Your Patient’s WhatsApp Message Is Now a Legal Liability. Did Anyone Tell You?
The Opinionated Scalpel: Sharp takes, cleaner cuts
There is a particular kind of ignorance that is not laziness.
It is the ignorance of the overwhelmed. The doctor who finishes a twelve-hour OPD, drives home through traffic that would test the patience of a saint, eats dinner at 10 PM, and collapses into bed — only to wake up the next morning and do it all again. This doctor is not ignoring the law. This doctor simply does not have the bandwidth to track what Parliament is enacting between budget sessions.
I understand that doctor. I am that doctor.
But there is a law that has quietly arrived at the clinic door, and it does not care how tired you are. It is called the *Digital Personal Data Protection Act, 2023* — the DPDP Act — and it has changed, in a single stroke, what you are legally obligated to do with every digital record you hold on every patient you have ever seen.
If this is the first you are hearing of it, you are in distinguished company. And also in some danger.
The Scene That Should Alarm You
Picture this.
A patient sends you a WhatsApp message at 11 PM. “Doctor saab, the test results have come — is everything okay?” She has attached her CBC, her sugar levels, her thyroid report. You reply with a few lines of reassurance and go to sleep.
Nothing unusual. We have all done it a thousand times.
Except now, under the DPDP Act, that exchange — that perfectly ordinary, deeply human act of medical communication — is a regulated data processing event. The patient’s health data has been shared digitally. You are what the law calls a Data Fiduciary. You have obligations. You needed her consent. You needed a privacy notice. You needed, in the law’s own language, to be ready to tell her exactly what you will do with her data, how long you will keep it, and how she can ask you to delete it.
None of this happened over WhatsApp at 11 PM.
And if someone decides to complain — to the newly constituted Data Protection Board of India — the defence “But doctor-patient communication has always worked like this” will get you precisely nowhere.
What Actually Is This Law?
The Digital Personal Data Protection Act was passed by Parliament in August 2023. The Rules under the Act — the operational guidelines that specify exactly how compliance works — were notified in January 2025.
The Act is, in its essence, India’s answer to GDPR. It is the country’s first comprehensive legislation governing how personal data — which includes, prominently and explicitly, health data — is collected, stored, processed, and shared.
Before this, if a hospital leaked patient records, or a clinic sold data to a pharmaceutical company, or a lab shared test results without authorisation, there were some provisions under the IT Act of 2000. But they were vague, patchy, and practically unenforceable. The DPDP Act is none of those things.
The Act establishes a Data Protection Board of India — an adjudicatory body with the power to investigate complaints, summon records, and levy penalties. The penalties are not symbolic. A significant data breach can attract a fine of up to ₹250 crore. And no, that is not a typo.
For smaller violations — failing to notify a data breach, failing to maintain appropriate security, failing to honour a patient’s request for their data — the numbers are lower but still consequential. We are talking about crores, not lakhs.
But the number is not really the point.
The point is that the Board exists. The mechanism for complaints exists. The law is in force. And most doctors in this country have no idea.
Why Should You Care? You Are Just a Doctor.
I have heard this argument. I find it unconvincing.
“I am a solo practitioner in a small town. This law is for big hospitals, tech companies, and pharmaceutical giants.”
The DPDP Act does not draw a distinction based on the size of your practice. If you process digital personal data — and you do, every single day — you are covered. The question is not whether the law applies to you. The question is how it applies, and what you are supposed to do about it.
Let me make it concrete.
Every time a patient’s name, age, diagnosis, or test result is stored on your computer, your phone, or your clinic’s software — that is digital personal data. Every time you share a prescription on WhatsApp, store a scan on a cloud drive, or keep appointment records in Google Sheets — that is digital data processing.
You are not exempt. You are a Data Fiduciary. And the law gives your patients — your Data Principals, in the Act’s terminology — rights that they have never formally had before.
The right to know what data you hold on them. The right to correct it. The right to withdraw consent. And in certain circumstances, the right to have it erased.
The right, in other words, to the same kind of autonomy over their personal data that Samira Kohli demanded — and the Supreme Court upheld — over their own bodies. The law, in 2023, has simply extended that logic to the digital domain.
