Sector-wise readiness
Healthcare: what applies on day one, and what does not
One misconception I keep seeing when healthcare startups read DPDP checklists: they assume every box applies from day one. It does not.
A clinic management app on its first 500 patients is not expected to operate like Apollo Hospitals. A two-doctor telehealth startup does not need every compliance product a hospital chain buys. A sector map is a superset, not a launch checklist.
What applies from the start, whatever your size
- ✅ Notice
- ✅ Consent and easy withdrawal
- ✅ Security safeguards (encryption, access control, audit logs on health records)
- ✅ Rights handling
- ✅ Grievance mechanism
- ✅ Processor contracts, including overseas cloud, transcription and tele-reporting vendors
- ✅ Breach response
What may not apply to you yet
- ❌ SDF obligations. These switch on only if the Central Government notifies you as a Significant Data Fiduciary (SDF). Sensitive health data and high-volume processing make large chains candidates to assess, but size alone does not make you an SDF.
- ❌ Annual DPIAs
- ❌ Independent audits
- ❌ Dedicated DPO
- ❌ Enterprise-grade tooling
Two things healthcare founders consistently get wrong
The child health exemption is narrow. It covers providing health services to a child to the extent necessary for their health. Marketing, analytics or research on a child's health data falls outside it.
Erasure and medical record law pull in opposite directions. DPDP says erase when the purpose ends. Clinical record retention duties say keep. You need a documented reconciliation, not a guess.
The better question
The better question is not "does healthcare have this requirement?"
It is "have I actually triggered this requirement?"
Law creates obligations. Scale and risk influence implementation. Confusing the two is how health startups spend on tools they do not need while missing the basics.
Which obligation do you see health startups over-implementing most? Drop it in the comments.