Healthcare information differs fundamentally from ordinary personal data because of its permanence and sensitivity. A leaked password can be changed; a leaked diagnosis cannot. Medical data may expose conditions relating to HIV status, psychiatric illness, infertility treatment, gender transition, or genetic disorders: information capable of causing discrimination, stigma, and social exclusion.
The digitization of healthcare through electronic health records (EHRs), telemedicine, health-tech startups, and AI-driven diagnostics has significantly increased both the utility and the vulnerability of health data. Cyberattacks on hospitals, unauthorized data sharing by applications, and insurance profiling practices have shown that healthcare institutions are increasingly attractive targets for data exploitation. Consequently, legal protection of healthcare data is no longer only about confidentiality between doctor and patient; it is also about cybersecurity, consent architecture, algorithmic accountability, and informational self-determination.

Constitutional Foundation: Privacy as a Fundamental Right

The legal foundation for healthcare data privacy in India originates not in the DPDP Act but in the landmark judgment in Justice K.S. Puttaswamy v. Union of India (2017), in which a nine-judge bench of the Supreme Court recognized privacy as a fundamental right protected under Article 21 and Part III of the Constitution. The judgment emphasized informational privacy and held that individuals must retain control over the dissemination of their personal information. Importantly, the Court recognized that medical records fall within the "zone of privacy" deserving constitutional protection.

This constitutional recognition transformed data privacy from a contractual or statutory issue into a rights-based framework. Healthcare entities therefore do not merely handle data; they process constitutionally protected personal information.

The DPDP Act, 2023: A General Framework, Not a Complete Code

The DPDP Act introduced India's first comprehensive data protection statute. It applies to digital personal data processed within India, and to processing outside India where it is connected with offering goods or services to individuals in India. Healthcare providers, hospitals, laboratories, telemedicine companies, insurers, and health-tech platforms fall within its scope when processing patient information.
The Act imposes obligations relating to lawful processing of personal data, informed consent, purpose limitation, data minimization, reasonable security safeguards, and grievance redressal. Data Fiduciaries must also notify personal data breaches to the Data Protection Board and to the affected individuals, and must process data only for lawful purposes.

However, the DPDP Act is not healthcare-specific. It does not comprehensively address medical confidentiality, doctor-patient privilege, genetic data governance, clinical research ethics, AI-based medical profiling, or cross-border health data interoperability. Notably, unlike the earlier SPDI Rules, the Act does not create a separate category of "sensitive" personal data at all, so health data receives no heightened statutory treatment under it. Relying solely on the DPDP Act therefore gives an incomplete picture of healthcare privacy obligations.

Information Technology Act and SPDI Rules

Before the DPDP Act, healthcare privacy was primarily regulated under the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). The SPDI Rules explicitly classify physical, physiological and mental health condition, medical records and history, and biometric information as "sensitive personal data or information." Under these rules, body corporates handling health data must obtain consent before collection, publish a privacy policy, implement reasonable security practices and procedures, and refrain from disclosing such information to third parties without the provider's consent.

Although the DPDP Act has altered the legal landscape, the IT Act remains relevant, particularly for cybersecurity obligations and for compensation for negligent handling of sensitive information under Section 43A. The Schedule to the DPDP Act omits Section 43A once the relevant provisions are brought into force, but until then hospitals face overlapping obligations under both the IT framework and the DPDP regime.

National Digital Health Mission and ABDM Framework

India's healthcare ecosystem is undergoing rapid digitization through the Ayushman Bharat Digital Mission (ABDM), which seeks to build interoperable digital health infrastructure.
The ABDM framework introduces health IDs (now the Ayushman Bharat Health Account, or ABHA), digital health records, consent managers, and health information exchanges. While the initiative promises efficiency and accessibility, it also links medical records across providers at unprecedented scale, and a single health identifier makes aggregation of an individual's records far easier than before. The Health Data Management Policy under ABDM incorporates privacy principles such as consent-based sharing, purpose limitation, audit trails, and user control. However, concerns remain regarding re-identification, aggregation of records under one identifier, private-sector access, cybersecurity vulnerabilities, and surveillance. The future of healthcare privacy in India will depend significantly on how ABDM balances innovation with constitutional privacy safeguards.

Medical Ethics and Professional Confidentiality

Long before data protection statutes emerged, patient confidentiality existed as an ethical obligation in medical jurisprudence. The professional conduct regulations administered by the National Medical Commission, rooted in the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, require medical practitioners to maintain the confidentiality of patient information except in legally justified circumstances, such as an order of a court, a serious and identified risk to a specific person or the community, or a notifiable disease.

This ethical obligation creates an additional layer of accountability. Even where statutory privacy provisions are ambiguous, healthcare professionals may still face disciplinary consequences for unauthorized disclosures. The principle of confidentiality also intersects with tort law, contractual obligations, and consumer protection claims.

Telemedicine and Digital Health Platforms

The rise of telemedicine platforms has pushed privacy concerns beyond traditional hospitals. The Telemedicine Practice Guidelines, issued in March 2020 as an appendix to the 2002 Regulations, require registered medical practitioners to maintain confidentiality and to handle patient information securely during virtual consultations. However, digital health platforms often collect far more information than necessary, including location data, behavioral patterns, device identifiers, and lifestyle metrics.
Many health applications share data with advertisers, analytics companies, or third-party service providers without meaningful informed consent. This raises an important question: when healthcare becomes a platform, should patient data be treated