Patient Data Protection In India: Constitutional Privacy, Consent Architecture, And Regulatory Gaps After The Digital Personal Data Protection Act, 2023
- IJLLR Journal
- Apr 28
Fidha Farshana, CHRIST (Deemed to be University)
ABSTRACT
The rapid digitisation of India’s healthcare ecosystem has fundamentally transformed the relationship between patients, medical institutions, and the State. Initiatives such as the Ayushman Bharat Digital Mission (ABDM), the Ayushman Bharat Health Account (ABHA), telemedicine platforms, and electronic health record infrastructures promise accessibility, interoperability, and efficiency in healthcare delivery. However, these developments simultaneously generate unprecedented volumes of sensitive personal data, the misuse of which can directly affect dignity, autonomy, and equality. The enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) represents India’s first comprehensive legislative attempt to regulate personal data governance across sectors, including healthcare. Yet, the Act does not classify health data as a distinct category of sensitive personal data, raising significant constitutional and regulatory concerns. This paper examines whether the DPDP Act provides adequate protection for patient confidentiality within India’s emerging digital health ecosystem. It argues that although the statute establishes a foundational framework for consent-based processing and fiduciary accountability, structural gaps persist in consent architecture, emergency processing exceptions, telemedicine compliance, cybersecurity enforcement, and digital literacy barriers that affect meaningful participation in ABDM systems. Drawing on the constitutional right to informational privacy recognised in Justice K. S. Puttaswamy v. Union of India, the paper evaluates the extent to which current health data governance mechanisms satisfy the proportionality standards required under Article 21. It further analyses recent cybersecurity incidents such as the AIIMS ransomware attack as indicators of systemic vulnerability.
The paper concludes by proposing a regulatory reform roadmap that includes classification of health data as sensitive personal data, strengthening consent infrastructure within ABDM, harmonising telemedicine standards with statutory privacy obligations, and establishing sector-specific health data protection norms consistent with global best practices such as the EU General Data Protection Regulation (GDPR).
Keywords: Patient Data Protection; Digital Personal Data Protection Act, 2023; Informational Privacy under Article 21; Ayushman Bharat Digital Mission (ABDM); Consent Architecture in Digital Healthcare; Telemedicine Regulation in India; Cybersecurity in Health Infrastructure; Health Data Governance in India.
