Executive Summary
The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a watershed moment for healthcare data protection in India, introducing stringent obligations for processing sensitive health data. This comprehensive analysis examines the DPDP Act's application to healthcare, health data classification, patient consent mechanisms, electronic health records (EHR) regulations, and data localization requirements.
Key Statistics & Data Protection Landscape
- Health Data Volume: Over 50 million health records generated daily in India
- EHR Adoption: 15-20% of hospitals have implemented Electronic Health Records systems
- Data Breaches: 100+ healthcare data breach incidents reported annually (estimated; underreported)
- Ayushman Bharat Health Accounts: Over 50 crore Health IDs created under ABDM
- Regulatory Framework: Digital Personal Data Protection Act, 2023 (enacted August 11, 2023)
- Penalties: Up to ₹250 crore for serious data protection violations
Regulatory Authorities: Data Protection Board of India (to be constituted), Ministry of Electronics & IT, Ministry of Health & Family Welfare.
1. Digital Personal Data Protection Act, 2023: Overview
1.1 Legislative History and Enactment
- Enacted: August 11, 2023
- Effective From: Awaiting notification of Rules (expected 2024-2025)
- Replaced: Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (partially)
Key Objectives:
- Protect privacy of individuals (data principals)
- Regulate processing of digital personal data
- Establish rights of data principals and obligations of data fiduciaries
- Create enforcement framework with Data Protection Board
1.2 Applicability to Healthcare Sector
Section 2 - Territorial Applicability:
DPDP Act applies to:
- Processing of digital personal data within India
- Processing of digital personal data outside India if such processing is for offering goods/services to data principals in India
Healthcare Entities Covered:
| Entity Type | Covered? | Rationale |
|---|---|---|
| Hospitals (Government and Private) | ✅ Yes | Process patient health data |
| Diagnostic Laboratories | ✅ Yes | Process health test data |
| Pharmacies | ✅ Yes | Process prescription and purchase data |
| Telemedicine Platforms | ✅ Yes | Process teleconsultation data |
| Health Insurance Companies | ✅ Yes | Process health and claims data |
| Medical Device Manufacturers | ✅ Yes (if processing patient data) | Smart devices collecting health data |
| Pharmaceutical Companies | ✅ Yes (if processing patient data) | Clinical trials, patient assistance programs |
| Individual Doctors | ✅ Yes | Process patient medical records |
| Health Apps and Wearables | ✅ Yes | Process fitness and health tracking data |
1.3 Key Definitions
| Term | Definition (as per DPDP Act) | Healthcare Context |
|---|---|---|
| Personal Data | Data about an individual who is identifiable by or in relation to such data | Patient name, age, contact, medical history |
| Digital Personal Data | Personal data in digital form | Electronic Health Records (EHR), digital prescriptions |
| Data Principal | Individual to whom personal data relates | Patient |
| Data Fiduciary | Entity determining purpose and means of processing personal data | Hospital, doctor, diagnostic lab, telemedicine platform |
| Data Processor | Entity processing personal data on behalf of data fiduciary | Cloud storage provider for hospital's EHR, billing software vendor |
| Consent | Free, specific, informed, and unambiguous indication of data principal's wishes | Patient consent for storing/sharing health records |
| Consent Manager | Entity that enables data principal to give, manage, review, and withdraw consent | Health Data Consent Managers under ABDM |
2. Health Data as Sensitive Personal Data
2.1 Classification of Health Data
Sensitive Personal Data (as per DPDP Act and IT Rules 2011):
Health data is explicitly classified as sensitive personal data, requiring heightened protection.
What Constitutes Health Data:
- Medical history and records
- Diagnosis and treatment information
- Prescription and medication data
- Laboratory test results (blood tests, imaging, pathology)
- Genetic and biometric data (DNA, fingerprints, retina scans)
- Mental health records
- Sexual and reproductive health information
- Insurance claims and health expenditure data
- Data from wearable health devices (heart rate, sleep patterns, activity levels)
Why Health Data is Sensitive:
- Privacy Intrusion: Reveals intimate details about individual's physical/mental condition
- Discrimination Risk: Can lead to discrimination (employment, insurance, social stigma)
- Security Risk: Attractive target for cybercriminals (ransomware, identity theft)
- Consent Criticality: Unauthorized disclosure can cause significant harm
2.2 Special Categories of Health Data
Extra-Sensitive Health Data (requiring additional safeguards):
| Category | Examples | Heightened Risk |
|---|---|---|
| Mental Health | Psychiatric diagnosis, therapy notes, hospitalization for mental illness | Severe social stigma; discrimination in employment |
| HIV/AIDS Status | HIV test results, ARV medication records | Discrimination, social ostracization |
| Genetic Data | DNA sequencing, genetic disease markers | Discrimination by insurers, employers; affects blood relatives |
| Reproductive Health | Pregnancy, abortion, infertility treatment, contraception | Privacy concerns; potential misuse |
| Substance Abuse | Drug/alcohol addiction treatment records | Social stigma, employment discrimination |
| Sexually Transmitted Diseases (STDs) | STD diagnosis and treatment | Privacy concerns, relationship disclosure |
Enhanced Protection Measures:
- Stricter access controls (need-to-know basis only)
- Prohibition on disclosure without explicit patient consent
- Anonymization before use in research or analytics
3. Patient Consent Mechanisms Under DPDP Act
3.1 Principles of Valid Consent
Section 6 of DPDP Act - Consent Requirements:
Consent must be:
- Free: Not obtained through coercion, fraud, or misrepresentation
- Specific: Clearly stated purpose (e.g., "for diagnosis and treatment" vs. vague "for medical purposes")
- Informed: Data principal aware of what data is collected, how it will be used, who it will be shared with
- Unambiguous: Clear affirmative action (explicit opt-in; silence or pre-ticked boxes NOT valid)
- Time-Bound: Consent for specific duration or until withdrawn
Mode of Consent:
- Written Consent: Signed consent form (traditional method)
- Electronic Consent: Click-to-accept, digital signature, Aadhaar-based e-sign
- Oral Consent: Acceptable ONLY in emergencies where written/electronic consent not feasible (must be documented immediately after)
3.2 Consent for Different Healthcare Purposes
Purpose-Specific Consent:
Hospitals/doctors must obtain separate consent for each distinct purpose:
| Purpose | Consent Required? | Example |
|---|---|---|
| Diagnosis and Treatment | ✅ Yes (Implied in doctor-patient relationship, but explicit consent recommended) | Patient seeks consultation; consents to medical examination and treatment |
| Sharing with Specialist | ✅ Yes | Primary care doctor shares records with cardiologist for referral |
| Sharing with Insurance Company | ✅ Yes (Explicit) | Hospital shares discharge summary with insurer for claim processing |
| Research and Clinical Trials | ✅ Yes (Explicit + Informed Consent Form) | Patient enrolls in clinical trial; separate consent for data use in research |
| Marketing and Promotional Use | ✅ Yes (Explicit Opt-In) | Hospital wants to send health tips, promotional offers via email/SMS |
| Third-Party Apps/Services | ✅ Yes | Patient uses hospital's mobile app; data shared with app developer |
| Anonymized Data for Public Health | ❌ No (if truly anonymized) | Government collects anonymized COVID-19 case data for epidemiological analysis |
Consent Withdrawal: Patient has right to withdraw consent at any time (Section 6(4)). Hospital must cease processing and delete data (subject to legal retention requirements).
3.3 Exceptions to Consent Requirement
Section 7 of DPDP Act - Processing Without Consent Permitted:
Healthcare entities can process health data without consent in the following circumstances:
- Medical Emergency: To provide immediate medical treatment (life-threatening situation)
- Public Health: To respond to public health emergencies (epidemics, pandemics)
- Legal Obligation: To comply with court order, statutory requirement (e.g., notifiable diseases reporting)
- Prevention/Detection of Unlawful Activity: To investigate suspected fraud, malpractice
Conditions:
- Processing limited to what is necessary for the stated purpose
- Data must be deleted/anonymized once purpose fulfilled (unless legal retention required)
- Data principal must be informed post-facto (when feasible)
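The consent principles of Section 3.1, the purpose-specific consents of Section 3.2 and the Section 7 exceptions of Section 3.3 can be expressed as a single processing gate. The following is an added example, not code from the DPDP Act, ABDM or any consent-manager product: a consent record is valid only for the exact purpose it was given for, only with an explicit affirmative action and a recorded notice, only within its validity window, and not after withdrawal; processing without consent is permitted only on the Section 7 grounds the page lists. The record layout, purpose names, function names and the sample records are assumptions constructed for illustration.

```python
"""Consent gate for health-data processing.

Added example, not from the DPDP Act text, ABDM or any consent-manager
product. Record layout, purpose names and function names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Section 7 grounds (as listed on the page) on which processing may proceed
# without consent. Anything else needs a valid consent record.
NON_CONSENT_GROUNDS = frozenset({
    "medical_emergency", "public_health", "legal_obligation", "unlawful_activity",
})


@dataclass
class ConsentRecord:
    patient_id: str
    purpose: str                          # one specific purpose per record
    granted_at: datetime
    expires_at: Optional[datetime]        # None = valid until withdrawn
    affirmative_action: bool              # explicit opt-in; pre-ticked box => False
    notice_version: Optional[str]         # privacy notice shown; None => not informed
    withdrawn_at: Optional[datetime] = None


def consent_is_valid(rec: ConsentRecord, purpose: str, now: datetime) -> Tuple[bool, str]:
    """Test one record against the validity principles. Returns (ok, reason)."""
    if rec.purpose != purpose:
        return False, "purpose mismatch: consent is purpose-specific"
    if not rec.affirmative_action:
        return False, "no clear affirmative action (silence or pre-ticked box)"
    if rec.notice_version is None:
        return False, "not informed: no notice version recorded"
    if rec.granted_at > now:
        return False, "consent not yet effective"
    if rec.withdrawn_at is not None and rec.withdrawn_at <= now:
        return False, "consent withdrawn"
    if rec.expires_at is not None and now >= rec.expires_at:
        return False, "consent expired (time-bound)"
    return True, "valid consent"


def may_process(records: List[ConsentRecord], patient_id: str, purpose: str,
                now: datetime, legal_ground: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether processing may proceed and on what basis.

    A claimed Section 7 ground is checked first; otherwise the patient must
    have a currently valid consent record for exactly this purpose.
    """
    if legal_ground is not None:
        if legal_ground in NON_CONSENT_GROUNDS:
            return True, f"section 7 ground: {legal_ground}"
        return False, f"unrecognised legal ground: {legal_ground}"
    reasons = []
    for rec in records:
        if rec.patient_id != patient_id:
            continue
        ok, reason = consent_is_valid(rec, purpose, now)
        if ok:
            return True, "consent"
        reasons.append(reason)
    return False, "; ".join(reasons) or "no consent record"


def withdraw(rec: ConsentRecord, when: datetime) -> ConsentRecord:
    """Record a withdrawal (Section 6(4)); processing must stop from this point."""
    rec.withdrawn_at = when
    return rec


# Constructed sample records (illustrative only).
T0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    ConsentRecord("P001", "diagnosis_treatment", T0, None, True, "v3"),
    ConsentRecord("P001", "marketing", T0, T0 + timedelta(days=365), False, "v3"),  # pre-ticked box
    ConsentRecord("P002", "share_with_insurer", T0, T0 + timedelta(days=30), True, "v3"),
]


def demo() -> dict:
    """Run the sample scenarios 45 days after the consents were granted."""
    now = T0 + timedelta(days=45)
    results = {
        "treat_P001": may_process(SAMPLE, "P001", "diagnosis_treatment", now),
        "market_P001": may_process(SAMPLE, "P001", "marketing", now),          # no opt-in
        "insurer_P002": may_process(SAMPLE, "P002", "share_with_insurer", now),  # 30-day window passed
        "research_P002": may_process(SAMPLE, "P002", "research", now),          # never consented
        "emergency_P003": may_process(SAMPLE, "P003", "diagnosis_treatment", now,
                                      legal_ground="medical_emergency"),
    }
    withdraw(SAMPLE[0], now)
    results["treat_P001_after_withdrawal"] = may_process(
        SAMPLE, "P001", "diagnosis_treatment", now + timedelta(minutes=1))
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The gate returns the reason for every refusal so that a denied request can be shown to the patient or to an auditor; a consent manager built this way also has what it needs to honour withdrawal immediately rather than at the next batch run.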
4. Electronic Health Records (EHR): Regulatory Framework
4.1 EHR Standards Under ABDM
Ayushman Bharat Digital Mission (ABDM): Launched in 2021 to create digital health ecosystem in India.
Key Components:
| Component | Purpose | Status |
|---|---|---|
| Health ID (ABHA - Ayushman Bharat Health Account) | Unique 14-digit health identifier for every citizen | 50+ crore created |
| DigiDoctor | Registry of doctors with digital credentials | Operational |
| Health Facility Registry (HFR) | Database of hospitals, clinics, labs | Operational |
| Personal Health Records (PHR) | Digital vault for citizen's health data | Operational (via CoWIN, ABHA app) |
| Health Information Exchange (HIE) | Interoperable exchange of health data between facilities | Pilot phase |
| Health Data Consent Managers | Enable patients to grant/revoke consent for data sharing | Operational |
4.2 EHR Data Standards
Interoperability Standards:
HL7 FHIR (Fast Healthcare Interoperability Resources): ABDM has adopted HL7 FHIR as the standard for health data exchange.
Benefits:
- Seamless data exchange between different hospital systems
- Patient's health records accessible across facilities (with consent)
- Reduces duplication of diagnostic tests
Data Elements in EHR:
| Element | Description |
|---|---|
| Demographics | Name, age, sex, address, contact |
| Medical History | Past illnesses, surgeries, allergies |
| Vital Signs | Blood pressure, heart rate, temperature, BMI |
| Diagnoses | ICD-10 codes for diseases |
| Medications | Current and past prescriptions |
| Laboratory Results | Blood tests, imaging, pathology reports |
| Immunization Records | Vaccination history |
| Clinical Notes | Doctor's consultation notes, discharge summaries |
| Consent Records | Patient consent for data sharing |
4.3 EHR Access Controls
Role-Based Access Control (RBAC):
| User Role | Access Permissions |
|---|---|
| Treating Doctor | Full access to patient's EHR (read, write) |
| Specialist (Referral) | Access only to relevant medical history and test results (with patient consent) |
| Nurse | Access to vital signs, medication administration records |
| Pharmacist | Access to prescriptions only |
| Laboratory Technician | Access to lab orders and results only |
| Billing Staff | Access to demographic and billing data only (NO clinical data) |
| Patient | Full access to own EHR (read-only); can share with any provider via consent |
Audit Trails: Every access to EHR must be logged (who accessed, when, what data viewed, purpose). Audit logs retained for minimum 5 years.
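One way to enforce the RBAC table above and produce the audit trail it requires, as an added example that is not ABDM's or any EHR vendor's code: a default-deny permission check keyed by role and EHR section, a patient-only-own-record rule, a consent gate for referral access, and a log entry for every attempt (allowed or denied) recording who, when, what data and purpose. Chaining each entry to the previous one by SHA-256 goes beyond the page; it is a design choice made here so that later edits to the trail are detectable. Section names, role names, function names and the scenario data are assumptions.

```python
"""Role-based access control for an EHR with a tamper-evident audit trail.

Added example, not from ABDM or any EHR product. Section names, role names
and function names are assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# EHR section -> operations permitted, per role. "*" means every section.
ROLE_PERMS: Dict[str, Dict[str, Set[str]]] = {
    "treating_doctor": {"*": {"read", "write"}},
    "specialist":      {"medical_history": {"read"}, "lab_results": {"read"}},
    "nurse":           {"vital_signs": {"read", "write"}, "medication_admin": {"read", "write"}},
    "pharmacist":      {"medications": {"read"}},
    "lab_technician":  {"lab_orders": {"read"}, "lab_results": {"read", "write"}},
    "billing":         {"demographics": {"read"}, "billing": {"read", "write"}},
    "patient":         {"*": {"read"}},
}
CONSENT_GATED_ROLES = {"specialist"}   # referral access needs the patient's consent


def is_allowed(role: str, section: str, op: str, user_id: str,
               patient_id: str, consented: bool) -> bool:
    """Pure policy decision; default-deny for unknown roles or sections."""
    if role == "patient" and user_id != patient_id:
        return False                      # patients see only their own record
    if role in CONSENT_GATED_ROLES and not consented:
        return False
    perms = ROLE_PERMS.get(role, {})
    allowed_ops = perms.get(section, set()) | perms.get("*", set())
    return op in allowed_ops


class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, entry: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = dict(entry, prev_hash=prev)
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every digest and link; any edit or deletion breaks the chain."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def access_ehr(log: AuditLog, user_id: str, role: str, patient_id: str,
               section: str, op: str, purpose: str, consented: bool = False,
               now: Optional[datetime] = None) -> bool:
    """Enforce RBAC and record the attempt, allowed or denied, in the audit trail."""
    allowed = is_allowed(role, section, op, user_id, patient_id, consented)
    log.append({
        "who": user_id, "role": role,
        "when": (now or datetime.now(timezone.utc)).isoformat(),
        "patient": patient_id, "section": section, "op": op,
        "purpose": purpose, "outcome": "allowed" if allowed else "denied",
    })
    return allowed


def demo() -> dict:
    """Constructed scenario; returns the decisions and the trail's integrity."""
    log = AuditLog()
    t = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    out = {
        "doctor_writes_notes": access_ehr(log, "D100", "treating_doctor", "P001", "clinical_notes", "write", "treatment", now=t),
        "billing_reads_notes": access_ehr(log, "B200", "billing", "P001", "clinical_notes", "read", "claim", now=t),
        "pharmacist_reads_rx": access_ehr(log, "R300", "pharmacist", "P001", "medications", "read", "dispensing", now=t),
        "specialist_no_consent": access_ehr(log, "S400", "specialist", "P001", "lab_results", "read", "referral", now=t),
        "specialist_with_consent": access_ehr(log, "S400", "specialist", "P001", "lab_results", "read", "referral", consented=True, now=t),
        "patient_reads_other": access_ehr(log, "P002", "patient", "P001", "medical_history", "read", "self-access", now=t),
    }
    out["trail_ok_before_tamper"] = log.verify()
    log.entries[1]["outcome"] = "allowed"   # someone rewrites a denial after the fact
    out["trail_ok_after_tamper"] = log.verify()
    out["entries"] = len(log.entries)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Logging denials as well as grants matters for the quarterly access reviews mentioned later in this document: a billing account repeatedly denied on clinical sections is exactly the pattern a reviewer wants to see. The hash chain only makes edits detectable; the log must still be shipped to storage the EHR administrators cannot rewrite.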
5. Data Localization Requirements
5.1 Storage Location of Health Data
Section 16 of DPDP Act - Cross-Border Data Transfer:
The Act does NOT explicitly mandate data localization for all personal data. However, the Central Government has powers to:
- Notify countries to which data CANNOT be transferred (based on data protection inadequacy)
- Mandate data localization for certain categories of sensitive data (to be notified via Rules)
Expected Health Data Localization Mandate:
Based on draft Rules and government statements, health data is likely to be subject to strict data localization:
- All health data must be stored on servers physically located in India
- Cross-border transfer permitted ONLY for specific purposes (e.g., international second opinion, clinical trials with approval) and with patient consent
- Backup servers can be outside India, but primary data must be in India
Rationale:
- Sovereign control over citizens' health data
- Easier enforcement of data protection laws
- Prevent foreign governments from accessing Indian health data under their laws (e.g., US CLOUD Act)
5.2 Compliance for Healthcare Entities
For Hospitals and Clinics:
- Ensure EHR systems store data on servers in India
- If using cloud services (e.g., AWS, Azure), select India region (Mumbai, Chennai, Hyderabad data centers)
- Verify cloud service provider's data residency certification
- Include data localization clause in contracts with IT vendors
For Telemedicine Platforms:
- Host platform on Indian servers
- Ensure video/audio consultation data (if recorded) stored in India
- Patient health records and consultation notes stored in India
For Health Apps and Wearables:
- Store user health data on Indian servers
- If using foreign servers, migrate data to India by notified deadline
- Provide users option to download and delete their data
6. Data Breach Notification and Response
6.1 Obligation to Report Data Breaches
Section 8 of DPDP Act - Breach Notification:
If a data breach occurs, data fiduciary must:
- Notify Data Protection Board: Within 72 hours of becoming aware of breach
- Notify Affected Data Principals (Patients): Promptly (timeline to be specified in Rules)
What Constitutes a "Breach":
- Unauthorized access to health data (hacking, insider theft)
- Accidental disclosure (e.g., email sent to wrong recipient)
- Loss of data (e.g., unencrypted laptop stolen)
- Ransomware attack encrypting patient records
Information to Include in Notification:
- Nature of breach (what data was compromised)
- Estimated number of affected data principals
- Likely consequences of breach
- Measures taken to mitigate harm
- Contact point for queries
6.2 Penalties for Data Breaches
Section 33 of DPDP Act - Penalties:
| Violation | Penalty (Per Violation) |
|---|---|
| Failure to protect data (causing breach) | Up to ₹250 crore |
| Failure to notify breach | Up to ₹200 crore |
| Failure to implement reasonable security practices | Up to ₹200 crore |
| Failure to comply with Data Protection Board's directions | Up to ₹250 crore |
Factors Determining Penalty Amount:
- Severity of breach (number of patients affected, sensitivity of data)
- Whether breach resulted from negligence or intentional act
- Steps taken to mitigate harm
- Previous violations by entity
Additional Consequences:
- Reputational damage (loss of patient trust)
- Civil liability (patients can sue for compensation)
- Regulatory action (license suspension by NABH, state health department)
6.3 Data Breach Response Plan
Recommended Steps:
| Stage | Action |
|---|---|
| 1. Detection | Deploy intrusion detection systems; regular security audits; employee training to report suspicious activity |
| 2. Containment | Immediately isolate affected systems; revoke compromised credentials; block unauthorized access |
| 3. Assessment | Determine scope of breach (what data, how many patients); forensic investigation |
| 4. Notification | Notify Data Protection Board within 72 hours; notify affected patients; notify insurance carrier |
| 5. Remediation | Patch vulnerabilities; enhance security measures; provide credit monitoring to affected patients (if financial data compromised) |
| 6. Review | Conduct post-incident review; update security policies; train staff |
7. Security Safeguards for Health Data
7.1 Reasonable Security Practices (Section 8)
Minimum Security Measures:
Technical Safeguards:
- Encryption: AES-256 encryption for data at rest; TLS 1.2+ for data in transit
- Access Controls: Multi-factor authentication (MFA) for accessing EHR
- Firewalls and Intrusion Detection: Network security to prevent unauthorized access
- Antivirus and Anti-Malware: Regular updates and scans
- Regular Backups: Daily automated backups; stored securely (encrypted)
- Patch Management: Timely installation of security patches for software/systems
Administrative Safeguards:
- Data Protection Policy: Written policy on data collection, storage, access, sharing, deletion
- Staff Training: Annual training on data protection and security best practices
- Access Audit: Quarterly review of who has access to what data; revoke unnecessary access
- Vendor Management: Vet third-party vendors (IT, billing, analytics) for data protection compliance
- Incident Response Plan: Written plan for responding to data breaches
Physical Safeguards:
- Secure Server Room: Restricted access; CCTV surveillance; biometric access control
- Locked Storage for Backups: Physical backups (if any) stored in locked cabinets
- Secure Disposal: Shred physical records; securely wipe digital storage devices before disposal
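The "TLS 1.2+ for data in transit" safeguard from the technical list above, shown as configuration. This is an added example, not code from the page or from any EHR vendor: a weak client configuration of the kind that survives in integration scripts is placed beside a hardened one built on Python's `ssl` module, with a policy check a reviewer can run against any context. AES-256 at rest is not shown because the standard library has no AES implementation. Function names are assumptions.

```python
"""Weak vs hardened TLS client configuration for an EHR or API client.

Added example using only the standard-library ssl module; function names
are assumptions.
"""
import ssl
from typing import List


def weak_client_context() -> ssl.SSLContext:
    """What an unreviewed integration script often ends up with."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                                # "to make it work"
    ctx.verify_mode = ssl.CERT_NONE                           # any certificate accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED    # whatever OpenSSL allows
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Certificate and hostname verification on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()        # CA verification + hostname check enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION      # already set by the default context; kept explicit
    return ctx


def tls_policy_findings(ctx: ssl.SSLContext) -> List[str]:
    """Return the ways a context falls short of the page's in-transit safeguard."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    return findings


def summarize(ctx: ssl.SSLContext) -> dict:
    """Compact view of the settings the policy check looks at."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "findings": tls_policy_findings(ctx),
    }


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(label, summarize(ctx))
```

Run the check in a unit test for every HTTP client the hospital's systems construct; the most common way TLS protection is lost is not a missing cipher suite but a `verify=False` or `CERT_NONE` left behind after a certificate problem during integration.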
7.2 Certification and Compliance Standards
ISO 27001 (Information Security Management System):
- International standard for ISMS
- Hospitals should obtain ISO 27001 certification for EHR systems
NABH Digital Health Accreditation:
- National Accreditation Board for Hospitals has introduced digital health standards
- Covers EHR security, patient data protection, interoperability
HIPAA Compliance (For International Operations):
- If Indian hospital serves international patients or partners with US hospitals, consider HIPAA compliance
- HIPAA (Health Insurance Portability and Accountability Act, USA) has stricter standards than Indian regulations
8. Rights of Data Principals (Patients)
8.1 Comprehensive Rights Under DPDP Act
Section 11 - Rights of Data Principals:
| Right | Description | Healthcare Application |
|---|---|---|
| Right to Access | Data principal can request summary of personal data processed | Patient can request copy of their medical records |
| Right to Correction | Data principal can request correction of inaccurate data | Patient can request correction of wrong diagnosis/medication in records |
| Right to Erasure | Data principal can request deletion of data | Patient can request deletion of records (subject to legal retention requirements) |
| Right to Data Portability | Data principal can request data in machine-readable format | Patient can download health records and share with another hospital |
| Right to Grievance Redressal | Data principal can file complaint with Data Protection Board | Patient can complain if hospital refuses to provide records or shares data without consent |
| Right to Nominate | Data principal can nominate another person to exercise rights (in case of death/incapacity) | Patient can nominate family member to access records if patient becomes incapacitated |
8.2 Procedure for Exercising Rights
How to Request Access to Medical Records:
- Submit Written Request: Patient submits written request to hospital's Data Protection Officer (or designated contact)
- Identity Verification: Hospital verifies patient's identity (government ID, patient registration number)
- Processing Timeline: Hospital must respond within 7 days (DPDP Act) - provide records or explain reason for denial
- Format: Records provided in electronic format (PDF, HL7 FHIR standard) or physical copies (if patient requests)
- Fee: Hospital can charge reasonable fee for physical copies (typically ₹2-5 per page); electronic copies should be free
Grounds for Denial:
- Legal obligation to retain data (e.g., medico-legal cases)
- Disclosure would harm third party (e.g., donor identity in organ transplant)
- Data is subject to legal privilege (e.g., pending litigation)
Appeal: If hospital denies request, patient can appeal to Data Protection Board.
9. Compliance Checklist for Healthcare Entities
9.1 Immediate Compliance Actions (Pre-Rules Notification)
Governance:
- Appoint Data Protection Officer (DPO) - senior executive responsible for data protection compliance
- Conduct Data Mapping Exercise - identify all personal/health data collected, stored, processed, shared
- Draft Data Protection Policy - document how data is collected, used, protected, shared, deleted
- Update Privacy Policy - clearly explain to patients how their data is used; publish on website and display in hospital
Consent Management:
- Review existing consent forms - ensure they meet DPDP Act requirements (free, specific, informed, unambiguous)
- Implement Consent Management System - digital platform to record, track, and manage patient consents
- Obtain fresh consent for marketing/promotional use - if using patient data for marketing, obtain explicit opt-in consent
Security:
- Conduct Security Audit - identify vulnerabilities in IT systems, EHR, networks
- Implement Encryption - encrypt all health data at rest and in transit
- Enable Multi-Factor Authentication (MFA) - for all staff accessing EHR
- Deploy Intrusion Detection/Prevention Systems - monitor network for unauthorized access
- Regular Backups - automate daily backups; test restoration process quarterly
Vendor Management:
- Review Vendor Contracts - ensure vendors (IT, cloud, billing, analytics) comply with data protection laws
- Data Processing Agreements - sign DPAs with vendors processing patient data on hospital's behalf
- Vendor Audits - conduct annual audits of vendors' data protection practices
9.2 Post-Rules Notification Compliance (Expected 2024-2025)
Once DPDP Rules are notified:
- Register with Data Protection Board (if required for significant data fiduciaries)
- Conduct Data Protection Impact Assessment (DPIA) - for high-risk processing activities
- Implement Data Localization - migrate health data to servers in India (if mandated)
- Establish Grievance Redressal Mechanism - dedicate staff/system to handle patient data complaints
- Mandatory Breach Notification - set up systems to detect and report breaches within 72 hours
- Annual Compliance Audit - engage external auditor to assess DPDP Act compliance
10. Penalties and Enforcement
10.1 Data Protection Board of India
Section 18 - Establishment of Board:
Central Government to establish Data Protection Board of India to:
- Adjudicate complaints of data protection violations
- Investigate suo motu violations
- Impose penalties on data fiduciaries
- Issue directions for compliance
- Conduct awareness programs
Composition:
- Chairperson and Members (to be notified)
- Expected to have judicial, technical, and legal expertise members
10.2 Penalty Framework
Section 33 - Penalties:
| Violation Category | Maximum Penalty |
|---|---|
| Non-compliance with Act's provisions | ₹250 crore |
| Failure to implement reasonable security practices | ₹200 crore |
| Failure to notify data breach | ₹200 crore |
| Processing data in violation of children's data protection provisions | ₹200 crore |
| Failure to comply with Board's orders | ₹250 crore |
Determination of Penalty Amount:
Board considers:
- Nature, gravity, and duration of violation
- Type and nature of personal data involved
- Repetitive nature of violation
- Financial gain from violation
- Steps taken to mitigate harm
10.3 Enforcement Case Studies (Hypothetical Scenarios)
Scenario 1: Hospital Sells Patient Data to Pharmaceutical Company
Facts: Hospital sells anonymized patient prescription data to pharmaceutical company for ₹50 lakh without patient consent.
Violation: Processing data for purpose other than original purpose (diagnosis/treatment) without consent (Section 6)
Penalty: Board imposes ₹10 crore penalty + direction to refund ₹50 lakh to patients + publish public apology
Scenario 2: Telemedicine Platform Suffers Data Breach; Fails to Notify
Facts: Telemedicine platform hacked; 1 lakh patient records leaked. Platform discovers breach but does not notify Board or patients for 6 months.
Violation:
- Failure to implement reasonable security (Section 8)
- Failure to notify breach (Section 8)
Penalty: Board imposes ₹50 crore penalty (₹25 crore for security failure + ₹25 crore for notification failure) + direction to provide credit monitoring to affected patients
11. Future Outlook and Recommendations
11.1 Expected Rules and Notifications
DPDP Rules (2024-2025):
- Definition of "significant data fiduciary" (entities processing large volumes of health data)
- Format for Data Protection Impact Assessment (DPIA)
- Procedures for Data Protection Board (complaint filing, adjudication, appeals)
- Standards for consent managers
- Data localization requirements (specific to health data)
- Notification of countries to which data transfer is restricted
11.2 Integration with Ayushman Bharat Digital Mission
Synergy:
- ABDM provides technical infrastructure (Health ID, EHR standards, consent managers)
- DPDP Act provides legal framework for data protection
- Together, they enable secure, interoperable digital health ecosystem
Consent Managers Under ABDM:
- Patients can grant/revoke consent for data sharing via Health Data Consent Managers
- Consent managers log all consent transactions (audit trail)
- Hospitals and doctors must honor patient's consent preferences
11.3 Recommendations for Stakeholders
For Hospitals and Clinics:
- Proactively invest in data security infrastructure (encryption, MFA, intrusion detection)
- Train all staff (doctors, nurses, administrative staff) on data protection
- Obtain ISO 27001 certification for EHR systems
- Implement patient-centric consent management
- Prepare for data localization (migrate to Indian servers)
For Telemedicine Platforms and Health Apps:
- Conduct Data Protection Impact Assessment (DPIA) before launching new features
- Implement Privacy-by-Design principles (minimize data collection, anonymize where possible)
- Provide clear, simple privacy policies in vernacular languages
- Enable easy consent withdrawal and data deletion
For Patients:
- Exercise your rights (access, correction, deletion)
- Read privacy policies before sharing health data
- Use ABHA (Ayushman Bharat Health Account) to manage health data sharing
- Report data protection violations to Data Protection Board
For Policymakers:
- Expedite notification of DPDP Rules to provide regulatory clarity
- Strengthen enforcement (adequate funding and staffing for Data Protection Board)
- Promote data protection awareness among citizens
- Harmonize DPDP Act with sector-specific regulations (ABDM, Telemedicine Guidelines, Clinical Establishment Act)
Conclusion
The Digital Personal Data Protection Act, 2023 marks a paradigm shift in healthcare data protection in India, placing patients at the center of data governance. Key achievements:
- Legal Recognition of Health Data Sensitivity: Explicit classification as sensitive personal data
- Patient Rights: Comprehensive rights (access, correction, erasure, portability)
- Consent-Centric Framework: Mandatory consent for data processing with easy withdrawal
- Data Localization: Expected mandate for health data to be stored in India (sovereignty and security)
- Stringent Penalties: Up to ₹250 crore penalties for violations (strong deterrent)
- Independent Oversight: Data Protection Board for enforcement and grievance redressal
Challenges Ahead:
- Implementation complexity (hospitals need to upgrade IT infrastructure)
- Cost of compliance (especially for small clinics and individual practitioners)
- Balancing data protection with data utility (for research, public health, AI/ML)
- Awaiting Rules for full regulatory clarity
Way Forward:
With ABDM providing technical infrastructure and DPDP Act providing legal framework, India is poised to build a world-class digital health ecosystem that respects patient privacy while enabling innovation and improved healthcare delivery.
Healthcare stakeholders must proactively embrace data protection as not just legal obligation, but fundamental patient right and competitive advantage in the digital age.
References & Resources
Statutes and Policies:
- Digital Personal Data Protection Act, 2023
- Information Technology Act, 2000
- Ayushman Bharat Digital Mission Framework
- Telemedicine Practice Guidelines, 2020
Official Resources:
- Ministry of Electronics & IT: https://www.meity.gov.in
- Ayushman Bharat Digital Mission: https://abdm.gov.in
- National Health Authority: https://nha.gov.in
- Data Protection Board of India: (to be established)
International Standards:
- ISO 27001 (Information Security Management)
- HL7 FHIR (Fast Healthcare Interoperability Resources)
- HIPAA (Health Insurance Portability and Accountability Act, USA)
- GDPR (General Data Protection Regulation, EU)