HealthTech
DPDP Compliance for HealthTech Companies
The DPDP Act 2023 does not carve out a separate "sensitive personal data" category, but health data is among the most sensitive personal data a business can hold, and the Act's highest penalty applies to failures of the security safeguards that protect it. Diagnostic records, prescriptions, and patient identifiers require specific, informed consent tied to a clearly stated purpose.
600M+
Ayushman Bharat Digital Mission health IDs created
10,000+
HealthTech startups operating in India
250 Cr
Maximum DPDP penalty per incident
Obligations
Your DPDP Obligations as a HealthTech Company
The DPDP Act 2023 imposes specific requirements based on how your organisation processes personal data. These are the obligations most relevant to healthtech operations.
Explicit Health Data Consent
Section 6 requires consent that is free, specific, informed, unconditional and unambiguous, and limited to the purpose specified in the notice. A single bundled consent covering diagnosis, treatment, research, and insurance claims fails the "specific" test, so record consent for each purpose separately and be able to show which consent covered which processing. Section 7 allows processing without consent in a medical emergency or an immediate threat to the patient's health, but that exception does not extend to research or insurance use.
Breach Notification
Section 8(6) mandates that a Data Fiduciary intimate a personal data breach to the Board and to each affected Data Principal, in the form and manner prescribed by the Rules. Failure to notify is penalised separately from the underlying safeguard failure, and health data breaches additionally carry severe reputational damage and exposure to civil claims.
Data Principal Rights
Patients have the right to access information about their personal data (Section 11), to have it corrected, completed, updated, or erased (Section 12), to grievance redressal (Section 13), and to nominate another person to exercise these rights (Section 14). Erasure is not absolute: Section 12 and Section 8(7) allow retention where it is necessary for the specified purpose or for compliance with law, so statutory medical record retention periods must be documented and applied consistently when handling erasure requests.
Purpose Limitation
Health data collected for diagnosis cannot be repurposed for marketing, research, or insurance without fresh consent. Section 5 requires the notice to state the purpose, and Section 6 limits both the consent and the data collected to that specified purpose, so any new purpose needs a new notice and a new consent.
Security Safeguards
Section 8(5) requires reasonable security safeguards to prevent a personal data breach, and the DPDP Rules set out the minimum measures (encryption or masking, access control, logging and monitoring, and backups). For health data, treat that list as the floor: encrypt records at rest and in transit, enforce role-based access to patient records, and keep audit trails that show who accessed which record and why.
Cross-border Transfers
ABDM is a domestic system, so integrating with it is not itself a cross-border transfer; the exposure comes from international telemedicine platforms, offshore cloud hosting, and foreign research partners. Section 16 lets the Central Government restrict transfers of personal data to notified countries or territories, so track where health data is hosted and processed and check each destination against the current notifications.
Timeline
Your Compliance Roadmap
Key milestones between now and full DPDP enforcement in May 2027.
Now
Audit health data flows
Map all personal health information across EHR systems, telemedicine, diagnostics, and billing.
Q3 2026
Consent framework deployment
Implement purpose-specific consent for diagnosis, treatment, research, and administrative processing.
Nov 2026
Consent Manager registration
Consent Manager provisions take effect. Only an organisation that intends to act as a Consent Manager must register with the Data Protection Board; a healthtech company that relies on one should confirm that its provider is registered.
Q1 2027
Rights fulfilment workflows
Deploy patient data access, correction, and erasure systems with medical retention exemptions.
May 2027
Full DPDP enforcement
The Act is fully enforceable. The highest penalty, up to 250 crore per instance for failing to maintain reasonable security safeguards, applies to health data breaches.
Penalty Exposure for HealthTech Companies
Section 33 of the DPDP Act, read with the Schedule, prescribes penalties based on violation type. These are the maximum amounts per instance.
Recommended Plan
Growth for HealthTech
Growth tier provides the consent granularity and audit trail depth required for health data processing with up to 500K patient records.
₹75,000 one-time
- Up to 500K data principals
- Granular consent management
- Full audit trail with exports
- Priority support
- Rights fulfilment workflows
Resources
Essential Reading for HealthTech
Deep dives into the DPDP provisions most relevant to your sector.
Breach Notification Under the DPDP Act: The Rules Every Business Must Follow
The DPDP Act 2023 mandates prompt breach notification to the Data Protection Board and affected individuals. Delayed reporting carries independent penalties.
6 min read
Data Principal Rights
Data Principal Rights Under the DPDP Act: What Your Customers Can Demand
The DPDP Act 2023 grants individuals enforceable rights over their personal data. Every Indian business must build systems to honour these rights within defined timelines.
7 min read
Implementation Guides
DPDP Compliance Checklist for Indian Businesses
A structured checklist covering every obligation under the DPDP Act 2023. Use this to audit your current compliance posture and prioritise remediation.
8 min read
Understand your healthtech compliance position.
The free DPDP Gap Assessment takes 10 minutes. You receive a personalised compliance report with your score and a prioritised action list.