We have discussed in these columns, more than once, that of all the Data Fiduciaries the Digital Personal Data Protection Act, 2023 has created, the hospital occupies a category of its own.
The reason is captured in a single line that I keep returning to: in a hospital, data is life. It follows, almost as a matter of logic, that a “data breach” in a hospital is not merely a compliance event — it is a patient-safety event.
Here, we set out the full case for that proposition, and the framework — DGPSI-Hospital — that I believe hospitals must build to honour it.
Let me begin not with the law, but with a case.
A tragic illustration: when a “data” event becomes a “life” event
Consider an incident reconstructed through forensic investigation. A patient record carried a note of a known allergy. At some point before a clinical incident, the record was edited. After the event, it was edited again. The exact nature of the edits could not be fully established. What the investigation could establish was chilling: the edits were made by an unknown person, using the stolen password of the IT Administrator, from an unrecognised IP address.
On the surface this is a textbook information-security failure — an identity theft, a compromised credential, an unauthorised access. The CIA triad of Confidentiality, Integrity and Availability has every vocabulary to describe it. But notice where the story actually lands. The compromised property was the integrity of an allergy record. And the consequence of a tampered allergy record is not a leaked file or a regulatory fine. The consequence is borne by a human being on a hospital bed.
This is the whole argument in miniature. An identity theft produced an information-security breach, which culminated in a patient-safety compromise. The bits were the medium; the patient was the casualty. Any framework that stops at “we have restored the data and reset the password” has missed the event that actually mattered.
Why a hospital breach is not a bank breach
We instinctively model “data breach response” on the financial sector, because that is where breach management matured. But the analogy breaks at the most important point — reversibility.
A bank breach is largely reversible. Restoring lost data, reversing a fraudulent transaction, or curing a consent gap can substantially undo the damage. Money is fungible; records can be rebuilt; the harm, however serious, is usually recoverable.
A hospital breach is different. The harm can be irreversible. No restored backup brings back a life. A delayed treatment, a wrong dosage administered on a corrupted record, a result that reached the wrong clinician at the wrong time — these cannot be rolled back to last night’s snapshot. And because the harm is of a different character, the response and the remedies must be of a different character too.
The triggers, importantly, are varied. A patient-impacting incident in a hospital can arise from a technology failure, a human error, an AI malfunction, a privacy violation, or a malicious attack. The cause is almost incidental. What unifies them is the question that must always be asked at the end: did this hurt a patient?
Same problem, two domains
Here is the conceptual bridge on which the entire DGPSI-Hospital approach rests:
An unexpected harmful event is to a hospital what a personal-data breach is to a data fiduciary.
Both are managed through the same disciplined loop — see it, report it, fix it, and stop it from recurring. Only the names and the rulebooks differ.
On the clinical side, a patient-safety event is, in the working definition under NABH’s Patient Safety & Quality (PSQ) framework, any occurrence in the process of care that is inconsistent with the desired patient outcome or with routine hospital operations.
On the data side, a personal-data breach is, under the DPDP Act 2023, any unauthorised or accidental compromise of the confidentiality, integrity or availability of personal data.
Read those two definitions side by side and the structural parallel is unmistakable. Two domains, two vocabularies — one shape of problem.
Two rulebooks, one architecture
The two domains are governed by two very different instruments, and a hospital is simultaneously subject to both.
| NABH — PSQ chapter | DPDP Act 2023 + Rules 2025 | |
|---|---|---|
| What it is | Patient Safety & Quality Improvement standard | India’s data-protection statute |
| Issued / enforced by | Quality Council of India; 6th Edition (2025) | Data Protection Board of India |
| Nature | Voluntary accreditation standard | Binding statutory obligation |
| Core duty | Run an incident system across every unit | Safeguard data and manage every breach |
| Goal / teeth | Continual, measurable quality improvement | Penalty up to ₹250 crore for safeguard failure |
The point is not that one is “softer” than the other. The point is that they share an architecture — an incident system, an escalation path, an investigation, a remediation, a governance owner. A hospital that already runs a mature NABH patient-safety incident system is not starting from zero on DPDPA breach management. It is being asked to run a structurally identical loop on a second class of event.
Where DPDPA goes beyond NABH
That said, the convergence is not complete. NABH treats information largely as a governance and risk-management issue, which maps reasonably well to data-principal rights and PII security. But the DPDPA imposes a set of legal obligations that NABH’s 6th edition simply does not address. These are the gaps a hospital must consciously close.
