Compliance Brief
DPDP Act 2023:
What Your Clinic Must Know
India's Digital Personal Data Protection Act is now in effect. Healthcare providers handling patient data — names, phone numbers, medical history, payment details — are classified as Data Fiduciaries with specific obligations. Here's what it means for your clinic.
app-ening
What DPDP Act Requires from Clinics
Lawful Consent
Collect explicit consent before storing patient data. Record when and how consent was given. Allow patients to withdraw consent.
Data Security
Implement reasonable security measures. Encrypt personal data. Maintain access controls. Report breaches within 72 hours.
Right to Erasure
Patients can request deletion of their data. You must be able to identify and remove all data for a given individual.
How Most Clinics Handle Patient Data Today
Manual Approach (Non-Compliant)
x Patient phones stored in personal WhatsApp contacts
x Medical history in Excel on shared desktop
x No encryption — anyone with file access sees everything
x No consent record — when did patient agree?
x No audit trail — who accessed what, when?
x Staff leaves with patient list on personal phone
x No ability to delete one patient's data fully
x No breach detection or reporting capability
Appening (DPDP-Ready)
+ Patient data encrypted at rest (AES-256)
+ PII encryption with dedicated key management
+ Consent capture + withdrawal flows built-in
+ Full audit logs — every access is recorded
+ Role-based access control (agents see only their patients)
+ Row-level tenant isolation (your data is walled off)
+ Right-to-erasure support — delete patient data completely
+ Data residency in India
Fine Exposure Under DPDP Act
Violation Scenario Maximum Penalty
Failure to implement security measures Patient data in unencrypted Excel, no access controls up to ₹250 Cr
Non-compliance with consent requirements Messaging patients without recorded opt-in up to ₹50 Cr
Failure to report breach Staff phone with patient data lost/stolen, not reported up to ₹200 Cr
Non-compliance with erasure request Patient asks to be removed, data persists in spreadsheets up to ₹50 Cr
What Appening Provides — Compliance Checklist
+
PII EncryptionPatient names, phones, and medical notes encrypted with AES-256 at rest and in transit.
+
Audit LogsEvery data access, modification, and export is logged with timestamp and user ID.
+
Consent ManagementWhatsApp opt-in/opt-out flows with recorded timestamps for each patient.
+
Tenant IsolationRow-Level Security (RLS) ensures your data is invisible to other accounts.
+
Access ControlRole-based permissions. Staff see only what they need. No shared logins.
+
Data ResidencyAll data stored on AWS India (Mumbai region). No cross-border transfer.
+
Right to ErasureDelete all data for a patient with a single action. Verifiable removal.
+
Secure MessagingOfficial WhatsApp Business API (not personal). Messages in Meta's encrypted infrastructure.
Compliance is not optional. It's the law.
Appening removes DPDP liability from your clinic — so you can focus on patients, not paperwork.
app-ening.com
Share this brief with your CA or compliance advisor
DPDP Compliance Brief for Healthcare | Appening app-ening.com