Health Insurer + Hospital Network: Sensitive Data, TPA Role Determination, and Claims Processing Under DPDP
A cashless health insurer network with 400 hospitals. Patient records flow from hospitals to the TPA to the insurer for pre-authorisation. Biometrics at entry gates. Three entities, one Data Principal, complex liability questions.
A large Indian health insurer operates a cashless network with 400 hospitals. On admission, hospitals collect patient data (diagnosis, treatment, vitals, Aadhaar-linked biometrics). For pre-auth and claims, hospitals transmit this data to the insurer's TPA. The TPA processes claims and stores health records. The insurer also uses anonymised health data for actuarial modelling.
Health data is sensitive personal data. What additional obligations does this trigger?
The DPDP Act 2023 has no separate "sensitive personal data" tier (that label comes from the IT (SPDI) Rules 2011, which list medical records and biometric information), but sensitivity still bites: §10 lets the Central Government notify Significant Data Fiduciaries on the basis of the volume and sensitivity of the data processed, and the DPDP Rules 2025 empower MeitY to specify categories requiring higher protection. Health and biometric data fall squarely in that bucket. IRDAI's data governance circular independently requires enhanced security standards for health records.
For the hospital (the primary Data Fiduciary): its consent notice must specifically mention transmission to the insurer/TPA for claims processing. In emergency admissions the medical-emergency legitimate use in §7(f) may apply (DPDP has no GDPR-style "vital interests" basis), but only for the immediate treatment purpose, not for ongoing insurance processing, which still needs consent.
For the insurer: at this scale and sensitivity it should expect Significant Data Fiduciary notification under §10, which brings a DPIA (not just a PIA), a resident DPO and periodic independent audit. Given the sensitivity, scale and automated pre-authorisation decisioning, the DPIA must document risk mitigations, data minimisation measures, and access controls specific to health records.
Is the TPA a Data Processor or Data Fiduciary? This determines breach liability.
This is a fact-specific determination, and the most consequential structural question in health insurance data governance. The test is the §2 definitions: a Data Fiduciary determines the purpose and means of processing; a Data Processor processes on a Fiduciary's behalf. A TPA that adjudicates claims against the insurer's rules, on the insurer's instructions and under a §8(2) contract, is a Processor. A TPA that sets its own purposes (reusing records for its own analytics, deciding retention, or pooling several insurers' data in a database it controls) has become a Fiduciary in its own right for those uses. Either way, §8(1) keeps the insurer responsible for processing done on its behalf, and the §8(6) breach intimation to the Board and each affected Data Principal is the Fiduciary's duty, so the TPA contract must bind the processor to detect and report incidents fast enough for the insurer to meet it.
Can the insurer use anonymised claims data for actuarial modelling without consent?
DPDP's definition of personal data turns on identifiability, so true anonymisation, where re-identification is not reasonably possible, places the output outside the Act; §17(2)(b) separately carves out research and statistical processing that is not used to take decisions about a specific Data Principal. Pseudonymisation is not anonymisation: if a linkage key, token table or unique combination of fields could re-identify records, the data remains personal data and the modelling remains processing.
The insurer must document its anonymisation methodology and have it independently reviewed. Two caveats: the anonymisation step itself is processing of personal data and needs a lawful basis, and the original consent notice should mention "statistical/actuarial research on anonymised data" for transparency even if the output is technically exempt.
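The pseudonymisation/anonymisation distinction above is easiest to see in code. The following is an added example, not code from the page or from CreativeCyber: on a constructed set of admission rows it shows that a keyed token is fully reversible by whoever holds the key, and then builds an actuarial extract that carries no token at all by generalising quasi-identifiers and checking k-anonymity. The field names, the key and the patient rows are assumptions, not any insurer's real schema.

```python
"""Added example, not code from the page or from CreativeCyber.

Shows, on constructed data, why a keyed pseudonym is still personal data
under DPDP (the key holder can link it back) and one way to build a
k-anonymous actuarial extract that carries no linkage key at all.
Field names, the key and the patient rows are all assumptions.
"""
import hashlib
import hmac
from collections import Counter

# Constructed admission rows, shaped like what a hospital might send a TPA.
RECORDS = [
    {"patient_id": "P1001", "name": "A. Sharma", "age": 34, "pincode": "400053", "icd10": "J18.9", "claim_inr": 48000},
    {"patient_id": "P1002", "name": "B. Iyer",   "age": 37, "pincode": "400076", "icd10": "J45.0", "claim_inr": 21500},
    {"patient_id": "P1003", "name": "C. Das",    "age": 52, "pincode": "110017", "icd10": "I21.9", "claim_inr": 310000},
    {"patient_id": "P1004", "name": "D. Khan",   "age": 58, "pincode": "110024", "icd10": "I50.0", "claim_inr": 145000},
    {"patient_id": "P1005", "name": "E. Rao",    "age": 29, "pincode": "560034", "icd10": "K35.8", "claim_inr": 62000},
    {"patient_id": "P1006", "name": "F. Mehta",  "age": 41, "pincode": "400053", "icd10": "J18.9", "claim_inr": 39000},
]

QUASI_IDENTIFIERS = ("age_band", "pin_prefix", "icd_chapter")


def _token(key: bytes, patient_id: str) -> str:
    # Keyed pseudonym: HMAC-SHA256, truncated to 64 bits for readability.
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Strip name/patient_id and replace them with a keyed token.

    Whoever holds `key` can still link the rows, so they remain personal
    data; this is a security control, not an exit from DPDP scope.
    """
    return [
        {"token": _token(key, r["patient_id"]), "age": r["age"], "pincode": r["pincode"],
         "icd10": r["icd10"], "claim_inr": r["claim_inr"]}
        for r in records
    ]


def reidentify(pseudo_records, key: bytes, known_patient_ids):
    """Re-link pseudonymised rows by recomputing tokens over IDs the key
    holder already knows. Returns {token: patient_id}."""
    lookup = {_token(key, pid): pid for pid in known_patient_ids}
    return {r["token"]: lookup[r["token"]] for r in pseudo_records if r["token"] in lookup}


def generalise(record):
    """Coarsen the quasi-identifiers and drop every direct identifier.

    Age -> 10-year band, PIN -> first 3 digits, ICD-10 -> chapter letter.
    No token or key survives into the output.
    """
    band_lo = record["age"] // 10 * 10
    return {
        "age_band": f"{band_lo}-{band_lo + 9}",
        "pin_prefix": record["pincode"][:3],
        "icd_chapter": record["icd10"][0],
        "claim_inr": record["claim_inr"],
    }


def _qi(record):
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def min_class_size(records) -> int:
    """The 'k' of the extract: size of the smallest group of rows sharing
    the same quasi-identifier tuple. 0 for an empty extract."""
    counts = Counter(_qi(r) for r in records)
    return min(counts.values()) if counts else 0


def anonymise(records, k: int):
    """Generalise, then suppress any row whose quasi-identifier tuple is
    shared by fewer than k rows, so every remaining row hides among >= k."""
    generalised = [generalise(r) for r in records]
    counts = Counter(_qi(r) for r in generalised)
    return [r for r in generalised if counts[_qi(r)] >= k]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: the TPA's pseudonym key
    pseudo = pseudonymise(RECORDS, key)
    print("pseudonymised rows carry no names:", all("name" not in r for r in pseudo))
    linked = reidentify(pseudo, key, [r["patient_id"] for r in RECORDS])
    print("key holder re-identified", len(linked), "of", len(pseudo), "rows")
    extract = anonymise(RECORDS, k=2)
    print("k=2 extract keeps", len(extract), "rows, k =", min_class_size(extract))
    print("k=3 extract keeps", len(anonymise(RECORDS, k=3)), "rows")
```

`min_class_size` is the number the methodology review should be asked for, but k-anonymity is a floor, not a proof: a class whose rows all share one diagnosis chapter still discloses it (the homogeneity problem), and raising k on a small extract suppresses everything, as the k=3 run shows. That is why the text's independent review of the method, rather than a one-off "we hashed the IDs", is the right control.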
The CreativeCyber DPDP Assurance Platform puts every framework, workflow, and control referenced in this article into a single audit-ready platform — built specifically for BFSI.