DPDP Act for Doctors: What It Means for Your Clinic

By Patient Square Team · 9 min read

For a practising doctor, the DPDP Act means one thing above all: the moment your patient records go digital, your clinic becomes a "Data Fiduciary" with real legal duties, and most of them take effect by 13 May 2027. You owe patients proper consent, tight purpose limits, security, breach reporting, and the right to see or delete their data. This is the doctor's version, not the law firm's. What you have to do, what a slip costs, and the questions to ask any software you buy.

Key takeaways

  • DPDP makes your clinic a Data Fiduciary the instant patient data is digital. No size exemption, no lighter tier for a two-doctor practice.
  • The deadline that matters is 13 May 2027, when the bulk obligations switch on. The Consent Manager framework lands earlier, on 13 November 2026.
  • Penalties are statutory ceilings, not automatic fines, and reach up to ₹250 crore for a security-safeguard failure that leads to a breach.
  • Your record-retention floor is unchanged: three years for inpatient records, from the operative 2002 medical-council rules, not from DPDP.
  • Every software purchase is now a compliance decision. The right vendor questions are four, and they are short.
  • 13 May 2027: bulk DPDP obligations switch on: consent, notice, security, breach, patient rights
  • ₹250 crore: top statutory penalty ceiling, for a security-safeguard failure that leads to a breach
  • 3 years: inpatient record retention, from the operative MCI 2002 rules (unchanged by DPDP)

Sources: PIB / MeitY DPDP Rules 2025; PRS India on the DPDP Act 2023 Schedule; NMC Code of Medical Ethics 2002.

This is reporting, not legal advice, and the Data Protection Board is still building its machinery. Treat the list below as the shortlist worth confirming with your counsel, not a substitute for them. Want the full obligation primer, written for clinic owners? Our DPDP Act for clinics guide walks each duty in detail. This page is the doctor-facing version: shorter, organised by what you actually do.

Is my clinic really covered by the DPDP Act?

Yes, and the size of your practice has nothing to do with it. The Act applies to any "Data Fiduciary," which it defines as any person who, alone or with others, decides the purpose and means of processing personal data. A solo GP keeping digital records is making exactly those decisions. So is a two-doctor clinic on a shared EMR. There is no carve-out for small practices, and if anything the sensitivity of health data raises the stakes rather than lowering them.

What flips the switch is digitisation. Paper-only files sit outside the Act's core machinery, but paper that is later scanned or typed in comes inside it, because the Act covers data collected in non-digital form and digitised afterwards. The moment patient data goes digital, the duties attach, and "digital" is broad here: an EMR, a billing tool, the clinic WhatsApp number, an AI scribe. If it holds patient data and runs on a screen, it counts.

What does the DPDP Act actually ask a doctor to do?

Here is the checklist, organised by the action, not the legal clause. None of it is exotic. Most of it is good clinical record-keeping with a consent layer on top.

Each obligation, what it means at the front desk, and who it falls on:

  • Take consent properly. Collect data on free, specific, informed, unambiguous consent, after a plain notice saying what you collect and why. No bundled, take-it-or-leave-it checkbox. Falls on: the clinic.
  • Stick to the stated purpose. Data gathered for treatment is not a marketing list or a referral-selling list. Falls on: the clinic.
  • Keep reasonable security. Encryption, access control, logging. This duty carries the biggest penalty, which tells you what the law cares about most. Falls on: the clinic and every vendor.
  • Report a breach. Tell affected patients and the Data Protection Board without delay, then file a detailed report to the Board within 72 hours. Falls on: the clinic.
  • Honour patient rights. A patient can ask what you hold, have it fixed, or have it erased. Publish a grievance route and answer within 90 days. Falls on: the clinic.
  • Vet your vendors. Hand data to a processor and their handling becomes your liability. Diligence is not optional. Falls on: the clinic.

The one that catches doctors off guard is the last. Buying software used to be an IT decision. Under DPDP it is a fiduciary one, because whatever your scribe or your billing host does with patient data, the exposure lands on you. We come back to that below, because it is where a good buying decision saves you the most work. If you are already vetting a scribe, book a short demo and put your data-handling questions to it directly.
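The "keep reasonable security" item in the checklist above names three controls, encryption, access control and logging, and the "honour patient rights" item adds erasure on request. The block below is an added example, written for this page and not code from Patient Square or any EMR, of what those controls look like when they sit together in one small note store. Everything in it is constructed for the demo: the Store, Put, Get and Erase names, the two roles, the patient ID "P-1001" and the note text. Notes are held only as AES-256-GCM ciphertext with the patient ID bound as associated data, the role check lives in one function and every attempt, allowed or denied, goes to an audit log that never carries note content. The key is passed in by the caller because key management (a KMS or HSM) is outside what the example shows.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Role is the caller's job; policy is decided on it, never on a name.
type Role int

const (
	FrontDesk Role = iota // books visits, never reads clinical notes
	Clinician             // writes, reads and erases notes for treatment
)

// AuditEntry: who tried what on which patient, and whether it was allowed. Denials are logged too; note content never is.
type AuditEntry struct {
	Actor, Action, PatientID string
	Allowed                  bool
}

// Store keeps each note as AES-256-GCM ciphertext (nonce || ciphertext).
type Store struct {
	aead    cipher.AEAD
	records map[string][]byte
	Audit   []AuditEntry
}

var ErrDenied = errors.New("access denied")
var ErrNotFound = errors.New("no record")

// NewStore needs a 32-byte key (AES-256); in production it comes from a KMS.
func NewStore(key []byte) (*Store, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, records: map[string][]byte{}}, nil
}

// check is the one place the role policy lives, and every call is audited.
func (s *Store) check(actor string, role Role, action, pid string) bool {
	ok := role == Clinician
	s.Audit = append(s.Audit, AuditEntry{actor, action, pid, ok})
	return ok
}

// Put encrypts a note with the patient ID as associated data, so a blob copied into another patient's slot will not decrypt.
func (s *Store) Put(actor string, role Role, pid, note string) error {
	if !s.check(actor, role, "write", pid) {
		return ErrDenied
	}
	nonce := make([]byte, s.aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail on Go 1.24+; check the error on older toolchains
	s.records[pid] = s.aead.Seal(nonce, nonce, []byte(note), []byte(pid))
	return nil
}

// Get decrypts a note for a permitted caller; a moved or tampered blob errors.
func (s *Store) Get(actor string, role Role, pid string) (string, error) {
	if !s.check(actor, role, "read", pid) {
		return "", ErrDenied
	}
	blob, found := s.records[pid]
	if !found {
		return "", ErrNotFound
	}
	ns := s.aead.NonceSize()
	pt, err := s.aead.Open(nil, blob[:ns], blob[ns:], []byte(pid))
	return string(pt), err
}

// Erase honours an erasure request: the ciphertext goes, the audit line stays.
func (s *Store) Erase(actor string, role Role, pid string) error {
	if !s.check(actor, role, "erase", pid) {
		return ErrDenied
	}
	delete(s.records, pid)
	return nil
}

func main() {
	key := make([]byte, 32) // demo key only; never mint and keep one like this
	rand.Read(key)
	s, _ := NewStore(key)
	s.Put("dr.rao", Clinician, "P-1001", "BP 150/95, start amlodipine") // constructed sample, no real patient
	fmt.Println(s.Get("reception", FrontDesk, "P-1001"))               // front desk: access denied
}
```

Two things to notice when you run it. A front-desk read fails before any decryption happens, and the failure is still in the audit log, which is what a breach investigation needs. After Erase the stored bytes are gone but the audit entry for the erasure remains, so you can show a patient, or the Board, that the request was honoured without keeping the data you were asked to delete.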

The deadline that matters is 13 May 2027

The date to circle is 13 May 2027. That is when the obligations that reshape how a clinic handles data actually bite. The runway started on 13 November 2025, when the DPDP Rules were notified, but the Rules switch on in waves rather than all at once.

  • 13 Nov 2025: Rules notified; definitions and the Data Protection Board go live
  • 13 Nov 2026: Consent Manager registration framework in force
  • 13 May 2027: bulk clinic obligations live: consent, notice, security, breach, rights

Source: SCC Online and PIB / MeitY on the DPDP Rules 2025 phased commencement.

So eighteen months of runway, from notification to the May 2027 switch-on, sounds like plenty. It is not, once you count what has to be built: a consent notice your front desk can actually use, a breach process you have rehearsed, and vendor contracts that hold up. Clinics that spend 2026 getting consent, security, and procurement in order are the ones not scrambling in early 2027. If you want the obligation-by-obligation calendar with the exact rule numbers, our DPDP Rules 2025 timeline lays out which provision lands when. Don't wait for a notice from the Board. Compliance is cheapest built before anyone asks for it.

What are the DPDP penalties for a clinic?

Large, tiered, and discretionary. The Act's Schedule sets statutory ceilings that the Data Protection Board applies case by case. There is no minimum, no automatic fine, and the Board weighs the conduct before it lands on a number.

Read the figures for their shape, not their top number. No clinic should expect a ₹250 crore demand. What the figures tell you is priority. The biggest ceiling sits on the security-safeguards duty, which is the law signalling, in the bluntest way it can, that protecting the data is the obligation it takes most seriously. The breach-reporting and children's-data duties share the next tier. Everything else a clinic is likely to meet falls under the residual ceiling. Spend your attention where the law spends its biggest number: on holding the data safely.

DPDP doesn't change how long you keep records

No, it doesn't, and this is the point most coverage gets muddled, so here it is straight. Your retention floor still comes from the medical-council rules, not from DPDP. The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 are the live rules. Under Regulation 1.3 you keep inpatient records three years from the start of treatment and produce any record within 72 hours of a request.

The catch is the regulation people quote. The NMC's 2023 conduct regulations restated this and proposed tighter timelines, but they were held in abeyance in August 2023 and never commenced. So when you cite "three years," cite the 2002 rules, the ones actually in force, not the 2023 ones a lot of blog posts treat as law.

  • 3 years: inpatient record retention from commencement of treatment, MCI 2002 Reg 1.3
  • 72 hours: window to produce records on request, MCI 2002 Reg 1.3
  • 90 days: window to answer a grievance under the DPDP Rules

Sources: NMC Code of Medical Ethics 2002, Regulation 1.3; SCC Online on the DPDP Rules 2025 grievance window.

The two regimes pull the same way. MCI 2002 sets your retention floor and your duty to produce a record on request. On top of that, DPDP wants consent, purpose limitation, security, and deletion once the treatment purpose has run its course. So a complete, retrievable note satisfies both at once, which is also why a thin or missing one is a liability under either. One thing you do not carry: the time-bound deletion clock in the DPDP Rules targets large platforms like e-commerce and social media above set user thresholds, not a clinic. Your retention is governed by purpose plus the medical-council rule. The retention question deserves its own sitting with counsel; this is the short version.

What should I ask an AI scribe or any health-tech vendor?

Since every software purchase is now a fiduciary decision, the vendor's data handling becomes your exposure. Four questions do most of the filtering. Ask them out loud and listen for whether the answer comes back in a sentence or a fog.

  • "What patient data do you collect, and where is it stored?" Without the data map you cannot honour purpose limitation or answer a patient request.
  • "How long do you keep it, and can I delete any record on demand?" Deletion once the purpose ends is a DPDP duty, so the vendor has to support it, not resist it.
  • "Is visit audio stored, and for how long?" Stored audio is about the most sensitive thing a clinic can hold. A vendor that processes audio in memory and never keeps it takes a whole risk category off your books.
  • "Is my patients' data used for anything beyond my care, like model training, analytics, or resale?" This is where purpose limitation lives or dies.

AI Scribe by Patient Square is an ambient AI medical scribe that listens during the visit and hands back a structured SOAP note, ICD-10 suggestions, and a prescription draft, ready to review and sign about two minutes after the visit. We built it so those four answers come back short. Visit audio is processed in memory and discarded the moment the note is drafted, so there is no audio archive to breach or to produce. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256), access is role-scoped and logged, and you can export or delete any visit at any time. We never sell or share clinical data. We describe this as handling data to DPDP Act 2023 standards, consent-first and purpose-limited, and we deliberately do not call it a certification, because a DPDP certification for vendors does not exist. A SOC 2 Type II audit is underway, and we say exactly that: underway, not complete. ABDM integration is on our roadmap, not live, so we never claim otherwise. The full posture, in the same plain terms, sits on our security page.

Two more things doctors ask us. The scribe is EMR-agnostic, so it does not lock you into one records system. And the price is flat and transparent: in India, the launch annual rate is ₹1,199 per clinician a month for Solo and ₹999 for Group, both ex-GST, plus 18% GST, so a Solo seat lands at about ₹1,415 a month all in. No per-feature gating, no surprise tiers.

If you operate across borders or want the obligation map next to HIPAA, our HIPAA vs DPDP guide for AI scribes puts both regimes side by side. And if you would rather test the answers than read them, book a short demo and ask the four questions above, then run the 7-day trial on a real OPD day and watch where the audio goes. Nowhere. That is the design, and under DPDP, the data you never store is the breach you never have to report.

FAQ

Common questions

What does the DPDP Act mean for a practising doctor?

It makes your clinic a Data Fiduciary the moment patient data goes digital. You owe patients consent, purpose limitation, security, breach reporting, and the right to see, correct, or erase their data. Practice size does not exempt you. The duties are operational, not just paperwork, and most take effect by 13 May 2027.

When does a clinic actually have to comply with the DPDP Act?

The DPDP Rules were notified on 13 November 2025 and switch on in stages. The Consent Manager framework lands on 13 November 2026, and the bulk obligations, consent, notice, security, breach, and patient rights, take effect on 13 May 2027. That is your real deadline. The build window is open now.

What are the DPDP penalties a clinic should worry about?

The Act sets statutory ceilings, not automatic fines. Up to ₹250 crore for failing to keep reasonable security safeguards where that leads to a breach, up to ₹200 crore for failing to report a breach or for mishandling children's data, and up to ₹50 crore for other violations. The Data Protection Board applies them case by case.

Does the DPDP Act change how long doctors keep medical records?

No. Your retention floor still comes from the Indian Medical Council 2002 ethics rules: keep inpatient records three years, produce them within 72 hours of a request. The NMC 2023 regulations that restated this were held in abeyance in August 2023. DPDP layers consent, purpose limitation, and deletion duties on top of that floor.

What should a doctor ask an AI scribe before buying it under DPDP?

Four questions settle most of it: what patient data you collect and where it lives, how long it is kept and whether the clinic can delete it, whether visit audio is stored, and whether the data trains models or gets resold. A vendor that processes audio in memory and never stores it shrinks your DPDP exposure at the point of purchase.

Sources

  1. MeitY: Digital Personal Data Protection Act, 2023 (full text; assent 11 August 2023).
  2. PRS India: Digital Personal Data Protection Act, 2023 (Schedule penalties; consent and fiduciary provisions).
  3. PIB / MeitY: DPDP Rules, 2025 notified 13 November 2025 (phased commencement).
  4. SCC Online: DPDP Rules 2025 per-rule commencement dates (Rule 4 at 13 Nov 2026; bulk at 13 May 2027).
  5. DPDP Rules 2025, Rule 7: intimation of personal data breach (without delay; detailed report within 72 hours).
  6. NMC: Code of Medical Ethics Regulations 2002, Regulation 1.3 (operative 3-year retention; 72-hour production).
  7. Medical Dialogues: NMC holds its Registered Medical Practitioner (Professional Conduct) Regulations 2023 in abeyance (23 August 2023).
