5 Compliance Gaps Hospitals Don't Know They Have Under the DPDP Act

5 Compliance Gaps Hospitals Don't Know They Have Under the DPDP Act

Hospitals are exceptionally good at clinical protocol and often surprisingly weak at digital compliance protocol — and the Digital Personal Data Protection A...

Nitin Roy
Nitin Roy
2 min read

Hospitals are exceptionally good at clinical protocol and often surprisingly weak at digital compliance protocol — and the Digital Personal Data Protection Act is exposing that gap fast. Here are five blind spots showing up repeatedly across Indian healthcare providers right now.

Gap one: assuming health data gets special treatment. It doesn't. The DPDP Act applies the same consent and security standard to a phone number as it does to a cancer diagnosis. Providers who assumed "medical" data would come with extra grace are discovering there isn't any.

Gap two: no clean separation between emergency and routine consent. The law's emergency exemption is real, but narrow — it covers genuine threat-to-life situations, not "we were too busy at the front desk to ask." Once a patient stabilizes, standard consent obligations kick back in, and plenty of hospitals have no process for making that switch.

Gap three: vendor sprawl. Billing agencies, diagnostic labs, cloud hosts, AI-based analytics tools — each one is a Data Processor your hospital remains accountable for. Most compliance teams can't currently produce a clean list of who has access to what.

Gap four: retention with no expiry logic. Records need to be erased once their purpose is served, subject to clinical retention laws — but "keep everything forever, just in case" is still the default setting in most hospital IT systems.

Gap five: children's health data treated like adult data. Pediatric platforms need verifiable parental consent and are barred from any behavioral tracking or targeted advertising aimed at minors — a rule a surprising number of child-health apps are quietly violating right now.

If any of these sound familiar, this detailed breakdown of medical data security obligations under the DPDP Act is a useful next read before your next compliance review.

More from Nitin Roy

View all →

Similar Reads

Browse topics →

More in Health

Browse all in Health →

Discussion (0 comments)

0 comments

No comments yet. Be the first!