Medical Record Security and Privacy in India: Laws, Rights, and Best Practices

By Ayu Health Team
Medical records are among the most sensitive data a person generates. They reveal diagnoses, mental health history, reproductive choices, genetic conditions, and lifestyle information that people share with their doctors in strict confidence. In India, the legal and technical frameworks protecting this data have evolved significantly — but most patients and even many healthcare providers are not fully aware of their rights and obligations.

This guide covers India's current legal framework for medical data protection, what patients have the right to expect from healthcare providers, how digital health platforms must handle health data, and practical steps you can take to protect your own family's health records.

Why Medical Record Privacy Matters

The consequences of a health data breach are different from, and often more serious than, a financial data breach.

Employment discrimination. An employer who learns that a candidate has HIV, a history of mental illness, or a genetic predisposition to a serious condition may discriminate — illegally, but difficult to prove and address after the fact.

Insurance discrimination. Insurers who obtain health data outside the legitimate underwriting process may use it to deny coverage, exclude pre-existing conditions, or increase premiums.

Social stigma. Mental health conditions, certain infectious diseases, reproductive health information, and addiction history carry social stigma in India. Exposure of this information — even without any legal consequence — can cause serious personal harm.

Family impact. Medical records often contain information about hereditary conditions, which affects not just the individual but their entire family. A disclosure that reveals a genetic condition, for example, implicitly reveals information about parents, siblings, and children.

Identity theft. Health records contain sufficient personal identifying information (name, date of birth, address, Aadhaar-linked identifiers, phone number) to facilitate identity theft and financial fraud.

India's Legal Framework for Medical Data Protection

India does not yet have a healthcare-specific privacy law comparable to HIPAA in the United States, nor a fully operational general data protection regime of the kind the GDPR provides in Europe. Medical data protection is instead governed by a patchwork of statutes, rules, professional regulations, and the ABDM consent framework, all of which have been changing rapidly.

Digital Personal Data Protection Act, 2023 (DPDP Act)

The DPDP Act 2023 is India's first comprehensive data protection legislation. It received Presidential assent on 11 August 2023, but its provisions take effect only on dates the central government notifies, and the implementing rules were still being finalised at the time of writing. Until it is fully in force, the older IT Act framework described below remains the standard healthcare organisations are measured against.

Key provisions relevant to medical data:

  • No separate "sensitive" category: unlike the 2011 SPDI Rules and earlier drafts of the Bill, the DPDP Act does not define "sensitive personal data". Health, biometric, and genetic data are protected as personal data, under the same consent, purpose-limitation, and security obligations as any other personal data. The Act adds heightened duties only for children's data and for organisations notified as Significant Data Fiduciaries, a designation the government can apply based on, among other factors, the volume and sensitivity of the data processed.

  • Consent requirement: Processing of personal data requires the consent of the data principal (the individual), which must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action. For medical data, this means hospitals and healthcare platforms must obtain explicit consent before collecting, storing, or sharing health data. The Act carves out a short list of "legitimate uses" that do not need consent, including responding to a medical emergency that threatens life or health and providing treatment during an epidemic or outbreak; these are narrow and do not cover routine sharing.

  • Purpose limitation: Data collected for one purpose (e.g., your consultation at a hospital) cannot be used for a different purpose (e.g., sold to an insurer or drug company) without additional consent.

  • Data principal rights: Under the DPDP Act, individuals have the right to access their personal data, the right to correction and erasure, the right to grievance redressal, and the right to nominate someone to exercise their data rights after death.

  • Data fiduciary obligations: Healthcare providers and digital health platforms that collect and process health data are "data fiduciaries" under the Act and must implement appropriate technical and organisational security measures.

  • Penalties: The Act's schedule sets a ceiling of ₹250 crore per instance for failing to implement reasonable security safeguards, ₹200 crore for failing to notify the Data Protection Board and affected individuals of a breach, ₹200 crore for breaching the obligations relating to children's data, and ₹50 crore for most other contraventions. Penalties are imposed by the Data Protection Board after an inquiry.

IT Act, 2000 and Sensitive Personal Data Rules, 2011

Before the DPDP Act, the primary legal framework was the Information Technology Act, 2000 and the IT (Amendment) Act 2008, supplemented by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

These rules defined "sensitive personal data or information" to include medical records and health data, and required organisations collecting such data to:

  • Obtain consent before collection
  • Use data only for the purpose for which it was collected
  • Not retain data longer than necessary
  • Implement reasonable security practices

The DPDP Act omits Section 43A of the IT Act (the provision under which the 2011 Rules were made) once it is brought into force, so the Rules are being phased out rather than repealed overnight. Until the DPDP rules are notified and in effect, the 2011 Rules remain the operative standard for an Indian healthcare organisation.

Clinical Establishments Act, 2010

The Clinical Establishments (Registration and Regulation) Act, 2010 — adopted by many states, though not all — establishes minimum standards for registered healthcare facilities, including obligations around maintaining patient records and providing patients with access to their records.

Under this Act, patients have the right to:

  • Receive a copy of their medical records
  • Be informed about their medical condition and treatment
  • Have their records treated as confidential

Medical Council of India — Code of Ethics

The Medical Council of India (replaced by the National Medical Commission under the NMC Act, 2019) issued the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, which continue to bind registered medical practitioners. The regulations include specific obligations around patient records and confidentiality:

  • Information about a patient shared with a physician in confidence must not be disclosed except in specific circumstances (legal requirement, the patient's express consent, or where failure to disclose would harm others)
  • Records of in-patients must be maintained securely for at least three years from the start of treatment, and copies must be supplied to the patient or an authorised attendant within 72 hours of a request
  • The Telemedicine Practice Guidelines (2020), issued as an appendix to these regulations, include specific provisions about consent and data security in digital consultations

Ayushman Bharat Digital Mission (ABDM) Framework

The ABDM, which powers the Ayushman Bharat Health Account (ABHA) system and the Health Information Exchange and Consent Manager (HIE-CM) infrastructure, operates under a specific privacy and consent framework:

  • Health records can only be accessed by a healthcare provider with the patient's specific, time-limited, purpose-limited consent
  • Consent can be granted and revoked through the PHR (Personal Health Records) application
  • The ABDM system uses a consent artefact — a digitally signed record of what consent was given, to whom, for what purpose, and for how long
  • No health data moves between facilities without explicit patient consent recorded in the system

This is one of the most sophisticated health data consent frameworks in the world — in principle. Its effectiveness depends on healthcare providers actually using it, which is still in progress.
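To make the consent artefact concrete, here is an added example, not ABDM's own code or wire format, of the checks a health information provider (HIP) would run before releasing records against a consent artefact. Field names, the JSON layout, and the HMAC standing in for the consent manager's digital signature are assumptions for illustration; the sample artefact and requests are constructed. Each check corresponds to one element of the artefact the text lists: who consented, to whom, for what purpose, for how long, and that the record was signed and has not been altered.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: an HMAC key stands in for the consent manager's signing key so the
# example runs offline with the standard library only. Field names are illustrative,
# not the ABDM HIE-CM wire format.
CONSENT_MANAGER_KEY = b"demo-consent-manager-key-not-for-production"


def _canonical(body: dict) -> bytes:
    """Deterministic JSON encoding so the signature covers every field in a fixed order."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_artefact(body: dict, key: bytes = CONSENT_MANAGER_KEY) -> dict:
    """Consent manager side: attach a signature over the whole artefact body."""
    signature = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": signature}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def check_consent(artefact: dict, request: dict, now: datetime,
                  key: bytes = CONSENT_MANAGER_KEY) -> tuple[bool, str]:
    """Provider (HIP) side: is this data request covered by the artefact?"""
    body = {k: v for k, v in artefact.items() if k != "signature"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time compare; any edit to the body invalidates the signature.
    if not hmac.compare_digest(expected, artefact.get("signature", "")):
        return False, "signature invalid: artefact altered or not issued by the consent manager"
    if body["status"] != "GRANTED":
        return False, f"consent status is {body['status']}"
    if body["patient_id"] != request["patient_id"]:
        return False, "artefact belongs to a different patient"
    if body["hiu_id"] != request["hiu_id"]:
        return False, "requester is not the HIU named in the consent"
    if body["purpose"] != request["purpose"]:
        return False, "purpose does not match the consented purpose"
    if not set(request["hi_types"]) <= set(body["hi_types"]):
        return False, "request includes record types that were not consented to"
    perm = body["permission"]
    if not _ts(perm["valid_from"]) <= now <= _ts(perm["valid_until"]):
        return False, "consent is not valid at this time"
    if not _ts(perm["records_from"]) <= _ts(request["record_date"]) <= _ts(perm["records_until"]):
        return False, "requested record falls outside the consented date range"
    return True, "covered by consent"


# Constructed sample: the patient lets one clinic (the HIU) pull prescriptions and
# diagnostic reports from one hospital (the HIP) for care management, for one week.
SAMPLE_ARTEFACT = sign_artefact({
    "consent_id": "demo-consent-001",
    "status": "GRANTED",
    "patient_id": "abha-demo-patient",
    "hip_id": "demo-hospital",
    "hiu_id": "demo-clinic",
    "purpose": "CAREMGT",
    "hi_types": ["Prescription", "DiagnosticReport"],
    "permission": {
        "valid_from": "2024-01-01T00:00:00+00:00",
        "valid_until": "2024-01-08T00:00:00+00:00",
        "records_from": "2023-06-01T00:00:00+00:00",
        "records_until": "2023-12-31T00:00:00+00:00",
    },
})


def demo() -> dict:
    """Run the gate against constructed requests; returns the (ok, reason) pairs."""
    now = datetime(2024, 1, 3, tzinfo=timezone.utc)
    request = {"patient_id": "abha-demo-patient", "hiu_id": "demo-clinic",
               "purpose": "CAREMGT", "hi_types": ["Prescription"],
               "record_date": "2023-09-15T00:00:00+00:00"}
    tampered = {**SAMPLE_ARTEFACT, "purpose": "RESEARCH"}  # HIU edits the artefact
    body = {k: v for k, v in SAMPLE_ARTEFACT.items() if k != "signature"}
    revoked = sign_artefact({**body, "status": "REVOKED"})  # patient withdrew consent
    return {
        "ok": check_consent(SAMPLE_ARTEFACT, request, now),
        "other_hiu": check_consent(SAMPLE_ARTEFACT, {**request, "hiu_id": "data-broker"}, now),
        "tampered": check_consent(tampered, {**request, "purpose": "RESEARCH"}, now),
        "expired": check_consent(SAMPLE_ARTEFACT, request, datetime(2024, 2, 1, tzinfo=timezone.utc)),
        "revoked": check_consent(revoked, request, now),
        "extra_types": check_consent(SAMPLE_ARTEFACT,
                                     {**request, "hi_types": ["Prescription", "MentalHealth"]}, now),
        "old_record": check_consent(SAMPLE_ARTEFACT,
                                    {**request, "record_date": "2019-01-01T00:00:00+00:00"}, now),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12s} {'ALLOW' if ok else 'DENY '} {reason}")
```

The point of the ordering is that the signature is verified before any field is trusted: a requester who edits the purpose or the HIU name in an artefact it received is rejected at the first check, and revocation is just a re-signed artefact with a different status, so a provider that keeps fetching the current artefact from the consent manager picks up withdrawal automatically.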

What Your Healthcare Providers Are Obligated to Do

Understanding what the law requires of healthcare providers helps you know when your rights are being violated and what to expect.

Hospitals and clinics must:

  • Maintain medical records for a minimum period: at least three years from the start of treatment for in-patient records under the professional conduct regulations, and longer where state rules or accreditation standards require it
  • Provide patients with copies of their records on request, within a reasonable time and for a reasonable fee; the professional conduct regulations set the outer limit at 72 hours from the request
  • Not share patient records with third parties (including insurance companies, employers, or family members) without the patient's consent
  • Implement security measures appropriate to the sensitivity of the data
  • Inform patients about data breaches if those breaches affect their health data (under DPDP Act requirements)

Digital health platforms (apps, telemedicine services) must:

  • Obtain explicit, specific consent before collecting health data
  • Not use health data for any purpose beyond what was consented to (in particular, not sell data to advertisers or insurers without explicit consent)
  • Allow users to access, download, and delete their own data
  • Maintain audit trails of data access
  • Implement encryption for data at rest and in transit
  • Notify users and the Data Protection Board of India of data breaches

What providers cannot do:

  • Share patient data with employers or family members without patient consent
  • Use patient data for research without appropriate consent and ethics oversight
  • Retain data indefinitely without purpose
  • Transfer data to foreign jurisdictions without compliance with applicable restrictions
  • Sell patient data without explicit consent

Common Ways Medical Privacy Is Compromised in India

Understanding where breaches actually occur helps you take targeted protective action.

Paper records left unsecured. In many Indian clinics, patient records are kept in open shelves, accessible to multiple staff, and discussed in earshot of other patients. Physical security of paper records is often poor.

WhatsApp sharing by healthcare providers. Indian healthcare has a strong culture of sharing medical information (reports, images, consultation summaries) via WhatsApp. Messages are encrypted in transit, but that is where the protection ends: the report then sits in the doctor's personal gallery and chat history, can be forwarded to anyone in one tap, may be copied into cloud backups that the chat's encryption does not cover unless encrypted backups are switched on, and leaves no access log. If the phone is lost, stolen, or handed down, so are the records. It is not a substitute for a records platform with access control and audit trails.

Unsecured cloud storage. Reports, scans, and images sent by hospitals or labs are often uploaded to publicly accessible links without password protection. The link is shared with the patient by SMS, but anyone with the link can access the document.

Insurance data sharing. When patients claim health insurance, they typically sign a blanket consent form authorising the insurer to obtain health records from the treating hospital. The scope of this consent is often broader than patients realise, and insurers may retain data beyond what is required for the specific claim.

Lab and diagnostic reports. Many labs share reports via email or SMS links with minimal security. In some cases the report is reachable at a URL that embeds a sequential report number or the patient's phone number or ID, so anyone who notices the pattern can change the number and view other patients' reports. When the link is the only credential, it also never expires and cannot be revoked.
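As an added illustration (not code from any lab or from Ayu), the block below puts the enumerable-ID pattern beside a hardened link scheme: a 128-bit random token stored only as a hash, bound to one patient, expiring after seven days, unlocked with a one-time code delivered out of band, locked after repeated wrong codes, and revocable when the patient withdraws consent. The `lab.example` host, the in-memory dictionaries standing in for a database, and the OTP delivery are assumptions; the report strings are constructed.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone


class SequentialReportLinks:
    """The weak pattern: the report ID is a counter and the link is the only 'secret'.

    Anyone who receives one link can reach every other patient's report by
    changing the number, and nothing in the link ever expires.
    """

    def __init__(self) -> None:
        self._next_id = 1000
        self._reports: dict[int, tuple[str, str]] = {}

    def publish(self, patient_id: str, report: str) -> str:
        self._next_id += 1
        self._reports[self._next_id] = (patient_id, report)
        return f"https://lab.example/reports/{self._next_id}"

    def fetch(self, url: str):
        report_id = int(url.rsplit("/", 1)[1])
        return self._reports.get(report_id)  # no identity check, no expiry


def enumerate_reports(links: SequentialReportLinks, start: int, count: int) -> list:
    """What an attacker does with a predictable ID space: walk it."""
    found = []
    for report_id in range(start, start + count):
        hit = links.fetch(f"https://lab.example/reports/{report_id}")
        if hit is not None:
            found.append(hit)
    return found


class CapabilityReportLinks:
    """Hardened form: unguessable token, hashed at rest, patient-bound, expiring,
    unlocked with a one-time code sent out of band (e.g. SMS), and revocable."""

    MAX_OTP_ATTEMPTS = 5

    def __init__(self, ttl: timedelta = timedelta(days=7)) -> None:
        self.ttl = ttl
        self._entries: dict[str, dict] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Only the hash is stored: a leaked database does not hand out working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def publish(self, patient_id: str, report: str, now: datetime) -> tuple[str, str]:
        token = secrets.token_urlsafe(16)          # 128 bits of entropy, not enumerable
        otp = f"{secrets.randbelow(10**6):06d}"     # delivered to the registered phone
        self._entries[self._key(token)] = {
            "patient": patient_id, "report": report, "otp": otp,
            "expires": now + self.ttl, "failed": 0,
        }
        return f"https://lab.example/r/{token}", otp

    def fetch(self, url: str, otp: str, now: datetime):
        entry = self._entries.get(self._key(url.rsplit("/", 1)[1]))
        if entry is None:                              # unknown or revoked link
            return None
        if now > entry["expires"]:                     # link expired
            return None
        if entry["failed"] >= self.MAX_OTP_ATTEMPTS:   # brute-force lockout
            return None
        if not secrets.compare_digest(entry["otp"], otp):
            entry["failed"] += 1
            return None
        return entry["report"]

    def revoke_patient(self, patient_id: str) -> int:
        """Patient withdraws consent: every outstanding link for them stops working."""
        doomed = [k for k, e in self._entries.items() if e["patient"] == patient_id]
        for k in doomed:
            del self._entries[k]
        return len(doomed)
```

The hash-at-rest detail matters because report links are usually logged (SMS gateways, mail servers, web-server access logs); hashing means a copy of the link table alone is useless, and the OTP means a forwarded or leaked link is not enough on its own.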

Hospital data breaches. Large-scale breaches affecting Indian hospitals have been reported in recent years. In November 2022, AIIMS Delhi was hit by a ransomware attack that took its core systems offline for roughly two weeks and forced a return to manual registration; records of millions of patients were reported to be at risk. The healthcare sector is a high-value target because records are rich in identifiers and, unlike a card number, cannot be reissued.

Family member access. In Indian cultural contexts, family members frequently receive and act on medical information about a patient without the patient's explicit consent. While this is often well-intentioned, it can violate patient autonomy and lead to disclosure of sensitive information the patient preferred to keep private.

Your Rights as a Patient: A Practical Guide

The right to access your own records

You have the right to request and receive copies of your medical records from any Indian healthcare facility. This right rests on the professional conduct regulations (which require copies to be supplied within 72 hours of a request), the Clinical Establishments Act (in adopting states), the Consumer Protection Act (patients are consumers of healthcare services), the DPDP Act's right of access, and the right to privacy, including informational privacy, recognised by the Supreme Court in Puttaswamy (2017).

How to exercise this right:

  1. Submit a written request to the hospital's medical records department
  2. Include your full name, patient ID if known, date(s) of treatment, and the specific records you want
  3. Bring proof of identity
  4. Expect a fee for copying — typically ₹50 to ₹500 depending on volume
  5. If a hospital refuses without a valid reason, or does not supply the records within 72 hours, you can file a complaint with the State Medical Council or under the Consumer Protection Act

The right to data portability

The DPDP Act 2023 does not contain a standalone right to data portability (earlier drafts had one; it was dropped from the Act as passed). In practice, portability of your health records comes from your right to obtain copies and, for ABDM-linked records, from the ABHA system: records linked to your ABHA follow your ABHA ID, not the provider, and you share them with a new provider by granting a consent artefact.

The right to correction

If your medical records contain an error — an incorrect diagnosis, a wrong medication listed, an incorrect allergy entry — you have the right to request correction. Document your request in writing and keep a copy.

The right to withdraw consent

Under the DPDP Act, you can withdraw consent for data processing at any time, and withdrawing must be as easy as giving consent was. Note that withdrawing consent may affect the service you receive: a digital health platform that cannot store your health data cannot provide a health record management service. Withdrawal applies to future processing, and the fiduciary must stop processing within a reasonable time unless the law requires it to continue; it does not by itself require deletion of all historical data (though you also have the right to request erasure in certain circumstances).

The right to complain

If you believe your health data has been misused, you can:

  • File a complaint with the hospital's patient grievance cell
  • File a complaint with the State Consumer Forum under the Consumer Protection Act
  • File a complaint with the National Medical Commission or State Medical Council
  • Once operational: file a complaint with the Data Protection Board of India (established under the DPDP Act)

Practical Steps to Protect Your Health Data

For your physical records

  • Never leave original documents at a healthcare facility unless explicitly required — provide copies
  • Redact (black out) sensitive information on documents that do not need the specific field (e.g., Aadhaar number on documents submitted for routine purposes)
  • When sharing records, share only what is relevant to the specific consultation or purpose
  • Do not share photos of prescriptions or investigation reports in general WhatsApp groups

For digital records

Choose secure platforms. Use medical records apps and platforms that explicitly state they use end-to-end encryption, do not sell user data, and comply with Indian data protection laws. Ask what "encrypted" means: encryption in transit (TLS) is the bare minimum, and the questions that matter are whether records are encrypted at rest and whether the provider can decrypt them. Check the privacy policy before entering any health information.

Use strong, unique passwords. Your medical records app password should be different from all other passwords. Use a password manager if needed. Enable two-factor authentication (2FA) wherever available.

Review app permissions. Medical records apps need camera access (for scanning) and storage access. Be cautious of apps that request contacts, microphone, or location access without a clear medical justification.

Manage cloud sharing carefully. If you store medical documents on Google Drive, iCloud, or Dropbox, ensure the folder is not set to public or shareable. Use sharing links with password protection and expiry dates when sharing specific documents.

Audit access regularly. Review which family members have access to shared medical records. Remove access for people who no longer need it.

Be cautious with telemedicine platforms. Before your first teleconsultation, review the platform's privacy policy. Confirm that consultation notes and recordings (if the platform records consultations) are stored securely and not shared without your consent.

For your ABHA-linked records

  • Link only healthcare providers you actively use to your ABHA ID
  • Review and manage your consent artefacts in the PHR app — you can see who has been granted access to your records and revoke access at any time
  • Use the lock feature on ABHA-linked records if you want to temporarily prevent any sharing until you explicitly grant consent

When sharing with insurance companies

  • Read the consent form before signing — understand exactly what records the insurer is authorised to access
  • Provide records relevant to the specific claim, not your entire health history
  • After a claim is settled, you can request confirmation that the insurer has appropriately disposed of or restricted further use of your records

For children's health data

  • Be conservative about sharing children's health information — they cannot consent on their own behalf, and data collected about children carries heightened sensitivity
  • Review permissions on school health portals and any health apps used by your child's school
  • When your child reaches adulthood, review who has historical access to their childhood health records

Understanding HIPAA: An Important Clarification

HIPAA (Health Insurance Portability and Accountability Act) is a United States federal law. It does not apply in India. Healthcare providers in India are not HIPAA-compliant by law — HIPAA compliance is relevant only for US-based healthcare entities.

However, HIPAA is often referenced as a global standard for healthcare privacy, and some Indian healthcare platforms advertise "HIPAA compliance" as a quality signal. There is no official HIPAA certification: "HIPAA compliant" is a self-assessment, or at best a third-party attestation, against HIPAA's administrative, physical, and technical safeguards. An Indian platform making the claim has voluntarily adopted those standards, which is a positive indicator, but it is a voluntary choice with no legal force in India, so ask what the claim is based on.

India's applicable standard is the DPDP Act 2023 and the IT Rules. When evaluating healthcare platforms or asking your doctor about data security, reference India's actual legal framework rather than HIPAA.

How Ayu Protects Your Health Data

Ayu is built on the principle that your health data belongs to you — not to Ayu, not to advertisers, and not to insurers.

  • End-to-end encryption for all stored health records and documents
  • No data selling: Ayu does not sell, license, or share user health data with any third party
  • User-controlled sharing: You decide who sees your records. Sharing is explicit, revocable, and logged
  • ABDM integration: Supports ABHA-based consent for linking and sharing records with participating healthcare providers
  • Biometric or PIN lock: App access requires biometric authentication or PIN — records are not accessible on a lost or stolen phone
  • DPDP-compliant consent architecture: Consent is obtained for each specific purpose, and you can withdraw it at any time within the app


Frequently Asked Questions

Can a hospital share my medical records with my employer?

No. Sharing patient health information with an employer without the patient's explicit consent is a violation of the patient's right to confidentiality under the professional conduct regulations (issued by the Medical Council of India and now administered by the NMC), and, if the hospital is a registered clinical establishment, potentially under the Clinical Establishments Act. If this occurs, you can file a complaint with the State Medical Council and, depending on the harm caused, under the Consumer Protection Act.

Can an insurance company access my medical records without my permission?

Not without a consent form you sign. However, most insurance policy documents and claim forms include a consent clause authorising the insurer to request records from treating providers. Read these clauses carefully before signing. You can negotiate more limited consent, for example records relevant only to the specific claim, though the insurer may decline to process the claim if it believes broader access is necessary.

What should I do if I discover a healthcare provider shared my records without my permission?

Document what happened — specifically what data was shared, with whom, when, and how you discovered it. Raise a formal complaint in writing with the healthcare provider's grievance officer. If unsatisfied, escalate to the State Medical Council, State Consumer Forum, or (once operational) the Data Protection Board of India. Consider consulting a lawyer if the breach caused you concrete harm.

Is it safe to use a medical records app on my phone?

Safety depends on the specific app and how you use it. A reputable medical records app with end-to-end encryption, biometric lock, a clear no-data-selling policy, and transparent privacy documentation is safe. An app that is vague about encryption, has broad permission requests, or lacks a clear privacy policy carries higher risk. Review the privacy policy of any app before entering health data.

Can I ask a doctor to delete my records?

Technically, under the DPDP Act's right to erasure, you can request deletion of your data from a data fiduciary. However, healthcare providers have legal obligations to retain records for minimum periods, and your right to erasure is balanced against these obligations. In practice, a doctor cannot delete all records immediately on request. You can request that your records not be used for any purpose beyond your direct care, and you can request deletion of data that is clearly no longer needed.

Are there situations where a hospital can share my records without my consent?

Yes, limited exceptions exist: a court order or legal requirement; a public health emergency declared by a competent authority; a medical emergency where disclosure is necessary to prevent serious harm to the patient or others (also a "legitimate use" under the DPDP Act); and certain anonymised research contexts with appropriate ethics oversight. These are narrow exceptions; routine sharing for commercial or administrative purposes requires consent.
