The Patient's Charter: Rights & Transparency

The Patient’s Charter: Rights of the Data Principal

Under the DPDP Act 2023, patients are classified as Data Principals. As Bagmisikha Puhan (Associate Partner, TMT & Digital Health Legal) emphasizes, the Act grants patients a comprehensive charter of rights to ensure transparency and agency over their health information.

DPDP Patient Rights Figure: The comprehensive charter of Data Principal rights under the DPDP Act 2023.

Core Rights & Protections

Right to Access: Patients can request information about their personal data being processed and a summary of all such data.
Right to Correction & Erasure: The right to update inaccurate or outdated information and the right to request deletion of data once its purpose is fulfilled.
Right to be Informed: Patients must be given information about tests, treatment options, and their associated benefits and risks.
Right to Informed Choice: The mandate to make an informed choice and provide explicit Informed Consent before any data processing begins.
Right to Safety & Security: The right to expect that healthcare providers will keep their health information safe and secure at all times.
Right to Grievance Redressal: A mandatory mechanism for addressing patient complaints regarding data handling.
Right to Nominate: The right to nominate an individual who will exercise rights on behalf of the patient in case of death or disability.
Right to Accuracy: Access to own health records to ensure factual inaccuracies are removed.
Informed Usage: The right to be informed about exactly how the patient’s information is being used by the institution.
Mandatory Identification Disclosure: While patients have rights, they must be informed that seeking treatment from a registered medical practitioner may require a mandatory requirement of identification (e.g., ABHA).

At the heart of DPDP is a new benchmark for transparency. Institutions must move beyond “fine print” to active disclosure:

The Transparency Notice

Hospitals must explicitly inform patients:

What: The kind of information being collected.
How: How the information is going to be processed.
Who: Who all the information is being shared with (Third-party TPAs, Medtech, etc.).
Why: The specific purpose for which the data is required for service provision.

Consent is no longer a “pre-ticked box.” For consent to be valid under DPDP, it must be:

Clear, Unambiguous, and Unbundled: It must be a specific, stand-alone permission, not tucked into a general “Terms and Conditions” document.
Informed Participation: In setups like Teleconsultation, patients must be briefed on the shortcomings and limitations of the platform before their data is processed.

The Strategic Shift: From Infrastructure to Empowerment

The Ayushman Bharat Digital Mission is evolving. While the initial years focused on the Highways (ABHA, HIE-CM, registries), the next phase belongs to the Citizen.

Pivot to Patient Awareness

A major highlight of the KCDH 2026 roadmap is the focus on large-scale Patient Education.

Rights over Regulation: Compliance is a burden for hospitals, but Awareness is a shield for patients. Empowerment comes when citizens understand their rights under the DPDP Act as a standard part of their clinical experience.
Transparency as Fiduciary Security: Transparency is not just a checkbox; it is a fiduciary responsibility. By educating patients on exactly how their data is processed, hospitals build a “circle of trust” that is more resilient than any firewall.
Digital Literacy: Bridging the gap requires active institutional effort to ensure that even rural and non-technical populations can navigate their digital longitudinal records with agency.