DPDPA Compliance for Healthtech & Clinics in Delhi

Health data is among the most sensitive personal data. Clinics, diagnostic labs, telemedicine and health apps all act as Data Fiduciaries for patient records, prescriptions and test results.

Delhi context: A dense services and trading hub where consumer-data and lead-generation practices draw early enforcement attention. The obligations below apply to healthtech platforms and clinics operating in Delhi, Delhi — there is no local exemption and no turnover threshold under the DPDP Act.

DPDPA applies fully. Health data volume and sensitivity make SDF classification and DPIAs more likely than for a generic small business.

• Patient demographics & contact
• Medical history & diagnoses
• Lab & diagnostic results
• Prescriptions and treatment notes
• Insurance and billing data

• Reports shared over WhatsApp/email without safeguards
• Records retained forever
• Lab/partner labs without processor contracts
• Children's health data without verifiable parental consent

• Explicit consent for health-data processing
• Reasonable security safeguards (encryption, access logs)
• Processor contracts with labs, billing, EHR vendors
• Verifiable parental consent for minors
• Retention schedule aligned to medical-record norms
• Breach notification workflow

• Reports emailed unencrypted
• No access control on patient records
• Marketing to patients without consent

• Stop sending reports over personal WhatsApp
• Restrict record access by role
• Add parental-consent flow for minors
• Publish a patient privacy notice & grievance contact

Can we keep patient records forever?

Retention must be tied to a purpose and statutory medical-record norms. Indefinite retention 'just in case' is not defensible.

Is WhatsApp okay for sending reports?

Only with appropriate safeguards and patient consent. A controlled patient portal is the safer, demonstrable approach.