Your clinic does not just treat patients. It collects, stores and shares health data every day.
From prescriptions and lab reports to WhatsApp sharing, family-member updates, diagnostic images, appointment records, billing details, home sample collection and clinic software — healthcare providers handle sensitive patient data at every step. This 3-minute scan shows where DPDPA exposure may arise in your patient-data workflows. It collects no patient data — only your answers about your processes.
Most clinics don't have a patient-care problem — they have a patient-data movement problem.
Your patient-data risk map
The free scan scores your clinic or lab across these five areas. Here is what each one looks at.
Patient data collection risk
Patient details, prescriptions, ID proof and referral documents arriving via registration systems, paper forms, WhatsApp, phone calls, home collection and reception desks.
First move: Standardise intake — define approved channels and reduce scattered WhatsApp, phone and paper collection.
Health data sensitivity risk
Lab reports, diagnostic images, diagnosis and chronic-condition details, and fertility, pregnancy or mental-health data.
First move: Treat health data as sensitive — limit who can access reports, images and sensitive treatment records.
Report sharing & communication risk
Reports shared by WhatsApp to patients or family/caregivers, email, software links, field staff, referring doctors, hospitals and TPAs.
First move: Verify the recipient before sharing, control family-member sharing, and document partner disclosures.
System, staff & vendor access risk
Reception, billing, lab and support staff; clinic software/HIS, LIS, PACS; outsourced labs, home-collection partners, TPAs and IT vendors.
First move: Use role-based access, remove ex-staff access, and keep a register of every vendor that processes patient data.
Retention & incident readiness risk
Old reports, prescriptions and images kept for years; no clear plan for a wrong-recipient report, an exposed WhatsApp account or a system compromise.
First move: Set a retention + deletion schedule and a simple incident-response process for wrong-recipient and breach events.
How the 3-minute scan works
Answer 10 quick questions
About your patient data, intake channels, report sharing, recipient verification, staff/vendor access and retention. ~3 minutes.
See your readiness score + risk map
A 0–100 DPDPA readiness score, your risk band, and five clinic/lab-specific risk areas.
Get your priority fixes + checklist
The five controls to start with, plus the Clinic & Diagnostic Lab DPDPA Starter Checklist.
What the scan checks
Ten plain-English questions across your real patient-data workflows. The scan collects no patient data.
Clinic & diagnostic lab DPDPA questions
Does the DPDPA apply to clinics and diagnostic labs?
Yes. Clinics and diagnostic labs decide why and how patient personal data is processed (names, contact details, prescriptions, lab reports, diagnostic images and medical history), which makes them Data Fiduciaries under the Digital Personal Data Protection Act, 2023. The obligations apply whatever the size of the clinic or lab. The Act does not carve out a separate statutory class of "sensitive" data, but health data is where a mistake causes the most harm to the patient, so the security safeguards, access limits and sharing controls you apply should be stricter for it than for, say, appointment times.
Can we share lab reports or prescriptions with patients over WhatsApp?
You can, but it must be controlled. The bigger risk is not the channel itself but sending a report to the wrong number, or to a family member the patient never authorised. Confirm the patient's identity and the number on file before sending, record consent for family-member or caregiver delivery, and for sensitive results prefer a secure portal link or a password-protected file. If you use a password-protected file, give the password over a different channel (a phone call or the registration desk, for example): a password typed into the same chat protects nothing if that chat is exposed or went to the wrong person.
Do we need patient consent to share reports with a referring doctor, hospital or TPA?
Sharing patient data with a referring doctor, hospital, insurer or TPA is a disclosure to a separate organisation and needs a lawful basis under the Act: the patient's consent for that specific purpose (which can be taken and recorded at registration), or one of the Act's listed legitimate uses, such as responding to a medical emergency. The patient should also be told it is happening. Sending reports simply because a partner or referring doctor asks, with no recorded authorisation and no notice to the patient, is a common DPDPA gap; so is having no record afterwards of what was sent to whom.
How long can we keep old patient reports, prescriptions and images?
The DPDPA expects personal data to be erased once the purpose it was collected for is served, unless another law requires you to keep it. Medical-record retention rules set a minimum period for clinical records; they are not a licence to keep everything indefinitely. The risk is not retention itself but keeping reports, prescriptions and images for years with no documented schedule, no access control and no review. Define a retention period for each record type, and delete or archive records once it has passed.
Is health data treated differently under the DPDPA?
Health data (diagnoses, lab reports, fertility, pregnancy, mental-health and chronic-condition details) carries higher harm and reputational risk if exposed. The Act's requirement for reasonable security safeguards is the same for all personal data, but what counts as reasonable scales with that risk, so health data needs stronger access controls, careful sharing (especially over WhatsApp and with family members), and clear retention and incident-response processes.
Take the free scan
10 questions · 3 minutes · free · no login. Get your clinic or lab's DPDPA readiness score.
Start Clinic / Lab Risk Scan →
Need advice?
Request Consultation →
Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.
This page is for educational purposes and does not constitute legal or medical advice.