Hospitals are exceptionally good at clinical protocol and often surprisingly weak at digital compliance protocol — and the Digital Personal Data Protection Act is exposing that gap fast. Here are five blind spots showing up repeatedly across Indian healthcare providers right now.
Gap one: assuming health data gets special treatment. It doesn't. The DPDP Act applies the same consent and security standard to a phone number as it does to a cancer diagnosis. Providers who assumed "medical" data would come with extra grace are discovering there isn't any.
Gap two: no clean separation between emergency and routine consent. The law's emergency exemption is real, but narrow — it covers genuine threat-to-life situations, not "we were too busy at the front desk to ask." Once a patient stabilizes, standard consent obligations kick back in, and plenty of hospitals have no process for making that switch.
Gap three: vendor sprawl. Billing agencies, diagnostic labs, cloud hosts, AI-based analytics tools — each one is a Data Processor your hospital remains accountable for. Most compliance teams can't currently produce a clean list of who has access to what.
Gap four: retention with no expiry logic. Records need to be erased once their purpose is served, subject to clinical retention laws — but "keep everything forever, just in case" is still the default setting in most hospital IT systems.
Gap five: children's health data treated like adult data. Pediatric platforms need verifiable parental consent and are barred from any behavioral tracking or targeted advertising aimed at minors — a rule a surprising number of child-health apps are quietly violating right now.
If any of these sound familiar, this detailed breakdown of medical data security obligations under the DPDP Act is a useful next read before your next compliance review.
Sign in to leave a comment.