DPDP Readiness Infrastructure for Hospitals and Clinical Establishments
When a health authority inspection reviews your patient data governance posture, your answer must be documented and verifiable. The National Health Authority Health Data Management Policy mandates 8-year minimum retention of patient health records. The DPDP Act gives patients the right to erasure. ConsentOS implements a Legal Obligation Override that satisfies the NHA HDMP retention mandate and DPDP erasure rights simultaneously, giving your clinical governance committee a printable readiness report and your inspector a verifiable compliance position.
50,000+ hospitals and clinical establishments registered in India
8 years: NHA HDMP minimum patient record retention mandate
250 Cr: maximum DPDP penalty per incident
NHA HDMP Inspection Readiness
Health authority inspections and NABH accreditation reviews are beginning to include DPDP patient data governance as a standard compliance checkpoint. The answer "we are still assessing our obligations" is not a defensible position for a clinical governance committee. ConsentOS gives your committee a printable readiness report and your inspector a documented, verifiable answer.
Obligations
Your DPDP Obligations as a Hospital
The DPDP Act 2023 imposes specific requirements based on how your organisation processes personal data. These are the obligations most relevant to hospital operations.
NHA HDMP / DPDP Retention Conflict
The NHA Health Data Management Policy mandates a minimum 8-year retention of patient health records after the last encounter. The DPDP Act requires erasure on demand. The Legal Obligation Override documents the NHA HDMP statutory exception and generates denial evidence for each rejected erasure request.
Patient Consent for Data Processing
ABDM-integrated hospitals create digital health records that are personal data under the DPDP Act. Treatment, diagnosis, prescription, and surgical records each require purpose-specific consent chains. Bundled admission consent does not satisfy Section 6 of the Act.
Health Data Purpose Limitation
Patient data collected for treatment cannot be repurposed for clinical research, insurance underwriting, pharmaceutical partnerships, or health analytics without fresh, purpose-specific consent under Section 5.
Third-Party Processor Governance
Diagnostic laboratories, radiology centres, pharmacies, insurance TPAs, and ambulance operators all process patient personal data. Each is a data processor under the DPDP Act. Hospitals must maintain data processing agreements for every processor relationship.
Minor and Guardian Consent
Paediatric health records, maternal data, and records of minor patients require parental or guardian consent under Section 9. Age verification and guardian consent workflows are required before any data processing.
Breach Notification
Patient data breaches trigger both MoHFW-mandated incident reporting and DPDP breach notification obligations to the Data Protection Board and affected patients. A single unified incident response workflow must satisfy both deadlines simultaneously.
ABDM Integration Compliance
Integration with the Ayushman Bharat Digital Mission creates cross-system data sharing obligations. ABDM health ID linkage, digital health record access, and PHR processing each carry independent DPDP consent obligations that must be documented separately.
Timeline
Your Compliance Roadmap
Key milestones between now and full DPDP enforcement in May 2027.
Now
Build your NHA HDMP inspection readiness position
Map all patient data processing across admissions, treatment, diagnostics, pharmacy, and discharge. Document your DPDP posture before your next NABH or health authority inspection cycle.
Q3 2026
Implement Legal Obligation Override
Deploy the Compliance Vault: classify NHA HDMP-retained patient records, isolate them from the DPDP erasure flow, and configure the denial register.
Nov 2026
Consent Manager registration
Register with the Data Protection Board as a Consent Manager if operating digital patient consent infrastructure.
Q1 2027
Patient rights workflows
Implement patient data access, correction, and erasure workflows with NHA HDMP statutory exemption handling.
May 2027
Full DPDP enforcement
The Act is fully enforceable. Patient health data violations carry penalties up to 250 crore.
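The retention-versus-erasure handling described under "NHA HDMP / DPDP Retention Conflict" and in the Q3 2026 milestone above reduces to one decision per record: is it still inside the statutory hold, or may it flow to erasure? The following is an added illustrative model of that decision, not ConsentOS's own code or API. It takes from the page only the 8-year minimum counted from the last encounter and the requirement to record denial evidence; the record schema, the request and record identifiers, the per-record (rather than per-request) denial entries and the in-memory register are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Stated on the page: NHA HDMP requires at least 8 years of retention,
# counted from the patient's last encounter.
RETENTION_YEARS = 8
LEGAL_BASIS = "NHA HDMP minimum patient record retention (8 years from last encounter)"


@dataclass(frozen=True)
class PatientRecord:
    """Constructed schema; the real record model is not on the page."""
    record_id: str
    category: str          # e.g. "treatment", "prescription" (hypothetical labels)
    last_encounter: date
    health_record: bool    # True when the HDMP retention mandate applies


@dataclass(frozen=True)
class DenialEntry:
    """One line of denial evidence for a record withheld from erasure."""
    request_id: str
    record_id: str
    decided_on: date
    retain_until: date
    legal_basis: str


@dataclass
class ErasureOutcome:
    request_id: str
    erased: list[str] = field(default_factory=list)
    retained: list[str] = field(default_factory=list)


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb falls back to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retain_until(record: PatientRecord) -> date:
    """First day on which the statutory hold no longer blocks erasure."""
    return add_years(record.last_encounter, RETENTION_YEARS)


def under_legal_hold(record: PatientRecord, today: date) -> bool:
    """Records outside the mandate are never held; in-scope records are held
    until the retention period has fully elapsed."""
    return record.health_record and today < retain_until(record)


class DenialRegister:
    """Append-only denial evidence (in-memory stand-in for a persistent register)."""

    def __init__(self) -> None:
        self.entries: list[DenialEntry] = []

    def add(self, entry: DenialEntry) -> None:
        self.entries.append(entry)


def handle_erasure_request(request_id: str, records: list[PatientRecord],
                           today: date, register: DenialRegister) -> ErasureOutcome:
    """Route each record either to erasure or to the denial register.

    Nothing under legal hold is ever passed to the erasure flow; each denial
    carries the hold end date so a later request can be honoured.
    """
    outcome = ErasureOutcome(request_id)
    for rec in records:
        if under_legal_hold(rec, today):
            register.add(DenialEntry(request_id, rec.record_id, today,
                                     retain_until(rec), LEGAL_BASIS))
            outcome.retained.append(rec.record_id)
        else:
            outcome.erased.append(rec.record_id)
    return outcome


def run_sample() -> tuple[ErasureOutcome, DenialRegister]:
    """Constructed sample: one record still inside the 8-year window, one
    whose window has elapsed, one outside the health-record mandate."""
    records = [
        PatientRecord("REC-001", "treatment", date(2020, 3, 15), True),
        PatientRecord("REC-002", "prescription", date(2015, 1, 10), True),
        PatientRecord("REC-003", "reminder-preference", date(2025, 9, 1), False),
    ]
    register = DenialRegister()
    outcome = handle_erasure_request("ERQ-0001", records, date(2026, 6, 1), register)
    return outcome, register


if __name__ == "__main__":
    result, reg = run_sample()
    print("erased:", result.erased)        # ['REC-002', 'REC-003']
    print("retained:", result.retained)    # ['REC-001']
    for e in reg.entries:
        print(f"denied {e.record_id}: hold until {e.retain_until} ({e.legal_basis})")
```

The hold check is deliberately the only gate in front of the erasure path, so an audit of the register plus the erasure log accounts for every record in a request; the 8-year figure is a minimum, so a record past it is merely eligible for erasure, not required to be erased by this logic.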
Penalty Exposure for Hospitals
Section 33 of the DPDP Act prescribes penalties based on violation type. These are the maximum amounts per incident.
Recommended Plan
Compliance Vault for Hospitals
Hospitals operating under NHA HDMP retention mandates require the Legal Obligation Override, retention schedule dashboard, and denial register that only the Compliance Vault tier provides.
₹5,00,000 one-time
- Legal Obligation Override (RBI / PMLA)
- Retention schedule dashboard — per data category
- Denial register for statutory erasure exceptions
- DPBI-ready audit evidence packs
- 72-hour breach notification pipeline
- Dedicated compliance support manager
Resources
Essential Reading for Hospitals
Deep dives into the DPDP provisions most relevant to your sector.
HealthTech DPDP Compliance: ABDM and Health Data Rules in India
How the DPDP Act 2023 applies to health data processing, ABDM interoperability, telemedicine platforms, and clinical trial consent requirements in India.
10 min read
Compliance Areas
DPDP Breach Notification: 72-Hour Rule & India Reporting Mandates
India's DPDP Act mandates breach notification to the Data Protection Board within 72 hours and to affected individuals promptly. Delayed reporting carries independent penalties.
6 min read
Data Principal Rights
DPDP Act 2023: All 8 Data Principal Rights with Templates (India)
India's DPDP Act grants 8 enforceable rights to data principals — access, correction, erasure, nomination, grievance redress. Includes mandatory response timelines.
7 min read
When the Health Authority Asks, Have the Answer Ready
The free Compliance Vault Assessment takes 10 minutes. You receive a personalised compliance report with your score and a prioritised action list.