The Impact of the DPDP Act, 2023, and India’s Sectoral Healthcare Regulations

December 18, 2025


Introduction
India’s healthcare system has a plethora of rules that regulate the flow of patient data. The DPDP Act 2023, the Clinical Establishments Act 1970, the Mental Healthcare Act 2017, the IRDAI Regulations, and the National Commission for Allied and Healthcare Professions (NCAHP) Act 2021 all apply to records created during a single hospital visit. This complicated regulatory structure is both a challenge and an opportunity. Hospitals that can manage this convergence gain a competitive edge, while those that work in silos face fragmentation, compliance gaps, and a loss of patient trust. 

Why privacy has significance in healthcare 

Patient privacy is the foundation of trust. When patients provide their health information, they expect it to be kept private, secure, and handled with respect. A privacy violation does not just reveal embarrassing information; it can also deter people from seeking care. Patients who fear that their information may be misused or judged often hide symptoms, withhold information, and refrain from asking for help. Such conduct directly harms public health and therapeutic outcomes. India’s regulatory strategy, which has evolved over the past thirty years, recognises this. The DPDP Act of 2023 puts this principle into action at the national level, while sectoral frameworks supply domain-specific guidelines.

The DPDP Act, 2023: The Overarching Framework 

The DPDP Act establishes consent-driven, rights-based data protection across all sectors. Key provisions impacting healthcare are as follows: 

  • Sections 4 & 5: Consent and Transparency. Hospitals must obtain explicit, informed consent before collecting, processing, or sharing patient data. The DPDP Rules 2025, Rule 3 defines that “verifiable consent” notices must be independent, in plain language, itemising what data is collected and precisely how it’s used. Generic blanket consent is insufficient. 
  • Section 8: Fiduciary Duty. Healthcare providers become data fiduciaries, bearing trustee responsibility. Rule 6 mandates “reasonable security safeguards”: encryption, multi-factor authentication, role-based access controls, audit logging for one year, and annual vulnerability assessments. Data processors (cloud vendors, EMR providers) must contractually commit to the same standards. 
  • Section 9(4) & Rule 12: Child Data. Clinical establishments can process a child’s health data without parental consent “to the extent necessary for protection of health”, which is critical for emergency paediatric care. This acknowledgement of medical necessity strikes a balance between privacy and the protection of life. 
  • Section 8(6) & Rule 7: Breach Notification. Hospitals must notify affected patients and the Data Protection Board of India within 72 hours of discovering a breach, providing a detailed description of its nature, extent, likely consequences, and mitigation measures. This clause transforms breach response from an IT incident to a regulatory mandate. 
  • Sections 11-14 & Rule 14: Patient Rights. Patients can access records, correct inaccuracies, withdraw consent, and file grievances within 90 days. Hospitals must establish patient portals and grievance systems operationalising these rights.  

NCAHP Act 2021: Regulating Allied Healthcare Professionals 

The NCAHP Act gives the National Commission for Allied and Healthcare Professions the power to oversee physiotherapists, nurses, technicians, and paramedics. Although focused on professional standards, it significantly affects DPDP compliance. The Act requires online state and central registers of qualified practitioners. This public information supports credential verification and transparency for patients. When checking a practitioner’s credentials, patients can view personal information that is protected by DPDP, including registration numbers, qualifications, and institutional affiliations. Allied health institutions must therefore clearly define their consent protocols; patients may verify credentials without the institution needing separate consent for that data processing. 

For instance, the NCAHP 2025 professional conduct codes mandate confidentiality. This follows the rules for processing data set by DPDP and the NCAHP’s code of ethics.

Mental Healthcare Act 2017: Double-Consent Complexity 

The Mental Healthcare Act (MHCA) 2017 gives people with mental illness the right to confidentiality regarding their mental health, care, treatment, and physical health (Section 23(1)). It predates DPDP by six years but aligns with it philosophically. The intersection of the two, however, makes consent more complex. Mental health service providers already deal with MHCA consent rules for treatment, nominations, and guardianship. The DPDP Act introduces a distinct layer: consent for data processing, separate from therapeutic consent. Digital mental health platforms are under particular pressure: telemedicine consultations require consent for audio/video recording (DPDP), consent for treatment (MHCA), and consent for data retention and sharing (DPDP Rules). This triumvirate is demanding, but important, because mental health data is highly sensitive. Patients also have the right to access their medical information and to appoint representatives under MHCA Section 22. DPDP strengthens this by giving people the right to access, correct, and erase their data. Convergence is necessary: mental health professionals must design consent processes that satisfy both frameworks.

Clinical Establishments Act 1970: Foundational Record-Keeping 

The Clinical Establishments Act requires hospitals to keep medical records secure and for a defined period. In the past, this was a matter of operational housekeeping. DPDP reframes it as the basis for lawful data processing. The Act sets minimum retention periods: inpatient records for five years and outpatient records for three years. DPDP now requires that retention durations be tied to a purpose and be justifiable. A hospital cannot keep records indefinitely “just in case.” It must set retention limits for legal defence (7 years after discharge) and continuity of treatment (5 years). Deletion is required once the retention period has expired. 

