πŸ₯

DPDP Compliance for Healthcare Companies

Healthcare platforms handle the most sensitive data there is: medical records, prescriptions, health vitals, and insurance information. For them, DPDP compliance isn't optional; it's existential.

Average score 46/100 · 5 companies analyzed · 32 gaps found

Healthcare and DPDP: The Highest Stakes

Healthcare data is arguably the most sensitive category of personal data. Platforms like Practo, 1mg, and Cult.fit process medical histories, prescription records, health vitals, mental health consultations, and genetic information. A breach of healthcare data has irreversible consequences: you can change your password, but you can't change your medical history.

The Telemedicine Data Explosion

Post-COVID India saw telemedicine platforms grow exponentially. Every online consultation generates:

  • Video/audio recordings of doctor-patient conversations
  • Chat transcripts containing symptoms and diagnoses
  • Prescription images and medication histories
  • Payment records linked to specific medical procedures

Under DPDP, the consent for a medical consultation does not automatically extend to storing these records indefinitely, sharing them with insurance partners, or using them for AI model training.

Pharmacy Data: The Hidden Risk

When you order medicines online, the platform knows your health conditions with near-certainty. An order for insulin, antidepressants, or HIV medication creates an inference chain that's impossible to anonymize effectively. Under DPDP:

  • Users must be able to delete their prescription history
  • Pharmacy aggregators cannot share medication data with insurers without explicit consent
  • Delivery personnel should not see medication names on packaging labels

Health Insurance Data Sharing

Many healthtech platforms partner with insurance companies. When health data flows from a telemedicine consultation to an insurance underwriting algorithm, that's a DPDP compliance event requiring:

  • Separate, informed consent
  • Clear purpose limitation
  • Right to withdraw without affecting insurance coverage
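The three sections above (consultation consent that does not extend to insurer sharing or AI training, deletable prescription history, and a separate withdrawable consent for insurer data flows) describe one control: consent recorded per purpose, with an erasure trigger tied to retention. The sketch below is an added example, not code from this page or from any of the companies analysed here; the purpose labels, patient id and 90-day retention window are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Purpose labels are assumptions for this example; DPDP does not enumerate them.
CONSULTATION, INSURER_SHARING, AI_TRAINING = "consultation", "insurer_sharing", "ai_training"

@dataclass
class Consent:
    purpose: str
    given_at: datetime
    withdrawn_at: datetime | None = None
    def active(self, at: datetime) -> bool:
        return self.given_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)

@dataclass
class ConsentLedger:
    """Per-patient, per-purpose consent: consent for one purpose never implies
    another, and withdrawing one purpose leaves the others untouched."""
    retention: timedelta
    _consents: dict[str, list[Consent]] = field(default_factory=dict)
    def grant(self, patient: str, purpose: str, at: datetime) -> None:
        self._consents.setdefault(patient, []).append(Consent(purpose, at))

    def withdraw(self, patient: str, purpose: str, at: datetime) -> None:
        for c in self._consents.get(patient, []):
            if c.purpose == purpose and c.active(at):
                c.withdrawn_at = at

    def allows(self, patient: str, purpose: str, at: datetime) -> bool:
        return any(c.purpose == purpose and c.active(at) for c in self._consents.get(patient, []))

    def erasure_due(self, patient: str, records: list[tuple[str, str, datetime]], now: datetime) -> list[str]:
        # Automated erasure trigger: retention window lapsed, or the purpose's consent is gone.
        return [rid for rid, purpose, created in records
                if now - created >= self.retention or not self.allows(patient, purpose, now)]

def run_scenario() -> dict:
    t0, p = datetime(2025, 1, 1), "patient-1"  # constructed scenario; 90-day retention is assumed
    ledger = ConsentLedger(retention=timedelta(days=90))
    ledger.grant(p, CONSULTATION, t0)  # consent covers the consultation only
    out = {"insurer_without_consent": ledger.allows(p, INSURER_SHARING, t0),
           "ai_training_without_consent": ledger.allows(p, AI_TRAINING, t0)}
    ledger.grant(p, INSURER_SHARING, t0 + timedelta(days=1))  # separate, informed consent
    out["insurer_after_consent"] = ledger.allows(p, INSURER_SHARING, t0 + timedelta(days=2))
    ledger.withdraw(p, INSURER_SHARING, t0 + timedelta(days=10))
    out["insurer_after_withdrawal"] = ledger.allows(p, INSURER_SHARING, t0 + timedelta(days=11))
    out["consultation_unaffected"] = ledger.allows(p, CONSULTATION, t0 + timedelta(days=11))
    records = [("rx-1", CONSULTATION, t0), ("rx-2", CONSULTATION, t0 + timedelta(days=60))]
    out["erasure_due_day_100"] = ledger.erasure_due(p, records, t0 + timedelta(days=100))
    return out
```

Every data flow (insurer sharing, model training, the erasure job) asks the ledger for a specific purpose at a specific time, so a bundled "agree to the terms" click can never unlock a flow on its own.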

Fitness Data: Not As Harmless As It Seems

Apps tracking heart rate, sleep patterns, menstrual cycles, or workout routines generate deeply personal health profiles. Under DPDP, fitness data that reveals health conditions falls under the same obligations as clinical health data.

Healthcare Company Analyses

Apollo 24/7 (Healthcare), score 35/100

Apollo 24/7's privacy policy is detailed about data collection but remains largely anchored to the IT Act 2000 and SPDI Rules. Given it handles highly sensitive medical data, the lack of explicit DPDP Act 2023 alignment, especially concerning granular consent, specific data retention, and DPB redressal, poses significant compliance risks.

⚠️ No explicit DPDP Act 2023 reference; still relies on the IT Act 2000 framework
⚠️ Consent mechanism bundled, not 'freely given' per Section 6
+5 more gaps detected

Cure.fit (cult.fit), Health & Fitness, score 42/100

cult.fit collects intimate health data (heart rate, body measurements, workout capacity, injury history, and mental health content engagement), processing what is effectively continuous health monitoring. At 42/100, treating this health data with consumer app privacy standards instead of health data protections creates significant DPDP exposure.

⚠️ No DPDP Act 2023 reference
⚠️ Health metrics data (heart rate, calories, BMI) treated as standard app data
+5 more gaps detected

HealthifyMe (Healthcare), score 42/100

HealthifyMe relies on a 'bundled' consent model that likely fails the DPDP Act's strict requirement for specific and unconditional permission. While they prioritize security for sensitive health data, their broad data-sharing clauses and lack of a dedicated Indian grievance path create major legal risks.

⚠️ Consent is bundled with the Terms of Use; not 'freely given' or 'separate'
⚠️ Data sharing allowed for 'any other purposes'; lacks DPDP specificity
+4 more gaps detected

Practo (Healthcare), score 53/100

Practo handles India's most sensitive personal data (medical records, doctor consultations, prescriptions, and health histories), scoring 53/100 on DPDP alignment. While healthcare-specific awareness is present, the lack of DPDP-specific consent granularity and retention timelines for medical data creates critical regulatory exposure.

⚠️ No DPDP Act 2023 reference; uses IT Act and MCI guidelines
⚠️ Health data processing consent not adequately granular
+4 more gaps detected

1mg (Healthcare), score 60/100

Tata 1mg's privacy policy demonstrates a robust approach to data security and provides mechanisms for data principals to exercise certain rights, such as withdrawing consent. However, the policy currently lacks explicit alignment with several critical provisions of India's Digital Personal Data Protection Act 2023. Key areas requiring enhancement include the granularity of consent, clear definition of data retention periods, explicit mention of DPDP Act-mandated rights like nomination, and the escalation process to the Data Protection Board. Given the sensitive nature of health-related personal data processed by 1mg, precise DPDP compliance is essential to build and maintain user trust while navigating India's evolving data protection landscape.

⚠️ Consent mechanism bundled with service terms; not explicitly 'freely given' and granular per Section 6, and no mention of Consent Manager integration.
⚠️ Data retention period undefined; uses 'as long as necessary' language, lacking specific timelines or automated erasure triggers per Section 9.
+4 more gaps detected