UDLCO CRH: Getting the DPDP act together into a regular WhatsApp driven workflow and avoiding DPDP induced dapadapi

 Summary:

The conversation revolves around the Digital Personal Data Protection (DPDP) Act in India and its implications on healthcare, particularly regarding the use of WhatsApp for sharing patient data. The discussion highlights concerns about data security, patient confidentiality, and the need for compliance with the DPDP Act. Participants share experiences, suggestions, and concerns about implementing secure practices, such as de-identifying patient data, obtaining informed consent, and not demonising WhatsApp but treating it as a communication tool that needs to be handled with good clinical practice such as data deidentification at source.

*Key Words:*

- DPDP Act

- Healthcare data security

- WhatsApp

- Patient confidentiality

- Data protection

- Compliance

Conversational learning Transcripts:

[10/12, 20:15]hu1: https://www.linkedin.com/posts/kumarsatyam_fhir-fhirindia-interopearbility-activity-7404222163341488128-qpTP

[10/12, 20:19]hu1: Looking for someone to  talk on DPDP in the upcoming fhir meet on 20th. A 30-45 min session on the topic, to spread awareness in context of digita health and data exchange.

[10/12, 20:30]hu2: My vote would be for @⁨⁩ 👏

He has been an immense help in helping to make us DPDP compliant and inspite of the initial fear of handling all the seemingly impossible challenges we are now relaxed and actually have started enjoying our DPDP consent taking regular workflow after all the help we received from everyone in this group to redesign it as here 👇

https://userdrivenhealthcare.blogspot.com/2025/10/pajr-consent-form-modified-for-dpdp.html?m=1

[11/12, 08:26]hu3: GDPR Breach in Healthcare

One Wrong Email. One Open Mailing List. Two GDPR Fines in Italy.

In 2025, Italian regulators penalized two healthcare institutions for simple mistakes:

Sending patient data to the wrong email recipient (€18,000 fine)

Using an open email distribution list that exposed patient identities (€8,400 fine)

No hackers. No malware.

Just everyday communication errors — yet serious enough for GDPR penalties.

Read full case: https://lnkd.in/d8dMYrTK

[11/12, 08:35]hu2: It helps to deidentify all data at source. I make it a point regularly to address the patient in a deidentified third person even while talking to the same patient in pm

[11/12, 08:48]hu4: That breaks emotional bond. I rather hear from my mom or Dr saying: ... you are eating too many rasgolas.

If I get anonymous message saying eating rasgola is harmful to health. I will happily ignore it.

Disclaimer: Being a foodie I explore world with tongue 👅

[11/12, 08:56]hu2: We are only anonymous to our current Orwellian machine systems but otherwise we do humanly recognise each other in our triadic doctor patient agentic relationship 

https://userdrivenhealthcare.blogspot.com/2025/12/udlco-crh-harnessing-agentic-ai-into.html?m=1

[11/12, 19:04]hu4: New Aadhaar cards for everyone from December

UIDAI new Aadhaar card redesign.

👉Major changes in December!

👉Why is this?

👉How is it going to be?

Full details…

👇

The Unique Identification Authority of India (UIDAI) is all set to completely redesign the Aadhaar card..

The new Aadhaar card will be released across the country from December.

This new Aadhaar card is being designed with privacy & security as its main objective.

Old Aadhaar vs New Aadhaar — Key Differences

What will the new Aadhaar card look like?

Only:

✔️ Photo

✔️ QR code

will be visible on the card.

These details that were present in the old Aadhaar will no longer be visible

❌ Name

❌ Aadhaar number

❌ Address

❌ Date of birth

❌ Gender

That is, no personal information will be printed on the card.

What is in the QR code?

The QR code in the new Aadhaar will contain…

➡️ Name

➡️ Aadhaar Number

➡️ DOB

➡️ Address

➡️ Gender

➡️ Biometric Verification Data (in encrypted form)

All will be encrypted.

This QR code can be decoded only by

✔️ Government Authorized Scanners

✔️ UIDAI Official Apps

✔️ Verification Devices

.

Hotels, Event Managers, Offices, anyone cannot view the data by taking a photocopy.

Why such a big change has been made?

According to UIDAI, the purpose of the new Aadhaar redesign is…

🔸 1. Privacy Protection: Currently, hotels, event organizers, private offices— take photocopies of Aadhaar and store names, addresses, DOB, Aadhaar numbers. This is a big risk of data leakage. This is impossible in the new Aadhaar.

