Sunday, December 14, 2025

UDLCO CRH: Getting the DPDP act together into a regular WhatsApp driven workflow and avoiding DPDP induced dapadapi

Summary:

The conversation revolves around the Digital Personal Data Protection (DPDP) Act in India and its implications for healthcare, particularly regarding the use of WhatsApp for sharing patient data. The discussion highlights concerns about data security, patient confidentiality and the need for compliance with the DPDP Act. Participants share experiences, suggestions and concerns about implementing secure practices such as de-identifying patient data at source and obtaining informed consent, and argue for not demonising WhatsApp but treating it as a communication tool that must be handled with good clinical practice.

*Key Words:*

- DPDP Act
- Healthcare data security
- WhatsApp
- Patient confidentiality
- Data protection
- Compliance

Conversational learning transcripts:

[10/12, 20:19]hu1: Looking for someone to talk on DPDP in the upcoming FHIR meet on the 20th. A 30-45 min session on the topic, to spread awareness in the context of digital health and data exchange.


[10/12, 20:30]hu2: My vote would be for @ 👍

He has been an immense help in making us DPDP compliant, and in spite of the initial fear of handling all the seemingly impossible challenges we are now relaxed and have actually started enjoying our regular DPDP consent-taking workflow, after all the help we received from everyone in this group to redesign it as here 👇



[11/12, 08:26]hu3: GDPR Breach in Healthcare

One Wrong Email. One Open Mailing List. Two GDPR Fines in Italy.

In 2025, Italian regulators penalized two healthcare institutions for simple mistakes:
Sending patient data to the wrong email recipient (€18,000 fine)
Using an open email distribution list that exposed patient identities (€8,400 fine)

No hackers. No malware.
Just everyday communication errors — yet serious enough for GDPR penalties.

Read full case: https://lnkd.in/d8dMYrTK


[11/12, 08:35]hu2: It helps to deidentify all data at source. I make it a point regularly to address the patient in a deidentified third person even while talking to the same patient in PM.


[11/12, 08:48]hu4: That breaks the emotional bond. I'd rather hear my mom or Dr saying: ... you are eating too many rasgolas.

If I get an anonymous message saying eating rasgola is harmful to health, I will happily ignore it.

Disclaimer: Being a foodie, I explore the world with my tongue 👅


[11/12, 08:56]hu2: We are only anonymous to our current Orwellian machine systems but otherwise we do humanly recognise each other in our triadic doctor patient agentic relationship 



[11/12, 19:04]hu4: New Aadhaar cards for everyone from December

UIDAI new Aadhaar card redesign.

👉 Major changes in December!
👉 Why is this?
👉 How is it going to be?

Full details…
👇
The Unique Identification Authority of India (UIDAI) is all set to completely redesign the Aadhaar card.

The new Aadhaar card will be released across the country from December.

This new Aadhaar card is being designed with privacy & security as its main objective.

Old Aadhaar vs New Aadhaar — Key Differences

What will the new Aadhaar card look like?
Only:
✔️ Photo
✔️ QR code
will be visible on the card.

These details that were present in the old Aadhaar will no longer be visible
❌ Name
❌ Aadhaar number
❌ Address
❌ Date of birth
❌ Gender
That is, no personal information will be printed on the card.

What is in the QR code?

The QR code in the new Aadhaar will contain…

➡️ Name
➡️ Aadhaar Number
➡️ DOB
➡️ Address
➡️ Gender
➡️ Biometric Verification Data (in encrypted form)
All will be encrypted.

This QR code can be decoded only by
✔️ Government Authorized Scanners
✔️ UIDAI Official Apps
✔️ Verification Devices

Hotels, event managers, offices: no one can view the data by taking a photocopy.

Why has such a big change been made?
According to UIDAI, the purpose of the new Aadhaar redesign is…

🔸 1. Privacy Protection: Currently, hotels, event organizers and private offices take photocopies of Aadhaar and store names, addresses, DOB and Aadhaar numbers. This is a big risk of data leakage. This is impossible in the new Aadhaar.

🔸 2. Stopping Aadhaar data misuse
Thousands of frauds are being committed through Aadhaar photocopies.

Since the new card does not have printed information:

➡️ Data misuse
➡️ Cloning
➡️ Fraud activities
The problems will be reduced significantly.

🔸 3. Upgrade to meet Digital India standards

UIDAI's goal: To make the entire identity system secure, clean and tamper-proof.
The new QR code-based system is designed to meet world-class security standards.

