DPDPA 2023 for Indian Clinics — What You Need to Do
India's Digital Personal Data Protection Act 2023 applies to every clinic that stores patient records digitally. Here's what it means in practice — consent, patient rights, breach notification, and the steps to take now.
India's Digital Personal Data Protection Act, 2023 (DPDPA) was enacted in August 2023. Its provisions take effect on dates notified by the Central Government, and the Rules that fill in the operational detail are still being finalised, but its scope is already clear: it applies to any entity that processes personal data in digital form within India (and to processing outside India connected with offering goods or services to people in India). If your clinic maintains digital patient records, even just appointment bookings and mobile numbers, the DPDPA applies to you.
This article explains what the Act requires of clinics in plain language, what you need to do now, and what your software vendor's responsibilities are under the Act.
What is the DPDPA 2023?
The Digital Personal Data Protection Act, 2023 is India's first comprehensive data protection legislation. It replaces the limited provisions that previously lived in Section 43A of the IT Act 2000 and the SPDI Rules 2011 made under it. The Act creates a structured framework for how personal data must be collected, stored, used, and protected, with enforceable rights for individuals and penalties for non-compliance.
For healthcare providers the Act is particularly relevant because patient information (names, mobile numbers, dates of birth, diagnoses, prescriptions, billing records) is personal data in digital form. Note that, unlike the older SPDI Rules, the DPDPA does not define a separate "sensitive personal data" category: health records carry the same statutory obligations as any other personal data. The harm a leaked diagnosis can cause is nonetheless far greater than a leaked mobile number, so in practice clinical data warrants your strongest safeguards.
Key terms you need to know
- Data Principal: The individual whose data is being processed — your patient.
- Data Fiduciary: The entity that determines the purpose and means of processing personal data — your clinic.
- Data Processor: An entity that processes data on behalf of the Data Fiduciary — your clinic management software provider (e.g. CareQ).
- Personal data: Any data about an identifiable individual. In a clinic context: patient names, mobile numbers, addresses, dates of birth, visit records, prescriptions, and billing details.
- Data Protection Board: The regulatory body established under the Act to handle breach notifications, complaints, and enforcement.
What the DPDPA requires from your clinic
1. Obtain valid consent before processing patient data
The DPDPA requires that you obtain free, specific, informed, unconditional, and unambiguous consent, given by a clear affirmative action, before collecting and processing a patient's personal data. (The Act also lists "certain legitimate uses" that do not need consent, including responding to a medical emergency that threatens life or health; for routine care, consent is the basis you should rely on.) For a clinic, this means:
- Displaying a clear notice at the point of registration explaining what data you collect, why you collect it, how it will be used, how the patient can exercise their rights, and how they can complain to the Data Protection Board.
- Obtaining the patient's consent through an affirmative action: a signature on a physical form or a checkbox on a digital intake form both work, but the checkbox must not be pre-ticked.
- Not making treatment conditional on consent to processing that treatment does not need (marketing, sharing with third parties). Consent for those purposes must be asked for separately and must be refusable.
- Keeping a record that consent was obtained, including when and for what purpose, and honouring withdrawal: a patient can withdraw consent as easily as they gave it, and you must then stop the processing that depended on it.
2. Process data only for the stated purpose
Data collected for the purpose of appointment booking and medical care may not be used for other purposes without separate consent. This means:
- You cannot use patient mobile numbers to send promotional messages without explicit marketing consent.
- You cannot share patient contact details with third parties (pharmaceutical reps, labs, insurance providers) without consent.
- Appointment reminders and health-related communications directly related to the patient's care are generally within scope of the original consent.
3. Maintain reasonable data security
The DPDPA requires Data Fiduciaries to implement "reasonable security safeguards" to prevent personal data breaches. For a clinic, this means:
- Using clinic management software that encrypts patient data at rest and in transit.
- Controlling who on your staff can access patient records (role-based access).
- Using strong passwords and not sharing login credentials.
- Deactivating accounts of staff who leave the clinic promptly.
- Not storing patient data in unsecured locations (unencrypted spreadsheets, WhatsApp groups, personal devices).
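The purpose limitation in section 2 and the role-based, per-clinic access controls in section 3 are policies that clinic software has to enforce in code, not just state in a document. The following is an added worked example, written for this article and not taken from CareQ or any other product, of what those two controls look like when enforced centrally. The role-to-field matrix, the `Purpose` and `Role` names, the sample patient and staff records, and the phone number are all constructed for the example. It shows that a marketing message is refused when the only consent on file is for care, that a receptionist cannot read a diagnosis, that a valid login at one clinic cannot read another clinic's patient, and that a deactivated account fails every check.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

class Purpose(str, Enum):
    CARE = "care"            # treatment, appointments, reminders about the patient's own care
    MARKETING = "marketing"  # promotional messages need their own, separate consent

class Role(str, Enum):
    DOCTOR = "doctor"
    RECEPTIONIST = "receptionist"

# Record fields each role may read. Hypothetical policy for this example, not any vendor's real matrix.
FIELD_ACCESS = {
    Role.DOCTOR: {"name", "mobile", "visits", "diagnosis", "prescriptions"},
    Role.RECEPTIONIST: {"name", "mobile", "visits", "billing"},
}

@dataclass
class Consent:
    purpose: Purpose
    given_at: datetime
    withdrawn_at: Optional[datetime] = None   # withdrawn consents stay on file as evidence

    def active_at(self, when: datetime) -> bool:
        return self.given_at <= when and (self.withdrawn_at is None or when < self.withdrawn_at)

@dataclass
class Patient:
    patient_id: str
    clinic_id: str
    record: dict
    consents: list = field(default_factory=list)

@dataclass
class StaffUser:
    user_id: str
    clinic_id: str
    role: Role
    active: bool = True   # set False when staff leave; every check below then fails closed

class AccessDenied(PermissionError):
    pass

def has_consent(patient: Patient, purpose: Purpose, when: Optional[datetime] = None) -> bool:
    """True only if a consent record for exactly this purpose is active at `when` (default: now)."""
    when = when or datetime.now(timezone.utc)
    return any(c.purpose == purpose and c.active_at(when) for c in patient.consents)

def _check_user(user: StaffUser, patient: Patient) -> None:
    """Deactivated accounts and cross-clinic access are refused before any field policy is consulted."""
    if not user.active:
        raise AccessDenied("account is deactivated")
    if user.clinic_id != patient.clinic_id:   # per-clinic isolation
        raise AccessDenied("patient belongs to another clinic")

def read_record(user: StaffUser, patient: Patient, fields: set) -> dict:
    """Return the requested fields, but only if the user's role may see every one of them."""
    _check_user(user, patient)
    blocked = fields - FIELD_ACCESS[user.role]
    if blocked:
        raise AccessDenied(f"role {user.role.value} may not read {sorted(blocked)}")
    return {f: patient.record[f] for f in fields if f in patient.record}

def send_message(user: StaffUser, patient: Patient, purpose: Purpose, text: str) -> dict:
    """A message goes out only under a purpose the patient has actively consented to."""
    _check_user(user, patient)
    if not has_consent(patient, purpose):
        raise AccessDenied(f"no active consent for purpose '{purpose.value}'")
    return {"to": patient.record["mobile"], "purpose": purpose.value, "text": text}

# Constructed sample data for the demo; not real patients, staff or phone numbers.
PATIENT = Patient("p-001", "clinic-A",
    {"name": "A. Sharma", "mobile": "+91-98xxxxxx01", "visits": ["2024-01-10"],
     "diagnosis": "seasonal allergy", "prescriptions": ["cetirizine 10mg"], "billing": {"total": 500}},
    consents=[Consent(Purpose.CARE, datetime(2024, 1, 10, tzinfo=timezone.utc))])  # care only, no marketing
RECEPTIONIST = StaffUser("u-recep", "clinic-A", Role.RECEPTIONIST)

def run_demo() -> dict:
    """Exercise each control once; returns which actions were allowed and which were denied."""
    cases = {
        "recep_reads_contact": lambda: read_record(RECEPTIONIST, PATIENT, {"name", "mobile"}),
        "recep_reads_diagnosis": lambda: read_record(RECEPTIONIST, PATIENT, {"diagnosis"}),
        "other_clinic_doctor": lambda: read_record(StaffUser("u-doc-b", "clinic-B", Role.DOCTOR), PATIENT, {"name"}),
        "ex_staff": lambda: read_record(StaffUser("u-left", "clinic-A", Role.DOCTOR, active=False), PATIENT, {"name"}),
        "care_reminder": lambda: send_message(RECEPTIONIST, PATIENT, Purpose.CARE, "Follow-up tomorrow at 10am"),
        "promo_message": lambda: send_message(RECEPTIONIST, PATIENT, Purpose.MARKETING, "20% off health checks"),
    }
    results = {}
    for label, action in cases.items():
        try:
            action()
            results[label] = "allowed"
        except AccessDenied:
            results[label] = "denied"
    return results
```

Two design choices matter here. Every check raises rather than silently returning less data, so a caller can never mistake a policy failure for an empty record, and the consent record keeps `withdrawn_at` instead of deleting the row, so you can still show that consent existed when a reminder was sent last year even though the patient has since withdrawn it. Calling `run_demo()` returns `allowed` only for the receptionist reading contact details and for the care reminder; every other case is denied.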
4. Respond to patient rights requests
Under the DPDPA, your patients have the following rights:
- Right to access: A patient can ask for a summary of the personal data your clinic holds about them, what you do with it, and which other organisations (labs, your software vendor) it has been shared with. You must provide this information.
- Right to correction: A patient can ask you to correct inaccurate or incomplete data, or to update it.
- Right to erasure: A patient can request deletion of their data, and you must comply unless retaining it is necessary for the purpose it was collected for or is required by law. Clinical records you are obliged to keep under healthcare regulations fall into that exception; you may need legal advice on specific cases, and you should document why any record is retained after an erasure request.
- Right to grievance redressal: Patients must have a readily available way to raise complaints about how you handle their data, and you must respond within the period the Rules prescribe before they can escalate to the Board.
- Right to nominate: A patient can nominate another person to exercise these rights on their behalf if they die or become incapacitated.
5. Report data breaches to the Data Protection Board
If a personal data breach occurs, for example patient records are accessed without authorisation, or a device containing patient data is lost, the Act requires you to notify both the Data Protection Board and each affected patient. Unlike some overseas regimes, the obligation to tell patients is not limited to breaches likely to cause harm. Notification is "in such form and manner as may be prescribed": the specific form and timeline are being defined in the Rules currently being drafted.
In practice: investigate any suspected breach immediately, document what happened, when, and what data and which patients were affected, notify the affected patients, and be prepared to report to the Board in the prescribed form. Your clinic management software provider should also notify you within 72 hours of any breach on their platform that involves your clinic's data, since you cannot meet your own obligation if you learn of it late.
What your software provider's responsibilities are
Your clinic management software provider is a Data Processor under the DPDPA. They process patient data on your behalf, storing records, sending WhatsApp notifications, processing payments. The Act places responsibility for compliance on you as Data Fiduciary regardless of any arrangement with a processor, so these obligations reach your vendor through your contract with them (a Data Processing Agreement), and it is on you to get them in writing. Your vendor must:
- Process patient data only on your instructions, not for their own purposes.
- Maintain security measures that meet the Act's requirements.
- Not engage sub-processors without informing you.
- Help you respond to patient rights requests (data exports, corrections, erasure).
- Notify you promptly of any breach involving your patients' data.
- Delete or return patient data at the end of the service relationship.
Before choosing or continuing with a clinic management platform, verify that they can address these points. Ask specifically: Where is patient data stored (India or overseas)? Can I export all patient data? What is their breach notification process?
DPDPA vs HIPAA — why it matters for Indian clinics
Many clinic software vendors in India describe themselves as "HIPAA-compliant". HIPAA is a US federal regulation — the Health Insurance Portability and Accountability Act — that applies to US healthcare providers and their business associates. It is not applicable law for Indian clinics treating Indian patients.
HIPAA-aligned security practices (encryption, access controls, audit logging, breach notification) are good practices that align well with what the DPDPA also requires. But citing "HIPAA compliance" does not substitute for DPDPA compliance. When evaluating software, look for explicit DPDPA 2023 acknowledgement, not just HIPAA alignment.
Penalties for non-compliance
The DPDPA establishes a tiered penalty structure in its Schedule: up to ₹250 crore for failing to maintain reasonable security safeguards, up to ₹200 crore for failing to notify the Board or affected individuals of a breach, and up to ₹50 crore for other breaches of the Act. Penalties are set by the Board after an inquiry, taking into account the nature and gravity of the breach. While enforcement is still developing and the Rules are being finalised, the direction is clear: treating DPDPA compliance as optional is a meaningful legal risk.
Practical checklist for clinic owners
| Action | Status |
|---|---|
| Create a patient consent notice and display it at reception | To do |
| Add a consent acknowledgement step to your patient registration process | To do |
| Designate a contact email for data rights requests | To do |
| Confirm where your clinic software stores patient data (the Act restricts transfers only to countries the government notifies, but you must know where the data is) | To do |
| Confirm your clinic software can export patient data on request | To do |
| Enable role-based access — staff should see only what they need | To do |
| Remove ex-staff accounts promptly | Ongoing |
| Stop storing patient data in unencrypted spreadsheets or WhatsApp groups | To do |
How CareQ supports your DPDPA obligations
CareQ is built for Indian clinics and is designed around DPDPA 2023 compliance as the primary framework:
- Patient data is stored in India, encrypted at rest and in transit.
- Role-based access control — receptionist, doctor, owner, and read-only roles with per-clinic isolation.
- Full patient data export available on request to support access right responses.
- 72-hour breach notification commitment to affected clinics.
- Data Processing Agreement available on request (contact info@amdcode.com).
DPDPA compliance is ultimately your clinic's responsibility — CareQ provides the platform safeguards and assists with the technical side. The consent notice, staff training, and patient rights process are yours to implement. The checklist above is a good place to start.
Everything in this guide is built in
Start your free 14-day trial — no credit card, setup in under 10 minutes.