India’s Digital Personal Data Protection (DPDP) Act 2023 and the Draft DPDP Rules 2025 establish a landmark regulatory framework for hospitals, which act as data fiduciaries responsible for safeguarding patient data. The Act, which received assent in August 2023 and builds on the Supreme Court’s 2017 recognition of privacy as a fundamental right in K. S. Puttaswamy, introduces rigorous requirements grounded in informed consent and accountability. Hospitals must establish compliant privacy governance frameworks that include integration with consent managers registered with the Data Protection Board, transparent notices explaining how data is used, procedures for data access, correction and erasure, and reasonable security safeguards against data breaches. The Act places significant emphasis on patient autonomy, requiring that consent be specific and withdrawable at any time, and that it be recorded through interoperable platforms maintained by Board-registered consent managers. The Draft Rules published in January 2025 supply operational detail for implementation, including mechanisms for consent management, contracting with data processors, and notification of breaches to the Data Protection Board and to the affected data principals. Special provisions address vulnerable populations such as minors and patients in mental healthcare, requiring additional consent safeguards. Hospitals notified as significant data fiduciaries must appoint a data protection officer and carry out periodic audits and impact assessments. The Act also sets out the legitimate uses under which personal data may be processed without separate consent, including certain public-interest and statutory purposes. Compliance therefore requires systemic change across hospital administration, IT infrastructure and legal functions to uphold patient privacy rights and align Indian healthcare data governance with global standards while meeting evolving digital health challenges.
Chail et al. studied this question.