DPDP Act 2023 for physiotherapy clinics: a patient-data checklist

India's data-protection law now governs the patient data your clinic holds. A plain-language checklist — consent, security, retention, breaches — for small clinics.

Amar Gupta · 6 min read

Your physiotherapy clinic holds some of the most sensitive data a person owns — names, phone numbers, injury histories, scan reports, sometimes payment details. India's Digital Personal Data Protection Act, 2023 (the "DPDP Act") is the law that now governs how you handle it. The good news: most of what it asks is just good practice written down. Here's the plain-language version, turned into a checklist a small clinic can actually act on.

First, where things stand on timing

The DPDP Act was passed in 2023, but a law needs rules before it fully bites. Those rules — the Digital Personal Data Protection Rules — were notified in late 2025, and the framework is being switched on in phases rather than all at once. Reporting at the time of writing suggested the core obligations (notices, security duties, breach reporting, patient rights) and the penalty regime would apply after a transition period running into 2027, with the Data Protection Board being set up first.

What that means for you: this is not a "panic by next week" situation, but it is a "start building the habit now" situation. Timelines and rule details have moved before — treat the dates below as a direction of travel, and confirm the current position with a professional before you rely on it.

The one concept to understand: you are a "Data Fiduciary"

Under the Act, the person or entity that decides why and how personal data is processed is a Data Fiduciary. Your patient is the Data Principal. As a clinic, you are the fiduciary for your patients' data — which means the duty of care sits with you, not your software vendor or your front-desk staff.

The Act is built on a few principles that everything else flows from:

  • Lawful basis / consent — you generally need a clear reason to hold data, usually the patient's consent, with health-related grounds recognised for treatment and emergencies.
  • Purpose limitation — use data only for the purpose you collected it for.
  • Data minimisation — collect only what you actually need.
  • Security safeguards — protect what you hold.
  • Retention limits — don't keep data forever "just in case."
  • Patient rights — people can ask what you hold about them, have it corrected, and in some cases have it erased.

The clinic checklist

Work through these. None of them require a lawyer to start — they require you to be deliberate.

Lawful basis and consent

  • Tell patients, in plain language, what you collect and why — a short, clear privacy notice, not legalese. (See our privacy policy for the shape of one.)
  • Collect consent through a clear, affirmative step — not a pre-ticked box buried in a form. The Act describes valid consent as free, specific, informed, unambiguous, and given by clear affirmative action.
  • Note that treatment and medical-emergency situations are recognised grounds for handling health data — but don't treat that as a blanket licence to collect anything.

Purpose limitation and minimisation

  • For each field you collect (phone, address, diagnosis, scan), ask: do I need this to treat or bill this patient? If not, drop it.
  • Don't repurpose patient data quietly — using treatment data for a marketing blast is a different purpose, and needs its own basis.

Security safeguards

  • Put patient records behind a login. No shared spreadsheets, no WhatsApp groups full of reports.
  • Limit who can see what — your receptionist may not need full clinical notes.
  • Keep access logs so you can tell who saw or changed a record.
  • Back up data so a lost laptop or crashed phone isn't a catastrophe.
  • If a vendor processes data for you, make sure they are held to equivalent safeguards.

The Act requires "reasonable security safeguards," and the rules point to measures along the lines of encryption or tokenisation, access controls, logging, and backups. The exact bar will firm up as the framework matures, but the direction is clear: locked-down beats loosely-shared.

Breach handling

  • Decide now who is in charge if data is exposed — a lost device, a hacked email, a misdirected report.
  • Understand the principle: a personal-data breach is expected to be reported to the Data Protection Board and to the affected patients, and reporting is meant to be prompt — public commentary has pointed to a follow-up report to the Board within a short window (figures around 72 hours have been cited). Confirm the current requirement rather than relying on a number from an article.
  • Keep a simple incident note: what happened, what data, when you found it, what you did.

Retention and erasure

  • Set a sensible retention period for patient records, balancing the DPDP principle of not keeping data past its purpose against any medical-records or tax-record obligations you have under other laws.
  • When data is no longer needed, delete it properly — including from backups and old devices.

Patient rights

  • Be ready to tell a patient what data you hold about them.
  • Be ready to correct wrong details.
  • Be ready to erase data on request, where no other law requires you to keep it.
  • Give patients an easy way to raise a grievance — a named contact or email is enough to start.

A note on penalties — don't let the big numbers scare you

You may have seen eye-watering figures attached to the Act — caps reported in the hundreds of crores for serious failures. Those are statutory maximums for the worst cases, applied with the Board's discretion based on the nature, gravity, and duration of a breach and what you did to mitigate it. They are not a flat fine waiting to land on a small clinic that's making an honest effort. The right reading is: take reasonable steps, document them, and respond properly if something goes wrong.

The practical takeaway

You don't need a compliance department. You need: a clear notice, real consent, only the data you need, kept securely, deleted when it's done, and a plan for the day something goes wrong. Start with security and consent — they're the foundation everything else rests on.

PhysioFlow walls each clinic's data off behind its own login by default, so one clinic can never see another's patients — and access, records, and billing live in one place instead of scattered across phones and spreadsheets. Start a free 14-day trial and put your patient data on a footing you can defend.


This article is general information as of 2026 and is not legal advice. The DPDP Act and its rules were still being operationalised, and timelines, thresholds, and requirements can change. Confirm your obligations with a qualified data-protection professional or your DPO before relying on anything here.
