๐Ÿฅ

DPDP Compliance for Healthcare Companies

Healthcare platforms handle the most sensitive data — medical records, prescriptions, health vitals,. Talk to our experts.

46/100 Avg. Score
8 Analyzed
52 Gaps Found


Now replace the sandwich shop with your Healthcare company. Where does personal data enter? Where does it sit? Who else touches it?

Healthcare DPDP Self-Check

Start here to understand why DPDP is relevant to Healthcare. Before any other task, first understand how personal data moves through the business.

What is Healthcare?

In this context, Healthcare means clinics, hospitals, diagnostics, telemedicine, pharmacies, health apps and care-support workflows that collect or use patient, appointment, prescription, billing, medical and communication data.

Children's data

  • Do you collect age, class, school, parent details or learning progress?
  • Can you separate child, parent and guardian data?
  • Do you know which users are under 18?

Consent

  • Can you prove where consent came from?
  • Is consent collected before data is used for the stated purpose?
  • Can consent be withdrawn without breaking the entire account flow?

Tracking and profiling

  • Do you track usage, performance, attention, behavior or drop-offs?
  • Is any of this used for ads, recommendations or nudges?
  • Are analytics tools collecting user identifiers?

Vendors and SDKs

  • Which CRMs, email tools, payment tools, analytics tools and support tools receive personal data?
  • Do contracts say they process data only on your instructions?
  • Can you delete or export data from each vendor?

Retention

  • What happens when the service ends?
  • What happens when a user leaves?
  • What data is kept for certificates, invoices, disputes or regulatory records?

First action

  • Map one user journey from sign-up to completion.
  • Mark where data is collected, stored, shared, used for communication and deleted.

If this self-check exposed more than three unclear answers, the next useful step is a DPDP data journey map.

Book a DPDP clarity call

Healthcare Company Analyses

Healthcare

Apollo 24/7

35

Apollo 24/7's privacy policy is detailed about data collection but remains largely anchored to the IT Act 2000 and SPDI Rules. Given it handles highly sensitive medical data, the lack of explicit DPDP Act 2023 alignment, especially concerning granular consent, specific data retention, and DPB redressal, poses significant compliance risks.

โš ๏ธ No explicit DPDP Act 2023 reference โ€” still relies on IT Act 2000 framework
โš ๏ธ Consent mechanism bundled, not 'freely given' per Section 6
+5 more gaps detected
Health & Fitness

Cure.fit (cult.fit)

42

cult.fit collects intimate health data — heart rate, body measurements, workout capacity, injury history, and mental health content engagement — processing what is effectively continuous health monitoring. At 42/100, treating this health data with consumer app privacy standards instead of health data protections creates significant DPDP exposure.

โš ๏ธ No DPDP Act 2023 reference
โš ๏ธ Health metrics data (heart rate, calories, BMI) treated as standard app data
+5 more gaps detected
Healthcare

HealthifyMe

42

HealthifyMe relies on a 'bundled' consent model that likely fails the DPDP Act's strict requirement for specific and unconditional permission. While they prioritize security for sensitive health data, their broad data-sharing clauses and lack of a dedicated Indian grievance path create major legal risks.

โš ๏ธ Consent is bundled with Terms of Use โ€” not 'freely given' or 'separate'
โš ๏ธ Data sharing allowed for 'any other purposes' โ€” lacks DPDP specificity
+4 more gaps detected
Healthcare

MediBuddy

42

MediBuddy's privacy policy is comprehensive under older regulations but lacks explicit alignment with the DPDP Act 2023. Given its handling of sensitive health data, the absence of granular consent, specific data retention periods, and clear cross-border transfer rules poses significant compliance challenges and potential liabilities.

โš ๏ธ No explicit DPDP Act 2023 reference
โš ๏ธ Bundled consent for all data processing purposes
+5 more gaps detected
Healthcare

mfine

42

mfine handles highly sensitive medical and physiological data, yet its policy relies on outdated 'all-or-nothing' consent models. While security measures are mentioned, the lack of DPDP-aligned data erasure timelines and grievance mechanisms creates significant risk for a health-tech leader.

โš ๏ธ Uses bundled consentโ€”accepting T&Cs means accepting the whole privacy policy
โš ๏ธ Retention policy of 'at least 3 years' violates purpose-limitation rules
+4 more gaps detected
Healthcare

PharmEasy

48

PharmEasy handles highly sensitive health data but its privacy policy doesn't explicitly align with the DPDP Act 2023. Key issues include non-granular consent for health information, unclear data retention, and an incomplete framework for user rights, posing significant regulatory and reputational risks.

โš ๏ธ No explicit DPDP Act 2023 reference โ€” still relies on older IT Act provisions
โš ๏ธ Bundled consent for sensitive health data, not 'freely given' per Section 6
+5 more gaps detected
Healthcare

Practo

53

Practo handles India's most sensitive personal data — medical records, doctor consultations, prescriptions, and health histories — scoring 53/100 on DPDP alignment. While healthcare-specific awareness is present, the lack of DPDP-specific consent granularity and retention timelines for medical data creates critical regulatory exposure.

โš ๏ธ No DPDP Act 2023 reference โ€” uses IT Act and MCI guidelines
โš ๏ธ Health data processing consent not adequately granular
+4 more gaps detected
Healthcare

1mg

60

Tata 1mg's privacy policy demonstrates a robust approach to data security and provides mechanisms for data principals to exercise certain rights, such as withdrawing consent. However, the policy currently lacks explicit alignment with several critical provisions of India's Digital Personal Data Protection Act 2023. Key areas requiring enhancement include the granularity of consent, clear definition of data retention periods, explicit mention of DPDP Act-mandated rights like nomination, and the escalation process to the Data Protection Board. Given the sensitive nature of health-related personal data processed by 1mg, precise DPDP compliance is essential to build and maintain user trust while navigating India's evolving data protection landscape.

โš ๏ธ Consent mechanism bundled with service terms โ€” not explicitly 'freely given' and granular per Section 6, and no mention of Consent Manager integration.
โš ๏ธ Data retention period undefined โ€” uses 'as long as necessary' language, lacking specific timelines or automated erasure triggers per Section 9.
+4 more gaps detected

Frequently asked questions

Can we still send lab reports to patients via WhatsApp?

You can, but you must document that the patient specifically chose this channel. You are responsible for ensuring the person receiving the message is the verified patient and that the data is not used for other purposes by the platform.

Does DPDP override the 3-year medical record retention rule?

No, legal requirements for record-keeping take priority over deletion requests. However, you must delete non-clinical data, like app usage history or marketing preferences, once the patient stops using your services.

Are our visiting consultants considered separate Data Fiduciaries?

If the hospital manages the billing and patient records, the hospital is the primary Fiduciary. Your contracts with visiting doctors must include specific clauses about restricted access to the hospital's central database.

Book clarity call