| DPDPA 2023 / Rules 2025 requirement | NABH 6th-ed. coverage | Action for the hospital |
|---|---|---|
| S.8(8)–(9) + S.13 — publish DPO/contact; grievance-redressal mechanism | PRE.7 handles clinical complaints, not data grievances | Designate a data-protection contact/DPO and a data-grievance channel with defined timelines |
| S.14 — right to nominate (exercise rights on death/incapacity) | Not addressed | Offer patients a nominee option for their personal-data rights |
| S.10 + Rule 12 — Significant Data Fiduciary duties: DPIA, audit, India-based DPO | Not addressed | Large hospital groups should assess SDF-designation risk and prepare DPIA/audit capability |
| S.8(2) — processor contracts | IMS assumes in-house control; vendor data terms unspecified | Bind every HIS/cloud/AMC vendor by a DPDPA-compliant data-processing contract |
| S.16 + Rule 14 — cross-border transfer limits | IMS.1.g references law generally; no transfer-location control | Map data residency; restrict transfers to the government-notified position |
DGPSI-Hospital (The framework for DPDPA Compliance developed by Naavi for FDPPI) exists precisely to integrate the two regimes — privacy management, cyber resilience, AI-risk management and data-breach response — into a single framework, rather than leaving the hospital to reconcile a voluntary quality standard and a binding statute in two disconnected committees.
What counts as an “event”?
The two regimes also classify events differently, and the difference is instructive.
The hospital grades by severity. A sentinel event — death, severe or permanent harm — triggers an immediate investigation. An adverse event is one that reached the patient and caused harm. A near miss was caught before it reached the patient. Severity drives the response.
The data regime, by contrast, has one definition and no tiers. A personal-data breach is any compromise of confidentiality, integrity or availability of personal data — and I would add, any consent violation or denial of a data principal’s rights. There is no threshold. Every breach is, in principle, reportable. The hospital’s graded culture must therefore accommodate a co-resident regime that does not grade at all.
The convergent clock: reporting on the clock
If there is a single point from this discussion that hospital leadership should pin to the wall, it is the one about time.
The serious-event Root Cause Analysis (RCA) window in the hospital world (24–72 hours) lines up almost exactly with the statutory breach-reporting deadline under the data law. I call this the convergent clock.
On the NABH side: a sentinel event is escalated immediately to the quality team and top management; the RCA is opened within 24–72 hours; and the harm is disclosed to the patient and the family.
On the data-fiduciary side: the Data Protection Board and every affected data principal are notified “without delay”; a detailed report reaches the Board within 72 hours of awareness. And note the tighter overlay — where the incident is a cyber-security incident, the CERT-In six-hour reporting obligation also bites.
Two clocks, started by the same incident, ticking in parallel. A hospital that runs them as one synchronized process will comply with both. A hospital that runs them separately will miss at least one.
Fix the case, then fortify the system
Remediation, too, runs in parallel — first the specific case, then the system that allowed it.
On the NABH side, CAPA (corrective and preventive action) redesigns the process, retrains staff and revises the protocol; and FMEA (Failure Mode and Effects Analysis) together with tracked quality indicators closes the loop proactively.
On the data-fiduciary side, the hospital must contain and mitigate — close the gap, reset credentials, recover data and limit harm to data principals — and then harden safeguards: strengthen security controls, retain logs for at least one year, and audit periodically.
Same instinct, two vocabularies: treat the patient in front of you, then immunise the system behind you.
Ownership and consequences: who owns it, and what is at stake
A loop without an owner is a wish. Each regime assigns ownership, and each carries its own stakes.
On the hospital side, ownership sits with the Quality, Patient-Safety and Hospital-Safety committees, anchored in the International Patient Safety Goals, with board-level review of safety and risk. At stake: patient harm, accreditation and reputation.
On the data-fiduciary side, ownership sits with the Data Protection Officer (mandatory for a Significant Data Fiduciary), answerable to the Data Protection Board of India, under a statutory duty of reasonable safeguards. At stake: penalties up to ₹250 crore, and reputation.
Different owners, different penalties — but, again, the same incident triggering both.
The role the system forgets: the Patient Safety Officer
This brings me to the figure who is too often missing from the data-protection conversation in hospitals — the Patient Safety Officer (PSO).
Let me be precise about what the PSO is not. The PSO is not a second DPO, nor a junior CISO. Their job is the clinical-harm axis — not breach notification, not firewalls, but the answer to a single question: “Did this hurt a patient, and what do we do clinically about it?”
That role plays across all three phases of an incident.
Before — design and prevent. The PSO arbitrates the security-versus-safety trade-offs that no firewall engineer can resolve alone: auto-logoff in the ICU, multi-factor authentication at the crash cart, screen lockouts during a code. They bring the safety lens into DPIAs and procurement — safe failure modes, usability, alarm fatigue — and they own the clinical downtime / business-continuity model, drilling it like a code blue.
During — respond. The PSO runs the clinical-harm triage (“is this a patient-safety event?”), throws a safety-net around affected patients (who needs clinical re-checking or follow-up), and supplies the clinical-harm assessment that informs the DPO’s notification decision.
After — learn. The PSO leads the root-cause analysis of the harm pathway (delayed result → delayed treatment), routes data incidents into the adverse-event and Morbidity & Mortality reporting system, owns patient-safety KPIs for cyber resilience, and builds a just-culture for near-miss reporting.
The cleanest way I can put the division of labour is this:
The CISO asks whether the information was protected. The DPO asks whether the compliance held. The PSO asks whether the patient was safe.
