Health Data and Risk Scoring: Data Protection Compliance for Health Insurers and InsurTech Platforms Under India’s DPDP Regime

Posted On - 11 February, 2026 • By - Aniket Ghosh

Introduction: Insurance as a Data-Driven Risk Engine

Health insurance has transformed from a largely actuarial exercise into a real-time, data-intensive risk management system. Today’s insurers and InsurTech platforms rely on continuous streams of personal data to underwrite risk, price premiums, adjudicate claims, prevent fraud and manage care pathways.

Across the ecosystem, insurers, third-party administrators (TPAs), hospitals, wellness partners and digital health platforms process highly sensitive information. This includes medical histories, diagnoses, claims records, prescriptions, laboratory results and, increasingly, lifestyle and behavioural data sourced from apps and wearables. These inputs are often combined to generate risk scores, fraud indicators and utilisation profiles.

Unlike discretionary consumer services, participation in health insurance is not meaningfully optional for anyone who needs coverage. Individuals must disclose intimate medical details to obtain a policy, a reimbursement or cashless care. This structural imbalance places health insurers among the highest-risk data fiduciaries under India’s data protection framework.

With the enactment of the Digital Personal Data Protection Act, 2023 (the DPDP Act) and the Digital Personal Data Protection Rules, 2025, long-standing insurance practices around consent, profiling, data sharing and retention now fall within the DPDP compliance framework and require fundamental reassessment.

Applicability of the DPDP Act to Health Insurance and InsurTech

The DPDP Act applies to any entity processing digital personal data. In the health insurance context, this includes public and private insurers, digital insurance platforms, TPAs, managed care and wellness partners, hospital networks, fraud analytics vendors and reinsurers where personal data is processed.

Jurisdiction is not limited to Indian-incorporated entities. The Act also reaches processing outside India where it is connected with offering goods or services to individuals within India, so foreign platforms and service providers handling the health data of Indian policyholders fall squarely within scope. Given the breadth of outsourcing and partnerships in health insurance, most market participants are touched by DPDP obligations.

Data Fiduciaries, Joint Control and Accountability Chains

Health insurance data flows are rarely linear. Insurers typically act as data fiduciaries, since they determine the purpose and means of processing for underwriting, pricing, claims and fraud prevention. TPAs may operate as data processors for routine administration, but they frequently assume a fiduciary role of their own (the Act treats any person who determines purpose and means "alone or in conjunction with other persons" as a data fiduciary) where they exercise discretion in claims adjudication or utilisation review.

Wellness partners, analytics providers and digital health platforms may themselves become data fiduciaries where they determine secondary uses of data or develop independent profiling models. Under the DPDP Act, accountability follows actual control over purpose and means, not contractual labels.

Large insurers and InsurTech platforms processing sensitive health data at scale are also likely candidates for designation as Significant Data Fiduciaries. Such designation brings enhanced governance obligations, including appointing a data protection officer based in India, engaging an independent data auditor and carrying out periodic data protection impact assessments, reflecting the systemic risk associated with health data misuse.

Health and Medical Data as High-Risk Personal Data

Health insurers process some of the most sensitive categories of personal data. This includes diagnoses, procedures, discharge summaries, chronic disease indicators, mental health information, genetic or hereditary data in certain products, and detailed claims and prescription histories.

Even derived outputs such as risk scores, utilisation flags or fraud indicators may qualify as personal data where they are linked to identifiable individuals. These insights often have real-world consequences for coverage, pricing and access to care.

Misuse or breach of health insurance data can lead to discrimination, exclusion, stigma and long-term financial or medical harm. Under the DPDP Act’s harm-based penalty framework, violations involving health data are therefore likely to attract heightened regulatory scrutiny.

Consent, Legal Basis and Purpose Limitation

The DPDP Act requires consent to be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action and capable of withdrawal at any time. In health insurance, meeting this standard is particularly challenging.

Insurance contracts frequently rely on broad, bundled consent clauses embedded in standard-form policies. These are often offered on a take-it-or-leave-it basis, with open-ended permissions for “risk management” or “service improvement”. Given the power imbalance between insurer and insured, such consents are legally vulnerable. Refusal or withdrawal may result in denial of coverage, delayed claims or loss of benefits.

For many core insurance activities, consent is not the most appropriate legal basis. The DPDP Act does not contain a general "contractual necessity" ground; instead, processing for underwriting, claims settlement and regulatory compliance is better grounded in the Act’s "legitimate uses", chiefly processing of data the individual has voluntarily provided for a specified purpose, and processing required to comply with a legal obligation. Whichever basis is relied on, it must be clearly documented, strictly limited to what is necessary for that purpose and cleanly separated from optional analytics, marketing or product development.

Using mandatory insurance processing as a gateway for secondary commercial use risks violating purpose limitation under the DPDP framework.

