Designing DPDP-Compliant Notices & Registration Flows (Healthcare)

What DPDP expects from a “notice”

Your notice must be:

  • Standalone (understandable on its own)
  • Written in clear, plain language
  • Specific about what personal data you collect/process
  • Clear about why you process it (the purpose) and what service it enables
  • Easy for the patient to find how to withdraw consent, exercise rights, and raise a grievance / complaint

The golden rule for Healthcare UX: “Just-in-time notices”

Instead of showing one long notice during registration, show short, contextual notices at the exact moment data is collected or shared. This keeps consent meaningful, reduces confusion, and increases trust.

Recommended “notice moments” in healthcare

  1. Registration / Admission (front desk, kiosk, portal)
  2. Telemedicine start (before video/audio begins)
  3. Diagnostics sharing (lab/radiology orders, report delivery)
  4. TPA/insurance/claims (billing authorisation and submissions)
  5. WhatsApp/SMS communications (reminders, follow-ups, health tips)
  6. Recordings or sensitive access (call recordings, session recordings, CCTV disclosures where applicable)

Each notice should clearly state:

  • what data is collected now
  • why it is needed now
  • who it may be shared with now (only when relevant)
  • patient choices (what’s optional vs required for care coordination)
  • how to withdraw/manage preferences

DPDP-compliant registration flows (recommended patterns)

Screen/Step A: Minimal registration

  • Name, age (or DOB), mobile, address (only if needed), OPD reason category

Notice block (must-have)

  • “We collect these details to create your patient record, schedule consultation, and enable care delivery.”

Screen/Step B: Optional communications

  • Separate toggles:
    • Appointment reminders (service)
    • Lab report notifications (service)
    • Health tips/offers/camps (optional)

Best practice

  • Provide a QR code at the desk: “Manage consent & communication preferences” for easy withdrawal later.

Admission often collects more data and involves multiple departments.

Flow

  1. Admission registration notice (patient record creation + treatment coordination)
  2. Department access notice (ward/ICU/OT)
  3. Billing/TPA notice (where relevant)
  4. Discharge + follow-up communication preferences

Implementation note: Don’t allow a “full account” creation for a child until the parent step is completed.

Best practice

  • Use a “layered notice” approach: short upfront + deeper detail link/QR.

Screen 1: OTP login + profile

  • Keep fields minimal initially

Screen 2: Notice + consent controls

  • Required: account + care delivery communications
  • Optional: marketing, feedback surveys, health education campaigns

Screen 3: Preferences dashboard

  • WhatsApp/SMS/email toggles
  • “Download my data / request changes” link
  • “Raise grievance” link

Just-in-time notice moments

  • Before camera/mic permissions
  • Before prescription generation (if shared externally)
  • Before storing any recording (if you record)
  • Before third-party tools (video vendor, chatbot, transcription)

Best practice

  • If recording is used, treat it as a separate, explicit notice with retention duration.

Diagnostics is a major “sharing” point.

Flow

  • Patient notice: “Your details and test order will be shared with [Lab/Imaging] to perform diagnostics and deliver reports.”
  • Report delivery notice: SMS/WhatsApp/email delivery preferences
  • Consent separation: care delivery vs optional research/analytics/marketing (if any)

Best practice

  • Maintain a vendor list link: “Who processes my data” (vendor map).

Notice must clarify

  • What data is shared with the TPA/insurer
  • Why it is shared (authorisation, claim processing)
  • How long billing records are retained (high-level)

Best practice

  • Don’t hide this in billing fine print — make it a short “claims notice” tile.

Mandatory links you must publish

You should prominently publish:

  • How patients can submit rights requests
  • What identifier you need (patient ID/MRN, mobile/email, visit ID, etc.)
  • How patients can raise a grievance, and the response timeline

Practical UX tip: put these links in

  • Registration notice footer: “Manage Consent | Rights | Grievance”
  • Patient portal settings: “Privacy & DPDP”
  • Help/Support page
  • Discharge summary footer (QR link)

What your registration notice should contain

Data collected. Examples: name, contact details, age/DOB, visit type, identifiers you generate (patient ID), appointment details.

Purposes. Examples: registration, appointment management, clinical care coordination, report delivery, billing.

Recipients (who the data may be shared with). Examples: labs, imaging centres, TPAs/insurers, telemedicine video provider, patient communication vendor.

Separate toggles and links for:

  • service notifications (reminders/report delivery)
  • optional campaigns (health tips, camps, promotions)
  • withdraw consent / manage preferences
  • rights request link
  • grievance link

High-risk healthcare screens

Implementation blueprint

Minimum backend objects (recommended)

  • NoticeVersion (versioned notice text, language, effective date)
  • ConsentLedger (append-only: asked / given / withdrawn; with purpose tags)
  • PatientIdentifierMap (MRN/Patient ID/Visit ID mapping)
  • CommunicationPreferences (WhatsApp/SMS/email toggles)
  • DisclosureLog (when data is shared with lab/TPA/vendor + purpose)

Minimum logs to keep (audit-friendly)

  • Notice version shown at registration
  • Consent timestamp + channel (front desk / portal / telemedicine)
  • Preference change history
  • Disclosure events (lab/TPA/vendor)
  • Admin access logs (who accessed, when, why)
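To make the backend objects and audit logs above concrete, here is an added Python example (not from the original page) of an append-only ConsentLedger with purpose tags and a disclosure gate that writes a DisclosureLog row for every share attempt, allowed or blocked. Each ledger row carries timestamp, channel and notice version, which is what the audit list asks for; the patient ID, lab name and notice version ID are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

EVENTS = {"asked", "given", "withdrawn"}

def now():
    return datetime.now(timezone.utc).isoformat()

@dataclass
class ConsentLedger:
    """Append-only ledger keyed by patient ID + purpose tag (e.g. 'diagnostics_sharing')."""
    entries: list = field(default_factory=list)

    def record(self, patient_id, purpose, event, channel, notice_version):
        if event not in EVENTS:
            raise ValueError(f"unknown consent event: {event}")
        # Rows are only ever appended; state is derived by replaying them, never by editing.
        self.entries.append({"ts": now(), "patient_id": patient_id, "purpose": purpose,
                             "event": event, "channel": channel,
                             "notice_version": notice_version})

    def is_active(self, patient_id, purpose):
        """Replay the ledger: the latest 'given' or 'withdrawn' for this pair decides."""
        active = False
        for e in self.entries:
            if e["patient_id"] == patient_id and e["purpose"] == purpose:
                if e["event"] == "given":
                    active = True
                elif e["event"] == "withdrawn":
                    active = False
        return active

def disclose(ledger, log, patient_id, recipient, purpose, fields):
    """Gate every outbound share on an active consent; log allowed and blocked attempts alike."""
    allowed = ledger.is_active(patient_id, purpose)
    log.append({"ts": now(), "patient_id": patient_id, "recipient": recipient,
                "purpose": purpose, "fields": list(fields),
                "outcome": "shared" if allowed else "blocked_no_consent"})
    return allowed

def demo():
    """Constructed walk-through (placeholder IDs): consent given at the front desk, then withdrawn via the portal."""
    ledger, disclosure_log = ConsentLedger(), []
    ledger.record("MRN-0001", "diagnostics_sharing", "given", "front_desk", "reg-v3-en")
    first = disclose(ledger, disclosure_log, "MRN-0001", "lab-A", "diagnostics_sharing", ["name", "test_order"])
    ledger.record("MRN-0001", "diagnostics_sharing", "withdrawn", "portal", "reg-v3-en")
    second = disclose(ledger, disclosure_log, "MRN-0001", "lab-A", "diagnostics_sharing", ["name", "test_order"])
    return first, second, [e["outcome"] for e in disclosure_log]
```

Because state is replayed from the ledger rather than stored as a mutable flag, a withdrawal recorded through any channel (desk QR, portal, telemedicine) immediately blocks the next share while the full asked/given/withdrawn history stays intact for audit.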

Quick compliance checklist

  • Registration notice is clear, plain-language, and purpose-specific
  • Optional communications (marketing/health campaigns) are separate toggles
  • “Just-in-time notices” exist for telemedicine, diagnostics sharing, TPA/insurance
  • Withdrawal / preference changes are easy and visible
  • Rights + grievance links are prominently published
  • Vendor sharing is tracked and reflected in disclosures
  • Logs exist for notice/consent/disclosures/access events

Need these screens designed?

We can design your registration notices, consent controls, preference dashboard, disclosure micro-notices, and consent ledger schema — aligned to DPDP and tailored to OPD/IPD + telemedicine workflows.