Published On: June 16th 2026
Authored By: Pragati Kumari
University of Allahabad
Abstract
India’s transition to digital healthcare, anchored by the Ayushman Bharat Digital Mission (ABDM) and the Digital Personal Data Protection Act, 2023, has created a layered legal framework for health data protection. This article examines whether that framework adequately protects patient privacy in the digital age. Drawing on the constitutional mandate established in Justice K.S. Puttaswamy (Retd.) v. Union of India,[3] a comparative analysis with the EU General Data Protection Regulation, and an evaluation of implementation challenges, the article argues that while India has built a credible normative foundation, critical gaps in informed consent, secondary data use, cybersecurity, and enforcement accountability remain unaddressed.[4]
I. Introduction
India’s healthcare sector has been experiencing a paradigm shift from paper-based health information systems toward an integrated, digital healthcare ecosystem. The COVID-19 pandemic accelerated this transition, making telemedicine and e-diagnostics an integral part of contemporary medical practice. A key pillar of this transformation is the Ayushman Bharat Digital Mission (ABDM), envisaged as a digital infrastructure through which health information can be shared among various healthcare organisations. While technological developments promise greater efficiency and innovation, they simultaneously raise complex patient privacy concerns.
Traditionally, doctor-patient confidentiality in medicine has been governed by ethical rules prohibiting disclosure of information without a patient’s consent, alongside legal and ethical requirements reinforcing that obligation.[1] In an era of technological advancement, health records transcend clinical purposes and constitute a critical component of an informative, easily retrievable, and replicable dataset. This makes them prone to misuse for various purposes, leading to discrimination, stigmatisation, and profiling, particularly in cases of serious illness. The impact of medical confidentiality violations on practical lives is especially significant in India, where patients can suffer social ostracism as a consequence.[2]
The jurisprudential significance of this issue is underscored by the Supreme Court’s affirmation of the Right to Privacy as a fundamental right in Justice K.S. Puttaswamy (Retd.) v. Union of India. The Court affirmed that privacy is an indispensable component of dignity and autonomy under Article 21 of the Constitution,[3] and accordingly, informational privacy, including the privacy of medical information, constitutes a fundamental right requiring protection against arbitrary interference by both state and non-state actors.
The purpose of this article is to analyse India’s emerging digital health policy framework, focusing specifically on the interconnection between ABDM and the Digital Personal Data Protection Act, 2023. It argues that while a constitutional bedrock and a legislative framework exist, serious deficiencies persist in the areas of informed consent, accountability, and cybersecurity.[4]
II. Why Health Data Needs Special Protection
Health information occupies a special category within the domain of personal data and must therefore be afforded stronger protection. Unlike bank credentials or passwords, which can be changed if compromised, data about one’s health, whether it concerns past psychological conditions, genetic predispositions, fertility choices, or long-term illness, can neither be erased nor separated from the individual. Its disclosure may result in what some scholars describe as “dignitary harm,” a violation that cannot be undone once the information enters the public domain.[5]
The digitisation of healthcare amplifies this risk by enabling the accumulation and analysis of data at scale. Unlike physical records, digital health information can be copied easily and used to generate behavioural or health risk profiles. Contemporary literature describes these practices as “surveillance capitalism,” involving the appropriation and commodification of personal information by market actors and intermediaries such as healthcare application services,[6] insurers, and employers. Without effective regulation, these actors can exploit health data to engage in discrimination, for example in insurance pricing or employment screening based on health risk assessments.
In India, the risk is further compounded by the deep social stigma associated with conditions such as mental illness, HIV/AIDS, and reproductive and sexual health. The fear of disclosure discourages patients from seeking timely care, thereby implicating the right to health. The Supreme Court has confirmed that autonomous medical decision-making is an aspect of the right to life and personal liberty guaranteed by Article 21.[7] Consequently, gaps in health information law are not merely transgressions of information rights; they constitute an assault on constitutional rights more broadly.
The problem is not purely theoretical. The ransomware attack on the All India Institute of Medical Sciences, Delhi, in 2022 demonstrated the vulnerabilities of India’s digital health infrastructure, leading to the exposure of critical patient data and a serious disruption of services.[8] This incident confirmed that patient safety and information security are intrinsically interdependent.
In the past, the confidential doctor-patient relationship was largely upheld by ethical codes enforced by professional bodies.[9] Now that numerous intermediaries, including healthcare technology providers and data processing service providers, participate in health information flows, ethics alone cannot guarantee confidentiality. The Law Commission of India has concluded that conventional common law rules of confidentiality are inadequate for the management of electronic health records.[10]
III. Constitutional and Legal Foundation
The regulatory regime governing digital health in India can be understood as a layered structure comprising constitutional, statutory, and policy instruments. These layers interact to govern the storage, processing, and transmission of health data while simultaneously enabling the development of digital health infrastructure. This legal regime represents a sustained effort to balance technological progress against the constitutional right to privacy.
