Six rules shaping AI in Indian healthcare and what they actually mean

India has six overlapping frameworks that together govern how healthcare AI is built, tested, approved, and used. Here is each one, decoded.

India’s healthcare AI story is moving fast. AI scribes are entering clinics, diagnostic models are supporting doctors, and hospitals are increasingly experimenting with automation across workflows.

But beneath the excitement sits a harder reality.

AI diagnostic performance can drop by 20% to 40% when applied to populations outside their training data. Up to 80% of health data used in global AI systems comes from limited geographic or demographic groups. And nearly 60% of clinical AI models are deployed without external validation.

In a country as vast and diverse as India, these statistics describe the real risk of putting undertested, biased AI into hospitals and clinics that serve hundreds of millions of people.

And the challenge isn’t that India lacks regulation. It’s that the rules are spread across multiple frameworks, policies, ethical guidelines, and operational layers, instead of one sweeping AI law.

In the April 2026 edition of AI Rules in India: A Healthcare Perspective, published by HealthInnovation Toolbox, researchers have brought together India’s fragmented AI-healthcare rules into one coherent view.

Drawing from the paper, in this article, we break down: what each framework does, why it matters, and what startups, hospitals, and healthtech companies actually need to pay attention to.

The six layers shaping healthcare AI in India

India’s healthcare AI ecosystem is structured across six key layers:

  • SAHI → guidance
  • BODH → validation
  • DPDP → data protection
  • ABDM → data exchange
  • ICMR → ethics
  • CDSCO → regulation

Together, they cover nearly the entire lifecycle of healthcare AI, from how systems are trained and validated to how patient data is shared, protected, and regulated in clinical settings.

SAHI: The guidance layer

SAHI (Strategy for Artificial Intelligence in Healthcare for India) acts as the ecosystem’s north star. It is the guiding framework that defines how AI should be built and used and what “good healthcare AI” should look like in the Indian context.

A model can achieve impressive accuracy scores in a lab and still fail in the real world. India’s healthcare system is too diverse for one-size-fits-all AI. Disease patterns, languages, access to care, infrastructure quality, and patient demographics vary massively across regions.

SAHI pushes developers to think beyond benchmark scores.

The framework emphasises:

  • reliability across diverse populations
  • interpretability for clinicians
  • transparency around limitations
  • accountability when systems fail
  • understandable to clinicians

There is no formal compliance checklist attached to SAHI. But the expectations it sets are increasingly influencing hospitals, regulators, and enterprise buyers.

For startups building AI tools, SAHI signals that a model working well for urban tertiary-care hospitals alone is no longer enough. Buyers increasingly want proof that systems can generalise across different care environments.

For global companies entering India, it is a direct message: solutions validated in other markets need meaningful adaptation to local data, workflows, and population diversity before they belong here.

BODH: The validation layer

If SAHI defines the philosophy, BODH focuses on proving whether the AI actually works.

BODH (Benchmarking Open Data Platform for Health AI) tests AI systems before they are deployed. It is crucial because many models perform well in controlled environments but struggle in real clinical deployment.

The framework pushes for external validation.

How BODH works

Under BODH, testing your model on the same type of data it was trained on is not enough.

For instance, suppose you are building a pneumonia detection tool using imaging data from large urban hospitals. BODH expects you to test that system on datasets from rural hospitals, too. If accuracy drops, your model is not reliable.

It also emphasises error analysis.

If a triage system consistently misclassifies high-risk patients, developers are expected to investigate and identify why:

  • Was the training data biased?
  • Were patient histories incomplete?
  • Did infrastructure quality affect outputs?
  • Were some demographic groups underrepresented?

What this means in practice

For developers, BODH raises the operational burden and the credibility bar.

External validation, multi-site testing, and performance consistency across diverse settings are essential. A startup that validates across ten hospitals will likely inspire far more trust than one validated at a single institution.

For hospitals, BODH introduces a more cautious mindset around procurement. AI vendors increasingly need evidence, not just claims.

DPDP: The data protection layer

The Digital Personal Data Protection (DPDP) Act 2023 governs how personal data is handled in India.

