DPDP Compliance for Hospitals: Patient Records, ABDM, and the 8-Year Retention Conflict
The NHA Health Data Management Policy mandates 8-year patient record retention. The DPDP Act grants erasure rights. How hospitals resolve the conflict, fix admission consent, and govern ABDM data.
Two Mandates Govern the Same Patient Record
A discharged patient submits a request to erase their personal data. Section 12(3) of the Digital Personal Data Protection Act 2023 gives them that right. The National Health Authority’s Health Data Management Policy requires the hospital to retain patient health records for a minimum of eight years after the last encounter. Both obligations bind the hospital. Both carry consequences. They point in opposite directions over the same record.
This is the defining DPDP problem for hospitals and clinical establishments. India has more than 50,000 registered hospitals and clinical establishments, and every one that keeps a digital patient record is a Data Fiduciary under the Act. There is no exemption for size, ownership, or speciality. A two-doctor clinic with a practice management system carries the same statutory duties as a 2,000-bed chain.
The Act’s machinery is now in motion. The DPDP Rules were notified on 13 November 2025. The Consent Manager registration window opens in November 2026. Penalty enforcement is expected from May 2027. A hospital that starts mapping its patient data flows in 2026 controls its timeline. One that waits for the first Data Protection Board notice does not.
The Retention Conflict, Resolved Field by Field
The erasure right is not absolute. Section 8(7) of the DPDP Act preserves retention that is necessary for compliance with any law in force. The NHA Health Data Management Policy’s 8-year minimum is exactly that kind of mandate. The resolution is mechanical, not philosophical:
- Classify each record category. Clinical records under the HDMP retention mandate sit on one side. Marketing preferences, camp registration lists, feedback forms, and loyalty data sit on the other.
- Honour erasure for everything outside a mandate. A patient’s erasure request removes the non-mandated fields immediately.
- Refuse erasure for mandated records, in writing, with the legal basis. The refusal must cite the specific retention obligation, not a general claim that hospitals keep records.
- Keep a denial register. Every refused or partially refused request needs a documented entry: what was retained, under which mandate, for how long. This register is the evidence a Data Protection Board inquiry or health authority inspection will ask for.
The failure mode is treating the conflict as a reason to do nothing. A hospital that refuses all erasure requests because “medical records must be kept” violates the Act for every non-mandated field. One that erases everything on demand violates the HDMP. Only field-level classification satisfies both.
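The four steps above, written out as an erasure handler, as an added example that is not part of the original page or of any vendor's product. The record categories, the mandate text, the patient and request identifiers and the dates are all constructed for illustration; a real deployment would take the classification from the hospital's own record map and the retention text from counsel. The handler decides every field independently, lets the override lapse once the 8-year window has run, and refuses to guess about an unclassified field rather than defaulting to either blanket refusal or blanket erasure.

```python
"""Field-level erasure under a retention mandate (added example).

Constructed record categories, mandate text and dates; not taken from the
HDMP, the DPDP Rules or any hospital information system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed classification. Every category a hospital stores must appear in
# exactly one of these sets before an erasure request can be decided.
HDMP_MANDATED = {"diagnosis", "prescriptions", "discharge_summary", "lab_results"}
ERASABLE = {"marketing_preferences", "camp_registration", "feedback", "loyalty"}
HDMP_MIN_RETENTION_YEARS = 8
HDMP_BASIS = (
    "Retained under DPDP Act 2023 s.8(7) and s.12(3): retention necessary for "
    "compliance with the NHA Health Data Management Policy minimum of "
    f"{HDMP_MIN_RETENTION_YEARS} years after the last encounter"
)


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; a 29 February anniversary falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Retained:
    category: str
    legal_basis: str
    retain_until: date


@dataclass(frozen=True)
class RegisterEntry:
    """One denial-register row: what was erased, what was kept, under which mandate, until when."""
    request_id: str
    patient_id: str
    decided_on: date
    erased: tuple
    retained: tuple


def decide(category: str, last_encounter: date, today: date) -> Optional[Retained]:
    """Return a Retained decision, or None meaning 'erase now'."""
    if category in ERASABLE:
        return None
    if category in HDMP_MANDATED:
        until = add_years(last_encounter, HDMP_MIN_RETENTION_YEARS)
        if today < until:
            return Retained(category, HDMP_BASIS, until)
        return None  # the mandate has run out, so the override lapses with it
    # An unclassified field cannot be decided either way. Refusing to guess is
    # deliberate: blanket refusal and blanket erasure are both violations.
    raise ValueError(f"unclassified record category: {category!r}")


def process_erasure_request(request_id, patient_id, record, last_encounter, today):
    """Apply the request field by field; return the surviving record and the register entry."""
    erased, retained, remaining = [], [], {}
    for category, value in record.items():
        decision = decide(category, last_encounter, today)
        if decision is None:
            erased.append(category)
        else:
            retained.append(decision)
            remaining[category] = value
    entry = RegisterEntry(request_id, patient_id, today, tuple(erased), tuple(retained))
    return remaining, entry


def written_refusal(entry: RegisterEntry) -> str:
    """The written response to the patient, citing the specific obligation for each retained field."""
    if not entry.retained:
        return f"Request {entry.request_id}: all personal data erased on {entry.decided_on.isoformat()}."
    lines = [f"Request {entry.request_id}: partially refused on {entry.decided_on.isoformat()}."]
    for r in entry.retained:
        lines.append(f"- {r.category}: {r.legal_basis}; retention ends {r.retain_until.isoformat()}.")
    if entry.erased:
        lines.append("Erased on request: " + ", ".join(entry.erased) + ".")
    return "\n".join(lines)
```

The register entry is the artefact an inspection asks for, so it is produced by the same call that performs the erasure rather than reconstructed afterwards. The `ValueError` on an unclassified category is intentional: a request against a record with unmapped fields should fail loudly and send the category back to the classification step, not silently fall into either failure mode.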
The same mechanism governs banks under RBI retention mandates. The pattern is identical: the retention conflict is resolved by statute, documented per request, and defended with a register.
Admission Consent Is Where Hospitals Fail First
The standard admission file contains one signature that covers treatment, diagnostics, data sharing with insurers, research participation, and sometimes promotional communication. That construction fails Section 6 of the DPDP Act, which requires consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, for each specified purpose.
Bundled consent fails Section 6 in any sector. In a hospital it fails with aggravating factors: the data is health data, the patient is often in distress, and the alternative to signing is non-treatment. Consent given under those conditions for non-treatment purposes will not survive scrutiny.
The compliant structure separates the chains:
- Treatment, diagnosis, and prescriptions. Core clinical processing, consented at registration with a clear notice of purpose.
- Insurance and TPA processing. A separate consent, since the data leaves the hospital’s control.
- Clinical research and analytics. Fresh, purpose-specific notice and consent under Sections 5 and 6. Data collected for treatment cannot be repurposed for research, pharmaceutical partnerships, or underwriting on the strength of the admission signature.
- Marketing and follow-up programmes. Optional, refusable, and never a condition of care.
ABDM Integration Multiplies the Obligations
Hospitals integrated with the Ayushman Bharat Digital Mission create digital health records that move across systems. Health ID linkage, digital health record access, and PHR processing each carry an independent DPDP consent obligation, documented separately. The convenience of interoperability does not transfer the compliance duty to the NHA. The hospital that creates and shares the record remains the Data Fiduciary for it.
This extends to the processor network. Diagnostic laboratories, radiology centres, pharmacies, insurance TPAs, and ambulance operators all process patient personal data on the hospital's behalf. Each is a data processor under the Act, and each relationship requires a data processing agreement that binds the processor to the hospital's obligations. An unwritten referral arrangement with a lab is, in DPDP terms, an ungoverned transfer of health data. Where a partner determines its own purposes for the data, an insurer adjudicating a claim for instance, it is a Data Fiduciary in its own right rather than the hospital's processor, and the transfer needs fiduciary-to-fiduciary terms instead of a processing agreement.
Children’s Wards Carry the Heaviest Consent Duty
Section 9 requires verifiable parental or guardian consent before processing the personal data of anyone under 18. For a hospital this covers paediatric records, maternal and newborn data, vaccination histories, and school health camp records. Age verification and guardian consent must precede the processing, not follow it.
The penalty tier reflects the sensitivity: children’s data violations reach ₹200 crore. The full framework is covered in children’s data protection under the DPDP Act.
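The purpose-separated consent structure from the admission section and the guardian requirement from this one are both, in implementation terms, a gate in front of every processing operation. The following is an added example of that gate; it is not code from the original page or from any consent-management product. The purpose identifiers, the rule that only treatment may be made a condition of care, the patients and the notice references are constructed for illustration. The point it shows is that a treatment consent authorises nothing else, that a marketing consent cannot be recorded as a condition of care, and that a minor's record refuses any consent not given by a guardian.

```python
"""Purpose-separated consent with a guardian gate (added example).

Purpose names, the 'condition of care' rule and the patients are constructed
for illustration; nothing here is taken from an admission form or the Act's text.
"""
from dataclasses import dataclass, field
from datetime import date


class ConsentError(Exception):
    """Raised when processing is attempted without a valid, purpose-specific consent."""


# Assumed purpose identifiers. Each needs its own consent; none is implied by another.
PURPOSES = {"treatment", "insurance_tpa", "research", "marketing"}
# Only core clinical processing may be made a condition of receiving care.
MAY_CONDITION_CARE = {"treatment"}
ADULT_AGE = 18


@dataclass(frozen=True)
class Consent:
    purpose: str
    given_on: date
    given_by: str      # "patient" or "guardian"
    notice_ref: str    # the purpose notice this consent was given against


@dataclass
class PatientConsents:
    patient_id: str
    date_of_birth: date
    consents: dict = field(default_factory=dict)

    def age_on(self, today: date) -> int:
        """Completed years of age on the given date."""
        dob = self.date_of_birth
        birthday_passed = (today.month, today.day) >= (dob.month, dob.day)
        return today.year - dob.year - (0 if birthday_passed else 1)

    def record(self, consent: Consent, condition_of_care: bool = False) -> None:
        """Store one consent for one purpose, refusing the constructions that fail s.6 and s.9."""
        if consent.purpose not in PURPOSES:
            raise ConsentError(f"unknown purpose {consent.purpose!r}")
        if condition_of_care and consent.purpose not in MAY_CONDITION_CARE:
            raise ConsentError(f"{consent.purpose} consent cannot be a condition of care")
        if self.age_on(consent.given_on) < ADULT_AGE and consent.given_by != "guardian":
            raise ConsentError("child: verifiable guardian consent required before processing")
        self.consents[consent.purpose] = consent

    def authorize(self, purpose: str) -> Consent:
        """Gate every processing operation on a consent for exactly that purpose."""
        consent = self.consents.get(purpose)
        if consent is None:
            raise ConsentError(f"no consent on file for purpose {purpose!r}")
        return consent
```

`authorize` is the only path a research pipeline, a TPA export or a marketing job should take to a patient's data; a pipeline that reads the record directly has bypassed the consent architecture regardless of how well the admission form was redesigned. The age check runs against the date the consent was given, because the Act's question is whether the patient was a child when consent was taken, not whether they are one now.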
Breach Response: One Incident, Several Clocks
Hospital ransomware is no longer hypothetical, and a hospital breach is rarely reportable to one authority alone. The DPDP Rules require the hospital to intimate the Data Protection Board without delay on becoming aware of a breach and to file a detailed report within 72 hours, alongside notification to every affected patient. Health authority incident reporting and the CERT-In direction to report cyber incidents within 6 hours run in parallel on their own deadlines.
A hospital therefore needs one incident response workflow that satisfies every clock simultaneously: detection, classification, Board notification, patient notification, and authority reporting from a single evidence trail. Assembling this during the incident is not a plan. The mechanics of the 72-hour rule are detailed in breach notification under the DPDP Act.
Failure to notify carries its own penalty tier of up to ₹200 crore, separate from the ₹250 crore tier for the safeguard failure that caused the breach.
Large Chains Should Expect SDF Classification
Hospital chains processing high volumes of health data are natural candidates for notification as Significant Data Fiduciaries under Section 10. That classification adds an India-based Data Protection Officer, periodic Data Protection Impact Assessments, and an independent data auditor to the baseline duties. The volume and sensitivity thresholds are assessed by the government, not self-declared, so a chain should build to the SDF standard before the notification arrives. The criteria are covered in the Significant Data Fiduciary guide.
What a Hospital Should Do Now
The sequence is the same one any regulated Data Fiduciary follows, applied to clinical operations:
- Map the patient data lifecycle. Admissions, treatment, diagnostics, pharmacy, billing, insurance, discharge, and post-care follow-up. Every system, every processor, every transfer.
- Classify records against retention mandates. HDMP-retained clinical records on one side, erasable data on the other. This classification is the foundation of every erasure decision.
- Rebuild the consent architecture. Purpose-separated chains at registration, guardian consent workflows in paediatrics, separate ABDM consent documentation.
- Paper the processor network. Data processing agreements with every lab, TPA, pharmacy, and transport partner that touches patient data.
- Stand up the denial register and breach workflow. Both are evidence-producing systems. Both will be examined.
The duties are statutory and the deadlines are published. Run the Gap Assessment to score your current posture against the Act’s obligations, or review the hospital compliance infrastructure that implements the Legal Obligation Override for the HDMP retention conflict.
Continue Reading
Related DPDP Act 2023 guidance from the ConsentOS knowledge base.
- HealthTech DPDP Compliance: ABDM and Health Data Rules in India. How the DPDP Act 2023 applies to health data processing, ABDM interoperability, telemedicine platforms, and clinical trial consent requirements in India.
- Compliance Areas: DPDP Breach Notification Timeline: 72-Hour Rule (India 2026). DPDP Act breach reporting: notify the Data Protection Board within 72 hours and CERT-In within 6 hours. Two-stage filing, penalties up to ₹200 crore.
- Compliance Areas: Children's Data Protection: Parental Consent Under DPDP in India. The DPDP Act imposes strict requirements for processing children's personal data. Verifiable parental consent, advertising restrictions, and tracking prohibitions apply to every business serving minors.
- Consent Management: Bundled Consent Under the DPDP Act: Why One Checkbox Fails Section 6. Bundled consent, a single accept-all checkbox covering every purpose, fails Section 6 of the DPDP Act 2023. This is why it is non-compliant, what counts as a dark pattern, and how to redesign the flow into purpose-separated consent.