3.1 The Constitutional Mandate: The Puttaswamy Doctrine
The Supreme Court’s nine-judge bench decision in Justice K.S. Puttaswamy (Retd.) v. Union of India[11] conclusively overruled the fragmented privacy jurisprudence that had previously prevailed. Earlier decisions such as M.P. Sharma v. Satish Chandra[12] and Kharak Singh v. State of Uttar Pradesh[13] had declined to recognise a fundamental right to privacy, leaving wide scope for state intrusion without constitutional safeguard.
Puttaswamy resolved this uncertainty by holding that privacy is integral to the fundamental right to life and personal liberty under Article 21 of the Constitution.[14] The Court held that privacy is so intrinsic to human dignity and autonomy that it cannot be treated as a privilege of the few. Crucially for this discussion, the Court explicitly recognised a “right to informational privacy,” encompassing the individual’s interest in controlling personal information.
In defining the permissible limits of interference with the privacy right, the Court formulated a four-part test: the interference must have the authority of law; the purpose must be legitimate; there must be a rational nexus between the objective and the means adopted; and the restriction must be proportionate to the objective, meaning it must constitute the least restrictive means available to achieve the aim.[15] This test constitutes the constitutional standard against which all digital health practices must be measured.
3.2 The Statutory Framework: The Digital Personal Data Protection Act, 2023
Building on this constitutional foundation, the Digital Personal Data Protection Act, 2023 represents India’s first comprehensive legislation explicitly dedicated to the protection of personal data in the digital sphere.[16] It establishes an elaborate regime governing the obligations of Data Fiduciaries, including hospitals, health insurers, and health technology platforms, as well as the rights of Data Principals.
Central to the Act is a consent-based framework: consent obtained from Data Principals for the collection, processing, and transfer of data must be free, informed, specific, and unambiguous.[17] This requirement carries particular significance in healthcare, given the inherent information asymmetry between patients and providers. The Act also mandates data breach notification, requiring that both the Data Principal and the Data Protection Board be informed promptly upon the occurrence of a security breach.[18] Additionally, individuals are guaranteed the right to erase and correct their data, as well as the right to withdraw consent for processing.[19]
The Act does not explicitly categorise health data as sensitive personal data, but its scope is broad enough that any processing of health data must comply with its directives. This represents a clear departure from the previous sector-specific approach and marks a shift toward a comprehensive data protection framework.
3.3 Administrative Implementation: Ayushman Bharat Digital Mission
The Ayushman Bharat Digital Mission (ABDM) serves as the primary vehicle for implementing digital health infrastructure in India. Under the ABHA (Ayushman Bharat Health Account) system, individuals are assigned a digital health identifier designed to facilitate interoperability across healthcare providers, health insurers, and diagnostic facilities.[20]
ABDM incorporates a “privacy-by-design” architecture, employing consent managers and decentralised data storage infrastructure to govern access. However, the very principle of interoperability introduces new privacy risks: the aggregation of data across multiple sources creates a vulnerability where a breach at a single node may compromise an individual’s entire health record. This risk has been demonstrated empirically through reported breaches of personal health data via an integrated digital health dashboard.[21]
IV. Major Legal and Practical Concerns
While the Digital Personal Data Protection Act, 2023 and the Ayushman Bharat Digital Mission together provide a legal structure for the protection of digital health data, a closer examination reveals a lack of coordination between the normative framework and implementation practice. The transition from paper-based to interconnected digital health records has transformed the nature of doctor-patient trust, exposing new vulnerabilities that existing legislation has not adequately addressed.
4.1 Consent in Clinical Practice
The validity of processing personal data in digital health systems under the DPDP Act rests on informed consent.[22] In clinical practice, however, several factors may compromise a patient’s autonomy. Consent disclosures are typically lengthy, technical, and presented in standardised formats that afford little scope for negotiation.[23] This problem is compounded by broad exceptions for “legitimate uses,” particularly in emergencies and for public health purposes,[24] given that clinical emergencies make it practically impossible to obtain genuinely free and unequivocal consent.