Three different questions about one event — and only when all three are answered is the event truly closed.
From the CIA Triad to the CDP Human Triad
All of this exposes the limitation of the model on which information security has rested for three decades — the CIA triad.
The CIA triad protects information. Confidentiality: information is not disclosed to anyone not authorised to see it. Integrity: information is not altered or tampered with without authorisation. Availability: information and systems are accessible whenever needed. It was built for an era when systems were seen mainly as repositories of data, and the impact of a breach was measured in lost or leaked information.
But the harm now lands on people, and the CIA triad cannot see it. Consider three cases in which the information is technically “fine” and yet a human is harmed:
- A ransomware attack compromises availability — but the real consequence is delayed treatment for a patient.
- A faulty AI recommendation leaves confidentiality and availability perfectly intact — yet a wrong output can still expose a patient to harm.
- A privacy violation damages no data at all — yet the person’s autonomy and freedom of choice are undermined.
In each case the CIA triad reports “all clear” while a human being is hurt. That gap is the reason I have proposed graduating from the CIA Information Triad to the CDP Human Triad for the hospital environment.
Three guardians, three mandates
The CDP Human Triad translates into a governance structure of three guardians, each with a distinct mandate.
CISO — protects the Information. Information and network security, cyber defence and incident response, business continuity, technology resilience. Asks: “Are the systems, and the data in them, protected?”
DPO — protects the Privacy. Consent governance, privacy and DPDPA compliance, data-principal rights, purpose limits and breach notice. Asks: “Are the person’s rights and choices protected?”
PSO — protects the Patient. Clinical safety, human-impact and AI-safety oversight, digital risk to patient care, incident management and harm mitigation. Asks: “Is the patient protected — whatever the cause?”
This is the heart of a new jurisprudence in DPDPA compliance for hospitals: the role of the DPO in a hospital must be re-thought, not lifted unchanged from a bank or an IT company. DGPSI-Hospital adopts exactly this CISO–DPO–PSO structure as its framework of compliance.
Governance in practice: a RACI for the triad
To stop the triad from becoming three silos that each sign off on a separate audit, responsibility has to be allocated activity by activity. The following RACI matrix — Responsible (does the work), Accountable (owns the outcome), Consulted, Informed — is how DGPSI-Hospital distributes the work of a single incident.
| Activity | CISO | DPO | PSO |
|---|---|---|---|
| Detect, contain & technically recover the incident | A / R | I | C |
| Clinical-harm triage — is this a patient-safety event? | C | C | A / R |
| Breach notification (Board & patients) + CERT-In 6-hr report | C | A / R | C |
| Safety-net affected patients (clinical follow-up / re-check) | I | C | A / R |
| Run clinical downtime / business-continuity operations | C | I | A / R |
| Root-cause analysis of the harm pathway | C | C | A / R |
| Security-vs-safety control trade-offs (auto-logoff, MFA) | R | C | A |
| DPIA & vendor / SBOM assurance for care-critical systems | R | A / R | C |
Read down the columns and you can see each guardian’s centre of gravity; read across the rows and you can see that no single incident belongs to any one of them alone.
The same loop, end to end
To close the circle, here is the entire lifecycle of an incident, shown in both vocabularies at once. Different stakes — a life versus a record — but the same disciplined loop.
| Stage | Hospital · NABH | Data fiduciary · law |
|---|---|---|
| Identify | Incident reporting: near-miss / adverse / sentinel | Detect and become aware of the breach |
| Classify | Grade by severity and by domain | Assess scope and risk to data principals |
| Report | Escalate sentinels; disclose to patient | Notify Board + principals; 72-hour report |
| Investigate | Root-cause analysis (5-Whys) | Forensic investigation of the breach |
| Remediate | CAPA — corrective & preventive action | Containment and mitigation |
| Prevent | FMEA + continual quality improvement | Stronger safeguards + log retention |
| Govern | Quality & safety committees | DPO + Data Protection Board |
The takeaway is simple to state and hard to live: see it, classify it, report it on the clock, find the root cause, fix the system, prevent recurrence — on both axes, every time.
The roadmap: DGPSI-Hospital
DGPSI-Hospital is a framework of DPDPA compliance that integrates information security, privacy and patient-safety principles into one framework. Its central thesis is the one I have tried to build across this entire discussion:
Healthcare security must graduate from the CIA Information Triad to the CDP Human Triad — and must build the CISO–DPO–PSO structure to deliver it.
A hospital that internalises this stops asking the narrow question, “How do we avoid a ₹250-crore penalty?” and starts asking the right one: “How do we make sure that, when something goes wrong with our data, no patient is harmed — and if one is, that we see it, treat it, report it and learn from it?”
That is what it means to say that a hospital is a fiduciary for human life, and not merely a fiduciary for personal data. The data law gives us the discipline. Patient safety gives us the purpose. DGPSI-Hospital is the bridge between them.
Comments and counter-views are welcome, as always. This discussion will continue as the DGPSI-Hospital framework is finalised.
Naavi
