What India's DPDPA actually changes for healthcare, in five stakeholder snapshots
Most boards still treat DPDPA as a legal-and-IT problem. The Act, in force since November 2025, flipped the asymmetry between provider and patient. The "file" the hospital owned for 50 years is now legally the patient's.
Here's what changed in practice, across five stakeholders.
DPDPA is not a compliance bill. It is a trust standardisation bill. Until now, "we take your privacy seriously" was a slide. From November 2025, it is a baseline. Every hospital, insurer, and app meets the same floor — which means the floor is no longer a differentiator.
The five stakeholders
All five at a glance
What it costs to get it wrong
The readiness diagnostic
The bottom line
The real test is simple. If a patient walked in tomorrow and asked to see every person, system, and partner that touched their data in the last six months — could you answer? In five minutes, you're a market leader. In five days, you're scrambling. Not at all, and you're facing immediate regulatory exposure.
The winners won't be the ones who comply. They'll be the ones who make trust visible — and can prove it on demand.
How visibly do you go beyond the floor? Live "who accessed my record" dashboards, one-tap consent withdrawal, and plain-language explanations of how data shaped a premium or diagnosis. And how quickly can your operations prove it? The DPB does not care about intent — it cares about the audit trail. Privacy wired into systems, not into policies.