4.2 Secondary Use of Health Data
In the current healthcare environment, laboratories, insurance companies, telemedicine providers, cloud servers, and various digital platforms are interconnected. Although these linkages are essential for efficient healthcare delivery, they significantly increase the number of parties with access to confidential data. Information collected during an initial consultation may later be used not only for treatment, but also for insurance assessment, research, or algorithmic processing.[25] As health data moves beyond the initial therapeutic context, the enforceability of the right to erasure or withdrawal is significantly weakened.[26] In the absence of rigorous auditing procedures governing data sharing arrangements between fiduciaries and third-party processors, there is a considerable risk of the commodification of health information, precisely the concern identified in Puttaswamy.[27]
4.3 Cybersecurity Vulnerabilities
The ransomware attack on the All India Institute of Medical Sciences, Delhi, in 2022 was a stark reminder of how security failures in an electronic system can affect patient care through breaches of both confidentiality and continuity of service.[28] Unlike stolen credentials, which can be reissued, disclosed mental health information, HIV status, or genetic predisposition to disease cannot be recalled. The sensitivity of medical data means there is no simple recourse once such information is exposed.[29]
4.4 Accountability in a Federated Digital Ecosystem
The legal dimensions of accountability in federated digital health systems remain unclear. Medical data involves complex technological supply chains comprising platform providers, application providers, cloud service providers, and diagnostic vendors, making it difficult to assign accountability in cases of unauthorised access.[30] Although the DPDP Act holds Data Fiduciaries responsible for data privacy, questions persist regarding the determination of liability and indemnity in multi-party arrangements. Furthermore, the delayed implementation of the Act means that legal precedents in these matters are yet to be established.[30]
V. Comparative Perspective: GDPR and International Norms
India’s digital health policy framework is usefully examined alongside the EU’s General Data Protection Regulation (GDPR), which remains the most stringent legal instrument on informational privacy. The most fundamental distinction concerns the legal classification of health data. Article 9 of the GDPR explicitly designates personal data relating to health, genetic data, and biometric data as a special category, the processing of which is prohibited unless a specific ground exists.[31] Processing such data therefore requires both a lawful basis and a specific justification. By contrast, the Digital Personal Data Protection Act, 2023 does not establish a separate statutory category for sensitive personal data.[32] Although Significant Data Fiduciaries may be designated on the basis of data sensitivity, the obligations imposed remain generic.[33]
A similar divergence is apparent at the level of consent. The GDPR requires “explicit consent” for the processing of health data,[34] whereas the DPDP Act requires that consent be voluntary, specific, informed, and unambiguous, without imposing the heightened “explicit” standard.[35]
Both instruments accommodate public health grounds. The GDPR provides for processing in the context of medical diagnosis and treatment where professional secrecy obligations apply,[36] while the DPDP Act includes exceptions that, on a purposive interpretation, would constitute lawful use in medical emergencies.[37] The GDPR’s narrower, more specifically defined exceptions, however, create a stronger presumption in favour of protection and thus offer a higher baseline for patients.
VI. Critical Evaluation: Has India Struck the Right Balance?
A close examination of India’s digital health architecture reveals a tension between the ambitious vision underlying ABDM and the practical complexities of implementation. ABDM is designed so that privacy and security are built into the system from the outset rather than added as afterthoughts. Its foundational principle, that patient data remains with the originating organisation rather than being aggregated in a central repository, reflects a genuine commitment to patient control over medical records.
Yet a structural tension persists at the core of the framework. Healthcare today operates as a marketplace as much as a system of care. The DPDP Act classifies hospitals and health technology firms as “Data Fiduciaries,”[38] which implies that they are expected to act as trusted custodians of personal data, exercising responsibility and accountability. In practice, however, patient data has become a valuable commercial asset. Hospitals and platforms can exploit such records for analytics, pharmaceutical testing, insurance modelling, and service optimisation. The commercial imperatives of the health industry are in direct tension with the fiduciary obligations the law seeks to impose. ABDM attempts to address this through consent managers, intermediaries designed to help patients make informed choices about data access. The efficacy of this mechanism is, however, questionable when consent managers themselves operate in commercially incentivised environments.[39]
The right to erasure presents a further complication. The DPDP Act provides that individuals may request the deletion of their data once the purpose of processing is fulfilled.[40] In healthcare, however, sector-specific legislation mandates the retention of records for legal, insurance, and continuity-of-care purposes.[41] Without a clear framework specifying when data protection obligations override sector-specific retention requirements, healthcare providers can readily invoke legal necessity as a reason to retain data indefinitely. Progressive data protection law therefore does not automatically translate into meaningful patient control over health information.
The effectiveness of the entire regulatory structure ultimately depends on the institutional capacity of the Data Protection Board of India.[42] The Board’s credibility will be determined by the depth of its regulatory expertise, the speed of its adjudicatory processes, and the rigour with which it enforces compliance. In a digital health sector of India’s scale and complexity, there is a real risk that enforcement will concentrate on high-profile data breaches while systemic deficiencies within public health institutions receive insufficient attention.
A further concern is that the Act permits voluntary undertakings in lieu of formal penalties,[43] which risks producing negotiation-based compliance that fails to deter future violations. More broadly, the pace of health technology development has outrun the development of legal accountability mechanisms, leaving patients with limited practical recourse when digital systems fail.[44]
Ultimately, the success of India’s digital health framework cannot be assessed on technological or legal grounds alone. Its true measure is whether patients trust the system. Technology can improve the reach and efficiency of healthcare delivery, but those gains are negated if patients avoid digital healthcare because they fear that their private health information is inadequately protected. Restoring and sustaining that trust requires not only sound legislation but credible enforcement.
