A patient's health record is some of the most sensitive personal data there is. India's Digital Personal Data Protection Act, 2023 (DPDP Act) is the law that governs how that data must be handled, and a clinic is squarely within its scope. This is a plain-English primer, not legal advice: confirm specifics with a qualified advisor, since the detailed operational rules are still being issued.
The two roles you need to know
- Data Principal: the individual the data is about. For a clinic, that's the patient (and, for minors, their parent or guardian).
- Data Fiduciary: whoever decides how and why the data is processed. When you collect a patient's name, history, and contact details to treat and bill them, your clinic is the data fiduciary. The responsibility sits with you.
That single fact (you are the fiduciary) is the thing most clinics underestimate.
What the law expects, in practice
The Act is built on a handful of principles. Translated to a clinic:
- Notice & consent: tell patients what you collect and why, and have a lawful basis (typically consent) for processing it.
- Purpose limitation: use the data for care and the clinic's legitimate operations, not for unrelated purposes.
- Data minimisation: collect what you need, not everything you could.
- Accuracy: keep records correct and up to date.
- Security safeguards: protect the data with reasonable technical and organisational measures.
- Breach handling: be able to detect a personal-data breach and respond appropriately.
- Patient rights: people can ask to access or correct their data, and to have it erased when there's no longer a lawful reason to keep it.
- Grievance redressal: give patients a way to raise a complaint.
The security part is where software earns its keep
"Reasonable security safeguards" is the obligation a clinic can't meet with a policy document alone. It has to be built into the system holding the data. Three controls do most of the work:
- Access on a need-to-know basis. Your front desk should be able to book and bill without opening clinical notes; the doctor sees the full record. This is role-based access, and it directly serves purpose limitation and minimisation of exposure.
- Isolation between tenants. If you run more than one branch, one location must not be able to read another's patients. Enforcing that in the database (not just hiding it in the interface) is what makes the guarantee real.
- An audit trail. Being able to show who viewed or changed what, and when, is the difference between "we think we're fine" and being able to demonstrate it: for a grievance, an inquiry, or a breach investigation.
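As an added example, not Avinya Plus's own code, this is what the three controls look like when enforced in PostgreSQL itself: column grants per role, row-level security keyed to the branch, and an append-only audit table. The table, role and setting names (patient, front_desk, clinician, app.branch_id) are constructed for illustration.

```sql
-- Constructed schema: one row per patient, tagged with the branch that owns it.
CREATE TABLE patient (
    id             bigserial PRIMARY KEY,
    branch_id      integer NOT NULL,
    full_name      text    NOT NULL,
    phone          text,
    clinical_notes text
);
-- Application roles; the clinic's API connects as one of these, never as the owner.
CREATE ROLE front_desk NOLOGIN;
CREATE ROLE clinician  NOLOGIN;
-- Need-to-know: front desk gets demographics for booking and billing, not the notes.
GRANT SELECT (id, branch_id, full_name, phone) ON patient TO front_desk;
GRANT INSERT (branch_id, full_name, phone)     ON patient TO front_desk;
GRANT SELECT, INSERT, UPDATE ON patient TO clinician;
GRANT USAGE ON SEQUENCE patient_id_seq TO front_desk, clinician;
-- Branch isolation enforced by PostgreSQL, not the UI: the API sets app.branch_id
-- per request, and both reads and writes are confined to that branch. If the
-- setting is missing, current_setting() raises an error, so access fails closed.
ALTER TABLE patient ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient FORCE  ROW LEVEL SECURITY;
CREATE POLICY patient_branch_isolation ON patient
    USING      (branch_id = current_setting('app.branch_id')::integer)
    WITH CHECK (branch_id = current_setting('app.branch_id')::integer);
-- Audit trail: which role did what, to which record, in which branch, and when.
-- Application roles may only append to it, so nobody can quietly edit the log.
CREATE TABLE patient_audit (
    logged_at  timestamptz NOT NULL DEFAULT now(),
    db_role    text        NOT NULL DEFAULT current_user,
    branch_id  integer     NOT NULL,
    action     text        NOT NULL,
    patient_id bigint      NOT NULL,
    row_data   jsonb
);
GRANT INSERT ON patient_audit TO front_desk, clinician;
CREATE FUNCTION patient_audit_trg() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE r patient;
BEGIN
    IF TG_OP = 'DELETE' THEN r := OLD; ELSE r := NEW; END IF;
    INSERT INTO patient_audit (branch_id, action, patient_id, row_data)
    VALUES (r.branch_id, TG_OP, r.id, to_jsonb(r) - 'clinical_notes'); -- notes stay out of the log
    RETURN NULL;
END $$;
CREATE TRIGGER patient_audit AFTER INSERT OR UPDATE OR DELETE ON patient
    FOR EACH ROW EXECUTE FUNCTION patient_audit_trg();
```

The application's login role is made a member of front_desk and clinician and runs SET ROLE plus SET app.branch_id at the start of each request; a front-desk query that names clinical_notes is then refused with a permission error, and a query with no WHERE clause still returns only the current branch's patients.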
A short clinic checklist
- Map what personal data you hold and why.
- Add a clear notice + consent step at registration.
- Lock down access by role; isolate branches.
- Turn on an audit trail and keep it.
- Have a plan for access/correction/erasure requests and for a breach.
- Don't keep data longer than you have a reason to.
Where Avinya Plus fits, honestly
We're precise about this: software does not make a clinic "DPDP compliant". Compliance is the fiduciary's responsibility, and it depends on your processes as much as your tools. What good software does is give you the technical controls that make compliance achievable: role-based access, PostgreSQL-enforced branch isolation, and a tenant-scoped audit trail, on a single structured record where access is governed rather than assumed.
Treat the DPDP Act as a reason to get access control right from day one, not a box to tick later. See how Avinya Plus isolates and audits clinic data, or book a demo from the menu to review the controls against your own setup.