🔸 2. Stopping Aadhaar data misuse

Thousands of frauds are being committed through Aadhaar photocopies.

Since the new card does not have printed information:

➡️ Data misuse

➡️ Cloning

➡️ Fraud activities

The problems will be reduced significantly.

🔸 3. Upgrade to meet Digital India standards

UIDAI's goal: To make the entire identity system secure, clean and tamper-proof.

The new QR code-based system is designed to meet world-class security standards.

🔻 What will change in the future?

✔️ It is safe to give Aadhaar card to anyone

Because there are no printed details.

✔️ Even if hotels / gated communities / event entries / banks take a photocopy of your card —

. None of your personal data will be visible.

✔️ Digital verification only

Data is confirmed by a single QR code scan.

When will the new Aadhaar be available?

➡️ Release from December

➡️ Distribution across the country in phases

➡️ Old Aadhaar will remain valid, but it is possible to recommend switching to the new Aadhaar.

This is the biggest privacy reform in India's digital identity system!

With this decision, UIDAI is entering a new phase in the data security of Indian citizens.

[11/12, 20:07]hu1: Thank you Sir!! @⁨has graciously agreed.

[12/12, 08:45]hu5: https://watcher.guru/news/indias-digital-id-crumbles-as-815m-aadhaar-records-listed-for-80k

[12/12, 08:45]hu5: True?

[12/12, 08:48]hu2: Very likely!

The DPDP act needs to get it's act together ASAP.

My own data as a current voter in my village near Ramoji film City is available open access here:

 https://finalgprolls.tsec.gov.in/gpwardwisevoterlistrural1.do

@everyone

Image: 

[12/12, 09:00]hu3: WhatsApp is everywhere in healthcare. Doctors forward X rays, nurses share wound photos, labs push reports, call centres confirm appointments and families receive discharge notes by message. For clinicians this is convenient and immediate. For the law it is chaos.

Using WhatsApp to handle patient information may seem practical, but it is structurally unsafe, legally fragile, and now potentially ruinous under India’s Digital Personal Data Protection regime. What frontline staff treat as routine will be treated by regulators as unlawful processing, avoidable negligence, and in many cases an offence that invites crippling penalties and public naming.

This is not alarmism. It is a warning based on how global regulators and law are already treating instant messaging in clinical practice. This article explains how and why this practice must stop, what can happen if it continues, and how to replace WhatsApp with lawful, practical alternatives.

Read full article: https://lnkd.in/dbPG7HTQ

[12/12, 09:31]hu2: Modified  short, urgent checklist to implement this week from the full article here:https://lnkd.in/dbPG7HTQ

For your comments @

1) Issue an immediate moratorium on sharing identifiable patient data on personal WhatsApp accounts. 

Modified addendum: Ensure that all patient data is deidentified and signed informed consent is gathered before sharing from a form that can be downloaded here: https://userdrivenhealthcare.blogspot.com/2025/10/pajr-consent-form-modified-for-dpdp.html?m=1

2) 

Identify approved secure messaging platform and begin rapid roll-out to all clinical teams.

Addendum caveat: WhatsApp is a communication platform and all communication platforms are unsafe and hackable as long as we keep freely sharing sensitive personal or patient data there. What is more important and urgent is to initiate roll out good clinical practices in obtaining signed informed consent and data deidentification before engaging through any communication interface.

3) Provide work phones or configure enterprise containers so data is separable and remotely wipe-able.

Addendum caveat: That's a huge investment with lots of market players and hardware and software sellers likely to profit that makes it a difficult proposition 

3) Update consent forms and patient communication preferences to record if any patients insist on non-standard channels.

Document every such request.

Addendum: Make this a routine workflow regardless of which end the request originates. For most humans privacy is a trade off to benefit from transparency and accountability!

4) Audit last three months of messaging flows for incidents and prepare breach notifications if required.

Very important: any takers to audit our deidentified consented data for any identifiable breaches here? : https://pajrcasereporter.blogspot.com/?m=1

Potential paper: @

Require processor agreements, audit rights and deletion clauses from any third-party messaging or automation vendor.

Refer Addendum caveat 2 and 3:

Train clinicians and managers on legal risks and report any policy breaches immediately.

Absolutely necessary as a part of the regular workflow

[12/12, 09:39]hu10: Any good recommendations of low cost alternatives to WhatsApp for clinical customer notes?

