Union Minister Ashwini Vaishnaw announced on September 18, 2025 a development that could redefine how industry handles the personal data of Indians: the final rules under the Digital Personal Data Protection (DPDP) Act, 2023 are complete and will be published no later than September 28, 2025. In an unusually emphatic move, the Minister asked S. Krishnan, Secretary, Ministry of Electronics and IT, to confirm the deadline. Krishnan did so, adding that the rules aim to balance the privacy of individuals against room for technological innovation.

For the health sector, however, this is not a matter of balance but of survival. Few sectors handle information as personal, private and life-defining. In a clinic or hospital, data is not just figures on a server: it is a record of a person's HIV status, fertility treatment, psychiatric history and genetic makeup. It is medications, test reports and insurance claims that, in the wrong hands, can lead to stigma, discrimination or financial abuse.

Risky handling of such data has been standard practice in Indian medicine for years. Patient records were passed to pharmaceutical companies, free or for a commission. Prescription records were quietly sold to diagnostic laboratories in exchange for referral kickbacks. Reports were routinely forwarded through unsecured WhatsApp groups and Gmail chains. Hospitals kept patient data for years on cheap servers with little or no encryption. Startups experimenting with artificial intelligence sometimes trained models on patient records without bothering to obtain explicit consent. What passed as an acceptable shortcut in a competitive market is now a statutory violation under the DPDP Act, which provides for monetary penalties of up to ₹250 crore for failing to take reasonable security safeguards against a personal data breach, a sum large enough to threaten even large corporate hospitals.

The costs of non-compliance go well beyond the financial penalties. Once a patient's confidence is lost, it may never be recovered. A single unauthorised disclosure of a person's cancer, infertility or psychiatric diagnosis can permanently damage a hospital's reputation. Investors, whether venture capitalists or private equity firms, will not back institutions carrying catastrophic liability. Partners, from insurers to pharmaceutical collaborators, will quickly exit alliances that jeopardise their own compliance. And perhaps most damaging of all, media coverage of such disclosures can destroy reputations overnight, leaving scars deeper than the fines themselves.

Global experience offers a bracing lesson. In the United Kingdom, the Information Commissioner found in 2017 that the Royal Free NHS Foundation Trust had breached the Data Protection Act 1998 (the pre-GDPR regime) when it shared the records of about 1.6 million patients with DeepMind without a proper legal basis or adequate information to patients. In the United States, HIPAA violations have led to multimillion-dollar settlements against hospitals and cancer centres, and smaller providers have at times been forced to close. In France, the CNIL fined CEGEDIM SANTÉ €800,000 in 2024 over its handling of patient data, illustrating how strictly health data is governed worldwide. If developed economies with mature compliance mechanisms can fail, India's unprepared and fragmented health system is at even greater risk.

But compliance is not only about avoiding fines. Done well, it becomes a strong competitive advantage. Patients will increasingly prefer providers who keep their medical data safe, and that trust translates into loyalty and revenue. Investors will pay closer attention to healthcare companies with sound governance and legal compliance, treating them as the safer long-term bet. International partners, whether multinational pharmaceutical companies or foreign insurers, will favour institutions that meet a high standard of data protection. Cyber resilience improves too, reducing the chance of a hospital being locked out by ransomware or breached by intruders.

Compliance, in other words, will shift from a box to be ticked into a badge of credibility; protecting privacy will underwrite competitiveness. The question is whether Indian healthcare is ready, and the uncomfortable answer is: not yet. Most hospitals still run antiquated systems jury-rigged over decades. Laboratories all too often rely on free cloud storage or personal Gmail accounts. Startups treat consent forms as one more piece of paperwork rather than a patient's right. Small clinics almost never implement any cybersecurity at all. With the DPDP rules due to be notified in less than ten days, the system is nowhere near ready, which makes healthcare one of the softest targets for regulators keen to set early precedents.

So what must healthcare leaders do to avoid becoming the first casualties of DPDP enforcement? They must start with immediate reforms. Exchanging reports over WhatsApp and selling data to third parties must stop at once. All patient data must be encrypted, both at rest and in transit. Consent processes need to be rewritten to be granular, transparent and auditable, so that patients see precisely how their data is used and for which purpose, and so that a withdrawal of consent is honoured and provable. Privacy audits and Data Protection Impact Assessments must be undertaken now. Vendors, from IT providers to diagnostic laboratories, must be held accountable for their own compliance readiness. Staff at every level, from receptionists to senior physicians, need immediate training on the new obligations. Hospitals that want to send a signal to patients can go further and publicly commit to a privacy pledge, making data protection a visible part of their identity. Finally, compliance cannot remain an IT-department concern; it must be elevated to the boardroom and shape organisational strategy.
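One way to make consent granular and auditable in practice, as an added example that is not part of the original article and not any hospital's or vendor's product: a small append-only consent ledger in Python, keyed by patient and purpose and hash-chained so that a silent edit is detectable, with a gate that a data use such as building an AI training set must pass. The patient IDs, the purpose names ("treatment", "insurance_claim", "ai_model_training") and the timestamps are constructed sample data; the purpose taxonomy itself is an assumption.

```python
"""Granular, auditable patient-consent ledger.

Added illustration, not code from the article or any named product. Each
consent decision is recorded per patient and per purpose, and every entry is
chained to its predecessor with a SHA-256 hash, so silently editing or
deleting a record breaks verification. Data use is gated on the latest
decision for that patient and purpose; no record means no consent.
Patient IDs, purpose names and timestamps are constructed sample data.
"""
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64  # predecessor hash of the first entry


@dataclass(frozen=True)
class ConsentRecord:
    patient_id: str
    purpose: str       # e.g. "treatment", "insurance_claim", "ai_model_training"
    granted: bool
    recorded_at: str   # ISO-8601 UTC timestamp
    prev_hash: str
    entry_hash: str


def _hash_entry(patient_id: str, purpose: str, granted: bool,
                recorded_at: str, prev_hash: str) -> str:
    # Canonical JSON so that the same fields always hash identically.
    payload = json.dumps([patient_id, purpose, granted, recorded_at, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self._entries: list[ConsentRecord] = []

    def record(self, patient_id: str, purpose: str, granted: bool,
               recorded_at: Optional[str] = None) -> ConsentRecord:
        """Append a consent grant or withdrawal; existing entries are never modified."""
        recorded_at = recorded_at or datetime.now(timezone.utc).isoformat()
        prev_hash = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        entry_hash = _hash_entry(patient_id, purpose, granted, recorded_at, prev_hash)
        rec = ConsentRecord(patient_id, purpose, granted, recorded_at, prev_hash, entry_hash)
        self._entries.append(rec)
        return rec

    def is_permitted(self, patient_id: str, purpose: str) -> bool:
        """Latest decision for this patient and purpose wins; default is deny."""
        for rec in reversed(self._entries):
            if rec.patient_id == patient_id and rec.purpose == purpose:
                return rec.granted
        return False

    def history(self, patient_id: str) -> list:
        """Transparency view: every decision a patient has made, oldest first."""
        return [dataclasses.asdict(r) for r in self._entries if r.patient_id == patient_id]

    def verify(self) -> bool:
        """Recompute the hash chain; any edited, removed or reordered entry fails."""
        prev_hash = GENESIS_HASH
        for rec in self._entries:
            expected = _hash_entry(rec.patient_id, rec.purpose, rec.granted,
                                   rec.recorded_at, rec.prev_hash)
            if rec.prev_hash != prev_hash or rec.entry_hash != expected:
                return False
            prev_hash = rec.entry_hash
        return True


def select_for_purpose(ledger: ConsentLedger, patient_ids: list, purpose: str) -> list:
    """Gate a data use (e.g. assembling an AI training set) on per-purpose consent."""
    return [pid for pid in patient_ids if ledger.is_permitted(pid, purpose)]


def demo() -> dict:
    """Constructed scenario: two sample patients; one withdraws AI-training consent."""
    ledger = ConsentLedger()
    ledger.record("P-1001", "treatment", True, "2025-09-18T10:00:00+00:00")
    ledger.record("P-1001", "ai_model_training", True, "2025-09-18T10:01:00+00:00")
    ledger.record("P-1001", "ai_model_training", False, "2025-09-19T09:00:00+00:00")  # withdrawal
    ledger.record("P-1002", "ai_model_training", True, "2025-09-19T09:30:00+00:00")
    result = {
        "treatment_p1001": ledger.is_permitted("P-1001", "treatment"),
        "training_p1001": ledger.is_permitted("P-1001", "ai_model_training"),
        "claim_p1001": ledger.is_permitted("P-1001", "insurance_claim"),  # never asked: denied
        "training_cohort": select_for_purpose(ledger, ["P-1001", "P-1002"], "ai_model_training"),
        "history_len_p1001": len(ledger.history("P-1001")),
        "chain_valid": ledger.verify(),
    }
    # Simulate someone flipping the stored withdrawal back to "granted" after the fact.
    ledger._entries[2] = dataclasses.replace(ledger._entries[2], granted=True)
    result["chain_valid_after_tamper"] = ledger.verify()
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Three design choices carry the weight here. Consent is denied by default, so a purpose the patient was never asked about (an insurance claim in the scenario) is refused rather than assumed. A withdrawal is appended, never written over the original grant, which keeps the full history available to the patient and to an auditor. And the hash chain makes tampering evident but not impossible: in production the chain head should be anchored somewhere the application cannot rewrite (signed entries, write-once storage, or a periodic export to a separate system), and the ledger itself sits on encrypted storage, which this example does not cover.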

The DPDP Act brings hope as well as risk. On the positive side, it protects patients from the humiliation of stigma when sensitive medical information leaks, forces the modernisation of IT systems, and creates conditions in which trust can take root. It aligns India with international best practice and opens the door to new partnerships. On the negative side, compliance costs may prove unaffordable for smaller startups and clinics, threatening their survival. The tight timeline may push providers into "checkbox compliance", following the letter rather than the spirit of the rules. AI innovation may also stall if startups feel shut out from using patient data altogether.

For Indian citizens, whose trust in data safeguards has already been shaken by Aadhaar-related leaks and hospital intrusions, the DPDP Act arrives not a moment too soon. The GDPR and HIPAA experiences show that, painful as the process is, the result is better-equipped and more resilient healthcare systems. India's task is to learn from them, with real accountability but without unnecessary disruption. As former US President Barack Obama once said of healthcare reform, "If we want to keep healthcare affordable and effective, we must keep it accountable." The countdown to compliance has begun. Minister Vaishnaw's announcement is not just another bureaucratic notice but a final wake-up call. Healthcare providers have fewer than ten days before the rules are notified. Those who act decisively now may not only survive but emerge with a lasting advantage. Those who wait risk not only penalties of up to ₹250 crore but the loss of patients, the flight of investors and, ultimately, the closure of their institutions. Survival in the new era of Indian healthcare will depend not only on who treats better, but on who guards better.


Dr. Prahlada N.B
MBBS (JJMMC), MS (PGIMER, Chandigarh). 
MBA in Healthcare & Hospital Management (BITS, Pilani), 
Postgraduate Certificate in Technology Leadership and Innovation (MIT, USA)
Executive Programme in Strategic Management (IIM, Lucknow)
Senior Management Programme in Healthcare Management (IIM, Kozhikode)
Advanced Certificate in AI for Digital Health and Imaging Program (IISc, Bengaluru). 

Senior Professor and former Head, 
Department of ENT-Head & Neck Surgery, Skull Base Surgery, Cochlear Implant Surgery. 
Basaveshwara Medical College & Hospital, Chitradurga, Karnataka, India. 

My Vision: I don’t want to be a genius.  I want to be a person with a bundle of experience. 

My Mission: Help others achieve their life’s objectives in my presence or absence!

My Values:  Creating value for others. 
