Indian healthcare gets privacy backbone, but devil is in details

Tishampati Sen and Harsh Mahajan
December 29, 2025, 07:23 AM IST (first published on Dec 29, 2025 at 07:22 AM IST)

The recently notified Digital Personal Data Protection Rules, 2025, have brought into effect parts of the DPDP Act, 2023, and have started the timer for the other provisions of the Act to kick in. This is, arguably, the most significant privacy reform since the IT Act, 2000. The DPDP Act, along with the Rules, aims to foster respect for individual rights and data accountability.

It will impact the healthcare sector in a big way. As with most ambitious reforms, the devil lurks in the details. The Act elevates every clinic, hospital, lab and telemedicine app to the category of “data fiduciary”. It does not differentiate between a large hospital, a small clinic, a large corporation or a start-up. Any personal data in digital form, or in non-digital form and digitised later, is subject to the Act (unless it falls within the limited exceptions in Section 3(c) of the Act). Patients become “data principals” with rights to access, correct and even erase their medical information. On paper, this is empowering. In practice, Indian healthcare now finds itself navigating a maze where the law is clear about duties but vague about boundaries.

Anyone who has signed a hospital consent form knows that it is quite often an exercise in blind faith rather than informed choice. The DPDP Act forces transparency into such a system. Yet consider the emergency ward. Patients don’t arrive seeking privacy statements — they arrive seeking survival. Thankfully, the Act acknowledges this reality by permitting processing without consent during medical emergencies and public health crises. But ambiguities remain: post-operative ICU care, chronic illnesses and follow-up regimens are untouched by the Act. Consent architecture may need to be redesigned to cover these grey zones.

The Act, with the laudable objective of minimising data collection and retention, gives the individual wide latitude to withdraw consent or to seek deletion of data. While this may be appropriate for sectors such as online gaming or e-commerce, it creates complications for healthcare. If a patient withdraws consent, or requests erasure of personal data, the fiduciary is bound to delete that data and stop “processing” it. However, who then takes responsibility for the treatment and health of such a patient? The Act does warn the data principal that the individual will bear the consequences of withdrawing consent. But it is worth remembering that the DPDP Act does not take away the legal obligations of the healthcare sector.

The definition of “processing” in the Act includes “erasure” and “destruction”. A conservative reading would suggest that even to delete personal data, the data fiduciary would need the data principal’s consent. Without such permission, how long would a healthcare participant, a nursing home for example, be required to retain patient data? Schedule III of the Rules lists sectors for which data retention timelines are prescribed. Healthcare is absent from those timelines. A patient’s medical records are lifelines, often needed years after treatment. By not specifying retention norms for medical data, the Rules inadvertently leave hospitals guessing, lawyers busy and patients potentially unprotected.

Section 5(2) of the Act requires that, for data collected prior to the commencement of the Act, the data fiduciary give notice to data principals “as soon as it is reasonably practicable” regarding their rights. While the phrase “reasonably practicable” may provide some comfort to hospitals and clinics, there is no ceiling on how far back such a look-back applies. Without clarification, it may well mean that all data in digital form, irrespective of how long ago it was collected, would have to be brought within the Act’s scope.

Despite these gaps, the law is a serious attempt at giving Indian healthcare a privacy backbone. It tells patients: your data is a right. It tells providers: your duty of care includes digital care. Some provisions need revisiting. Healthcare possibly deserves a sector-specific rulebook, not because it is burdensome, but because it is too consequential to be lumped together with online commerce and gaming companies.

Sen is an advocate at the Supreme Court; Mahajan is founder and chief radiologist, Mahajan Labs, and mentor, health sector, FICCI.