India's Digital Personal Data Protection Act, 2023 (DPDP) changes how hospitals and health technology vendors must handle patient data. Penalties run up to ₹250 crore per instance for failing to implement reasonable security safeguards. Every CMO running digital health tools must understand the hospital's obligations under this law.
The DPDP Act received Presidential assent on 11 August 2023; its provisions come into force on dates notified by the Central Government, with detailed requirements set out in rules made under the Act. Unlike the earlier Personal Data Protection Bill, the Act does not define a separate "sensitive personal data" category: health data (patient records, clinical notes, prescriptions and insurance information) is protected as digital personal data like any other. Hospitals processing large volumes of health data can, however, be notified as Significant Data Fiduciaries under Section 10, which adds obligations such as appointing a Data Protection Officer based in India, engaging an independent data auditor and carrying out periodic Data Protection Impact Assessments.
Key obligations for hospitals under DPDP
• Informed Consent: Hospitals must obtain consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action and accompanied by a notice stating what personal data is collected and for what purpose (Section 6). Generic consent buried in admission forms does not meet this standard. The Act does allow processing without consent for certain "legitimate uses" (Section 7), including responding to a medical emergency that threatens a patient's life or health, but these are narrow exceptions, not a substitute for a consent process.
• Purpose Limitation: Data collected for clinical treatment cannot be used for hospital marketing, pharmaceutical partnerships or research without separate, specific consent for that purpose.
• Cross-Border Transfer: The Act itself does not mandate that health data be kept on servers in India. Section 16 permits transfer to any country except those restricted by Central Government notification, while leaving in place any stricter localisation requirement imposed by another law or sectoral regulator. Hospitals using cloud or AI services hosted outside India must therefore know which countries their data flows to, check those against the notified restrictions, and confirm that no sectoral rule they are bound by (for example as an ABDM participant) requires storage in India.
• Breach Notification: A personal data breach must be notified to the Data Protection Board of India and to each affected patient, in the form and within the time prescribed by the rules (Section 8(6)). The draft DPDP Rules propose an initial intimation without delay and a detailed report to the Board within 72 hours. Separately, the CERT-In directions of April 2022 require specified cyber incidents to be reported to CERT-In within six hours of noticing them, so the hospital's incident response plan needs both clocks.
• Right to Correction and Erasure: Patients may request correction, completion, updating and erasure of their personal data (Section 12). The hospital must honour erasure requests within the prescribed timelines unless retention is necessary for the purpose the data was collected for or is required by another law, so medical record retention mandates need to be mapped explicitly against the erasure process.
• Vendor Accountability: The hospital remains the Data Fiduciary, answerable for every Data Processor it engages (AI tools, EMR software, billing systems). Processors may only be engaged under a valid contract (Section 8(2)), and that contract does not transfer the hospital's liability. CMOs must verify vendor compliance before deployment.
What this means for AI clinical tools
Any AI tool that listens to doctor-patient conversations, processes clinical notes or handles prescription data is processing patient personal data on the hospital's behalf, so the hospital carries the Data Fiduciary's obligations for it. CMOs evaluating voice AI tools should verify:
• Where is the data stored and processed? Identify every jurisdiction involved, including the vendor's speech-to-text and language-model providers, and check them against the cross-border transfer restrictions and any sectoral localisation rule the hospital is bound by.
• Who has access to it? Access must be role-restricted and auditable, covering the vendor's own staff and sub-processors as well as hospital users.
• Is it encrypted? Both in transit and at rest, with the vendor able to state who holds the keys.
• Is it used for model training? Patient data should not be used to train or fine-tune the vendor's or any third party's models without separate consent.
• Can it be deleted on patient request? The system must support complete erasure, including from backups, transcripts and downstream copies held by sub-processors, within the prescribed timelines.
How Voxmed AI complies
Voxmed AI was built for India from day one. All data is stored exclusively on Indian servers. We are ABDM sandbox registered, DPDP Act 2023 compliant and IT Act 2000 compliant. Patient data is never shared with any third party and is never used for model training, OpenAI's included. Full audit trails are available for NABH and JCI accreditation reviews.
References & Official Sources
Ministry of Electronics and Information Technology, India. The Digital Personal Data Protection Act, 2023 (official gazette notification). meity.gov.in
Data Protection Board of India. Guidelines for Health Data Processing under DPDP 2023 (sector-specific guidance for healthcare organisations). meity.gov.in
National Health Authority, India. ABDM Health Data Management Policy (data governance framework for Ayushman Bharat Digital Mission participants). abdm.gov.in
Ministry of Health and Family Welfare. Electronic Health Records Standards for India, 2016 (updated 2023). Technical and privacy standards for electronic health records in Indian healthcare. mohfw.gov.in
Is your hospital's clinical AI DPDP compliant?
We provide a compliance checklist for CMOs evaluating AI tools. Contact us to verify your current setup.