Security & Compliance

DPDPA Compliance for Indian Clinics: 8 Obligations Every Doctor Must Know (2026)

Anexshe Revedha·Cofounder & COO, CuraVerto·22 May 2026·9 min read

The Digital Personal Data Protection Act 2023 (DPDPA) is India's first comprehensive data privacy law. It received assent in August 2023 and is being brought into force in phases through rules notified by MeitY. For clinics, which collect health data, Aadhaar numbers, contact details and sometimes genetic data, the law creates eight binding obligations, a set of patient rights (access, correction and erasure, grievance redressal, and nomination), and penalties of up to ₹250 crore for the most serious failures. Every clinic that holds patient data on any digital system is a data fiduciary under the DPDPA and must comply.

What is DPDPA 2023 and who does it apply to?

The Digital Personal Data Protection Act 2023 governs how organisations collect, store, process, and share digital personal data within India, including data first recorded on paper and later digitised (a handwritten register typed into an EMR is in scope). A clinic is a "data fiduciary", the entity that determines the purpose and means of processing personal data. Patients are "data principals". Unlike the earlier PDP Bill drafts, the Act does not define a separate "sensitive personal data" category: health data is protected under the same rules as every other kind of digital personal data, and the full penalty schedule applies to it. The Act applies to any clinic processing digital personal data, regardless of size.

8 DPDPA Obligations Every Clinic Must Meet

1. Notice — Tell patients exactly what data you collect and why
Before collecting personal data, the clinic must give a notice stating what data is collected, the purpose, how the patient can exercise their rights and withdraw consent, and how to complain to the clinic's grievance contact and to the Data Protection Board. The notice must be in plain language rather than legal boilerplate, and it must appear wherever data is actually collected: intake forms, the website, and WhatsApp registration flows.
2. Consent — Obtain free, specific, and informed consent
Consent under the Act must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and as easy to withdraw as it was to give. A pre-ticked box, consent inferred from the patient simply filling in a form, or a blanket "by visiting this clinic you agree" line does not meet that bar; oral consent cannot be evidenced later and should be treated as no consent. Because the fiduciary carries the burden of proving that notice was given and consent obtained, every consent action must be recorded with a timestamp, the purpose it covers, and the exact version of the notice the patient was shown.
3. Purpose Limitation — Use data only for stated purposes
Patient data collected for appointment booking cannot be used for marketing without separate consent. Data collected for a specific consultation cannot be shared with a pharmaceutical company without explicit consent for that specific purpose. Clinics that share patient lists with labs or pharma reps without additional consent are in direct violation.
4. Data Quality — Keep records accurate and complete
Clinics must maintain accurate, complete, and up-to-date patient records. A patient who provides an update — new address, new diagnosis, medication change — must have their record corrected promptly. Outdated data leading to harm creates both a DPDPA violation and a clinical liability.
5. Storage Limitation — Delete data when purpose is served
Personal data must be erased once the patient withdraws consent or the purpose it was collected for is no longer being served, unless a law requires it to be kept. For clinics that floor is the Medical Council of India (now the National Medical Commission) record-retention requirement of 3 years (5 years for IP records). Once the retention period has expired, the data must be deleted or anonymised. A clinic holding decade-old inactive patient records needs a written retention and deletion schedule, and a way to show it is being followed.
6. Security — Implement reasonable security safeguards
The Act requires "reasonable security safeguards" to prevent a personal data breach. In practice that means encryption in transit and at rest, access control that limits each role to the fields it needs (reception sees contact details; only the treating doctor sees the clinical record), access logs that are retained and actually reviewed, tested backups, and a written incident response procedure. Patient data on an unencrypted laptop, behind a shared login, or in a WhatsApp group fails this test.
7. Breach Notification — Report breaches to the Data Protection Board and affected patients
A personal data breach must be reported to the Data Protection Board of India and to each affected patient. The Act sets no materiality or harm threshold, so every breach is notifiable, and the detailed report is expected within 72 hours of becoming aware of it. The notification must describe what data was breached, the likely consequences, and the remedial action taken. A clinic with no breach detection (no access logs, no log review, no alerting on unusual reads or exports) cannot meet this obligation: the 72-hour clock starts from awareness, and it has no way of becoming aware.
8. Grievance Redressal — Appoint a grievance officer and respond within 30 days
Every data fiduciary must publish the contact details of a named person able to answer patients' questions about their data (a Grievance Officer; significant data fiduciaries must additionally appoint a Data Protection Officer) and respond to grievances within 30 days. The Grievance Officer needs the authority to investigate data complaints and to liaise with the Data Protection Board if a complaint escalates, since patients must exhaust the clinic's own process before approaching the Board.
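
Obligations 2 and 3 together imply a specific data structure: an append-only consent ledger in which every grant is bound to one purpose and to the version of the notice shown, and every processing decision is checked against that exact purpose. The Python below is an added example written for this article; it is not code from CuraVerto or from the DPDP Act or Rules, and the class and method names, purpose strings, notice wording, sample patient and 16-hex-digit version hash are assumptions.

```python
"""Append-only consent ledger: each grant is bound to one purpose and to the exact
notice version shown; every processing check is made against that purpose.

Added example written for this article. Not code from CuraVerto or from the DPDP Act
or Rules. Class and method names, purpose strings, notice wording, the sample patient
and the 16-hex-digit version hash are assumptions.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def notice_version(notice_text: str) -> str:
    """Content hash of the notice actually displayed, so a record proves what was shown."""
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()[:16]


@dataclass(frozen=True)
class ConsentEvent:
    patient_id: str
    purpose: str
    action: str            # "granted" or "withdrawn"
    notice_version: str    # empty for a withdrawal
    recorded_at: datetime


class ConsentLedger:
    """Events are only appended; current consent is the latest event per (patient, purpose)."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def grant(self, patient_id: str, purpose: str, notice_text: str, at: datetime) -> ConsentEvent:
        ev = ConsentEvent(patient_id, purpose, "granted", notice_version(notice_text), at)
        self._events.append(ev)
        return ev

    def withdraw(self, patient_id: str, purpose: str, at: datetime) -> ConsentEvent:
        # One call, no notice to re-read: withdrawing is as easy as granting.
        ev = ConsentEvent(patient_id, purpose, "withdrawn", "", at)
        self._events.append(ev)
        return ev

    def _latest(self, patient_id: str, purpose: str, at: datetime):
        hits = [e for e in self._events
                if e.patient_id == patient_id and e.purpose == purpose and e.recorded_at <= at]
        return max(hits, key=lambda e: e.recorded_at) if hits else None

    def has_consent(self, patient_id: str, purpose: str, at: datetime) -> bool:
        """True only if the latest event for this exact purpose, as of `at`, is a grant.
        Consent for one purpose never carries over to another (purpose limitation)."""
        latest = self._latest(patient_id, purpose, at)
        return latest is not None and latest.action == "granted"

    def needs_reconsent(self, patient_id: str, purpose: str, current_notice_text: str, at: datetime) -> bool:
        """True if consent is live but was given under a notice that has since changed."""
        latest = self._latest(patient_id, purpose, at)
        return (latest is not None and latest.action == "granted"
                and latest.notice_version != notice_version(current_notice_text))

    def check_processing(self, patient_id: str, purpose: str, at: datetime) -> None:
        """Call before any processing step; fails closed instead of proceeding silently."""
        if not self.has_consent(patient_id, purpose, at):
            raise PermissionError(f"no valid consent from {patient_id} for purpose {purpose!r}")


# Constructed sample data (not real notices or patients) for the scenario below.
NOTICE_V1 = "We collect your name and phone number to book and remind you of appointments."
NOTICE_V2 = NOTICE_V1 + " We share referral details with partner laboratories you choose."
T0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)


def ts(days: int) -> datetime:
    """Timestamp `days` after T0, to keep the scenario readable."""
    return T0 + timedelta(days=days)


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("P-1001", "appointment_booking", NOTICE_V1, ts(0))
    print("booking:", ledger.has_consent("P-1001", "appointment_booking", ts(1)))        # True
    print("marketing:", ledger.has_consent("P-1001", "marketing", ts(1)))                # False
    print("re-consent under V2:", ledger.needs_reconsent("P-1001", "appointment_booking", NOTICE_V2, ts(1)))  # True
    ledger.withdraw("P-1001", "appointment_booking", ts(30))
    print("booking after withdrawal:", ledger.has_consent("P-1001", "appointment_booking", ts(31)))  # False
```

Two design points matter here. Checks are point-in-time (`at`), so an audit can answer "did we have consent when we sent that message?" rather than only "do we have it now". And `needs_reconsent` is what the re-consent step of a rollout would run over the patient list: any grant whose stored notice hash differs from the hash of the notice currently in use identifies a patient who must be shown the new notice before further processing.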

Patient Rights Under DPDPA

Patient right | What it means for the clinic | Response window
Right to Access | Patient can request a summary of all personal data held about them | 30 days
Right to Correction | Patient can request correction of inaccurate or outdated data | 30 days
Right to Erasure | Patient can withdraw consent and request deletion (subject to legal retention requirements) | 30 days
Right to Nominate | Patient can nominate another person to exercise these rights on their behalf in the event of death or incapacity | Recorded at registration
Right to Grievance Redressal | Patient can file a complaint with the clinic and, if it is not resolved, escalate to the Data Protection Board | 30 days to respond

DPDPA Penalties for Clinics

Violation | Maximum penalty
Failure to take reasonable security safeguards to prevent a personal data breach | ₹250 crore
Failure to notify a breach to the Data Protection Board and affected patients | ₹200 crore
Processing children's data without verifiable parental consent | ₹200 crore
Breach of the additional obligations of a significant data fiduciary | ₹150 crore
Any other violation (purpose limitation, data quality, grievance redressal, and so on) | ₹50 crore

Source: Digital Personal Data Protection Act 2023, Schedule. Penalties are per violation and can compound across multiple violations arising from the same incident.

90-Day Action Plan for Clinics

  • Days 1–15: Data mapping — list every system holding patient data (EMR, WhatsApp, paper registers, lab software, billing) and what data each holds.
  • Days 16–30: Draft and publish a Patient Privacy Notice in plain language. Add it to your intake form, website, and WhatsApp registration flow. Appoint a Grievance Officer and publish their contact details.
  • Days 31–60: Audit consent collection. For existing patients, implement a re-consent workflow. For new patients, build consent into digital registration with timestamps.
  • Days 61–75: Implement security controls — encrypted storage, access logging, role-based access (only treating doctor sees full record), and a deletion policy aligned with MCI retention requirements.
  • Days 76–90: Set up a breach detection and notification procedure. Train reception staff on patient data rights requests. Test the 30-day response workflow with a simulated access request.
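
The controls in days 61–90 can be exercised end to end in a few dozen lines. The Python below is an added example written for this article, not CuraVerto's code or any real EMR: it implements role-based, treating-doctor-only access to a patient record, logs every read whether allowed or denied, answers a Right to Access request from that log, and runs one detection rule over the log (a user reading more distinct patients in ten minutes than a consultation session plausibly needs). Role names, field groups, user ids, sample patients and the 20-patient threshold are assumptions.

```python
"""Least-privilege record access with an audit log, a patient access request, and a
bulk-read detector over the log.

Added example for this article, not code from CuraVerto or any clinic product. Role
names, field groupings, user ids, sample patients and the 20-patients-in-10-minutes
threshold are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Field groups. Reception and billing never see clinical fields.
DEMOGRAPHIC = frozenset({"name", "phone", "address"})
CLINICAL = frozenset({"diagnosis", "medications", "lab_results"})
ROLE_FIELDS = {
    "reception": DEMOGRAPHIC,
    "billing": DEMOGRAPHIC,
    "doctor": DEMOGRAPHIC | CLINICAL,  # and only for patients this doctor treats
}


@dataclass(frozen=True)
class AccessLogEntry:
    at: datetime
    user: str
    role: str
    patient_id: str
    fields: tuple
    allowed: bool


class RecordStore:
    """In-memory stand-in for the EMR. Every read, allowed or denied, is logged."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}
        self._treating: dict[str, set] = defaultdict(set)
        self.log: list[AccessLogEntry] = []

    def add_patient(self, patient_id: str, record: dict, treating_doctor: str) -> None:
        self._records[patient_id] = dict(record)
        self._treating[patient_id].add(treating_doctor)

    def read(self, user: str, role: str, patient_id: str, fields, at: datetime) -> dict:
        permitted = ROLE_FIELDS.get(role, frozenset())
        if role == "doctor" and user not in self._treating.get(patient_id, set()):
            permitted = frozenset()  # a doctor who is not treating this patient sees nothing
        allowed = patient_id in self._records and set(fields) <= permitted
        self.log.append(AccessLogEntry(at, user, role, patient_id, tuple(fields), allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not read {sorted(fields)} of {patient_id}")
        return {f: self._records[patient_id][f] for f in fields}

    def access_request(self, patient_id: str) -> dict:
        """Right to Access: what is held about the patient and who has read it."""
        mine = [e for e in self.log if e.patient_id == patient_id]
        return {
            "fields_held": sorted(self._records.get(patient_id, {})),
            "read_by": sorted({e.user for e in mine if e.allowed}),
            "denied_attempts": sum(1 for e in mine if not e.allowed),
        }


def detect_bulk_access(log, max_patients: int = 20, window: timedelta = timedelta(minutes=10)):
    """Flag users who read more distinct patients inside `window` than one consultation
    session plausibly needs. Returns [(user, peak_distinct_patients)]: a cheap breach signal."""
    by_user = defaultdict(list)
    for e in log:
        if e.allowed:
            by_user[e.user].append(e)
    alerts = []
    for user, entries in by_user.items():
        entries.sort(key=lambda e: e.at)
        peak = 0
        for i, first in enumerate(entries):
            in_window = {e.patient_id for e in entries[i:] if e.at - first.at <= window}
            peak = max(peak, len(in_window))
        if peak > max_patients:
            alerts.append((user, peak))
    return alerts


# Constructed sample data (not real patients) for the scenario.
DEMO_START = datetime(2026, 5, 22, 9, 0, tzinfo=timezone.utc)


def ts(seconds: int) -> datetime:
    """Timestamp `seconds` after DEMO_START."""
    return DEMO_START + timedelta(seconds=seconds)


def build_demo_store() -> RecordStore:
    """Two patients, each with one treating doctor."""
    store = RecordStore()
    store.add_patient("P-1001", {"name": "A. Kumar", "phone": "98xxxxxx01", "address": "Pune",
                                 "diagnosis": "Type 2 diabetes", "medications": "metformin",
                                 "lab_results": "HbA1c 7.1"}, treating_doctor="dr_rao")
    store.add_patient("P-1002", {"name": "B. Iyer", "phone": "98xxxxxx02", "address": "Pune",
                                 "diagnosis": "hypertension", "medications": "amlodipine",
                                 "lab_results": "BP 150/95"}, treating_doctor="dr_sen")
    return store
```

Encryption at rest is deliberately left to the database or disk layer; what the application layer must get right is the authorisation check and the log, because the same log is the evidence behind a Right to Access response and behind the 72-hour breach report. `detect_bulk_access` is the simplest rule that would catch a staff member exporting the patient list for a pharma rep; a real deployment would add rules for after-hours reads and for reads of records with no appointment in the same week.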