DPDP Act for Clinics: What Doctors Must Do in 2026
By Patient Square Team · 6 min read
The DPDP Act 2023 turns every Indian clinic that handles patient data into a Data Fiduciary with real legal duties, and with the DPDP Rules notified in November 2025, the compliance clock is now running. This is a practical guide for clinic owners and doctors, not lawyers: what the law actually asks of you, what the penalties are, and how to vet the software you buy. It is not legal advice, so confirm specifics with counsel, but it will tell you what to confirm.
Key takeaways
- The DPDP Act applies to clinics of any size; you are a "Data Fiduciary" the moment you decide how patient data is used.
- The DPDP Rules were notified on 14 November 2025, with most obligations phasing in over roughly 18 months. The window is open now.
- Penalties reach up to ₹250 crore for security-safeguard failures that lead to a breach.
- Every software purchase is now a fiduciary decision; the right vendor questions are short and specific.
Timeline at a glance:
- 11 August 2023: DPDP Act 2023 enacted
- 14 November 2025: DPDP Rules, 2025 notified; the compliance clock starts here
- Roughly 18 months from notification: approximate phase-in window for most substantive obligations
Source: PIB / MeitY, DPDP Rules 2025 backgrounder, November 2025.
Does the DPDP Act actually apply to my clinic?
Yes, and the size of your practice doesn't change that. The Digital Personal Data Protection Act, enacted on 11 August 2023, applies to any "Data Fiduciary": the person or organization that determines the purpose and means of processing personal data. A two-doctor clinic keeping digital patient records decides why and how that data is handled, which makes it a Data Fiduciary with obligations. Health data isn't carved out into a lighter category; if anything, its sensitivity raises the stakes.
The practical trigger is digitization. Paper-only records sit outside the Act's core machinery, but the moment patient data is digital, DPDP duties attach. That covers an EMR, a billing system, a WhatsApp number, an AI scribe.
When do I actually have to comply?
Now is when you prepare. The DPDP Rules, 2025 were notified on 14 November 2025, and most substantive obligations phase in over roughly an 18-month window from notification. So enforcement isn't retrospective to 2023, but the runway is finite and it has started. The clinics that treat 2026 as the build period, getting consent, security, and vendor contracts in order, are the ones that won't be scrambling when the obligations bite.
Don't wait for a Data Protection Board notice to start. The cheapest version of compliance is the one you build before anyone asks.
What does DPDP actually require a clinic to do?
Six duties, in plain terms:
- Consent, taken properly. Collect patient data on the basis of consent that is free, specific, informed, and unambiguous, with a clear notice of what you're collecting and why. Certain medical situations have carve-outs, but consent is the default footing.
- Purpose limitation. Use the data only for the purpose you stated. Patient data gathered for treatment isn't a marketing list.
- Reasonable security safeguards. Protect the data with appropriate technical and organizational measures: encryption, access control, logging. This is the duty with the largest penalty attached.
- Breach notification. If a personal-data breach occurs, notify the Data Protection Board and affected individuals, in plain language, without delay.
- Honor data-principal rights. Patients can ask what you hold, request correction, and request erasure; requests are to be answered within the timelines the Rules set (within 90 days for certain requests).
- Vendor diligence. When you hand data to a processor, whether an EMR host, a scribe, or a billing service, you remain responsible. Their handling is your liability.
What are the penalties?
They are large and tiered. The DPDP Act's schedule sets statutory ceilings applied by the Data Protection Board:
| Failure | Penalty up to |
|---|---|
| Failure to maintain reasonable security safeguards leading to a breach | ₹250 crore |
| Failure to notify a breach; breach of children's-data obligations | ₹200 crore |
| Other violations | ₹50 crore |
These are ceilings, not automatic fines, and enforcement is administered case by case. No clinic should read this as "you will be fined ₹250 crore." But the security-safeguards duty carrying the highest ceiling is the clearest signal in the law: protecting the data is the obligation the state cares about most.
How does DPDP sit alongside medical record-keeping rules?