🔻 What will change in the future?

✔️ It is safe to give your Aadhaar card to anyone
Because there are no printed details.

✔️ Even if hotels / gated communities / event entries / banks take a photocopy of your card, none of your personal data will be visible.

✔️ Digital verification only
Data is confirmed by a single QR code scan.

When will the new Aadhaar be available?

➡️ Release from December
➡️ Distribution across the country in phases
➡️ Old Aadhaar will remain valid, but switching to the new Aadhaar may be recommended.

This is the biggest privacy reform in India's digital identity system!
With this decision, UIDAI is entering a new phase in the data security of Indian citizens.

[11/12, 20:07]hu1: Thank you Sir!! @ has graciously agreed.


[12/12, 08:45]hu5: True?


[12/12, 08:48]hu2: Very likely!

The DPDP act needs to get its act together ASAP.

My own data as a current voter in my village near Ramoji film City is available open access here:

@everyone

Image: 

[12/12, 09:00]hu3: WhatsApp is everywhere in healthcare. Doctors forward X-rays, nurses share wound photos, labs push reports, call centres confirm appointments and families receive discharge notes by message. For clinicians this is convenient and immediate. For the law it is chaos.

Using WhatsApp to handle patient information may seem practical, but it is structurally unsafe, legally fragile, and now potentially ruinous under India’s Digital Personal Data Protection regime. What frontline staff treat as routine will be treated by regulators as unlawful processing, avoidable negligence, and in many cases an offence that invites crippling penalties and public naming.

This is not alarmism. It is a warning based on how global regulators and law are already treating instant messaging in clinical practice. This article explains how and why this practice must stop, what can happen if it continues, and how to replace WhatsApp with lawful, practical alternatives.

Read full article: https://lnkd.in/dbPG7HTQ


[12/12, 09:31]hu2: Modified short, urgent checklist to implement this week from the full article here: https://lnkd.in/dbPG7HTQ

For your comments @

1) Issue an immediate moratorium on sharing identifiable patient data on personal WhatsApp accounts.

Modified addendum: Ensure that all patient data is deidentified and signed informed consent is gathered before sharing, using a form that can be downloaded here: https://userdrivenhealthcare.blogspot.com/2025/10/pajr-consent-form-modified-for-dpdp.html?m=1

2) Identify an approved secure messaging platform and begin rapid roll-out to all clinical teams.

Addendum caveat: WhatsApp is a communication platform, and all communication platforms are unsafe and hackable as long as we keep freely sharing sensitive personal or patient data there. What is more important and urgent is to initiate the roll-out of good clinical practices in obtaining signed informed consent and deidentifying data before engaging through any communication interface.

3) Provide work phones or configure enterprise containers so data is separable and remotely wipeable.

Addendum caveat: That's a huge investment, with lots of market players and hardware and software sellers likely to profit, which makes it a difficult proposition.

4) Update consent forms and patient communication preferences to record if any patients insist on non-standard channels. Document every such request.

Addendum: Make this a routine workflow regardless of which end the request originates from. For most humans privacy is a trade-off to benefit from transparency and accountability!

5) Audit the last three months of messaging flows for incidents and prepare breach notifications if required.

Very important: any takers to audit our deidentified consented data for any identifiable breaches here? https://pajrcasereporter.blogspot.com/?m=1

Potential paper: @

6) Require processor agreements, audit rights and deletion clauses from any third-party messaging or automation vendor.

Refer to Addendum caveats 2 and 3.

7) Train clinicians and managers on legal risks and report any policy breaches immediately.

Absolutely necessary as a part of the regular workflow.


[12/12, 09:39]hu10: Any good recommendations of low cost alternatives to WhatsApp for clinical customer notes?

[12/12, 09:41]hu11: Great question and leverage of community! Members should really ask what tools others are leveraging and how it is going, the good and the not so good etc!

[12/12, 09:42]hu12: Signal

[12/12, 09:43]hu13: Arattai.


[12/12, 09:54]hu14: Need more details. WhatsApp helps multiple people communicate.  You could try my Google Doc and Shared folder option. A document is primarily better for clinical documentation while WhatsApp will give you a bunch of messages.

