Of all the sectors that the DPDPA will reshape, healthcare may carry the highest stakes. A person’s health data is among the most sensitive information that exists — it can affect insurance eligibility, employment, relationships, and carries deeply personal dimensions that financial or transactional data simply does not. India’s health-tech sector has grown rapidly, with platforms holding diagnostic reports, prescription histories, chronic condition data, and real-time vitals. The DPDPA now draws a sharp line around how all of that is handled.
The consent requirements here are particularly demanding. A hospital app or diagnostic platform must specify, at the point of collection, exactly what each data point will be used for. Uploading a blood report to receive results is one purpose. Using that same report to recommend supplements, flag the patient to an insurance partner, or feed a research database is an entirely different purpose — and requires separate, specific consent. The purpose limitation principle does not make exceptions for healthcare; it arguably matters more there. Equally, once a consultation is concluded or a test result delivered, the data must not be held indefinitely without a legitimate ongoing reason.

The retention question is especially complex in healthcare, where medical history has genuine long-term value for care continuity. The law does not prohibit retention for legitimate medical purposes, but it requires that those purposes be clearly defined and communicated. What this means in practice is that every health-tech platform needs a documented data lifecycle — what is collected, why, for how long, and under what conditions it is deleted or transferred. Hospitals and health-tech companies that treat compliance as an afterthought will find themselves exposed. Those that build privacy into their product design will earn something harder to manufacture: genuine patient trust.
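The consent and retention requirements described above translate into two concrete checks in a health-data store: a use is permitted only when an active consent record names that exact purpose (consent for result delivery never carries over to insurance referral or research), and an item is retained only while some consented purpose still has an open retention window. The following is an added illustration written for this page, not code from the article or from any platform; the purpose labels, retention periods, identifiers and records are constructed for the example, and the Act requires purposes and periods to be specified but does not prescribe these particular values.

```python
"""Purpose-bound consent and retention checks for a health-data store.

Added example, not from the article or any product. Purposes, retention
windows, identifiers and records are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Consent:
    """One record binds one principal, one data category and exactly one purpose."""
    principal_id: str
    data_category: str
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, t: datetime) -> bool:
        return self.granted_at <= t and (self.withdrawn_at is None or t < self.withdrawn_at)


@dataclass
class ConsentLedger:
    records: List[Consent] = field(default_factory=list)

    def grant(self, principal_id: str, data_category: str, purpose: str, at: datetime) -> None:
        self.records.append(Consent(principal_id, data_category, purpose, at))

    def withdraw(self, principal_id: str, data_category: str, purpose: str, at: datetime) -> None:
        # Records are immutable; replace the active matching ones with withdrawn copies.
        self.records = [
            Consent(r.principal_id, r.data_category, r.purpose, r.granted_at, at)
            if (r.principal_id, r.data_category, r.purpose) == (principal_id, data_category, purpose)
            and r.active_at(at) else r
            for r in self.records
        ]

    def is_use_permitted(self, principal_id: str, data_category: str, purpose: str, at: datetime) -> bool:
        """Exact-match check: consent for one purpose never implies consent for another."""
        return any(
            r.principal_id == principal_id and r.data_category == data_category
            and r.purpose == purpose and r.active_at(at)
            for r in self.records
        )


@dataclass(frozen=True)
class StoredItem:
    principal_id: str
    data_category: str
    collected_at: datetime


def retention_basis(item: StoredItem, ledger: ConsentLedger,
                    rules: Dict[str, timedelta], now: datetime) -> Optional[str]:
    """Return the first purpose that still justifies keeping the item, or None (erase).

    A purpose justifies retention only while consent for it is active AND its
    retention window, counted from collection, has not elapsed.
    """
    for purpose, keep_for in rules.items():
        if (ledger.is_use_permitted(item.principal_id, item.data_category, purpose, now)
                and now < item.collected_at + keep_for):
            return purpose
    return None


def demo() -> dict:
    """Walk a constructed blood-report scenario and return each decision."""
    t0 = datetime(2024, 1, 10, tzinfo=timezone.utc)
    day = timedelta(days=1)
    rules = {  # hypothetical retention windows per purpose, not values from the Act
        "result_delivery": 30 * day,
        "research": 365 * day,
    }
    ledger = ConsentLedger()
    ledger.grant("p1", "blood_report", "result_delivery", t0)
    report = StoredItem("p1", "blood_report", t0)

    out = {}
    out["deliver_result"] = ledger.is_use_permitted("p1", "blood_report", "result_delivery", t0 + day)
    # Same report, different purpose, no separate consent: must be refused.
    out["refer_to_insurer"] = ledger.is_use_permitted("p1", "blood_report", "insurance_referral", t0 + day)
    ledger.grant("p1", "blood_report", "research", t0 + day)
    out["research_after_grant"] = ledger.is_use_permitted("p1", "blood_report", "research", t0 + 2 * day)
    out["basis_day_10"] = retention_basis(report, ledger, rules, t0 + 10 * day)  # result_delivery
    out["basis_day_40"] = retention_basis(report, ledger, rules, t0 + 40 * day)  # research
    ledger.withdraw("p1", "blood_report", "research", t0 + 45 * day)
    out["research_after_withdraw"] = ledger.is_use_permitted("p1", "blood_report", "research", t0 + 46 * day)
    out["basis_day_46"] = retention_basis(report, ledger, rules, t0 + 46 * day)  # None: erase
    return out


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the ledger has no notion of a "general" consent: every permission check and every retention decision is keyed on a single named purpose, so adding a new use of existing data forces a new consent record rather than a reinterpretation of an old one.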