Purpose limitation becomes very important. In the past, the Clinical Establishments Act treated all medical information as a single category. DPDP requires specific purposes for data: diagnosis, treatment, billing, insurance claims, research, and quality assurance. Each of these needs separate consent and a justified basis for retention. Without clear permission for that specific use, a diagnostic facility cannot keep samples for “future testing.” 

IRDAI Regulations: Insurance Data Governance 

The Insurance Regulatory and Development Authority has rigorous rules for network providers, insurers, and TPAs. Regulation 35(c) of the IRDAI Health Insurance Regulations 2016 requires that policyholder information be kept confidential. Most significantly, the IRDAI TPA Regulations 2016 prohibit TPAs from sharing customer data unless a court order, a government inquiry, an IRDAI investigation, or a regulatory requirement compels it. DPDP adds that insurers must obtain verifiable consent before sharing health information with TPAs for claims, case management, or fraud detection. 

The impact on data sharing is significant. Insurers used to draw on hospital data to settle claims; now they need the patient’s permission. Hospitals must tell patients that submitting a claim means sharing data with TPAs. Patients can refuse that sharing and settle the bill themselves. Consent granularity can slow workflows, but it safeguards patients’ rights. 

Sectoral Data Trade Implications 

  • Processing Insurance Claims: Hospitals send patient information to insurers through TPAs. DPDP requires patient consent that clearly states what data is shared, how insurers use it, and how long they keep it. Patients can refuse, but they will then have to pay the claim themselves. This shifts power from hospitals and insurers to patients, which complicates workflows but respects patient autonomy. 
  • Research and Epidemiology: In the past, hospitals used de-identified data for research without obtaining permission first. DPDP requires consent for the use of research data, even when de-identified. Explicit consent mechanisms are needed for public health programmes that track diseases. This slows research timetables but protects individual rights. 
  • Cross-Border Data Transfer: Large hospital groups that work with hospitals in other countries must follow DPDP rules when they send data across borders. The Act only allows transfers to countries that India’s government has notified, and only a few nations are currently notified. Medical tourism, foreign consultations, and cloud storage in non-notified jurisdictions become complicated. 
  • Telemedicine and Data Residency: Telemedicine services that store data on overseas cloud servers face legal uncertainty. The DPDP and SPDI Rules stress data localisation. Many platforms use AWS, Google Cloud, or Azure with Indian data centres, but this requires deliberate architectural choices and contractual guarantees. 

Practical Compliance Roadmap 

  • For Hospitals: Audit data flows across EMRs, pathology systems, billing, insurance, ABDM, and telemedicine. Use granular consent documents that separately state the treatment, billing, research, and insurance purposes. Revise record-retention rules to reflect both legal requirements and clinical necessity. Ensure that data breach response plans meet the 72-hour notification deadline. 
  • For Mental Health Professionals: Use dual-consent frameworks that address the requirements of the MHCA and the DPDP independently. Teach clinicians the difference between consent for clinical care and consent for data processing. Provide ways for patients to revoke consent, retrieve their data, and file complaints through the patient portal. 
  • For Diagnostic Labs: Obtain explicit patient consent for sample retention, future testing, and research use, where applicable. Set up secure sample-destruction procedures that honour DPDP deletion rights. Make clear how data will be shared with hospitals and insurers. 
  • For Insurance TPAs: Obtain consent before collecting health data from hospitals. Put vendor agreements in place with hospitals that require DPDP-compliant data handling. Monitor access logs and breach risks. 
  • For Lawyers and Privacy Experts: Instead of treating DPDP compliance as a separate legal project, healthcare organisations should embed it in their enterprise risk framework. They should also map their obligations under the DPDPA 2023 against sectoral laws such as the MHCA 2017, the Clinical Establishments Act 2010, the NCAHP Act 2021, and the IRDAI health/TPA regulations. Work with CISOs and DPOs to create a single compliance plan covering data mapping, DPIAs, cross-border transfer assessments, and data processing agreements. Also, set up governance forums where legal, clinical, and IT leaders regularly review breaches, regulator guidance (including the DPDP Rules 2025), and evolving case law, so that privacy programmes stay current rather than becoming static documents. 

Conclusion 

The DPDP Act is the overture, and the sectoral laws are the individual movements. Together, they make up India’s healthcare privacy framework. The DPDP Act 2023, DPDP Rules 2025, NCAHP Act 2021, Mental Healthcare Act 2017, Clinical Establishments Act 1970, and IRDAI Regulations work together to create a system in which gaps create liability and alignment builds confidence. Healthcare organisations that embrace this complexity by mapping data flows, implementing granular consent, training personnel, and embedding privacy-by-design into operations will be at the forefront of India’s digital health transformation. Those that treat DPDP as a checkbox risk fragmentation and exposure to breaches. Privacy, patients, and accountability for all parties will shape the future of healthcare in India. 