The Consent Problem, Revisited
Those of you who read my earlier piece on informed consent will see the irony immediately.
We have spent decades debating whether a signature on a form constitutes genuine consent to a medical procedure. And now, layered on top of all of that, we have a new consent obligation — one that most of us are meeting even less rigorously than the medical consent we already struggle with.
The DPDP Act requires that consent for data processing must be free, specific, informed, unconditional, and unambiguous.
It is not a coincidence. The architects of the DPDP Act drew from the same philosophical well. Autonomy. Awareness. The right of a person to make decisions about things that affect them — whether those things are their body or their data.
The problem is the same. The forms we use — if we use any at all — do not meet this standard. The verbal “are you all right?” at the end of a consultation is not consent to data processing. It is not even close.
And the Act, unlike medical ethics, has deadlines, boards, and penalties attached to it.
The Urgency Is Not Hypothetical
The Data Protection Board of India is being operationalised. The government has been moving steadily through the machinery of setting it up. This is not a law that is waiting for a future notification before it bites — the Act is already in force, and the Rules are already notified.
What is coming is enforcement. And in India, enforcement does not usually announce itself with a polite letter in advance.
The pattern is familiar. A law is passed. A grace period of administrative ambiguity follows. And then one day, a complaint is filed, an investigation is opened, and a doctor or clinic finds itself trying to explain why their WhatsApp groups, their cloud-stored records, and their third-party lab integrations were operating entirely outside the framework the law required.
The moment to act is before that day. Not on it.
So What Do You Actually Do? Five Things, Plainly Stated.
I am a doctor who has been building a consent tech company. I have spent the past year inside the architecture of this problem. Let me save you the reading of fifty pages of legalese.
One: Know what data you hold and where it lives. Patient names, phone numbers, diagnoses, prescriptions, lab results, photos, scan images. Which of these are on your phone? On clinic software? On a WhatsApp group? On Google Drive? Make a list. It does not need to be a fancy audit. It needs to be honest.
Two: Have a privacy notice. This is a plain-language document — it can be short — that tells patients what data you collect, why, how long you keep it, and who you share it with (including labs, referral doctors, and billing teams). This notice needs to exist and needs to be accessible. A printout in your reception or a message sent when a patient first registers with you.
Three: Don’t share data without a reason. Sending a patient’s reports to another doctor for a referral opinion — fine, clinically justified, still needs consent. Sharing data with a pharma company’s field rep because they asked nicely — not fine. The Act requires a lawful basis for every instance of sharing.
Four: Know what to do if there is a breach. If your clinic’s computer is stolen, if your WhatsApp data is compromised, if your cloud storage is hacked — you are legally required to notify the Data Protection Board. The notification window is tight. You need to know this before the breach, not after.
Five: Give patients their rights when they ask. If a patient asks to see their data, correct a wrong entry, or withdraw consent for something — that request has to be honoured. You need a simple process for how you would handle it. “We will figure it out if someone asks” is not a process.
None of this requires a law firm on retainer. All of it requires the kind of clear-headed attention to process that good clinical practice already demands.
The Larger Point
Here is what strikes me most about the DPDP Act, when I think about it from inside medicine.
We have, as a profession, always held the patient’s clinical information as sacred. The duty of confidentiality is older than any law that codifies it. We knew, intuitively, that what a patient tells us in the consulting room stays in the consulting room.
What we did not anticipate was that the consulting room would one day expand — silently, incrementally — into WhatsApp, into cloud drives, into shared login credentials for clinic software, into lab portals that email results to five people at once. We carried the instinct of confidentiality into a digital world without carrying the architecture.
The DPDP Act is, at its core, asking us to build that architecture. To extend the same care we have always taken with a patient’s body to the data trail their body leaves behind.
That is not an unreasonable ask.
It is, in fact, exactly what a patient-centred doctor should have been doing already.
The law has simply decided to stop waiting for us to get there on our own.
Shishir writes at isaychaps.com — at the intersection of medicine, law, and the decisions that shape both. He is also the founder of ClarityConsent, a governance-grade AI consent platform for Indian obstetrics.