[12/12, 09:41]hu11: Great question and leverage of community! Members should really ask what tools others are leveraging and how it is going, the good and the not so good etc!

[12/12, 09:42]hu12: Signal

[12/12, 09:43]hu13: Arattai.

[12/12, 09:54]hu14: Need more details. WhatsApp helps multiple people communicate.  You could try my Google Doc and Shared folder option. A document is primarily better for clinical documentation while WhatsApp will give you a bunch of messages.

[12/12, 10:34]hu10: This is not prescription related

[12/12, 10:38]hu10: The issue is a lot of hospitals with clinicians share case studies over WhatsApp where they are stumped (or want to share good news) to internal groups of clinicians and experts (including HoDs).  Most are anonymised poorly eg name and ID scribbled over.  We want to reduce the risks to all parties (including the institutions).

I am the Chairperson of AHPI's Digital Committee - so this is likely to get significant uptake

[12/12, 10:41]hu14: Great. Since the comms is internal, maybe they will be better off with Teams. An organisation level communication system . Even better would be a similar comms channel integrated with their EMR system.

[12/12, 10:41]hu14: Whatsapp wins due to its simplicity and almost ubiquitous presence. But what is the security, and how easy is it to tie up relevant info

[12/12, 10:46]hu14: Key point is WhatsApp based exchange has no restriction. Soon the record can be floating in the general WhatsApp universe. How does one stop that

[12/12, 10:50]hu2: [12/12, 09:31]: Modified  short, urgent checklist to implement this week from the full article here:https://lnkd.in/dbPG7HTQ

For your comments @⁨

1) Issue an immediate moratorium on sharing identifiable patient data on personal WhatsApp accounts. 

Modified addendum: Ensure that all patient data is deidentified and signed informed consent is gathered before sharing from a form that can be downloaded here:

https://userdrivenhealthcare.blogspot.com/2025/10/pajr-consent-form-modified-for-dpdp.html?m=1

2) Identify approved secure messaging platform and begin rapid roll-out to all clinical teams.

Addendum caveat: 

WhatsApp is a communication platform and all communication platforms are unsafe and hackable as long as we keep freely sharing sensitive personal or patient data there. What is more important and urgent is to initiate roll out good clinical practices in obtaining signed informed consent and data deidentification before engaging through any communication interface.

3) Provide work phones or configure enterprise containers so data is separable and remotely wipe-able.

Addendum caveat: That's a huge investment with lots of market players and hardware and software sellers likely to profit that makes it a difficult proposition 

3) Update consent forms and patient communication preferences to record if any patients insist on non-standard channels.

Document every such request.

Addendum: Make this a routine workflow regardless of which end the request originates. For most humans privacy is a trade off to benefit from transparency and accountability!

4) Audit last three months of messaging flows for incidents and prepare breach notifications if required.

Very important: any takers to audit our deidentified consented data for any identifiable breaches here? : https://pajrcasereporter.blogspot.com/?m=1

Require processor agreements, audit rights and deletion clauses from any third-party messaging or automation vendor.

Refer Addendum caveat 2 and 3:

Train clinicians and managers on legal risks and report any policy breaches immediately.

Absolutely necessary as a part of the regular workflow

[12/12, 10:03]hu3: Ah, governments interfering with free markets! Didn't expect to see that.

As long as two parties are consenting with full volition - the only purpose of the government is to honor the contract agreed by those 2 parties.

'structurally unsafe and legally fragile' are hollow words and sound very LLM written to me.

[12/12, 10:54]hu2: Security lies in the user's desire for security. Think of how humans have solved their security and privacy issues throughout evolution! Their first step toward this was to get a room (tree house or cave) and cover themselves with earthly materials distinct from their other animal peers who were okay to remain naked!

[12/12, 10:55]hu3: In this case ,also the patients desire. The user is talking about the patient .

[12/12, 12:43]hu4: I think WhatsApp can still be used with explicit consent from the patient asking the provider to send information by WhatsApp.  A consent needs to drafted for *the proposed way out* from clutches of DPDP..!!

