India's Digital Personal Data Protection Act (DPDP) 2023 sets explicit rules for how clinic patient data must be handled.
The non-negotiable checklist
- India-hosted: data residency in Indian data centres. Cross-border storage is allowed only for whitelisted countries — most clinic software vendors don't qualify.
- Encryption at rest: 256-bit AES is the modern minimum.
- Encryption in transit: TLS 1.2 or higher between client and server.
- Consent capture: patient must opt in to data collection at first visit, with the opt-in record stored.
- Right to export: clinic must be able to download all patient data in a standard format (CSV/JSON) on demand.
- Right to delete: clinic must be able to delete a specific patient's record on request.
- Audit log: every access to patient data should be logged with timestamp and user.
Red flags that signal non-compliance
- Vendor can't tell you where the database physically lives.
- "Data export" requires writing to support and waiting days.
- No consent dialog at patient registration.
- Patient data treated as a marketing asset of the platform.
- No incident response or breach notification policy.
Why this matters now
DPDP penalties for healthcare data breaches reach ₹250 crore. Beyond the fine, a clinic loses patient trust permanently. The compliance lift is small but the downside is asymmetric.
Vaidya OS is DPDP-compliant by design: India-hosted, 256-bit encryption, full CSV export, audit logs, HIPAA-aligned architecture.