
Clinics to Clouds: Navigating Privacy Compliance in India’s Health-Tech Boom
India’s health-technology ecosystem is expanding rapidly, driven by rising digitization of healthcare and the growing demand for data-enabled healthcare services. Wearable devices and cloud-based electronic health record (EHR) platforms now form the backbone of this shift by enabling continuous monitoring, remote care, and interoperable clinical workflows.
These technologies reflect the sector’s shift toward data-centric care delivery, but they also amplify concerns around data security, patient consent, and regulated use of sensitive health information. This shift affects all stakeholders. Patients increasingly generate health data through devices and applications, gaining greater visibility over their health while also facing heightened risks of misuse and exposure of deeply personal information. Healthcare providers rely on digital systems to deliver efficient and timely care, making data security and access controls critical to patient safety and trust. Health-tech companies, in turn, occupy a central role, aggregating and analysing health data at scale, often across multiple platforms and vendors.
The need of the hour is responsible innovation anchored in respect for patient data. Health data is uniquely sensitive, and its misuse can cause lasting harm. Building trust in digital healthcare therefore requires transparency and strong security safeguards. Against this backdrop, India’s evolving data-protection framework plays a pivotal role in shaping responsible innovation in the health-tech sector.
I. Data Privacy Regulations
India’s data-protection landscape for health-tech is evolving from a narrow protection regime under the SPDI Rules to a comprehensive rights-based framework under the Digital Personal Data Protection Act (DPDP) and its recently enacted rules.
Prior to the DPDP Act, health-related information was primarily governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), which applied only to body corporates. Under the SPDI Rules, entities were required to implement “reasonable security practices”, a standard that was not sufficient for sensitive data types such as health and biomedical data.
The regime lacked a detailed framework for rights, accountability, and enforcement, which left significant gaps for data-intensive health-tech services.
Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023 (DPDP Act) and the Digital Personal Data Protection Rules, 2025 (Rules) have been recently notified in India and provide a comprehensive law regulating personal data, including health data.
The DPDP Act applies to “personal data” if it is digital personal data processed within India, or personal data processed outside India in connection with offering goods or services to individuals in India. It also applies to personal data originally collected in non-digital form and subsequently digitized. It does not apply to data processed for purely personal or domestic purposes, or to personal data expressly made publicly available by the individual.
The key stakeholders under the DPDP Act and Rules are –
i. Data Principal: The individual to whom the data relates.
ii. Data Fiduciary: Entity determining purpose and means of processing (e.g., hospital, EHR provider, wearable manufacturer).
iii. Data Processor: Processes data on behalf of the Data Fiduciary.
iv. Significant Data Fiduciary: High-impact entities designated by the Government, subject to enhanced duties.
While the DPDP Act and Rules have been notified, they will be brought into force in a phased manner, and their implementation remains to be seen.
Impact on the Health-Tech Industry
The obligations prescribed under the DPDP Act and Rules translate into concrete operational requirements that must be strictly complied with by health-tech companies as provided below:
i. Notice and Consent
Health-tech platforms, as data fiduciaries, must provide notice to and obtain consent from the patient or user, who will be the data principal. The notice should elaborate on what kind of personal data will be processed, for what purpose, and the rights and grievance mechanisms available to the patient. This should be done at the time of obtaining consent.
Additionally, the consent obtained from the patient or user must be free, specific, informed, unambiguous, and given through clear affirmative action. In the context of wearables and health apps, this requires explicit, purpose-bound consent rather than bundled acceptance through generic terms of service. Upon withdrawal of consent, health-tech companies must cease processing and ensure deletion of personal data within a reasonable time, unless retention is required under applicable laws.
The DPDP Act recognizes the sensitive nature of health data and permits processing of such data without explicit consent in limited circumstances, such as medical emergencies involving threat to life or immediate health risk, and public health situations such as epidemics, disease outbreaks, other health threats where timely treatment requires rapid data use.
ii. Treatment of Health Data of Children and Persons with Disabilities
For data fiduciaries such as health-tech platforms, the DPDP Act and the Rules set out certain obligations and exemptions for processing the personal data of children and persons with disabilities. Verifiable consent from a parent or guardian must be obtained. However, clinical establishments and healthcare professionals may process such data to the extent necessary to provide health services, for example in emergency paediatrics, tele-ICU platforms, and digital triage systems.
iii. Obligations of Data Fiduciaries
The DPDP Act and Rules require data fiduciaries, such as health-tech companies, to implement reasonable technical and organizational security measures to prevent personal data breaches, with the adequacy of safeguards assessed against the nature of data, purpose of processing, and risk of harm to the patient/user of a platform.
These security measures include:
- Encryption, tokenization, masking, or obfuscation of health data;
- Role-based access controls and secure authentication for clinical, technical, and administrative users;
- Audit trails and system logs to detect unauthorized access, retained for at least one year as mandated under the Rules;
- Documented information-security policies and internal access protocols;
- Periodic security assessments, vulnerability testing, and internal audits;
- Training of clinicians, engineers, and support staff handling digital health data.
Data fiduciaries are also responsible for notifying the Data Protection Board and each affected data principal in the form and manner as prescribed in Rules in the event of a personal data breach. The data fiduciary must also ensure compliance with the DPDP Act for any data processed by itself or by a data processor on its behalf, irrespective of any agreement to the contrary.
II. Challenges
a. Uniform Treatment of All Personal Data – The DPDP Act does not distinguish sensitive health data from other personal data, creating a single compliance standard. This places a heavier burden on smaller hospitals, diagnostic centres, and health-tech entities that must apply strict requirements even to routine clinical information.
b. Limited Processor Dependency Risks – Modern health-tech ecosystems rely extensively on third-party vendors and infrastructure providers. While data processing is often outsourced, the DPDP Act places full accountability on the data fiduciary for ensuring consistent security standards, breach preparedness, and deletion obligations. This can be challenging for health-tech entities engaging multiple processors.
c. Uncertainty in Cross-Border Data Transfers – The Government may restrict cross-border transfers of data, leading to disruption of clinical trials, pharmacovigilance, and international research collaborations. Health-tech firms using global cloud services may face operational hurdles.
d. Burden of Significant Data Fiduciary Classification – Large-scale health-tech and pharma entities could be designated as significant data fiduciaries, triggering additional obligations such as audits and Data Protection Officer requirements. However, the absence of clear thresholds for designation creates uncertainty in compliance planning and resource allocation.
III. Recommendations
While the manner of implementation of the DPDP Act and Rules will be staggered, we recommend that health-tech entities put in place mechanisms for compliance. This includes appropriate notice and consent practices along with stringent implementation of the reasonable security measures prescribed under the DPDP Act and Rules.
They should also establish clear breach response and grievance redressal mechanisms by developing internal processes for incident detection, escalation, and documentation to reduce harm. Additionally, health-tech platforms should invest in training clinicians, support staff, and IT teams on their respective duties, consent protocols, and proper handling of digital health records to ensure compliance with the DPDP Act.
The DPDP Act and Rules establish a modern, unified framework to govern digital personal data, requiring data fiduciaries like health-tech entities to adopt structured consent processes, enhanced security measures, and clearly defined protocols for emergencies and cross-border transfers. While challenges remain, particularly around operational clarity and flexibility for small-scale entities, the DPDP Act pushes this sector toward higher standards of accountability.
Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.