Underwriting, Risk Scoring and Profiling Obligations

Data-driven underwriting increasingly relies on historical claims data, lifestyle indicators and predictive analytics to assess risk and price products. While the DPDP Act does not prohibit such profiling, it imposes clear boundaries.

Risk scoring must be purpose-specific, proportionate and reasonably transparent to the insured. Opaque models that materially affect access, affordability or renewal without meaningful explanation create both compliance and reputational risk.

Automated decision-making systems may flag high-risk applicants, trigger enhanced scrutiny or influence exclusions and renewals. Insurers must be able to explain decision logic at a high level, provide grievance and review mechanisms, and guard against discriminatory outcomes based on sensitive inferences.

Claims Processing, Fraud Detection and Function Creep

Claims adjudication lies at the heart of health insurance and necessarily involves extensive data sharing among insurers, TPAs, hospitals and diagnostic centres. Such processing is generally defensible where it stays within the specified purpose for which the insured provided the data, or within another legitimate use recognised by the Act, provided it is proportionate, secure and well-governed.

Fraud detection tools, however, present additional risk. These systems may analyse provider behaviour, patient utilisation patterns and network associations. Where fraud analytics expand into continuous behavioural surveillance without clear limits or disclosure, insurers risk crossing into unlawful profiling.

Maintaining a clear boundary between legitimate fraud prevention and generalised monitoring is essential under the DPDP regime.

Data Sharing Across the Healthcare Ecosystem

Cashless care networks depend on real-time sharing of policy information, medical details and treatment approvals. Insurers must ensure data minimisation, clear role allocation between fiduciaries and processors, and robust contractual safeguards, including audit rights.

Many insurance products now integrate wellness programmes, fitness apps and wearable devices. While such integrations promise preventive care and engagement, using wellness data for premium discounts, renewal decisions or risk stratification without clear, granular consent raises significant DPDP risk. This is especially true where data was initially collected for “wellness” rather than insurance decision-making.

Cross-Border Transfers and Reinsurance

Health insurers frequently share data with global reinsurers, actuarial consultants and analytics providers. The DPDP Act takes a restriction-based approach to cross-border transfers: personal data may be transferred outside India except to countries or territories that the Central Government restricts by notification, and subject to any additional conditions imposed under the Rules or by sectoral regulators such as IRDAI, which already applies data localisation requirements to insurers.

Compliance requires careful mapping of reinsurance and analytics data flows, tracking of restricted jurisdictions and any transfer conditions as they are notified, and consideration of localisation, aggregation or anonymisation strategies. Reinsurance and vendor contracts may need revision to account for evolving transfer restrictions. Failure to anticipate these constraints can disrupt capital management and risk-sharing arrangements.

Data Breaches: Amplified Harm and Notification

A personal data breach triggers mandatory notification to the Data Protection Board of India and to each affected individual. The Act sets no materiality threshold: every breach must be notified, and the Rules require the Board to be informed without delay, with a detailed report to follow within 72 hours. Given the sensitivity of health data, insurers should expect the Board to examine these incidents closely.

Beyond DPDP enforcement, health insurance breaches can attract scrutiny from insurance regulators, invite consumer litigation and cause lasting reputational damage. Trust is foundational to health insurance markets, and data incidents strike at that core.

Penalties, Enforcement and Overlapping Regulation

The DPDP Act authorises monetary penalties of up to INR 250 crore per contravention (the ceiling applies to failures to maintain reasonable security safeguards), with the type and nature of the personal data affected among the factors the Board must weigh in fixing the amount. Health data violations therefore sit at the highest end of enforcement risk.

Insurers also face overlapping regulatory exposure from the Data Protection Board of India and from IRDAI. Inconsistent governance across these regimes can significantly amplify liability and remediation costs.

A Practical Compliance Roadmap for Health Insurers and InsurTech Platforms

Effective compliance begins with comprehensive data mapping and risk classification across health, wellness and derived datasets. Consent frameworks should be re-architected to unbundle permissions, rely on necessity where appropriate and strictly limit secondary use.

Insurers must strengthen governance around profiling and analytics, document model objectives and safeguards, and ensure accessible grievance mechanisms. Partner and TPA contracts should clearly allocate roles, impose DPDP-aligned safeguards and permit audits. Finally, breach preparedness should be integrated into existing IRDAI compliance and incident response playbooks.

Conclusion: Insurance, Dignity and Data Responsibility

India’s DPDP framework does not undermine risk-based health insurance. It insists that risk assessment must operate within boundaries of dignity, fairness and transparency.

Health insurers and InsurTech platforms that proactively redesign their data practices, curbing profiling excesses, respecting purpose limitations and strengthening accountability, will be best positioned to retain consumer trust, withstand regulatory scrutiny and build sustainable, data-driven health insurance models in India.