DPDP Compliance for Healthcare Companies
Healthcare platforms handle the most sensitive data: medical records, prescriptions, health vitals, and insurance information. DPDP compliance isn't optional; it's existential.
Healthcare and DPDP: The Highest Stakes
Healthcare data is arguably the most sensitive category of personal data. Platforms like Practo, 1mg, and Cult.fit process medical histories, prescription records, health vitals, mental health consultations, and genetic information. A breach of healthcare data has irreversible consequences: you can change your password, but you can't change your medical history.
The Telemedicine Data Explosion
Post-COVID India saw telemedicine platforms grow exponentially. Every online consultation generates:
- Video/audio recordings of doctor-patient conversations
- Chat transcripts containing symptoms and diagnoses
- Prescription images and medication histories
- Payment records linked to specific medical procedures
Under DPDP, the consent for a medical consultation does not automatically extend to storing these records indefinitely, sharing them with insurance partners, or using them for AI model training.
Pharmacy Data: The Hidden Risk
When you order medicines online, the platform knows your health conditions with near-certainty. An order for insulin, antidepressants, or HIV medication creates an inference chain that's impossible to anonymize effectively. Under DPDP:
- Users must be able to delete their prescription history
- Pharmacy aggregators cannot share medication data with insurers without explicit consent
- Delivery personnel should not see medication names on packaging labels
Health Insurance Data Sharing
Many healthtech platforms partner with insurance companies. When health data flows from a telemedicine consultation to an insurance underwriting algorithm, that's a DPDP compliance event requiring:
- Separate, informed consent
- Clear purpose limitation
- Right to withdraw without affecting insurance coverage
Fitness Data: Not As Harmless As It Seems
Apps tracking heart rate, sleep patterns, menstrual cycles, or workout routines generate deeply personal health profiles. Under DPDP, fitness data that reveals health conditions falls under the same obligations as clinical health data.
Healthcare Company Analyses
Apollo 24/7
Apollo 24/7's privacy policy is detailed about data collection but remains largely anchored to the IT Act 2000 and SPDI Rules. Given it handles highly sensitive medical data, the lack of explicit DPDP Act 2023 alignment, especially concerning granular consent, specific data retention, and DPB redressal, poses significant compliance risks.
Cure.fit (cult.fit)
cult.fit collects intimate health data (heart rate, body measurements, workout capacity, injury history, and mental health content engagement), processing what is effectively continuous health monitoring. At 42/100, treating this health data with consumer app privacy standards instead of health data protections creates significant DPDP exposure.
1mg
Tata 1mg handles prescription medicines, lab tests, and health content consumption, each revealing health conditions. At 48/100, the platform's e-commerce-style privacy approach is inadequate for what is effectively a health data processor. The Tata Group integration adds cross-entity data flow concerns.
Practo
Practo handles India's most sensitive personal data (medical records, doctor consultations, prescriptions, and health histories), scoring 53/100 on DPDP alignment. While healthcare-specific awareness is present, the lack of DPDP-specific consent granularity and retention timelines for medical data creates critical regulatory exposure.