India's regulatory framework for clinic WhatsApp communication has two clear lanes.
Lane 1: Transactional (no explicit opt-in needed)
These are directly tied to the service relationship and are pre-permitted:
- Appointment reminders for booked slots.
- Prescription delivery as PDF.
- Test report sharing.
- Follow-up reminders for return visits the doctor told the patient to schedule.
- Payment receipts and invoices.
Lane 2: Marketing (explicit opt-in required)
These require a checkbox at registration or a double-opt-in:
- Recall campaigns to lapsed patients beyond 6 months.
- Festival greetings and promotions.
- New service announcements.
- Health tips and newsletters.
Best-practice opt-in language at registration: "I consent to receive appointment reminders and clinic updates via WhatsApp."
Hard rules under DPDP Act 2023
- Patient phone numbers are personal data — must be encrypted at rest and in transit.
- Numbers may not be shared with third parties without explicit consent.
- Patient must have a clear opt-out path; one tap, no friction.
- Bulk blasts via unapproved tools are not just risky for compliance — they get the sending number banned by Meta.
What gets clinics in trouble
- Bulk-blasting a list bought from a third party.
- Sending marketing without opt-in.
- Using personal WhatsApp instead of business-verified.
- No opt-out instruction in messages.
Vaidya OS handles transactional and marketing flows separately, with consent capture and opt-out built in.