The Indian healthcare sector is expected to grow into a USD50 billion industry by 2025 due to digital innovation, such as in remote healthcare, medtech, and artificial intelligence. However, cyberattacks on AIIMS Delhi, a premier Indian healthcare institution, demonstrate the importance of robust data privacy laws that protect health data and encourage innovation. This is the first of a two-part series on Indian health data protection laws and looks at present laws.

No single Indian law specifically regulates health data processing. Relevant laws include the Information Technology Act, 2000, and rules and directions under it, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (rules), and cybersecurity directions issued by the Indian Computer Emergency Response Team, India’s cybersecurity regulator. The rules do not differentiate between controllers and processors and apply to all body corporates, which include companies, firms, sole proprietorships, or other associations of individuals engaged in commercial or professional activities. Most healthcare providers, including hospitals, clinics, and independent practitioners are body corporates and must comply with the rules. The rules impose additional obligations on the processing of “sensitive personal data or information” (SPDI), which includes data on the health conditions of individuals and their medical records.

The sole grounds for SPDI collection under the rules is consent. The rules also impose obligations such as transparency, purpose limitation and data minimisation. They provide individuals with access, correction, consent withdrawal and grievance redressal rights.

Laws governing clinical establishments such as hospitals, clinics, nursing homes, dispensaries, and healthcare facilities impose limited data protections on clinical establishments. The Charter of Patient Rights and Responsibilities issued under the Clinical Establishments (Registration and Regulation) Act, 2010 (a central model law issued for states and union territories), gives individuals rights to confidentiality and privacy. Patients may access their medical records and consent to their digitisation.