DPDP Act 2025 Reshapes Indian Healthcare: New Privacy Rules, Unclear Details

The landscape of healthcare data privacy in India has undergone a fundamental shift with the notification of the Digital Personal Data Protection (DPDP) Rules, 2025. These rules bring critical parts of the DPDP Act, 2023 into force, setting a countdown for its remaining provisions. Hailed as the most significant privacy reform since the Information Technology Act of 2000, this legislation aims to embed respect for individual rights and data accountability into the system. Its impact on the healthcare sector is set to be profound, though the path forward is paved with both promise and complex challenges.

A New Era of Patient Rights and Provider Duties

The Act fundamentally redefines the relationship between patients and healthcare providers. Every entity, from a massive multi-specialty hospital and a small clinic to a diagnostic lab and a telemedicine application, is now classified as a "data fiduciary". This classification comes with significant legal responsibilities for handling personal data. Conversely, patients are empowered as "data principals", granting them enforceable rights to access, correct, and even request the erasure of their medical information.

On paper, this marks a move away from the traditional model where signing a hospital consent form was often an act of blind faith. The DPDP Act mandates transparency, forcing the system to make consent an informed choice. However, the reality of medical care introduces immediate complications. The law wisely carves out an exception for medical emergencies and public health crises, allowing data processing without explicit consent when a patient's survival is at stake. Yet, it remains silent on numerous post-emergency scenarios, such as prolonged ICU care, management of chronic illnesses, and follow-up treatments, leaving a significant grey area in the consent architecture.

The Devil in the Details: Deletion, Retention, and Ambiguity

While the Act's core principles are laudable, their practical application in healthcare reveals several critical gaps. A key provision allows individuals to withdraw consent or request the deletion of their personal data. While suitable for sectors like e-commerce, this creates a potential conflict in healthcare. If a patient asks for their data to be erased, the provider is obligated to stop processing it. This raises a crucial question: who is then responsible for the patient's ongoing treatment and health outcomes?

The Act does place the onus of consequences for consent withdrawal on the data principal (the patient). However, it does not absolve healthcare providers of their overarching legal and ethical duty of care. Furthermore, the definition of "processing" within the Act includes "erasure" and "destruction", which could paradoxically require consent to delete data, creating a logical loop.

Another major uncertainty lies in data retention periods. While Schedule III of the 2025 Rules prescribes timelines for certain sectors, healthcare is conspicuously absent from this list. Medical records are often needed for decades for future treatment, legal purposes, or insurance claims. The lack of clear retention norms leaves hospitals guessing, potentially leading to inconsistent practices and leaving patients vulnerable if data is purged prematurely.

The Look-Back Conundrum and the Road Ahead

A further operational hurdle is presented by Section 5(2) of the Act, which deals with data collected before the law commenced. It requires data fiduciaries to notify data principals about their rights "as soon as it is reasonably practicable". This vague phrasing, without a defined time ceiling, could theoretically obligate hospitals to review and bring all historical digital records under the Act's purview, a task of monumental and unclear scope.

Despite these challenges, the DPDP Act represents a serious and necessary attempt to give Indian healthcare a privacy backbone. It sends a clear message: patient data is a right, and digital stewardship is now part of a provider's duty of care. Experts such as advocate Tishampati Sen and radiologist Harsh Mahajan argue that some provisions need revisiting. Given the life-and-death consequences of medical data, the healthcare sector may deserve a sector-specific rulebook or detailed guidelines, rather than being governed by the same broad framework as online gaming or retail companies. The journey towards robust health data privacy has begun, but the map for navigating its complexities is still being drawn.