DPDP Act 2023 · Digital Personal Data Protection
Maximum fine
250 Cr
Per incident · Schedule I, §33 · not a cap

India's first comprehensive data privacy law holds every clinic accountable.

The Digital Personal Data Protection Act 2023 is in force. Enforcement and fines begin 13 May 2027. Most clinics have not taken a single compliance step.

Read what it means for your practice
The Act
India's first law that gives patients legal rights over their digital health data.

The Digital Personal Data Protection Act 2023 was passed in August 2023 and establishes the first comprehensive legal framework for data privacy in India. For clinics and healthcare providers, it creates mandatory obligations around how patient data is collected, stored, used, shared, and deleted.

Under the Act, your patients become Data Principals (they have legal rights over their data). Your clinic becomes a Data Fiduciary (you are legally responsible for protecting it). There is no opt-out and no minimum size threshold. A solo GP practice has the same obligations as a 500-bed hospital.

Passed August 2023 · Enforcement rules notified 2024–25
Applies to all digital personal data of Indian residents
Health data is classified as Sensitive Personal Data, the highest protection tier
Your clinic is a Data Fiduciary from day one, regardless of size
The consequences

Non-compliance is not a paperwork problem.

The Data Protection Board of India will have the power to levy these fines from the date of enforcement. They apply per incident, not per year.

Security failures
250 Cr

Failure to implement reasonable security safeguards, including inadequate access controls, unencrypted patient records, or insecure third-party integrations.

Breach notification
200 Cr

Failure to notify the Data Protection Board and affected patients within 72 hours of a confirmed data breach.

Children's data violations
200 Cr

Processing data of patients under 18 without verified parental consent, or without the heightened protections required under §9.

Data rights violations
10,000 per patient

Failure to respond to a patient's rights request (access, correction, or erasure) within the prescribed timeline.

Scope
If you collect patient data digitally, this law applies to you.
General Practice / OPD
Dental clinics
IVF & Fertility clinics
Multi-specialty hospitals
Diagnostic centres
Teleconsultation platforms
Physiotherapy clinics
Pharmacy chains
Ayurveda & wellness clinics

Exemptions exist only for personal use, certain government processing, and pre-digitisation records. A clinic that uses any software (EMR, billing, WhatsApp) is within scope.

What it requires

Seven things the Act requires your clinic to do.

These are legal obligations, not best-practice suggestions. Each gap is an independent ground for a fine.

01
Written notice before any data collection

Before you collect a patient's name, phone number, or health information, you must give them a written notice specifying exactly what data you are collecting, why, and for how long. The notice must be in plain language. A form saying "I agree to terms" is not sufficient.

Mandatory, no exceptions
02
Purpose-specific, granular consent

You must get separate consent for each distinct use of patient data. Consent for treatment does not cover referrals. Consent for referrals does not cover marketing. A single blanket consent form covering all uses violates the Act.

Mandatory, no exceptions
03
Patient access within 48 hours

Any patient can formally request a copy of all personal data you hold on them. You must produce it within 48 hours. You need a documented process, not just the intention to comply, because you will need to prove it in the event of an audit.

Enforcement risk: high
04
Data deletion on request

Patients have the right to request erasure of their data once your treatment relationship ends. Clinical records must be retained for 3 years under MCI guidelines; all other data (contact details, billing history, communications) must be deletable on request.

Enforcement risk: high
05
Written data retention & deletion policy

You must have a documented policy specifying retention periods for each type of patient data. When data has served its purpose, it must be deleted, not archived indefinitely. "We never delete anything" is a compliance failure.

Enforcement risk: medium
06
Data Processing Agreements with every third party

Every lab, pharmacy, insurance company, and software vendor that receives patient data from you must sign a Data Processing Agreement. You remain liable for how they handle the data you share. "We trust them" is not a legal defence.

Mandatory, no exceptions
07
72-hour breach notification capability

If you experience a data breach (leaked patient records, hacked EMR, lost device), you must notify the Data Protection Board within 72 hours. This requires a written incident response plan in place before the breach happens, not after.

Mandatory, time-critical
Questions clinics ask

DPDP Act FAQs for clinics & hospitals

Plain-language answers to the questions doctors and practice managers ask most about the Digital Personal Data Protection Act 2023.

What is the DPDP Act 2023?
The Digital Personal Data Protection Act 2023 is India’s first comprehensive data privacy law, passed in August 2023. It gives individuals legal rights over their personal data and makes any organisation that handles that data — including every clinic and hospital — a legally accountable Data Fiduciary.
Does the DPDP Act apply to small clinics and individual doctors?
Yes. The Act sets no minimum-size threshold. A solo GP practice carries the same core obligations as a 500-bed hospital. If you collect any patient data digitally — through an EMR, billing software, or even WhatsApp — your clinic is a Data Fiduciary and falls within scope.
What are the penalties for DPDP non-compliance for a clinic?
Penalties are set in the Act’s Schedule and apply per incident, not per year. Failing to maintain reasonable security safeguards can attract up to ₹250 crore. Failing to notify a data breach, or to protect children’s data, can each attract up to ₹200 crore.
When does DPDP enforcement begin in India?
The Act is already in force, but the Data Protection Board of India’s power to investigate clinics and levy fines begins 13 May 2027. Clinics that prepare before that date have adequate time; clinics that wait until notices arrive do not.
Is patient health data covered under the DPDP Act?
Yes. Any digital personal data of a patient — name, phone number, diagnosis, prescription, or billing record — is covered. Because health information is among the most sensitive data a clinic holds, regulators are expected to scrutinise medical Data Fiduciaries closely.
What does a clinic need to do to comply with the DPDP Act?
Core duties: give patients a plain-language notice before collecting data, obtain purpose-specific consent, honour access and erasure requests, sign Data Processing Agreements with every vendor, keep a written data-retention policy, and be able to report a breach to the Board within 72 hours.
What is a Data Fiduciary under the DPDP Act?
A Data Fiduciary is any person or organisation that decides why and how personal data is processed. Your clinic becomes a Data Fiduciary the moment it collects patient data, making it legally responsible for protecting that data and for proving compliance during an audit.
Do I need patient consent to store medical records under DPDP?
Yes, with limits. You must give notice and obtain consent for each distinct purpose — treatment, referrals, and marketing each need separate consent. Clinical records you are legally required to retain, for example under medical-council guidelines, may be kept for the mandated period.
How can a clinic check if it is DPDP-ready?
CuraVerto offers a free DPDP Readiness Check: 14 clinic-specific questions that produce a personalised report and prioritised action list in about five minutes, with no login required. It shows exactly which obligations your practice has met and which still carry risk.
Not sure where your clinic stands? Run the free readiness check →
Enforcement begins
13 May 2027

On 13 May 2027, the Data Protection Board of India becomes fully empowered to investigate clinics, levy fines, and order remediation. Clinics that act now have adequate time. Clinics that wait until notices arrive do not.

Check your clinic's readiness in 5 minutes →
Free, always
No login required
14 questions, clinic-specific
Personalised report with action list
Enforcement: 13 May 2027 · Fines up to ₹250 crore · Every clinic is affected
Check your clinic's readiness →