[12/12, 10:34]hu10: This is not prescription related

[12/12, 10:38]hu10: The issue is a lot of hospitals with clinicians share case studies over WhatsApp where they are stumped (or want to share good news) to internal groups of clinicians and experts (including HoDs). Most are anonymised poorly, e.g. name and ID scribbled over. We want to reduce the risks to all parties (including the institutions).

I am the Chairperson of AHPI's Digital Committee - so this is likely to get significant uptake


[12/12, 10:41]hu14: Great. Since the comms is internal, maybe they will be better off with Teams. An organisation-level communication system. Even better would be a similar comms channel integrated with their EMR system.

[12/12, 10:41]hu14: WhatsApp wins due to its simplicity and almost ubiquitous presence. But what is the security, and how easy is it to tie up relevant info?

[12/12, 10:46]hu14: Key point is WhatsApp based exchange has no restriction. Soon the record can be floating in the general WhatsApp universe. How does one stop that

[12/12, 10:50]hu2: [reposts the 09:31 checklist above, for comments]


[12/12, 10:03]hu3: Ah, governments interfering with free markets! Didn't expect to see that.

As long as two parties are consenting with full volition - the only purpose of the government is to honor the contract agreed by those 2 parties.

'structurally unsafe and legally fragile' are hollow words and sound very LLM written to me.


[12/12, 10:54]hu2: Security lies in the user's desire for security. Think of how humans have solved their security and privacy issues throughout evolution! Their first step toward this was to get a room (tree house or cave) and cover themselves with earthly materials distinct from their other animal peers who were okay to remain naked!


[12/12, 10:55]hu3: In this case, also the patient's desire. The user is talking about the patient.


[12/12, 12:43]hu4: I think WhatsApp can still be used with explicit consent from the patient asking the provider to send information by WhatsApp. A consent needs to be drafted for *the proposed way out* from the clutches of DPDP..!!

[12/12, 13:05]hu2: We have already shared the link to our drafted consent form that we are using regularly, but I'm sharing it here again for further inputs 👇



[12/12, 13:14]hu2: Think of identifiable potent patient data as these left over atracurium vials! 👇

⚖️ MEDICOLEGAL CASE STUDY 💉🩸📿

*“Atracurium Injection Tragedy: Chain of Negligence Leading to Two Deaths”* – Unsecured Anaesthetic Drug → Diversion → Two Deaths. *Neurosurgeon with 4 others booked for negligence*


1. Background 🩺💉

- Two adults found dead in an autorickshaw after self-injecting atracurium 25 mg, a powerful anaesthetic muscle relaxant.
- A third person survived with dizziness.
- Police traced the drug back to a hospital OT, where leftover vials were not secured after surgery.

2. Key Facts 📌
- Hospital purchased 25 vials for neurosurgery. Only 4 vials used; remaining vials were left unattended in OT.
- A staff member stole the vials due to easy access.
- Stolen vials were illegally sold in the local drug network.
- Three individuals injected themselves → 2 deaths due to respiratory paralysis.

3. Negligence Identified ⚠️
A. Hospital / Doctor-Related
- Lack of secure storage for controlled anaesthetic drugs.
- No drug register, inventory log, or pharmacy billing.
- Untrained personnel had free access to OT drugs.
- No post-procedure drug reconciliation (used vs. unused vs. returned).

B. Staff-Related 👨‍🔧
- Theft of vials due to poor supervision.
- Illegal distribution and street-level drug misuse.

4. Legal Implications ⚖️🚨
- IPC 304 – Culpable homicide (negligence enabling death).
- Drugs & Cosmetics Act – Improper storage, no documentation, diversion of controlled drug.
- Hospital vicarious liability – Failure in governance & supervision.
- NMC professional misconduct – Unsafe drug handling practices.

5. Medicolegal Analysis 🧐
- Even though the injections were taken outside the hospital, the chain of causation began with:

👉 Unsecured drugs inside the OT
This foreseeable risk makes it gross negligence of omission.

6. TAKE-HOME MEDICOLEGAL MESSAGES 🧠💡
✔ Secure Anaesthetic & Critical Drugs 🔐
- Double-lock storage
- Limited key access
- Authorised staff only

✔ No Unused Vials Left in OT 🚫💉
- Return immediately to pharmacy
- Document received–used–returned–wasted

✔ Restrict Access 👮‍♀️
- Ward boys / cleaners must never access drugs
- Controlled drug cupboards under CCTV

✔ Maintain Proper Records 📑
- Drug issue–return register
- Pharmacy indent & billing
- OT logbook
- Daily reconciliation

✔ Criminal Liability Is Real 🚔
- Hospital negligence → drug theft → misuse → death = Charges against doctor, staff, and hospital administration

🔎 One-Line Summary 🩺
“A drug left unsecured in OT can become a death outside the hospital — and a criminal case against you.”