[12/12, 13:05]hu2: We have already shared the link to our drafted consent form that we are using regularly but I'm sharing it here again for further inputs 👇

https://userdrivenhealthcare.blogspot.com/2025/10/pajr-consent-form-modified-for-dpdp.html?m=1

[12/12, 13:14]hu2: Think of identifiable potent patient data as these left over atracurium vials!👇

⚖️ MEDICOLEGAL CASE STUDY 💉🩸📿

*“Atracurium Injection Tragedy: Chain of Negligence Leading to Two deaths"* “Unsecured Anaesthetic Drug → Diversion → Two Deaths-- *Neurosurgeon with other 4 booked for negligence*

https://youtu.be/EYQQMygiX5Y?si=9FeR5iWp-JW0bjmI

1. Background 🩺💉

- Two adults found dead in an autorickshaw after self-injecting Atranium 25 mg, a powerful anaesthetic muscle relaxant.

- A third person survived with dizziness.

- Police traced the drug back to a hospital OT, where leftover vials were not secured after surgery.

2. Key Facts 📌

- Hospital purchased 25 vials for neurosurgery. Only 4 vials used; remaining vials were left unattended in OT.

- A staff member stole the vials due to easy access.

- Stolen vials were illegally sold in the local drug network.

- Three individuals injected themselves → 2 deaths due to respiratory paralysis.

3. Negligence Identified ⚠️

A. Hospital / Doctor-Related ?

- Lack of secure storage for controlled anaesthetic drugs.

- No drug register, inventory log, or pharmacy billing.

- Untrained personnel had free access to OT drugs.

- No post-procedure drug reconciliation (used vs. unused vs. returned).

B. Staff-Related 👨‍🔧

- Theft of vials due to poor supervision.

- Illegal distribution and street-level drug misuse.

4. Legal Implications ⚖️🚨

- IPC 304 – Culpable homicide (negligence enabling death).

- Drugs & Cosmetics Act – Improper storage, no documentation, diversion of controlled drug.

- Hospital vicarious liability – Failure in governance & supervision.

- NMC professional misconduct – Unsafe drug handling practices.

5. Medicolegal Analysis 🧐

- Even though the injections were taken outside the hospital, the chain of causation began with:

👉 Unsecured drugs inside the OT

This foreseeable risk makes it gross negligence of omission.

6. TAKE-HOME MEDICOLEGAL MESSAGES 🧠💡

✔ Secure Anaesthetic & Critical Drugs 🔐

- Double-lock storage

- Limited key access

- Authorised staff only

✔ No Unused Vials Left in OT 🚫💉

- Return immediately to pharmacy

- Document received–used–returned–wasted

✔ Restrict Access 👮‍♀️

- Ward boys / cleaners must never access drugs

- Controlled drug cupboards under CCTV

✔ Maintain Proper Records 📑

- Drug issue–return register

- Pharmacy indent & billing

- OT logbook

- Daily reconciliation

✔ Criminal Liability Is Real 🚔

- Hospital negligence → drug theft → misuse → death = Charges against doctor, staff, and hospital administration

🔎 One-Line Summary

 🩺

“A drug left unsecured in OT can become a death outside the hospital — and a criminal case against you.”

🩺⚖️Dr.

Medicolegal Consultant

Nashik

[12/12, 16:30]hu5: Hospital Management needs to learn from this street vendor... what is enough!

https://youtube.com/shorts/o7ZJjRqB2_Q?si=oVSdpolxz9bZc1Ws

[12/12, 16:37]hu2: Hospital management or the owners don't have an alternate source of revenue but hospital employees who get enough salary do continue to go out of their way regularly to provide neem juice services to their patients

[13/12, 07:50]hu6: What will tweaking DPDPA help? The rules and guidelines can be given. However, if they aren't implemented, the consequences are all out there for all to witness.

[13/12, 07:51]hu7: Isn't DPDP bad enough with an axe of 250 crore on our Dr neck?

[13/12, 07:52]hu6: The axe will fall only if folks wilfully disregard the provisions. Like using WhatsApp like mad.

[13/12, 07:53]hu7 : Even without it the Act is draconian. True case of throwing baby out with bath water

[13/12, 07:58]hu7: बडॆ लोग को मारने निकले, आघ लगा दी जंगल मे

[13/12, 07:59]hu6: _Au contraire mon ami_, it actually is super duper for healthcare. Just follow the rules and there will be that hint of spring in the air as the gentle fragrances of newly bloomed flowers wafts through the air like a zephyr to calm our souls and delight our hearts.

[13/12, 08:02]hu7: A la silence of the lambs? We go willingly to the slaughter house bobbing our heads.

Nay sire. DPDP2023 is unfit for Healthcare. And Education.