They stack. DPDP governs how you handle data; medical-council ethics rules govern what records you keep and for how long. On retention, note a nuance many guides get wrong. The NMC's 2023 conduct regulations, which proposed three-year retention for all patients and records supplied within five working days, were held in abeyance shortly after notification. The rules actually in force are the older MCI 2002 ethics regulations: keep inpatient records three years from the start of treatment, and produce records within 72 hours of a request, with failure treated as professional misconduct.
So the practical picture: MCI 2002 sets your retention floor and production duty; DPDP layers purpose-limitation, security, consent, and the obligation to delete when the purpose ends. A record-keeping system that's complete and retrievable serves both, which is also why thin, missing notes are a liability under both regimes. (For the retention rules in detail, the medico-legal record-keeping question deserves its own read with counsel.)
Key timelines at a glance:
- 3 years: inpatient record retention from commencement of treatment, MCI 2002
- 72 hours: window to produce records on request, MCI 2002
- 90 days: window to answer certain data-principal requests under the DPDP Rules
Sources: NMC / MCI Code of Medical Ethics 2002; PIB / MeitY DPDP Rules 2025 backgrounder.
What should I ask an AI scribe or health-tech vendor?
Every software purchase is now a fiduciary decision, because the vendor's handling becomes your exposure. Four questions settle most of it:
- "What patient data do you collect, and where is it stored?" You need to know the data map to honor purpose-limitation and answer patient requests.
- "How long do you retain it, and can I delete any record on demand?" Deletion-on-purpose-completion is a DPDP duty; the vendor has to support it.
- "Is visit audio stored, and if so for how long?" Stored audio is among the most sensitive data a clinic can hold. A vendor that processes audio in memory and never stores it removes a whole category of risk.
- "Is my patients' data used for anything beyond my care, like model training, analytics, or resale?" Purpose-limitation lives or dies here.
AI Scribe by Patient Square is an ambient AI medical scribe that listens during the visit and hands back a structured SOAP note, ICD-10 suggestions, and a prescription draft, ready to review and sign about two minutes after the visit. It's built to make these answers short. Visit audio is processed in memory and discarded the moment the note is drafted, so there is no audio archive. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256), access is role-scoped and logged, and you can export or delete any visit at any time. We describe this as handling data to DPDP Act 2023 standards, consent-first and purpose-limited, rather than as a certification, because DPDP certification for vendors isn't a thing that exists. The full posture, in the same plain terms, is on our security page.
A clinic that picks vendors with this discipline does most of its DPDP work at procurement, before a single patient is seen. If you're evaluating tools, the India scribe comparison covers how the main options handle data, and you can put our answers to the test directly. Book a short demo and ask the four questions above, or run the 7-day trial and watch where the audio goes. (Nowhere. That's the design.)
Common questions
Does the DPDP Act apply to a small clinic?
Yes. The DPDP Act 2023 applies to anyone who decides how and why personal data is processed. That includes a two-doctor clinic handling patient records digitally. Size doesn't exempt you; you are a Data Fiduciary with obligations around consent, purpose limitation, security, and breach notification.
When does the DPDP Act become enforceable?
The Act was enacted on 11 August 2023, and the DPDP Rules were notified on 14 November 2025, with most substantive obligations phasing in over roughly 18 months. The compliance window is now open. This is the period to put consent and security practices in place, not after.
What are the penalties under the DPDP Act?
Penalties run up to ₹250 crore for a failure to maintain reasonable security safeguards that leads to a breach, up to ₹200 crore for failing to notify a breach or for breaching children's-data duties, and up to ₹50 crore for other violations. These are statutory ceilings, applied by the Data Protection Board.
How long must Indian doctors keep medical records?
The operative professional-conduct rules (MCI 2002, still in force after the 2023 NMC regulations were held in abeyance) require that inpatient records be kept for three years from the start of treatment and produced within 72 hours of a request. The DPDP Act adds purpose-limitation and deletion duties on top of that retention floor.
What should a clinic ask an AI scribe or health-tech vendor under DPDP?
Ask what data is collected, where it is stored, how long it is retained, and whether it is used for anything beyond your care. Ask if audio is stored. A vendor that processes audio in memory and never stores it, encrypts data, and limits access makes your DPDP compliance simpler, not harder.