Your Medical Records Aren't as Private as You Think — Here's What's Changing in India

The next time you hand over your phone number at a hospital reception desk, pause for a second. That number, along with your diagnosis, your prescriptions, maybe even a genetic test result, is about to travel through billing systems, insurance portals, and cloud servers you'll never see. For years, nobody really asked what happened to it after that. That's finally changing.

India's Digital Personal Data Protection Act is now actively rolling out, and healthcare is one of the sectors most affected by it. The law doesn't create a special "extra sensitive" category for medical information the way some other countries' privacy laws do — which sounds counterintuitive, but the effect is that all your personal data, from your address to your psychiatric history, now has to meet the same strict bar for consent and security.

What this means practically: a hospital or telemedicine app has to tell you exactly why they're collecting your information, in plain language, not buried in a ten-page admission form. You can say no to some uses and yes to others. And you can ask for your data back — literally request a summary of everything they hold on you, free of charge.

There are sensible carve-outs too. If you're wheeled into an ER unconscious, doctors aren't legally stuck waiting for a signature before they can treat you — the law allows processing without consent in genuine medical emergencies, then expects normal consent rules to resume once you're stable.

It's not a perfect system yet, and enforcement is still maturing through 2026 and into 2027. But for the first time, there's an actual regulator — the Data Protection Board of India — with the power to fine institutions up to ₹250 crore for serious security failures. For a more detailed look at what hospitals and health-tech companies are now required to do, this deep dive into medical data security under the DPDP Act is worth a read if you want the fuller regulatory picture.