Needs to be chopped up and redone. One size can not fit all. Never

[13/12, 08:03]hu6: Perhaps you can justify your statement?

[13/12, 08:07]hu7: Start with the penalty. In my A&E I am not 100% sure of even the straight forward cases. Leave alone the red herrings.

How does one practise medicine? With a knife held to neck.

[13/12, 08:17]hu2: One just needs to be careful to pick up the leftover atracurium vials that's all 👍

[13/12, 08:24]hu6: The act makes it explicit. Wilful disregard, non-reporting of breaches. If due care is exercised, ABDM Compliance with robust security features implemented, then no penalty. Yes, there is a good possibility that there will be legal challenges, but adherents will remain unmolested. Unjustified fear is not good. And note that the act makes it legal to use data for research provided one takes consent. In the absence of consent, anonymised data can be used. I would not recommend it as there is always a chance that someone will find all sorts of legal contortions to try prove that the data principal intended otherwise.

[13/12, 08:49]hu2: Unmolested! 😅

[13/12, 09:07]hu7: R u responding to the earlier chain on atracurium

[13/12, 09:09]hu7: Sahi pakde

[13/12, 09:10]hu2 : I would also suggest a few more members from this community here for your DPDP meeting on 20th. I'm sure you would have approached many of them already.

@⁨ @⁨ @⁨ who will bring effective triangulation on this topic to the table.

Popular speakers such as @⁨ @⁨ also come to mind.

@⁨ can bring mainstream medicine expertise from his current NHS and his past India experienced 

 @⁨ can bring her global experiences on grounded research around usage models 

 @⁨⁩ is a very young and amazing person who brings years of maturity to the table with astounding insights born out of his grounded regular immersion in hospitals for his start-up 

@ a PhD in law , she has been instrumental in designing DPDP consent forms and would bring a lot of value

@⁨⁩ a young mainstream medicine specialist with an interest in informatics is the right person who will grow into your panel

I'm sure you have asked @⁨⁩ who is the most balanced global mentor on DPDP available

[13/12, 09:10]hu2: The left over chain

[13/12, 09:12]hu7: I and SBB were 🤺 on DPDP - dapidapi

[13/12, 09:12]hu2: In Bengali it's called dapadapi! 😅

[13/12, 09:14]hu7: Dapi in Tamil = small container. It is also a derogatory word for silly

[13/12, 09:15]hu2: 👆the emoji that you have shared here is all about a swordsman doing dapa dapi in Bengali

[13/12, 09:21]hu7: Sword fight?

[13/12, 09:26]hu8: The DPDP ACT & THE 250 Crore bomb

It is one more case of lack of coordination in policy pronouncements and Acts. 

There are no coordinated steps taken from the health ministry, NABH, NMC, MeITY to build awareness and capabilities of addressing the DPDP act's smooth implementation in healthcare. 

I see more fear mongering from so-called experts. 

When the EMR implementation rate in Indian hospitals is 10 percent ( as per FICCI Study), the whole scare-mongering will push back much needed Digital Health mission in India. 

How will every doctor in cities, towns and villages be tracked? 

Like the Truckers strike against the draconian laws; which compelled the government to roll back the law a couple of years ago. 

Patient Data Safety is important, but how to build awareness, capabilities and capacities in Indian healthcare is the moot question. 

We are seeing only one red flag - 250 crore fine. 

Such poorly thought of acts should not become tools of harassment for the medical fraternity.

Equally important, the healthcare community also need to raise itself by being ready for DPDP ACT and not caught unaware as far as possible.

Shortcuts won't help us

The DPDP implementation and Execution - Keep watching this space

[13/12, 09:26]hu2: AI to the rescue:

দাপাদাপি" (dapadapi) in Bengali means noisy running around, romping, bustling, or showing off/bullying with authority, often involving loud footsteps or a show of dominance, like children playing wildly or a powerful person acting imperiously. It conveys a sense of energetic, sometimes disruptive, presence or a repeated display of power.

[13/12, 09:31]hu2: Will be posting more from deidentified healthcare institutional grounds and different physician groups the amount of dapadapi disruption DPDP has currently created which is much more than accidentally disturbing wild bee hives but in the end as @⁨SBB⁩ said one can look forward to beneficial outcomes

[13/12, 09:32]hu7: Oh man. Nasha uthaar dhee

[13/12, 09:32]hu7: I thought we were like bulls in a Spanish ring

[13/12, 09:33]hu8: The act per se is not wrong. 

