Informed Consent in Indian Hospitals Under DPDP Act
How the DPDP Act 2023 Changes Healthcare Consent Obligations
Indian hospitals have long operated within a reasonably established framework of informed clinical consent.
The Supreme Court’s landmark ruling in Samira Kohli v. Dr. Prabha Manchanda (2008) clarified that a patient’s consent to medical treatment must be real, voluntary, and informed. Over the years, hospitals have become increasingly familiar with the legal importance of treatment consent, disclosure obligations, and patient autonomy.
What remains significantly underdeveloped, however, is the framework governing consent for patient data. And this is where the Digital Personal Data Protection Act, 2023 (DPDP Act) introduces an important shift. Healthcare institutions are now required to think beyond consent for treatment. They must also address consent for collecting, storing, processing, sharing, and managing patient data.
Clinical consent governs what may be done to a patient’s body. Data consent governs what may be done with information about that body. Legally, these are two distinct obligations. Under the DPDP Act, they must also be obtained through distinct and properly documented processes. For many hospitals, this distinction creates an immediate compliance challenge. Institutions that continue relying on broad, bundled pre-admission forms for both medical treatment and data processing may unknowingly expose themselves to future regulatory scrutiny.
The DPDP Act and the Legal Structure of Data Consent
Section 6 of the DPDP Act forms the core of India’s modern data consent framework.
The provision establishes that valid consent for personal data processing must be:
- free,
- specific,
- informed,
- unconditional,
- and unambiguous.
For hospitals, these are not merely technical drafting requirements. They directly affect how patient information is collected and managed across healthcare systems. Consent cannot be treated as valid if it is forced, hidden inside lengthy paperwork, or tied to unrelated permissions in a way that makes refusal impractical.
Similarly, a vague authorisation allowing hospitals to “use patient information for operational purposes” may no longer satisfy legal standards under the Act.
Healthcare institutions are expected to clearly identify:
- what personal data is being collected,
- why it is being collected,
- how it will be processed,
- and who may receive access to it.
This becomes especially relevant in healthcare environments involving:
- insurance coordination,
- diagnostic partnerships,
- telemedicine platforms,
- IVF services,
- third-party technology vendors,
- and digital patient management systems.
As healthcare delivery becomes increasingly digital, every point of data movement potentially creates legal responsibility.
Why Hospitals Must Separate Clinical Consent from Data Consent
One of the most common operational mistakes hospitals make is treating all forms of consent as a single administrative exercise.
In practice, many healthcare institutions currently combine:
- treatment consent,
- billing permissions,
- data-sharing authorisations,
- communication approvals,
- and privacy acknowledgements
into a single admission document. Operationally, this may appear efficient. Legally, however, it creates risk.
The DPDP Act expects consent to be purpose-specific.
A patient agreeing to surgery is not automatically consenting to unrelated data processing activities, marketing communication, or external sharing arrangements. This distinction matters because healthcare data is among the most sensitive categories of personal information. Medical records, reproductive health details, diagnostic history, insurance data, and digital consultation records all carry heightened privacy implications. Hospitals that fail to separate clinical consent from data consent may therefore face not only compliance concerns, but also patient trust and reputational challenges.
The Notice Requirement Under the DPDP Act
Before obtaining consent, hospitals must also satisfy the notice obligation under Section 5 of the Act.
The law requires healthcare institutions to provide patients with clear and accessible information regarding:
- the personal data being collected,
- the purpose of processing,
- available patient rights,
- and the grievance redressal mechanism.
This notice must be understandable and reasonably accessible to patients. Complex legal drafting that an ordinary patient cannot interpret may undermine the purpose of informed consent itself. For hospitals, this creates an important governance consideration. Data protection compliance is no longer limited to backend IT systems. It increasingly affects patient communication, operational transparency, and institutional accountability.
Consent Obligations for Children’s Data
The DPDP Act imposes an even stricter framework when hospitals process the personal data of children. Under Section 9, healthcare institutions handling paediatric services must obtain verifiable parental consent before processing a child’s data. The obligation extends beyond mere parental presence.
Hospitals may need systems capable of verifying:
- parental identity,
- authority,
- and consent authenticity.
The law also restricts behavioural monitoring and profiling of children.
This becomes particularly important for:
- paediatric hospitals,
- fertility and reproductive healthcare centres,
- child counselling services,
- educational healthcare platforms,
- and digital health applications involving minors.
Practical Compliance Priorities for Hospitals
For many healthcare institutions, DPDP compliance will require more than revised paperwork. It may require a structural redesign of patient data processes.
Hospitals should begin reviewing:
- admission documentation,
- patient consent architecture,
- vendor agreements,
- healthcare software systems,
- grievance handling procedures,
- and internal accountability mechanisms.
Particular attention should be given to:
- recording consent events,
- withdrawal mechanisms,
- access controls,
- data retention practices,
- and staff training.
This is because healthcare compliance today increasingly includes both medical governance and data governance.
The DPDP Act, 2023, fundamentally changes how Indian hospitals must approach informed consent. For years, healthcare institutions focused primarily on consent for treatment. The next phase of compliance requires equally robust frameworks for consent relating to patient data. That shift reflects a broader legal principle already recognised by the Supreme Court in Samira Kohli: patient autonomy and informed decision-making remain central to healthcare relationships. The difference is that autonomy now extends beyond medical procedures to personal data itself. Hospitals that proactively modernise their consent systems will not only strengthen legal compliance, but also improve institutional trust, operational resilience, and long-term governance standards.
Lexcuriam advises hospitals, IVF centres, healthcare institutions, and healthcare businesses on healthcare law, DPDP compliance, dispute management, and regulatory risk frameworks.
