India’s healthcare ecosystem is rapidly digitizing through EHRs, telemedicine, health apps, and initiatives like ABDM. As a result, patient data no longer stays within a single system it continuously flows across hospitals, labs, insurers, clinical research organizations, pharmacies and digital platforms.
While this model is built on consent, the reality is more complex. Consent is often taken once, but data continues to move across multiple entities, creating a gap between consent and actual control under the DPDPA.
In this interconnected environment, accountability is fragmented sometimes unclear, visibility is limited, and enforcing purpose limitation becomes difficult. Data is shared through APIs and platforms with limited auditability.
This blog will examine how healthcare has become a complex and dynamic data processing ecosystem, where traditional governance mechanisms may not be sufficient, and what organizations must do to move from a one-time fix to continuous and evolving data governance structure.
Patient Data Never Stays Still: Rethinking DPDPA in Healthcare
India's healthcare sector is currently in transition. With electronic health records, telemedicine applications, diagnosis, and nationwide infrastructure such as ABDM, the movement of patient information has been transformational – although perhaps better described as the perpetual motion of patient information.
The digital health market in India was valued at USD 14.50 billion in 2024 and is projected to reach USD 106.97 billion by 2033 with a CAGR of 25.12%. The industry’s rapid growth is mostly attributed to ABDM that enables digital health records, telemedicine, and technology-assisted services. By September 2024, there were over 670 million ABHA accounts with more than 420 million health records linked, and more than 236 private organizations including labs, pharmacies, and technology-based solutions companies, integrated into the platform.
What a simple patient interaction will now produce may involve the flow of data through EHRs in the hospital, external diagnostic laboratories, insurance aggregators, government registries, and even wellness applications all in a matter of hours. The data flows of the healthcare sector have been purposefully designed. But the data governance frameworks protecting patients data still needs to improve. That’s where DPDPA comes in.
The Consent Gap
The recently enacted Digital Personal Data Protection Act (DPDPA), 2023 in India centers around data collection while obtaining consent from the individual. Under Section 6(1) of the DPDPA, any consent obtained from an individual should be for a specific purpose and only for data relevant for the said purpose. It is imperative to obtain consent from patients before using their information, which is both appropriate and justified. However, the implementation of consent is often a one-time process when signing up or registering through an application.
Patient data will now start flowing through multiple organizations such as hospitals, insurance companies, third-party processors, and even API-enabled systems, sometimes beyond the scope envisioned by the consent form that the patient signed during the enrollment process. Each transfer may be legal, but there is limited traceability for the patient data, and no mechanism to revisit consent at each juncture, and no means to enforce purpose limitation at all points.
Significantly, the DPDPA limits businesses from using data for any other purpose/s not authorised by the consumer, and when the data principal revokes consent, it is required by law for the data fiduciary to immediately cease processing the data and delete it, unless retention is otherwise required by another act of Indian legislation. Given that the health care system is fragmented and includes several organizations,
The practical difficulties of adhering to this legal mandate are much greater than anticipated under the law.
Accountability at the Edges
Under the DPDPA regime, there are Data Fiduciaries which define how their data shall be processed. The Act classifies some Data Fiduciaries as Significant Data Fiduciaries (SDF) who have additional obligations such as Data Protection Impact Assessments and audit based on the extent of processing and type of data. In a linear data lifecycle, this accountability mechanism is easier to implement. But in the case of health care, it is not.
ABDM’s architecture has been developed to facilitate interoperability by using three gateways: The Health Information Exchange and Consent Manager (HIE-CM), National Health Claims Exchange (NHCX) and Unified Health Interface (UHI), to enable seamless data exchange among stakeholders. The ABDM architecture is federated and designed in a manner that the data stays where it is generated, allowing sharing of data only upon patients' consent. However, the practicality is that there are over 236 private parties associated with ABDM.
In the case of a health data aggregator sourcing information through an API linked under the ABDM framework, who bears the duty as a fiduciary? If a wellness application transfers data to a research organization for its analytics, what constitutes responsibility here? In the situation where a claims processing system stores data beyond the period required to process a specific claim, who is there to enforce such limits on storage?
Fragmentation of responsibilities is not a loophole but an inherent characteristic of modern digital health systems. The Data Fiduciary cannot be insulated from liability Under the DPDPA, a Data Fiduciary cannot escape liability by showing that a processor acted independently or wrongfully.
Purpose Limitation in Motion
Purpose limitation is another very straightforward obligation within the DPDPA. Data collected for one purpose may not be repurposed without additional consent. New purposes require new consent. This can be audited easily in a static world but would require active enforcement in a dynamic ecosystem.
The Act provides a tangible example of how it works: If a telemedicine application seeks consent from a user to access their contact list, which has no relevance to giving medical advice, then that aspect of the consent is invalid and should be disregarded. The principle is well-defined; the execution is difficult.
Take, for instance, a patient who downloads a telemedicine application to consult a doctor. All the information they provide, including symptoms, prescriptions, and location — will be processed to facilitate the consultation. However, the same data, when provided to a service vendor under the pretext of service improvement or personalization in the future, has been repurposed silently.
As per the DPDP Rules 2025, Significant Data Fiduciaries are obligated to perform a Data Protection Impact Assessment and audit annually and submit a report of significant findings to the Data Protection Board. However, for the larger ecosystem of health data controllers – who will not fit into the category of Significant Data Fiduciaries in the vast majority of cases – there is no such requirement.
Purpose limitation in healthcare is difficult to ensure just from a checkbox on consent. Technical safeguards are needed, such as data tagging and logging and audit trails at the API level – something that many of the platforms operating in India's health care ecosystem are yet to implement.
Toned for Continuous Governance
Re-thinking compliance in such an environment requires a shift in perspective from consent being a single point in time activity to governance being an ongoing process. Key points include the following:
Dynamic consent mechanisms. The DPDPA Rules 2025 contain a provision for a "Consent Manager" approach – a consent portal wherein the patient can manage their consents within all Data Fiduciaries in one central portal, similar to the Account Aggregator approach adopted in India in the field of financial data. These provisions are set to come into effect by November 13, 2026.
Contractual chains that carry obligations forward. Data Processing Agreements should be aligned with certain flows, purposes, and requirements to store and delete healthcare data. The DPDPA explicitly states that a Data Fiduciary is not exempted from liability in case of violations of processors.
Audit capabilities. Breach reporting needs to take place within 72 hours, and DPIAs need to be prepared in case of high-risk processes according to the DPDPA. Proof that the company can prove compliance regarding who had access to the information, for what purpose, and based on which consents need audit capabilities.
Data minimisation. The DPDP Rules 2025 require that processing must be strictly necessary and proportionate to the stated purpose, and only minimum data necessary may be processed. Interoperability does not require sharing everything. Organisations must enforce this technically, not just contractually, at each integration point.
The Broader Stakes
Healthcare data is some of the most sensitive data available. Healthcare data impacts how people get covered by insurance, are hired, and more importantly, how they are treated. The DPDPA and the DPDP Rules 2025 have laid down a rigorous framework for privacy within the healthcare industry and life sciences in India, which is currently going through its implementation phase, with all compliance being enforced starting May 2027.
This phase gives companies time to shift their compliance focus from just checking off boxes to actual management of data.
With our environment continuously evolving, our governance frameworks will also need improvements.