The implementation and Execution challenges for the stakeholders ( medical fraternity) are a big challenge.

[13/12, 09:33]hu2: Bulls in a Spanish ring fighting each other would be labeled in Bengali as doing dapadapi

[13/12, 09:33]hu2: The end will come after acceptance comes to an end. Hai na

[13/12, 09:34]hu2: And I'm sure we shall all rise to the challenge

[13/12, 09:34]hu2: Yes end is always after dapadapi ends and everyone relaxes and goes to sleep

[13/12, 09:35]hu7: Those of us on ground know what a losing battle we fight when it comes to eHealth.

This is one more loadstone round my neck now

[13/12, 09:35]hu7: Always look for opportunities. Problems are omnipresent. Finding avenues to effectively address them is the real trick. The entire profession of law is built around it.

[13/12, 09:36]hu7: Who in their right mind will come up with such a fine?

[13/12, 09:36]hu7: Aha..so we remain heroes

[13/12, 09:37]hu6: Those who can do, do. The rest fret, howl, shriek.

[13/12, 09:38]hu7: I am not so confident being the doubting thomas having been beaten up black and blue by loving customers

[13/12, 09:39]hu7: Like anbe sivam dialogue: 2to2to2

[13/12, 09:41]hu7: https://youtu.be/VE4mlIurybQ?si=BMLxpOSg6-G5A42y

[13/12, 09:42]hu2: Golden words of wisdom 👏👏

[13/12, 09:42]hu2: Translating again in Bengali:

Those who can do DPDP do DPDP.

The rest do dapadapi!

[13/12, 09:43]hu7: Had a good dapadapi yday night with one of your students. In the end we smoked peace pipe

[13/12, 09:43]hu7: U r full on weekend mood

[13/12, 09:44]hu2: With a busy OPD to boot

[13/12, 09:45]hu2: Lucky to have all the physical healthcare dapadapi done by our students while I take care of the WhatsApp dapadapi front.

*Thematic Analysis:*

1. *DPDP Act and Healthcare:* The conversation emphasizes the importance of understanding and complying with the DPDP Act in healthcare settings to protect patient data.

2. *Data Security Concerns:* Participants express concerns about the risks associated with sharing patient data on WhatsApp and the need for secure alternatives.

3. *Compliance and Implementation:* The discussion highlights the challenges of implementing DPDP compliance in healthcare, including obtaining informed consent, deidentifying patient data, and training staff.

4. *Alternatives to WhatsApp:* Participants suggest exploring alternative secure messaging platforms, such as Signal or Teams, to ensure compliance with the DPDP Act.

5. *Awareness and Education:* The conversation emphasizes the need for awareness and education among healthcare professionals about the DPDP Act and its implications on their practice.

Conversational citations:

Vasanth Karthikeyan  2nd

Geriatrician | Group Medical Director, Geri Care | Insights on Elder Care, Healthy Ageing & Healthcare Leadership

3w

𝗗𝗣𝗗𝗣 𝗔𝗰𝘁 𝘃𝘀 𝗪𝗵𝗮𝘁𝘀𝗔𝗽𝗽: a user’s thought from the ground Many hospital operations today still run on WhatsApp. • Owners want dashboards on WhatsApp • Patients want reports on WhatsApp • Doctors want images on WhatsApp • Appointments happen on WhatsApp • Nursing handovers happen on WhatsApp Now imagine a 𝗵𝗼𝘀𝗽𝗶𝘁𝗮𝗹 𝘄𝗶𝘁𝗵𝗼𝘂𝘁 𝗪𝗵𝗮𝘁𝘀𝗔𝗽𝗽 for even one day. You’ll quickly see why it’s everywhere—and why it’s so hard to replace. 𝗜𝘁’𝘀 𝗳𝗿𝗲𝗲 (at least for users), it’s on every phone, and it works instantly with almost no learning curve. The DPDP Act is important. 𝗣𝗿𝗼𝘁𝗲𝗰𝘁𝗶𝗻𝗴 𝗽𝗮𝘁𝗶𝗲𝗻𝘁 𝗱𝗮𝘁𝗮 𝗺𝗮𝘁𝘁𝗲𝗿𝘀. But healthcare doesn’t operate in theory—it operates in real time, under pressure. Most future “DPDP-compliant” communication tools are 𝘂𝗻𝗹𝗶𝗸𝗲𝗹𝘆 𝘁𝗼 𝗯𝗲 𝗳𝗿𝗲𝗲. And those costs will eventually flow back into healthcare delivery. Instead of only thinking about replacing WhatsApp, maybe there’s also room to think about how WhatsApp-like communication can be made safer—with clearer consent, defined boundaries, and accountability. 𝗔𝗳𝘁𝗲𝗿 𝗮𝗹𝗹, 𝗹𝗮𝘄 𝗶𝘀 𝗺𝗲𝗮𝗻𝘁 𝘁𝗼 𝗲𝗻𝗮𝗯𝗹𝗲 𝘂𝘀𝗲𝗿𝘀, 𝗻𝗼𝘁 𝗱𝗶𝘀𝗮𝗯𝗹𝗲 𝘀𝘆𝘀𝘁𝗲𝗺𝘀 that already work at scale. Just a food for thought—from someone using these tools every single day at the ground level.

