
Patient consent under the DPDP Act: a clinic's guide

Avinya Plus Team · 5 min read

Key takeaways

  • Consent must follow a clear notice that states what data you take and why.
  • Valid consent is free, specific, informed, and limited to the stated purpose.
  • Honour withdrawal of consent and access or correction requests promptly.
  • Children's data needs verifiable parent or guardian consent by default.

Consent is the permission slip for everything your clinic does with a patient's data. Under India's Digital Personal Data Protection Act, 2023, you usually need that permission before you collect and use personal data, and it has to be the right kind of permission. Not a buried clause. Not a pre-ticked box. A clear, specific yes.

This guide is about consent in particular, not the whole Act. If you want the wider picture first, start with the DPDP Act primer for clinics and the pillar on patient data security for clinics. What follows is practical and not legal advice. Confirm the specifics with a qualified advisor, since the operational rules are still being detailed.

Consent does not stand on its own. It rests on a notice you give the patient before you ask. The notice is plain-language and it answers three questions:

  • What personal data you are collecting. Name, contact, history, the clinical and billing details a visit produces.
  • Why you need it. To treat the patient, to bill them, and to run the clinic's legitimate operations.
  • How long and to whom. Roughly how long you will keep it, and the kinds of parties you may share it with, such as a lab or an insurer.

Get the notice right and the consent that follows is informed, because the patient actually knew what they were agreeing to. Skip the notice and the consent is hollow, no matter how many boxes got ticked.

The Act sets a bar for consent. It has to be free, specific, informed, unconditional, and given by a clear affirmative action. In a clinic, that translates cleanly:

  • Free and unconditional. The patient is not pressured, and care is not held hostage to agreeing to unrelated uses such as marketing.
  • Specific. Consent is tied to a stated purpose. Agreeing to be treated is not the same as agreeing to marketing messages later.
  • Informed. They saw the notice and understood it.
  • A clear yes. A signature, a tick they made themselves, a verbal yes you record. Silence is not consent.

The common mistake is the blanket. One vague clause that tries to cover treatment, billing, marketing, research, and sharing all at once. That is the opposite of specific, and it is exactly what the law is built to stop.

Use it only for what you asked for

Consent for one purpose is not a licence for any purpose. This is purpose limitation, and it is the rule clinics break most often without noticing.

You took a patient's number to send appointment reminders. Sending them festival offers or third-party promotions on that same number is a different purpose they never agreed to. If you want to do something new with the data, you go back and ask. The cleaner your original notice, the easier that line is to hold, because everyone can see what the data was for.

Honour withdrawal, access, and correction

Consent is not a one-time capture. The patient keeps three rights over their data, and your clinic has to be able to act on each.

Withdrawal. A patient can withdraw consent as easily as they gave it. When they do, you stop the processing that depended on that consent. One caveat worth being precise about: withdrawal does not erase what was already done lawfully, and it does not override a separate legal duty to keep certain medical records for a fixed period. So you may continue to hold a record for a lawful retention reason while you stop the consent-based uses such as marketing. For how long records must or may be kept, see patient record retention and disposal in India.

Access. A patient can ask what data you hold about them. You should be able to pull their record and show them, without it turning into an archaeology project.

Correction. If a detail is wrong, they can ask you to fix it, and you should. An accurate record is both a patient right and good clinical practice.

The practical test is simple. If a patient walked in today and asked to see their record, withdraw a consent, or correct a number, could your front desk handle it this week? If the honest answer is no, that is the gap to close.
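The purpose-limitation rule above and the withdrawal, access and correction rights are easiest to see as a small consent ledger. The following is an added illustrative model written for this article; it is not Avinya Plus code and not a statement of what the Act requires. Every name, the one-purpose-per-record shape, the separate `retention_duty_until` basis and the constructed sample dates are assumptions chosen to show the rules the text describes: consent for reminders does not cover marketing, withdrawal stops consent-based use from that day forward without making earlier use unlawful, and a record can still be retained under a separate duty after every consent is withdrawn.

```python
"""Purpose-scoped consent ledger: an illustrative model of the rules in the text,
not Avinya Plus code. Names, fields and the sample dates are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Consent:
    purpose: str                    # one stated purpose per record, never a blanket
    notice_version: str             # the notice the patient saw, so "informed" is traceable
    given_on: date
    withdrawn_on: Optional[date] = None

    def active_on(self, day: date) -> bool:
        """Active from the day it was given until (not including) the day it was withdrawn."""
        return self.given_on <= day and (self.withdrawn_on is None or day < self.withdrawn_on)


@dataclass
class PatientRecord:
    patient_id: str
    fields: dict                    # the personal data actually held, e.g. {"phone": "..."}
    consents: list = field(default_factory=list)
    # Separate lawful basis for keeping the clinical record. The value is an
    # assumption here; the real period comes from the retention rules, not code.
    retention_duty_until: Optional[date] = None
    audit: list = field(default_factory=list)   # (day, actor, action): who did what, when

    def log(self, actor: str, action: str, day: date) -> None:
        self.audit.append((day.isoformat(), actor, action))


def give_consent(rec, purpose, notice_version, day, actor="front_desk"):
    """Record a specific, affirmative consent tied to one purpose and one notice version."""
    rec.consents.append(Consent(purpose, notice_version, day))
    rec.log(actor, f"consent given: {purpose} (notice {notice_version})", day)


def withdraw_consent(rec, purpose, day, actor="patient"):
    """Withdrawal is as easy as giving: one call, effective from that day."""
    changed = False
    for c in rec.consents:
        if c.purpose == purpose and c.withdrawn_on is None:
            c.withdrawn_on = day
            changed = True
    if changed:
        rec.log(actor, f"consent withdrawn: {purpose}", day)
    return changed


def may_process(rec, purpose, day) -> bool:
    """Purpose limitation: only an active consent naming exactly this purpose permits it."""
    return any(c.purpose == purpose and c.active_on(day) for c in rec.consents)


def may_retain(rec, day) -> bool:
    """Withdrawal stops consent-based uses but does not override a retention duty."""
    if rec.retention_duty_until is not None and day <= rec.retention_duty_until:
        return True
    return any(c.active_on(day) for c in rec.consents)


def access_request(rec, day, actor="front_desk") -> dict:
    """Answer 'what do you hold about me?' from the record itself, and log the view."""
    rec.log(actor, "access request served", day)
    return {
        "patient_id": rec.patient_id,
        "data": dict(rec.fields),
        "consents": [(c.purpose, c.given_on.isoformat(),
                      c.withdrawn_on.isoformat() if c.withdrawn_on else None)
                     for c in rec.consents],
        "retention_duty_until": (rec.retention_duty_until.isoformat()
                                 if rec.retention_duty_until else None),
    }


def correct_field(rec, name, new_value, day, actor="front_desk"):
    """Correction request: change the value and keep the old one in the audit trail."""
    old = rec.fields.get(name)
    rec.fields[name] = new_value
    rec.log(actor, f"corrected {name}: {old!r} -> {new_value!r}", day)


def demo():
    """Walk the scenario from the text on constructed sample data."""
    rec = PatientRecord("P-0001", {"name": "A. Patient", "phone": "9000000000"},
                        retention_duty_until=date(2030, 12, 31))
    for purpose in ("treatment", "billing", "appointment_reminders"):
        give_consent(rec, purpose, "notice-v1", date(2025, 1, 10))
    results = {
        "reminders_ok": may_process(rec, "appointment_reminders", date(2025, 2, 1)),
        "marketing_ok": may_process(rec, "marketing", date(2025, 2, 1)),  # never asked for
    }
    withdraw_consent(rec, "appointment_reminders", date(2025, 3, 1))
    results["reminders_after_withdrawal"] = may_process(rec, "appointment_reminders", date(2025, 3, 2))
    results["reminders_before_withdrawal"] = may_process(rec, "appointment_reminders", date(2025, 2, 15))
    results["retain_after_withdrawal"] = may_retain(rec, date(2025, 3, 2))
    for purpose in ("treatment", "billing"):
        withdraw_consent(rec, purpose, date(2025, 3, 5))
    results["retain_with_no_consents"] = may_retain(rec, date(2025, 3, 6))
    results["retain_after_duty_ends"] = may_retain(rec, date(2031, 1, 1))
    correct_field(rec, "phone", "9000000001", date(2025, 3, 6))
    results["access"] = access_request(rec, date(2025, 3, 6))
    return results, rec


if __name__ == "__main__":
    out, record = demo()
    for key, value in out.items():
        print(key, value)
```

The point of the shape is that `may_process` has no blanket path: a purpose is either named by an active consent or it is refused, and a check against a past date answers whether processing on that date was lawful without rewriting history. The retention question is deliberately a separate function with a separate basis, so that withdrawing every consent cannot silently delete a record the clinic is obliged to keep.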

Special care for children's data

Children get the strongest protection in the Act. A child means anyone under eighteen, and the default rule is verifiable consent from a parent or lawful guardian before you process their data. Behavioural tracking and advertising aimed at children are restricted.

There is a nuance worth knowing. The Act allows certain classes of fiduciaries, which may include healthcare providers, to be exempted from some of these conditions, with the exact terms set by the rules. Do not lean on that as a loophole. For a paediatric or family practice, the safe operating default is straightforward: take guardian consent, note who the guardian is, and confirm the specifics with your advisor rather than assuming an exemption applies to you.

Consent is not a policy that lives in a drawer. It happens at specific moments in the clinic day, and naming them makes it real.

At registration. This is the main one. When you create a patient record, that is where the notice is shown and the first consent is taken, for treatment and billing. Build it into the intake step so it happens every time, not when someone remembers.

When you share with a lab or insurer. Sending a patient's details to an external lab, or to an insurer for a claim, is sharing with a third party. Make sure the patient understood and agreed that this could happen. Often this fits inside the registration notice if you listed those parties clearly. If it is something new or unusual, ask again.

When the purpose changes. Any time you want to use the data for something outside the original purpose, that is a fresh consent moment, not an assumption.

This trips people up, so be clear about it. DPDP consent and ABDM consent are different things.

DPDP consent is the lawful basis for your clinic to collect and process a patient's data inside your own systems. ABDM consent is a separate, record-level permission a patient gives to share specific health records across the ABDM network, managed through a consent manager. Different mechanism, different scope. Handling your DPDP obligations does not satisfy ABDM, and vice versa. If ABDM is on your roadmap, the ABHA and ABDM explainer covers that consent flow on its own terms.

Where software helps, and where it does not

Be clear-eyed here, because it matters. Software does not make a clinic DPDP compliant. Consent is your clinic's process and your obligation as the data fiduciary. A tool cannot give the notice, judge whether consent was free and informed, or decide your retention policy. People and process do that.

What good software does is make the process workable. With Avinya Plus, patient information lives in structured records, and a clinic can build its own intake steps, including showing the notice and recording consent, into registration rather than scattering them across paper and chat. Role-based access and a tenant-scoped audit trail mean data is used on a need-to-know basis and you can show who viewed or changed a record, which is what purpose limitation looks like in practice. And because records are exportable, answering a patient's access or correction request is a normal operation, not a scramble.

That is the honest line. The controls support your duty. They do not replace it. Treat consent as something you design into the front desk on day one, and the law becomes a way of working rather than a thing you fear.

Frequently asked questions

Do I need patient consent to process data under the DPDP Act?
In most cases, yes. Consent is the usual lawful basis for processing a patient's personal data, and it must follow a clear notice that says what you collect and why. The Act also recognises some legitimate uses that do not need separate consent, but for routine clinic data the safe default is to give notice and take consent at registration. This is general guidance, not legal advice.
What makes consent valid under the DPDP Act?
Valid consent is free, specific, informed, unconditional, and given by a clear affirmative action. The patient must understand what data you take and the purpose, and agree to that purpose specifically rather than to a vague blanket. A pre-ticked box or a buried clause is not valid consent. The notice you give before asking is what makes the consent informed.
Can a patient withdraw consent, and what happens to their data?
Yes. A patient can withdraw consent as easily as they gave it. Once withdrawn, you stop processing for that purpose going forward. Withdrawal does not erase what was lawfully done before, and it does not override a separate legal duty to retain certain medical records for a set period. So you may keep the record for a lawful retention reason while stopping uses that depended only on consent.
Is DPDP consent the same as ABDM or ABHA consent?
No. DPDP consent is the lawful basis for your clinic to collect and process patient data inside your own systems. ABDM consent is a separate, record-level permission a patient gives to share specific health records across the ABDM network through a consent manager. They are different mechanisms with different scopes. Doing one does not satisfy the other.
What does the DPDP Act require for a child's data?
Processing a child's data, meaning anyone under eighteen, generally requires verifiable consent from a parent or lawful guardian, and behavioural tracking or targeted advertising aimed at children is restricted. The Act allows for certain classes of fiduciaries, which may include healthcare providers, to be exempted from some of these conditions, but the exact terms depend on the rules. Treat guardian consent and identity as the default and confirm specifics with a qualified advisor.
