DPDP Act 2023: What Clinics Must Do for Compliance
How India's Digital Personal Data Protection Act 2023 affects clinics — consent, data retention, breach reporting, and practical steps to stay compliant with patient records.
The Digital Personal Data Protection Act 2023 treats patient demographics, clinical notes, and billing data as personal data. Clinics are data fiduciaries — you must collect data for specified purposes, obtain valid consent, and protect against breaches.
Practical compliance steps
- Publish a clear privacy notice at registration
- Collect explicit consent for SMS, WhatsApp, and marketing
- Limit staff access with role-based permissions
- Define retention periods and secure deletion for inactive records
- Report significant breaches as rules require
OpdNest provides consent capture, access logs, and encrypted storage aligned with healthcare workflows. Pair software controls with staff training — reception should never share records on personal WhatsApp.
Documentation
Maintain a record of processing activities: what data you hold, why, how long, and which vendors (cloud hosts, SMS gateways) process it on your behalf.
Written by
OpdNest Team
Compliance & Government · OpdNest
OpdNest is an affordable, ABDM-ready clinic management platform built for Indian clinics. Our team writes practical guides for doctors and clinic managers across India.