DPDP Compliance for Healthcare AI Applications in India
How Indian healthcare AI companies can comply with DPDP Act requirements for sensitive health data — consent, purpose limitation, and AI governance.
Health Data Under DPDP: Higher Stakes
DPDP 2023 does not explicitly categorise 'sensitive personal data' (unlike GDPR), but health and medical information clearly falls within 'personal data' and is subject to the Act's full protections. More importantly, health data processing by AI systems has particular risks: health information is highly re-identifiable, incorrect AI health decisions have serious consequences, and health data is a primary target for data brokers.
The DPDP Section 6 consent requirement is especially important for health AI: consent must be specific to each purpose, and using health data collected for diagnosis to train an AI model for a different condition requires separate consent.
AI in Clinical Workflows: Compliance Requirements
If your AI assists with diagnostic decisions, treatment recommendations, or patient risk stratification, you face DPDP obligations plus additional regulatory context from the Medical Devices Rules 2017 (if your AI qualifies as a medical device) and NABH accreditation requirements for clinical decision support.
For DPDP specifically: every patient data element fed into an AI diagnostic model requires consent. The consent notice must explain that AI is being used in the clinical workflow and what data it processes. Patients must be able to opt out of AI-assisted decisions.
EHR and LLM Integration Risks
Connecting Electronic Health Records to LLMs is a high-risk operation under DPDP. Patient records contain some of the most sensitive personal data covered by the Act. Common pitfalls: RAG (retrieval-augmented generation) systems that pull patient records into LLM context without per-patient consent, EHR search features that expose other patients' data in results, and clinical-note dictation features that log raw audio or transcripts to third-party LLM APIs.
Mitigation: Deploy CrewCheck as a mandatory gateway between your EHR system and any LLM. Configure strict health data policies: detect medical record numbers, diagnosis codes (ICD-10), prescription names, and biometric identifiers. Redact before transmission.
Compliance operational checklist
This guidance should be treated as an operating control, not only as a reference article. The minimum checklist is a data inventory, a stated processing purpose, owner approval, PII detection at the AI boundary, redaction or tokenisation where possible, retention limits, vendor transfer records, and a tested user-rights workflow. This checklist gives engineering and compliance teams a shared language for deciding what must be blocked, what can be allowed in shadow mode, and what needs human review before production release.
For AI systems, the review should include prompts, retrieved context, tool call arguments, model responses, logs, traces, analytics events, exports, and support attachments. Many incidents happen because teams scan only the visible form field while sensitive data moves through background context or observability tooling. CrewCheck's recommended pattern is to place the scanner at the request boundary, record the policy version, and keep audit evidence that shows which identifiers were detected and what action was taken.
A practical rollout starts with representative samples from production-like traffic. Run a DPDP scan, sort findings by identifier sensitivity and blast radius, fix Aadhaar, PAN, financial, health, children's, and precise-location exposure first, then move to consent wording, retention, deletion, and vendor review. Use shadow mode when false positives could disrupt users, and promote to enforcement only after the exceptions have owners and expiry dates.
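As an added illustration of the gateway pattern from the EHR section and the shadow-versus-enforcement rollout described above (example code, not CrewCheck's product and not from the original page): a minimal Python policy gateway that scans the prompt and retrieved context for identifier patterns, tokenises or blocks by severity, and returns an audit record carrying the policy version and the identifier types found. The MRN format, severity levels, policy name and sample patient text are constructed assumptions.

```python
"""Hypothetical policy gateway between an EHR-backed RAG pipeline and an LLM API.
Scans prompt + retrieved context, tokenises or blocks identifiers, and returns an
audit record (policy version, identifier types found, action taken).
Constructed example; the patterns are illustrative, not production-grade."""
import hashlib
import re
from dataclasses import dataclass, field

POLICY_VERSION = "health-v1"  # assumed policy name, recorded on every decision

# identifier type -> (pattern, severity). Severity 3 = block in enforce mode.
PATTERNS = {
    "aadhaar": (re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b"), 3),
    "pan":     (re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"), 3),
    "mrn":     (re.compile(r"\bMRN[-: ]?\d{6,10}\b"), 2),  # assumed hospital MRN format
    "icd10":   (re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b"), 1),
}


@dataclass
class Decision:
    action: str                                  # "allow" | "redact" | "block"
    text: str                                    # payload that may be forwarded to the LLM
    found: dict = field(default_factory=dict)    # identifier type -> number of hits
    policy_version: str = POLICY_VERSION         # audit evidence: which policy decided


def _token(kind: str, value: str) -> str:
    # Deterministic placeholder: the same MRN maps to the same token within a request,
    # so the model can still refer to "this patient" without seeing the identifier.
    return f"<{kind}:{hashlib.sha256(value.encode()).hexdigest()[:8]}>"


def gateway(prompt: str, context: str, mode: str = "enforce") -> Decision:
    """mode='shadow' records findings but forwards text unchanged; 'enforce' acts."""
    original = f"{prompt}\n---\n{context}"
    payload, found, severity = original, {}, 0
    for kind, (rx, sev) in PATTERNS.items():
        hits = rx.findall(payload)
        if hits:
            found[kind] = len(hits)
            severity = max(severity, sev)
            payload = rx.sub(lambda m, k=kind: _token(k, m.group(0)), payload)
    if not found:
        return Decision("allow", original, found)
    if mode == "shadow":        # measure false positives before enforcing
        return Decision("allow", original, found)
    if severity >= 3:           # government IDs never cross the AI boundary
        return Decision("block", "", found)
    return Decision("redact", payload, found)
```

In practice the `Decision` record would be written to the audit log alongside the request id, and the exception list for shadow-mode findings would carry an owner and an expiry date as the rollout paragraph recommends.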
This page is educational and should be paired with legal review for final policy interpretation. The operational proof should still come from repeatable evidence: scanner results, audit exports, pull-request checks, policy configuration, and a documented owner for the workflow. That combination is what makes the content useful during buyer diligence, board review, regulatory questions, or an incident investigation.
Check your own workflow
Run a free DPDP scan before this risk reaches production.
Scan prompts, logs, documents, and API payloads for Indian PII exposure, missing redaction, and audit gaps.