Patients who intentionally provide incorrect personal information to healthcare providers such as AIIMS-Patna could face penalties of up to ₹10,000 from May 13, 2027, when the institute has to become fully compliant with the Digital Personal Data Protection (DPDP) Rules, 2025, under the DPDP Act, 2023.

Explaining the implications of the new law, Alvin Anthony, lawyer and chief compliance officer of Delhi NCR–based AI capacity-building firm GovernAI, said the provision would apply to deliberate misreporting of details such as age, address or blood group that could lead to incorrect processing of medical information. Anthony was speaking to this reporter on the sidelines of the first comprehensive awareness programme on cyber hygiene, cyber security and digital personal data protection held at the AIIMS-Patna auditorium on Friday.

The legislation also prescribes stringent penalties for healthcare institutions, with fines of up to ₹250 crore for failure to adhere to standard operating procedures (SOP) in the event of a data breach.

Explaining the breach notification requirements, Anthony said that under the law, institutions must inform the Computer Emergency Response Team–India (CERT-In) within six hours of detecting a breach, and notify both the affected patient and the Data Protection Board within 24 hours.

“The objective is to give individuals adequate time to alert their banks, and monitor and safeguard their social media accounts and email,” he said. The SOP further mandates submission of a detailed report to the Data Protection Board within 72 hours and, if a medical device is involved, to the state and/or central licensing authority within 15 days.

Given the scale of operations at AIIMS-Patna, which handles nearly one million patient records annually, Anthony recommended appointing a dedicated data protection officer within 30 days, in line with best practices for large data fiduciaries.

He also underlined that patient consent will become mandatory before processing any personal data, except in emergencies, pandemics or law-and-order situations. Currently, consent is largely limited to specific procedures, surgeries, anaesthesia and use of medical devices. “By mid-2027, a three-layer consent framework is likely to be in place in healthcare institutions with the introduction of patient consent before processing personal data,” he said.

Earlier, AIIMS-Patna executive director Prof (Brig) Dr Raju Agarwal highlighted the growing importance of cyber awareness amid rapid digitalisation of healthcare services and medical records. The programme emphasised that cyber security is integral not only to IT systems but also to clinical, academic and administrative functions, calling for responsible data handling and continuous cyber awareness across the digital healthcare ecosystem.