VII. Conclusion
India’s transition to digital health is irreversible, and its benefits in terms of access, efficiency, and equity are substantial. However, these gains can only be sustainably realised if personal privacy is protected with equal rigour, since it is privacy that underpins both patient trust and human dignity. The DPDP Act and the ABDM framework together represent meaningful progress, but they leave unresolved a set of critical challenges: the structural inadequacy of consent mechanisms in clinical settings, the risks posed by secondary data use and commercial exploitation, the persistent vulnerabilities of digital health infrastructure to cyberattack, and the uncertain accountability framework governing multi-party data ecosystems.
Addressing these challenges will require further legislative refinement, including the explicit classification of health data as a sensitive category warranting heightened protection, stronger institutional capacity in the Data Protection Board, rigorous inter-agency coordination between health and data protection regulators, and the development of sector-specific guidelines calibrated to the realities of clinical practice. Patient-centricity must be the governing principle of all reform efforts. Healthcare providers and technology intermediaries must prioritise security and transparency, and regulatory authorities must ensure that enforcement is both swift and consistent.
References
[1] Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002, reg 7.14.
[2] Common Cause v. Union of India (2018) 5 SCC 1.
[3] Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1.
[4] Digital Personal Data Protection Act 2023 (Act No 40 of 2023).
[5] Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1.Â
[6] Shoshana Zuboff, The Age of Surveillance Capitalism (PublicAffairs 2019).
[7] Common Cause v. Union of India (2018) 5 SCC 1.
[8] ‘AIIMS Delhi Ransomware Attack: A Wake-up Call for India’s Digital Health Infrastructure’ (2022) 5(12) The Lancet Digital Health e854.
[9] Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002, reg 7.14.
[10] Law Commission of India, Legal Aspects of Medical Records (Law Com No 221, 2009).
[11] Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1.
[12] M.P. Sharma v. Satish Chandra (1954) SCR 1077.
[13] Kharak Singh v. State of Uttar Pradesh (1964) 1 SCR 332.
[14] Constitution of India 1950, art 21.
[15] Justice K.S. Puttaswamy (Retd.) v. Union of India (n 11) [310].
[16] Digital Personal Data Protection Act 2023 (Act No 40 of 2023).
[17] Digital Personal Data Protection Act 2023, s 6(1).
[18] Digital Personal Data Protection Act 2023, s 8.
[19] Digital Personal Data Protection Act 2023, s 6(4).
[20] National Health Authority, Ayushman Bharat Digital Mission: Strategy Document (2021).
[21] ‘Data Leak Reported in ABDM-linked PM-JAY Dashboard’ MediaNama (New Delhi, 14 November 2023) <https://www.medianama.com> accessed 9 May 2026.
[22] Digital Personal Data Protection Act 2023, s 6.
[23] Centre for Internet and Society, Privacy and Security of Health Data in India (2023) 12–15.
[24] Digital Personal Data Protection Act 2023, s 7.
[25] Latham and Watkins, ‘India Enacts Long-Awaited Data Protection Law’ (Client Note, 2023) 4.
[26] Digital Personal Data Protection Act 2023, s 12.
[27] Justice K.S. Puttaswamy (Retd.) v. Union of India (n 11) [311].
[28] ‘AIIMS Delhi Ransomware Attack: A Wake-up Call for India’s Digital Health Infrastructure’ (2022) 5(12) The Lancet Digital Health e854.
[29] Digital Personal Data Protection Act 2023, s 8.
[30] Ministry of Electronics and Information Technology, ‘Notification on Phased Implementation of the Digital Personal Data Protection Act’ (December 2025).
[31] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2016] OJ L 119/1, art 9.
[32] Digital Personal Data Protection Act 2023 (Act No 40 of 2023).
[33] ibid s 10.
[34] Regulation (EU) 2016/679 (n 31) art 9(2)(a).
[35] Digital Personal Data Protection Act 2023, s 6(1).
[36] Regulation (EU) 2016/679 (n 31) art 9(2)(h).
[37] Digital Personal Data Protection Act 2023, s 7(d).
[38] Digital Personal Data Protection Act 2023, s 2(i).
[39] National Health Authority, Consultation Paper on Unified Health Interface (2021).
[40] Digital Personal Data Protection Act 2023, s 12(3).
[41] Clinical Establishments (Registration and Regulation) Act 2010; Insurance Regulatory and Development Authority of India (Protection of Policyholders’ Interests) Regulations 2017.
[42] Digital Personal Data Protection Act 2023, s 18.
[43] ibid s 28(1).
[44] Centre for Internet and Society, Privacy and Security of Health Data in India (2023) 45.