🩺⚖️ Dr.
Medicolegal Consultant
Nashik


[12/12, 16:30]hu5: Hospital Management needs to learn from this street vendor... what is enough!


[12/12, 16:37]hu2: Hospital management or the owners don't have an alternate source of revenue but hospital employees who get enough salary do continue to go out of their way regularly to provide neem juice services to their patients

[13/12, 07:50]hu6: What will tweaking DPDPA help? The rules and guidelines can be given. However, if they aren't implemented, the consequences are all out there for all to witness.

[13/12, 07:51]hu7: Isn't DPDP bad enough with an axe of 250 crore on our Dr's neck?

[13/12, 07:52]hu6: The axe will fall only if folks wilfully disregard the provisions. Like using WhatsApp like mad.


[13/12, 07:53]hu7: Even without it the Act is draconian. A true case of throwing the baby out with the bath water.


[13/12, 07:58]hu7: They set out to kill the big shots and ended up setting the jungle on fire.

[13/12, 07:59]hu6: _Au contraire mon ami_, it actually is super duper for healthcare. Just follow the rules and there will be that hint of spring in the air as the gentle fragrances of newly bloomed flowers wafts through the air like a zephyr to calm our souls and delight our hearts.

[13/12, 08:02]hu7: À la Silence of the Lambs? We go willingly to the slaughterhouse, bobbing our heads.

Nay sire. DPDP 2023 is unfit for Healthcare. And Education.

Needs to be chopped up and redone. One size cannot fit all. Never.


[13/12, 08:03]hu6: Perhaps you can justify your statement?

[13/12, 08:07]hu7: Start with the penalty. In my A&E I am not 100% sure of even the straightforward cases. Leave alone the red herrings.

How does one practise medicine? With a knife held to the neck.


[13/12, 08:17]hu2: One just needs to be careful to pick up the leftover atracurium vials, that's all 👍

[13/12, 08:24]hu6: The act makes it explicit. Wilful disregard, non-reporting of breaches. If due care is exercised, ABDM Compliance with robust security features implemented, then no penalty. Yes, there is a good possibility that there will be legal challenges, but adherents will remain unmolested. Unjustified fear is not good. And note that the act makes it legal to use data for research provided one takes consent. In the absence of consent, anonymised data can be used. I would not recommend it as there is always a chance that someone will find all sorts of legal contortions to try prove that the data principal intended otherwise.

[13/12, 08:49]hu2: Unmolested! 😅

[13/12, 09:07]hu7: Are you responding to the earlier chain on atracurium?

[13/12, 09:09]hu7: You caught it right.

[13/12, 09:10]hu2: I would also suggest a few more members from this community here for your DPDP meeting on the 20th. I'm sure you would have approached many of them already.

@ @ @ who will bring effective triangulation on this topic to the table.

Popular speakers such as @ @ also come to mind.

@ can bring mainstream medicine expertise from his current NHS and his past India experience.

@ can bring her global experience of grounded research around usage models.

@ is a very young and amazing person who brings years of maturity to the table with astounding insights born out of his grounded regular immersion in hospitals for his start-up.

@, a PhD in law, has been instrumental in designing DPDP consent forms and would bring a lot of value.

@, a young mainstream medicine specialist with an interest in informatics, is the right person who will grow into your panel.

I'm sure you have asked @ who is the most balanced global mentor on DPDP available.

[13/12, 09:10]hu2: The left over chain

[13/12, 09:12]hu7: SBB and I were 🤺 on DPDP - dapidapi

[13/12, 09:12]hu2: In Bengali it's called dapadapi! 😅


[13/12, 09:14]hu7: Dapi in Tamil = small container. It is also a derogatory word for silly


[13/12, 09:15]hu2: 👆 the emoji that you have shared here is all about a swordsman doing dapa dapi in Bengali


[13/12, 09:21]hu7: Sword fight?


[13/12, 09:26]hu8: The DPDP ACT & THE 250 Crore bomb

It is one more case of lack of coordination in policy pronouncements and Acts. 

