DPDP Act 2023: what every hospital must do with patient data
The Digital Personal Data Protection Act 2023 applies to every hospital processing digital patient data. Here's what you must do — consent, access, erasure.
The Digital Personal Data Protection Act 2023 is now law. It applies to every hospital that processes digital personal data — which is every hospital with a computer.
Section 6 requires consent before processing personal data. For hospitals, this means capturing consent at registration with a clear statement of purpose. "We collect your data for treatment, billing and statutory compliance" — documented, timestamped, attributed.
Section 5 requires purpose limitation. Data collected for treatment cannot be repurposed for marketing or research without separate consent. This catches hospitals that share patient lists with pharma companies or use patient data for promotional communications.
Sections 12 and 13 give data principals (patients) the right to access their data and request erasure. Hospitals must be able to produce a patient's records on request and process erasure requests — subject to retention obligations under other laws (MTP Act records, NABH documentation requirements, Income Tax Act for financial records).
Section 8 requires breach notification to the Data Protection Board. The audit trail in your ERP supports breach investigation — who accessed what, when, from where.
Section 33 provides for penalties up to ₹250 crore for significant breaches. This is not theoretical; the Board has enforcement powers.
Practical steps: capture consent at registration (not in a Terms & Conditions page nobody reads — at the counter, with purpose stated). Enforce role-based access control. Maintain an audit trail. Build a process for access and erasure requests. Encrypt data at rest and in transit.
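The steps above (a consent record with purpose, timestamp and attribution; purpose-limited, role-based access; an audit trail of who accessed what, when and from where; erasure subject to retention holds) fit together in one small model. The following is an added example written for this article, not OneCity's code or any hospital ERP's. The role matrix, the patient and staff identifiers and the retention periods are constructed placeholders; the real retention windows come from the statutes named above, not from these numbers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Purposes stated to the patient at the counter. Anything else (marketing,
# research) needs a separate consent: Section 5 purpose limitation.
CORE_PURPOSES = {"treatment", "billing", "statutory_compliance"}

# Hypothetical RBAC matrix: which purposes each role may access data for.
ROLE_PURPOSES: Dict[str, Set[str]] = {
    "clinician": {"treatment"},
    "billing_clerk": {"billing"},
    "compliance_officer": {"statutory_compliance"},
    "marketing": {"marketing"},
}

# Placeholder retention windows per record category. The real periods are
# set by other laws (MTP Act, NABH, Income Tax Act); these are not them.
RETENTION: Dict[str, timedelta] = {
    "clinical_notes": timedelta(days=365 * 3),   # placeholder
    "invoices": timedelta(days=365 * 8),         # placeholder
    "marketing_preferences": timedelta(days=0),  # nothing holds these back
}


@dataclass(frozen=True)
class ConsentRecord:
    patient_id: str
    purposes: frozenset
    statement: str         # purpose statement shown to the patient
    recorded_at: datetime  # timestamped
    recorded_by: str       # attributed to the staff member who captured it
    withdrawn_at: Optional[datetime] = None


@dataclass(frozen=True)
class AuditEvent:
    at: datetime
    actor: str
    role: str
    patient_id: str
    purpose: str
    source_ip: str
    allowed: bool
    reason: str


@dataclass
class ErasureResult:
    erased: List[str]
    retained: Dict[str, datetime]  # category -> earliest date erasure may happen


class PatientDataStore:
    def __init__(self) -> None:
        self.consents: Dict[str, List[ConsentRecord]] = {}
        self.records: Dict[str, Dict[str, datetime]] = {}  # patient -> category -> created
        self.audit: List[AuditEvent] = []

    def record_consent(self, patient_id, purposes, statement, recorded_by, now):
        rec = ConsentRecord(patient_id, frozenset(purposes), statement, now, recorded_by)
        self.consents.setdefault(patient_id, []).append(rec)
        return rec

    def has_consent(self, patient_id: str, purpose: str) -> bool:
        return any(purpose in c.purposes and c.withdrawn_at is None
                   for c in self.consents.get(patient_id, []))

    def access(self, actor, role, patient_id, purpose, source_ip, now) -> bool:
        """Gate every read on the role matrix and on consent for the stated purpose.
        Denied or allowed, the attempt is written to the audit trail."""
        if purpose not in ROLE_PURPOSES.get(role, set()):
            allowed, reason = False, "role not permitted for purpose"
        elif not self.has_consent(patient_id, purpose):
            allowed, reason = False, "no consent for purpose"
        else:
            allowed, reason = True, "ok"
        self.audit.append(AuditEvent(now, actor, role, patient_id, purpose,
                                     source_ip, allowed, reason))
        return allowed

    def store_record(self, patient_id, category, created_at) -> None:
        self.records.setdefault(patient_id, {})[category] = created_at

    def request_erasure(self, patient_id, now) -> ErasureResult:
        """Erase what can be erased; surface the retention hold on the rest."""
        erased, retained = [], {}
        for category, created_at in list(self.records.get(patient_id, {}).items()):
            hold_until = created_at + RETENTION.get(category, timedelta(0))
            if hold_until > now:
                retained[category] = hold_until
            else:
                erased.append(category)
                del self.records[patient_id][category]
        return ErasureResult(erased, retained)


def demo() -> dict:
    """Constructed scenario: consent at the counter, three lookups, one erasure request."""
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    store = PatientDataStore()
    store.record_consent("P-1001", CORE_PURPOSES,
                         "We collect your data for treatment, billing and statutory compliance",
                         recorded_by="reg-desk-03", now=t0)
    for category in ("clinical_notes", "invoices", "marketing_preferences"):
        store.store_record("P-1001", category, t0)
    later = t0 + timedelta(days=30)
    clinician_ok = store.access("dr.rao", "clinician", "P-1001", "treatment", "10.0.5.12", later)
    marketing_ok = store.access("mkt.user", "marketing", "P-1001", "marketing", "10.0.9.40", later)
    wrong_role_ok = store.access("dr.rao", "clinician", "P-1001", "billing", "10.0.5.12", later)
    erasure = store.request_erasure("P-1001", later)
    return {
        "clinician_ok": clinician_ok, "marketing_ok": marketing_ok, "wrong_role_ok": wrong_role_ok,
        "audit_denials": [e.reason for e in store.audit if not e.allowed],
        "erased": erasure.erased, "retained": sorted(erasure.retained),
    }
```

The marketing lookup fails even though the marketing role is allowed that purpose, because the patient only consented to the core purposes; the billing lookup by a clinician fails on the role matrix. Both denials land in the audit trail with actor, role, purpose and source address, which is the record a breach investigation under Section 8 would start from. The erasure request removes only the category with no retention hold and returns the hold dates for the rest, so staff can answer the patient with a date rather than a refusal.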
OneCity captures consent at patient registration with purpose and timestamp, enforces role-based access control, maintains a full audit trail and supports the patient portal for access requests. Erasure is processed per Section 13, with retention obligations surfaced.