https://lnkd.in/g3syinG9

From Paulomi Dey on LinkedIn:

https://www.linkedin.com/posts/paulomi-dey-_whatsapp-monetisation-and-why-this-matters-activity-7414277410315014145-xPfX

Paulomi Dey  1st

CEO | Founder | Ex–Fortune 10 | Healthcare Systems Expert & Leader | Reforming Patient-First, Equitable & Ethical Healthcare with AI

WhatsApp, monetisation, and why this matters for healthcare communication

I want to start by appreciating Shyam Chakraborty for raising this discussion. His observation about usability, security trade-offs, and the limits of consumer platforms sets the right frame for a deeper, platform-level conversation.

From a healthcare standpoint, the conclusion remains unchanged: consumer communication platforms are not designed for regulated, high-risk communication. Healthcare systems require default identity assurance, auditability, consent management, traceability, and clear accountability when something goes wrong. These are core system properties, not optional add-ons.

WhatsApp itself is not a high-risk communication platform in its intended context, and it does not monetise user message content. A more structured and controlled use is possible through the WhatsApp Business API, but that requires deliberate integration and governance.

WhatsApp does not monetise the content of private messages. End-to-end encryption means message text and calls are not readable by WhatsApp or Meta and are not used for advertising or content-based targeting.

WhatsApp’s primary monetisation today comes from business services, not from individual users or message content. Businesses pay Meta to use the WhatsApp Business API for customer communication, notifications, authentication messages, and support at scale.  WhatsApp has also started introducing ads in non-chat areas such as the Updates tab and Channels, not inside private conversations.

WhatsApp does collect metadata such as usage patterns, device information, and account details, as disclosed in its privacy policy. However, private message content remains encrypted and inaccessible for advertising. This means WhatsApp’s revenue model is not built on reading private conversations, even though it participates in Meta’s broader ecosystem through metadata and business messaging.

From a technical standpoint, WhatsApp account takeovers occur when identity controls are bypassed at the user or telecom layer, such as OTP sharing, SIM swap or cloning, call-forwarding abuse, or when two-step verification is not enabled.

None of the above makes WhatsApp unsafe in its intended consumer context. It is optimised for scale, simplicity, and frictionless communication, and its design choices are aligned with that goal.

The challenge arises because, in real-world practice, WhatsApp is increasingly used by doctors not just for communication, but informally as a record-keeping and follow-up tool. Messages, images, prescriptions, reports, and clinical decisions often accumulate in chat threads, effectively turning WhatsApp into a de facto EMR-cum-communication system.

This is where the mismatch becomes critical.

Healthcare communication requires systems designed for accountability first, not convenience. When governance, auditability, and clinical responsibility matter, consumer defaults are no longer sufficient.

5

10 Comments

Shyam Chakraborty, graphic

Shyam Chakraborty

Managing Director at Oy Trinnect Ltd.

7h

Thanks Paulomi Dey for taking up this issue. Amitav Bachchan once said: "the devil is in the details"- and this 'Amrut-Vani' stuck hard in my head! He is my spiritual Guru . 

There are two major issues (and a few minor issues also). The first is, whether WhatsApp is extensively used for doctor-patient information transaction? My take is, yes it is used extensively in doctor- patient, and even intra- hospital communication. Someone just posted on DPDP compliance of WhatsApp very recently.    

