Summary: Aftermath of the DPDP Act implementation news seeping into institutions:
Sample pan-India institutional health administration notices (deidentified)
[12/12, 13:18]: Department of Biochemistry official group deleted sir.
[12/12, 13:25]: Good afternoon sir Department of Pathology official group deleted
[12/12, 13:29]: Good afternoon sir. Microbiology department whatsapp group deleted.
[12/12, 13:33]: Good afternoon sir. DVL department whatsapp group deleted.
[12/12, 14:18]: Physiology department faculty WhatsApp group dissolved.
[12/12, 14:49]: Good afternoon sir. Forensic Medicine department whatsapp group deleted.
[12/12, 16:00]: Anaesthesia group deleted
[12/12, 17:32]: Good evening sir. We don't have PG faculty group or any UG faculty group. We had only ENT faculty group. We deleted that today sir. Thank you
Department of ENT
[12/12, 19:34]: Ophthalmology WhatsApp group deleted sir
Other groups:
[12/12, 20:42]hu1: Deidentified Foundation
Welcomes you on a webinar on
Doctor’s ... Special on DPDP Act & Medical AI Compliance
on 12th Dec 2025 at 9 pm to 10.30 pm
Delegate Registration and Joining Link
[13/12, 08:09]hu3: It was a wonderful session.. Eye opener ..
New laws, its additional compliance, complexity involving day to day simple data handling at routine consultation, more legal burden on clinician, more requirements in documentation, additional data security liability, and more and more cost all looks like scary future, especially when we are shifting to digital practice.
But it's inevitable, we have to at least know the laws perfectly and start implementing, for betterment of society at large.
Can we get the recording please, it will be very helpful.
Big thanks to *deidentified*
[13/12, 08:22]hu2: Here's a modified short, urgent DPDP checklist to implement in every physician workflow that has been modified from the full article shared yesterday here in another group: https://lnkd.in/dbPG7HTQ
1) Issue an immediate moratorium on sharing identifiable patient data on personal WhatsApp accounts.
Modified addendum: Ensure that all patient data is deidentified and signed informed consent is gathered before sharing from a form that can be downloaded here: https://userdrivenhealthcare.blogspot.com/2025/10/pajr-consent-form-modified-for-dpdp.html?m=1
2) Identify approved secure messaging platform and begin rapid roll-out to all clinical teams.
Addendum caveat: WhatsApp is a communication platform and all communication platforms are unsafe and hackable as long as we keep freely sharing sensitive personal or patient data there. What is more important and urgent is to initiate roll out good clinical practices in obtaining signed informed consent and data deidentification before engaging through any communication interface.
3) Provide work phones or configure enterprise containers so data is separable and remotely wipe-able.
Addendum caveat: That's a huge investment with lots of market players and hardware and software sellers likely to profit that makes it a difficult proposition
3) Update consent forms and patient communication preferences to record if any patients insist on non-standard channels.
Document every such request.
Addendum: Make this a routine workflow regardless of which end the request originates. For most humans privacy is a trade off to benefit from transparency and accountability!
4) Audit last three months of messaging flows for incidents and prepare breach notifications if required.
Very important: any takers to audit our deidentified consented data for any identifiable breaches here?: https://pajrcasereporter.blogspot.com/?m=1
Require processor agreements, audit rights and deletion clauses from any third-party messaging or automation vendor.
Refer Addendum caveat 2 and 3:
Train clinicians and managers on legal risks and report any policy breaches immediately.
Absolutely necessary as a part of the regular workflow
[13/12, 08:32]hu4: The webinar explains how the Digital Personal Data Protection (DPDP) Act tightens rules on collecting, using, and sharing health data in India while still allowing well-governed use for care, research, and public health.
*What counts as health data*
• Health records, diagnostics, prescriptions, insurance info, app-generated vitals
• Treated as sensitive data
• Anything beyond direct care needs a clear legal basis and usually explicit consent
*Key duties for healthcare entities*
• Hospitals, clinics, labs, TPAs, insurers, health-tech firms act as data fiduciaries
• Need strong privacy design, security, breach reporting, and purpose limits
• Must give clear notices, take and record consent, allow withdrawal, and support access, correction, and deletion
*Impact on daily workflow*
• Registration, OPD/IPD, labs, teleconsults, discharge all need consent and purpose clarity
• Staff training needed to stop sharing reports via WhatsApp, email, or unsecured drives
• Standard processes needed for sharing reports, images, and referrals
*Research, AI, and secondary use*
• Allowed for research and public interest if data is de-identified and governed well
• AI training, registries, and analytics need ethics checks and strong safeguards
• Commercial reuse needs granular consent, opt-outs, and full transparency
*Patient rights and provider risks*
• Patients can ask how their data is used, request correction or deletion, or complain to the Board
• Breaches, unlawful sharing, poor consent records, or ignoring requests can trigger heavy penalties and reputational harm
*Source:* https://www.youtube.com/live/7sb8Qk6Pj8s
[13/12, 08:33]hu4: Another useful webinar conducted by FICCI on the same topic that I attended recently, they are planning an entire further deep dive series on this I guess
[13/12, 08:33]hu3: Immediate fallout will be our WhatsApp groups involving residents, care coordinator and nursing staff.
Like we have a chest pain triage group where in our ER residents post clinical information and ECG, lab reports for expert opinion from cardiologist and intensivist. Later if patient referred to particular cardiologist, referral letter is shared with cardiologist as well their hospital ER, coordinator so that cathlab is mobilized and by the time patient reaches, including precath investigation are ready, and taken for primary angioplasty will be done without any delay.
It will be difficult to hide patient details in lab reports, referral letters, at the same time it may lead to errors if anonymity done.
How do we go further .. any other compliant platform available
[13/12, 08:36]hu3: May be doctors only to envision and start a platform where in patient identity will be masked automatically and so sharing the data becomes safe..
Big brothers to look into this
[13/12, 08:38]hu2: The solution is to train everyone in existing groups on good clinical practices in data handling by training on how to obtain consent and for those who can't read and write, how to obtain video consent and then how to deidentify all patient data even at the point of data capture as per HIPAA guidelines. We have been doing this for a decade long before DPDP etc
[13/12, 08:42]hu3: Wonderful Sir..
We are still naive in this field.
Will like to have some structured practical program or course on this issue. Especially getting digital consent and deidentify the data.
If any reference or article will be very helpful.
[13/12, 09:14]hu2: Here could be a starting point
