Cliniq Flo
ABDM & Compliance
11 min read
April 20, 2026

Patient Data Privacy for Indian Clinics: DISHA, DPDPA, and What You Must Do Now

India's DISHA and Digital Personal Data Protection Act 2023 set clear obligations for clinics. This guide explains what they mean in practice — and how to make your clinic compliant without expensive consultants.


Cliniq Flo Editorial Team

Clinic Management Experts · India

Max DPDPA penalty: ₹250 Cr
Breach notification window: 72 hrs
Minimum record retention: 7 years
Required encryption standard: AES-256

Why Patient Data Privacy Is Now a Legal Priority for Indian Clinics

Two major legal frameworks now govern how Indian clinics collect, store, and use patient health data:

  1. DISHA (Digital Information Security in Healthcare Act) — specifically designed for health data, covering all clinical establishments
  2. Digital Personal Data Protection Act (DPDPA) 2023 — India's comprehensive data privacy law, equivalent to GDPR, applicable to all personal data including health information

This Is Not Theoretical
Penalties under DPDPA can reach ₹250 crore for serious violations. Health data is classified as "sensitive personal data" attracting the highest protection standards. Small clinics are expected to comply — enforcement will scale up over 2025–2027.

What DISHA Requires from Your Clinic

As a Health Data Fiduciary

Obligation          | What It Means for Your Clinic
Informed Consent    | Patient must consent to digital record keeping before data is collected — not assumed, not in fine print
Purpose Limitation  | Data collected for treatment can only be used for treatment — not marketing without explicit separate consent
Data Minimisation   | Collect only what's necessary for the specific care episode
Patient Rights      | Patients can request access to their records, correction of errors, and deletion (with exceptions)
Security Standards  | AES-256 encryption, access controls, audit logs, breach notification within 72 hours

DPDPA 2023: Key Changes for Clinics

Consent Requirements

Consent must be "free, specific, informed, unconditional, and unambiguous." Pre-ticked boxes and assumed consent don't qualify. Your registration process needs a clear consent form for digital record-keeping.

Data Localisation

Health data of Indian citizens must be stored on servers located in India. If your software uses cloud storage, verify your vendor's servers are in India — not on international platforms without India data centres.

⚠️ Check Your Software Vendor's Server Location
Ask your software vendor explicitly: "Where are your servers located?" Cliniq Flo stores all patient data on ISO 27001-certified servers located in India, compliant with DPDPA data localisation requirements.

Children's Data

Additional protections apply to patients under 18. Parental consent is required for collecting and processing a minor's health data — your registration form must capture this separately.

5 Practical Compliance Steps for Your Clinic

1. Audit Your Current Data Storage
   Where is patient data currently stored? Paper records, Excel sheets, WhatsApp, email, cloud software? Map every location and assess the security of each. Delete what you don't need.

2. Choose DISHA-Compliant Software
   Verify: AES-256 encryption, India-located servers, access logs, breach notification procedure, data export capability. Cliniq Flo is DISHA-compliant — ask us for our security documentation.

3. Update Your Patient Consent Process
   Add a simple digital consent form to your registration workflow. One page, plain language, explaining what data you collect, why, and what rights the patient has. Keep acknowledgement records.

4. Train Your Staff
   Most breaches happen through human error — a WhatsApp message sent to the wrong recipient, discussing patients in public areas, patient photos left on staff mobile phones. A 30-minute training session saves enormous liability.

5. Designate a Data Privacy Responsible Person
   Designate a staff member (even part-time) responsible for data privacy compliance. This is not a DPO (required only for large institutions), just someone accountable for the basics.

Securing WhatsApp Use in Your Clinic

WhatsApp is used extensively in Indian clinics. Key rules:

  • WhatsApp messages are end-to-end encrypted, so the channel itself is secure for direct doctor-patient communication
  • WhatsApp Business API (used by software for automated reports) is also secure
  • Never send identifiable patient information to the wrong number — verify before sending
  • Never use WhatsApp groups that include multiple patients to share health information
  • Don't save patient photos on personal WhatsApp — use a clinic device or dedicated system

🎯 Key Takeaway
The basic compliance steps — consent form, India-server software, staff training — are not expensive or complex. Start with these five steps and you're substantially compliant with both DISHA and DPDPA for a small clinic context. Ask us about Cliniq Flo's security documentation.

Frequently Asked Questions

Are small clinics exempt from DISHA and DPDPA?

No. Both laws apply to all clinical establishments regardless of size. Enforcement initially focuses on larger institutions but small clinics are legally obligated to comply.

What is the penalty for a patient data breach?

Under DPDPA 2023, penalties can reach ₹250 crore for serious violations. Smaller breaches have proportionate penalties. Both are significant enough to take seriously.

Does my clinic need a Data Protection Officer (DPO)?

A DPO is mandatory only for "significant data fiduciaries" — large hospitals and healthcare chains. Small clinics are not required to appoint a formal DPO but should designate a responsible person internally.



Tagged: DISHA clinic compliance, patient data privacy India, Digital Personal Data Protection Act clinic, clinic data security India, patient record security India