The rapid advancement of Artificial Intelligence (AI) is transforming industries worldwide, including the healthcare sector. AI technologies enable faster decision-making, predictive analysis, and improved patient care. However, the healthcare domain is inherently data-intensive, involving numerous interconnected data points that are analyzed collectively to derive medical insights and treatment outcomes.

At the same time, the fragmented structure of the healthcare ecosystem makes data governance increasingly complex. Determining how healthcare data is collected, stored, processed, and potentially reused in the future remains a major challenge for healthcare organizations and technology providers.

The implementation of the Digital Personal Data Protection Act, 2023 (DPDPA 2023) introduces a new regulatory framework for managing personal and sensitive data, making it essential for healthcare and HealthTech platforms to reassess their data governance, consent management, and privacy practices.

Current Challenges in the Indian Healthcare Ecosystem

With respect to India, the healthcare sector continues to face several structural and operational challenges, including:

• Lack of adequate awareness and education among patients regarding digital health data rights
• Limited investment in digital healthcare infrastructure
• Absence of widely implemented centralized medical document repositories
• Continued reliance on paper-based records and manual processes
• Lack of an integrated healthcare data grid, resulting in limited digital governance, monitoring, privacy protection, and cybersecurity safeguards
• Several additional systemic challenges across the healthcare ecosystem

These gaps create a complex environment where healthcare data is generated at scale but governed inconsistently.

How Healthcare AI Platforms Capture and Use Data

The rapid adoption of Healthcare AI solutions has encouraged developers and service providers to introduce platforms offering services such as:

• Digital healthcare awareness programs
• AI-assisted prescription recommendations
• Virtual or AI-based medical assistance
• Automated report management systems
• Patient monitoring and predictive health analytics

During these processes, healthcare AI platforms often capture and process multiple types of patient data in order to train AI models and improve analytical capabilities.

Some of the common data processing activities include:

• Capturing multiple healthcare data points to continuously train AI agents and models
• Accumulating prescription data and related information to identify potential health trends and medical conditions
• Analyzing therapeutic effectiveness for treating physical health challenges
• Indexing and ranking patient interactions and content usage on healthcare platforms
• Categorizing user profiles based on physical, emotional, or mental health indicators
• Recording communications between patients and doctors to enable predictive consultation and healthcare recommendations

In fact, numerous platform features—often exceeding 50 or more functionalities—can potentially capture sensitive personal health information, frequently through mechanisms as simple as cookie consent prompts, without fully explaining what data is collected, how it will be used, why it is required, and where it will be stored.

DPDPA 2023 and the Emerging Compliance Gap

Although DPDPA 2023 is currently under phased implementation, many Healthcare AI product and service providers still assume that their platforms fall outside the scope of the law.

This assumption raises significant concerns.

Healthcare data—whether related to past medical history, current treatment records, or predictive health insights—contains highly sensitive personal information. Such data should ideally be governed by strict policies for data collection, storage, processing, retention, and deletion.

Critical Questions Around Patient Data Governance

Several important questions remain largely unanswered within many healthcare platforms:

• Are patients clearly informed about what personal and health information is being collected?
• Where is this information stored, and for how long is it retained?
• Do healthcare platforms provide user dashboards or interfaces where patients can modify their data preferences and permissions?
• Are patients notified through text messages, email alerts, or voice notifications that their activities on the platform may be monitored or analyzed?
• Are users informed that their sensitive health information might be shared across multiple processing layers or service providers?
• Do healthcare AI platforms clearly communicate the process through which patients can exercise their Right to Erasure or “Right to Forget”?
• Do these platforms ensure that patient data is removed from all downstream sharing chains once deletion is requested?

The Road Ahead for Healthcare AI Compliance

It is increasingly evident that once the full enforcement of DPDPA 2023 begins, many healthcare and HealthTech organizations may find themselves scrambling to align with regulatory requirements.

Healthcare data represents one of the most sensitive categories of personal data, and the integration of AI-driven platforms further increases the complexity of privacy governance, transparency, and accountability. Organizations operating in the healthcare AI ecosystem will therefore need to move toward stronger data governance frameworks, transparent consent mechanisms, and demonstrable compliance practices to ensure alignment with evolving regulatory expectations.