FOR PATIENT’S EYES ONLY. Keeping medical records private
| Photo Credit:
triloks
Patient trust is the cornerstone of healthcare. Having practised as a surgeon before transitioning to healthcare law, I have seen how the doctor-patient relationship depends on the assurance that sensitive medical information remains confidential and secure. As India’s healthcare ecosystem becomes increasingly digital, the question is no longer whether health data should be protected, but whether it warrants protection distinct from other forms of personal data.Electronic health records, telemedicine, AI-enabled diagnostics, genomics, wearables and health information exchanges are now integral to healthcare delivery. The Digital Personal Data Protection Act (DPDP Act), 2023, has established India’s first comprehensive framework for digital personal data governance. While its consent-centric approach may be suitable for many sectors, healthcare presents unique ethical, operational and public interest considerations.A significant gap in the DPDP Act is its failure to distinguish health information from ordinary personal data. Unlike the European Union’s General Data Protection Regulation (GDPR), which classifies health information as a “special category” requiring heightened protection, the DPDP Act applies a uniform framework for all personal data. As a result, a patient’s psychiatric history, HIV status, genetic profile or cancer diagnosis receives the same statutory treatment as an individual’s name or email address, despite the vastly different consequences of disclosure.This distinction is reflected in India’s constitutional jurisprudence. In KS Puttaswamy vs Union of India (2017), the Supreme Court recognised informational privacy and bodily autonomy as integral to the fundamental right to privacy, acknowledging the harm arising from unauthorised disclosure of medical information. A framework that treats health data similar to ordinary personal data sits uneasily with this constitutional understanding.Specialised safeguards become even more inalienable when involving genetic and genomic data. Unlike most other personal information, genetic data is immutable, uniquely identifiable and capable of revealing information about individuals and their biological relatives. Misuse in employment, insurance or social settings can have lifelong consequences.The Act’s reliance on consent also presents practical challenges. Healthcare delivery often requires rapid information sharing among treatment providers, particularly during emergencies. A healthcare-specific framework should, therefore, recognise deemed or implied consent in appropriate circumstances while maintaining accountability and safeguards.Similarly, the Act’s permissive approach to cross-border data transfers may be insufficient for sensitive medical information. While international data flows are essential for research and innovation, additional safeguards are necessary when genetic, reproductive, biometric or mental health data is processed outside India.Right to erasureRecord retention is yet another area of concern. The DPDP Act grants individuals the right to seek erasure of personal data, yet healthcare providers are often legally and ethically required to preserve medical records for treatment, insurance claims, regulatory investigations and medico-legal purposes.All of this makes a case for a healthcare-specific carve-out under the DPDP Act. Such a framework should recognise health information as a specially protected category, establish a proportionate consent architecture, strengthen safeguards for cross-border transfers, provide enhanced protection for genetic data, and align with initiatives such as the Ayushman Bharat Digital Mission.The recently announced unified health interface Aarogya Setu 2.0 and other digital health initiatives have the potential to become healthcare’s UPI moment in India — unlocking a patient-centric and interoperable health ecosystem. However, the success would lie in balancing innovation with privacy, trust, consent and accountability, alongside a conducive regulatory environment. Health being a State subject, ensuring integration is critical too.The DPDP Act is an important step in strengthening India’s privacy regime. However, healthcare data cannot be viewed through the same lens as ordinary commercial information. A well-designed framework must protect patient dignity and confidentiality while ensuring that privacy regulation never becomes a barrier to care itself.










