Compliance · 22 Apr 2026 · 6 min read

DPDP Act Compliance for Clinics: What Every Indian Doctor Must Know

The Digital Personal Data Protection Act, 2023 (DPDP Act) is now fully in effect. If your clinic collects patient phone numbers, sends WhatsApp messages, stores medical records digitally, or uses any software that processes patient data — you are a data fiduciary under this law.

Most Indian doctors don't know this yet. But the penalties for non-compliance go up to ₹250 crore. Here's what you need to know — in plain language, not legalese.

What the DPDP Act means for clinics

In simple terms, the DPDP Act says: if you collect someone's personal data, you must tell them what you're doing with it, get their consent, keep it safe, and delete it when you no longer need it.

For clinics, "personal data" includes:

  • Patient names, phone numbers, email addresses
  • Medical records, prescriptions, lab reports
  • WhatsApp conversation history
  • Appointment booking data
  • Payment and billing records
  • Any data collected through clinic software, apps, or websites

⚠️ Health data is "sensitive personal data" — it requires higher protection standards. Even storing a patient's diagnosis in a WhatsApp chat makes you responsible for that data under DPDP.

Key requirements for clinics

1. Informed consent

Before processing patient data, you must obtain clear, specific consent. This means telling patients: what data you collect, why you collect it, how long you keep it, and who you share it with. A generic "I agree" checkbox is not sufficient.

2. Purpose limitation

You can only use patient data for the purpose it was collected. If a patient gives you their phone number for appointment reminders, you cannot use it for promotional messages without separate consent.

3. Data minimisation

Collect only the data you need. If you don't need a patient's Aadhaar number for treatment, don't ask for it. The less data you collect, the less liability you carry.

4. Data storage in India

Patient data must be stored on servers within India (with some exceptions for cross-border transfer under government-approved arrangements). If your clinic software stores data on servers outside India, this is a compliance risk.

5. Right to erasure

Patients can request deletion of their data. You must comply within a reasonable timeframe, unless retention is required by other laws (like medical record retention rules).

6. Breach notification

If patient data is compromised (leaked, hacked, accidentally exposed), you must notify the Data Protection Board of India. There is no "it was just a small breach" exception.

WhatsApp communication and DPDP

This is where most clinics are unknowingly non-compliant. If you use WhatsApp to communicate with patients (and almost every Indian doctor does), here's what DPDP requires:

  • Consent for automated messages — If you use any automation tool (auto-replies, broadcast lists, chatbots), patients must consent to receiving automated communication
  • Official API only — Using unofficial WhatsApp automation tools (those that don't use the official Business API) puts patient data at risk and violates both WhatsApp's terms and DPDP
  • Chat data storage — WhatsApp messages containing patient health information are "sensitive personal data". Your automation tool must store this data in India
  • Employee access controls — Not every staff member should have access to all patient WhatsApp conversations. Role-based access is required

Penalties for non-compliance

  • ₹50 Cr: failure to take security measures
  • ₹200 Cr: failure to notify a data breach
  • ₹250 Cr: processing children's data without consent
  • ₹10,000: per individual complaint upheld

DPDP compliance checklist for clinics

  • Patient consent form updated with DPDP-compliant language
  • Privacy policy published and accessible to patients
  • WhatsApp automation uses official Business API (not unofficial tools)
  • Patient data stored on servers within India
  • Role-based access controls for staff viewing patient data
  • Data retention policy defined (how long records are kept)
  • Process for handling patient data deletion requests
  • Data breach response plan documented
  • Automated messages include opt-out mechanism
  • Third-party software vendors verified for DPDP compliance

How compliant tools help

The easiest path to DPDP compliance for WhatsApp communication is using tools that are built for Indian healthcare compliance. Look for:

  • India-based data storage with encryption at rest and in transit
  • Official WhatsApp Business API integration
  • Built-in consent collection flows
  • Automatic NMC-compliant disclaimers on medical replies
  • Audit logs for data access
  • One-click data export and deletion for patient requests

DPDP compliance isn't optional anymore. But with the right tools and processes, it doesn't have to be complicated. Start with the checklist above, fix the gaps, and make sure any software you use meets these standards.

© 2026 Yesinfosolutions. All rights reserved.