There are no coordinated steps taken from the health ministry, NABH, NMC, MeITY to build awareness and capabilities of addressing the DPDP act's smooth implementation in healthcare. 

I see more fear mongering from so-called experts. 

When the EMR implementation rate in Indian hospitals is 10 percent (as per a FICCI study), the whole scare-mongering will push back the much-needed Digital Health mission in India.

How will every doctor in cities, towns and villages be tracked? 

Like the truckers' strike against the draconian laws, which compelled the government to roll back the law a couple of years ago.

Patient Data Safety is important, but how to build awareness, capabilities and capacities in Indian healthcare is the moot question. 

We are seeing only one red flag - 250 crore fine. 

Such poorly thought-out acts should not become tools of harassment for the medical fraternity.

Equally important, the healthcare community also needs to raise itself by being ready for the DPDP ACT and not be caught unaware, as far as possible.

Shortcuts won't help us

The DPDP implementation and Execution - Keep watching this space


[13/12, 09:26]hu2: AI to the rescue:

"দাপাদাপি" (dapadapi) in Bengali means noisy running around, romping, bustling, or showing off/bullying with authority, often involving loud footsteps or a show of dominance, like children playing wildly or a powerful person acting imperiously. It conveys a sense of energetic, sometimes disruptive, presence or a repeated display of power.


[13/12, 09:31]hu2: Will be posting more from deidentified healthcare institutional grounds and different physician groups on the amount of dapadapi disruption DPDP has currently created, which is much more than accidentally disturbing wild bee hives, but in the end, as @SBB said, one can look forward to beneficial outcomes.


[13/12, 09:32]hu7: Oh man. You've sobered me up.

[13/12, 09:32]hu7: I thought we were like bulls in a Spanish ring


[13/12, 09:33]hu8: The act per se is not wrong. 

The implementation and Execution challenges for the stakeholders ( medical fraternity) are a big challenge.


[13/12, 09:33]hu2: Bulls in a Spanish ring fighting each other would be labeled in Bengali as doing dapadapi


[13/12, 09:33]hu2: The end will come after acceptance comes to an end. Isn't it?


[13/12, 09:34]hu2: And I'm sure we shall all rise to the challenge

[13/12, 09:34]hu2: Yes end is always after dapadapi ends and everyone relaxes and goes to sleep

[13/12, 09:35]hu7: Those of us on ground know what a losing battle we fight when it comes to eHealth.

This is one more lodestone round my neck now.


[13/12, 09:35]hu7: Always look for opportunities. Problems are omnipresent. Finding avenues to effectively address them is the real trick. The entire profession of law is built around it.


[13/12, 09:36]hu7: Who in their right mind will come up with such a fine?

[13/12, 09:36]hu7: Aha..so we remain heroes


[13/12, 09:37]hu6: Those who can do, do. The rest fret, howl, shriek.


[13/12, 09:38]hu7: I am not so confident, being the doubting Thomas having been beaten up black and blue by loving customers.


[13/12, 09:39]hu7: Like the Anbe Sivam dialogue: 2to2to2




[13/12, 09:42]hu2: Golden words of wisdom 👍👍


[13/12, 09:42]hu2: Translating again in Bengali:

Those who can do DPDP do DPDP.

The rest do dapadapi!


[13/12, 09:43]hu7: Had a good dapadapi yesterday night with one of your students. In the end we smoked the peace pipe.


[13/12, 09:43]hu7: You are in full-on weekend mood.


[13/12, 09:44]hu2: With a busy OPD to boot


[13/12, 09:45]hu2: Lucky to have all the physical healthcare dapadapi done by our students while I take care of the WhatsApp dapadapi front.




*Thematic Analysis:*


1. *DPDP Act and Healthcare:* The conversation emphasizes the importance of understanding and complying with the DPDP Act in healthcare settings to protect patient data.

2. *Data Security Concerns:* Participants express concerns about the risks associated with sharing patient data on WhatsApp and the need for secure alternatives.

3. *Compliance and Implementation:* The discussion highlights the challenges of implementing DPDP compliance in healthcare, including obtaining informed consent, deidentifying patient data, and training staff.

4. *Alternatives to WhatsApp:* Participants suggest exploring alternative secure messaging platforms, such as Signal or Teams, to ensure compliance with the DPDP Act.

5. *Awareness and Education:* The conversation emphasizes the need for awareness and education among healthcare professionals about the DPDP Act and its implications for their practice.