The second part is, whether WhatsApp's security provisions are adequate for transacting medical informations. You have mentioned WhatsApp is not unsafe for its intended use. Here the question comes, what are the intended use and what are unintended use (of-lebel use). In principle, any user to user communication, be it in real time or a messaging serrvice,  should be within the ambit of WA 

Like

Reply

Paulomi Dey, graphic

Paulomi Dey

CEO | Founder | Ex–Fortune 10 | Healthcare Systems Expert & Leader | Reforming Patient-First, Equitable & Ethical Healthcare with AI

5h

Thank you, Shyam Chakraborty. That’s a fair point on jurisdiction. I have worked with the US healthcare system in the past, so I am naturally more familiar with HIPAA, which is why I sometimes reference it.

My intent is not to apply US law to the Indian context, but to highlight that the core principles behind HIPAA are universal in healthcare: patient integrity, privacy, consent, accountability, and traceability. Legal frameworks differ by country, but the underlying goals are the same everywhere.

You’re absolutely right that, in India, we are largely dealing with the consumer version of WhatsApp. Its ease of use, ubiquity, and strong security messaging have driven widespread adoption, while the limitations and caveats are rarely discussed. That asymmetry is a real problem.

On the Business API point, I agree that it is currently adopted mainly by larger institutions.

Healthcare communication needs deliberate system design, whether built in-house or via third-party platforms.

So the concern is less about which regulation applies, and more about ensuring that whichever framework governs us, healthcare communication systems are designed to uphold those shared principles rather than relying on convenience-driven defaults.

Liked

1 Reaction

Shyam Chakraborty, graphic

Shyam Chakraborty

Managing Director at Oy Trinnect Ltd.

5h

Paulomi Dey we are primarily dealing within the scope of India and HIPAA is legally not relevant- though it is often mentioned due to our US centric thought process. It is also old and manifests serious gaps in the Indian environment. I am also not sure if BAA has any relevance in India. 

The problem is, we in India, are dealing primarily with the consumer version, free easy to use and pervasive, and with explicit mention of strong security provisions. The caveats are neither discussed nor indicated. I have also not seen much use of WhatsApp business version here in Finland, every organisation has their own overlay communication servers and services.

DPDP 2023 is the legal provision in India so far, but I doubt even many private practitioners have ever heard about it. So far I have noticed only one mention in the multitude of posts in Linkedin. 

Like

Shyam Chakraborty, graphic

Shyam Chakraborty

Managing Director at Oy Trinnect Ltd.

6h

Shyam Chakraborty 'of-label' -> 'off-label'

Like

Paulomi Dey, graphic

Paulomi Dey

CEO | Founder | Ex–Fortune 10 | Healthcare Systems Expert & Leader | Reforming Patient-First, Equitable & Ethical Healthcare with AI

6h

It is also important to separate the consumer app from the WhatsApp Business API. The Business API is an enterprise, server-to-server communication platform and is already used by banks and other regulated institutions for client-level authentication, alerts, statements, and real-time interactions. In this model, WhatsApp functions purely as a communication channel connected to institutional systems, with identity, access control, logging, and governance handled on the organisation’s side. It is chargeable, requires verified integration, and the cost is absorbed by the institution, not the user.

From a regulatory standpoint, WhatsApp Business API can be used as a communication channel within HIPAA and DPDP compliant architectures, but it is not itself a compliant healthcare platform. Compliance is achieved through system design, consent management, audit logging, and contractual controls around the API. Responsibility remains with the healthcare provider, not the channel.

The real risk arises when the consumer app, which is not designed to meet healthcare compliance requirements such as BAA, is used informally as a record, workflow, or EMR substitute. That gap between real-world use and design intent is where problems begin.

Liked

1 Reaction

Paulomi Dey, graphic

Paulomi Dey

CEO | Founder | Ex–Fortune 10 | Healthcare Systems Expert & Leader | Reforming Patient-First, Equitable & Ethical Healthcare with AI

6h

Thank you, Shyam Chakraborty. I agree with you on both points. WhatsApp is indeed used extensively today for doctor–patient and intra-hospital communication, largely because it fills a practical gap where formal systems are either absent or difficult to use.

On the question of intended versus unintended use, I see the distinction less at the user-to-user level and more at the risk and responsibility level. While WhatsApp is designed for general communication, once that communication starts carrying clinical decisions, records, or continuity of care, the requirements change.

In that context, the distinction is not between “secure” and “insecure,” but between general communication and regulated clinical communication. Encryption alone is not sufficient. Identity assurance, consent, auditability, traceability, and accountability become essential.