Among all six frameworks, DPDP is the only enforceable law. Everything else in this ecosystem largely functions as guidance, strategy, or operational architecture.

Almost every healthcare interaction generates personal data: diagnoses, prescriptions, scans, lab reports, consultation notes, wearable data, insurance information, etc.

DPDP governs how all of that data can be collected, processed, stored, and shared. The law applies to anyone handling the personal data of Indian citizens, regardless of where your company is headquartered.

The Act empowers the Data Protection Board of India to investigate violations and impose financial penalties of up to Rs 250 crore per instance of breach, depending on the nature and severity of the violation.

Five core principles of DPDP

1. Consent: Patients must knowingly agree to how their data is being used, and that consent must be specific to the purpose.

2. Purpose limitation: Data collected for one reason cannot quietly be repurposed for another. For example, billing data cannot be used for training an AI model.

3. Data minimisation: Collect only the data you genuinely need, nothing more.

4. Security: Healthcare organisations are expected to secure data at every stage of storage, transfer, and processing.

5. User rights: Patients can request access to, corrections to, or deletion of their information.

For healthcare AI companies, DPDP changes data strategy completely. “Collect everything now and figure out use cases later” is becoming a far riskier approach.

ABDM: The data exchange layer

One of India’s biggest healthcare problems has always been fragmentation.

A patient’s records at one hospital often have no connection to another hospital, diagnostic lab, pharmacy, insurance platform or health app. Doctors work with incomplete information. AI systems train on disconnected silos.

ABDM (Ayushman Bharat Digital Mission) is India’s attempt to solve that infrastructure problem. It is India’s national framework for health data exchange.

Its backbone is the ABHA ID, a unique health identifier that links a patient’s records across healthcare systems, while keeping consent explicitly under patient control. The patient decides what gets shared and with whom.

How it works

ABDM focuses on:

  • interoperability between systems
  • consent-based data sharing
  • standardised health data formats
  • connected provider networks
  • unique health identifiers

The goal is not just digitisation. It is interoperability at the national scale.

What this means for companies

For startups and healthcare providers, ABDM integration is the baseline requirement. It includes:

  • supporting ABHA IDs
  • integrating with ABDM’s Health Information Exchange
  • following national health data standards
  • enabling consent management workflows

Ignoring ABDM does not just create a compliance risk. It increasingly means building a product that cannot connect to India’s growing health data network, which is a significant competitive disadvantage as the ecosystem matures.

ICMR: The ethics layer

The ICMR layer focuses on ensuring that AI systems in healthcare are used in a safe, fair, and responsible manner. In clinical settings, even small errors or biases can lead to serious consequences, which makes ethical oversight essential.

ICMR emphasises that AI systems must deliver consistent outcomes across different patient groups. For example, if a diagnostic model performs well on urban populations but underperforms for rural patients, it can lead to unequal care.

Similarly, AI recommendations should be understandable to clinicians. If a system provides outputs without clear reasoning, it becomes difficult to trust and use in decision-making.

Black-box outputs may work in consumer tech. In healthcare, they create hesitation and risk.

One of ICMR’s strongest positions is its push for India-centric training data.

Many global AI systems are trained predominantly on Western populations. But disease prevalence, genetic diversity, environmental exposure, and healthcare access patterns differ significantly in India.

That means imported models may not behave the same way here.

ICMR is essentially arguing for contextual AI: systems trained and validated for Indian realities rather than simply adapted from elsewhere.

CDSCO: The regulatory layer

CDSCO (Central Drugs Standard Control Organisation) is India’s national regulatory authority for medical devices.

As AI systems move into diagnostics, clinical decision support, and treatment planning, many of them cross a threshold. They become Software as a Medical Device, or SaMD.

Once that happens, they are treated much more like regulated medical technologies than ordinary software products.

And CDSCO becomes a gatekeeper they must pass before deployment.

How it works

CDSCO uses a risk-based classification approach. The higher the clinical impact of your system, the more rigorous the scrutiny.

For example:

  • An appointment scheduling assistant faces relatively lighter oversight
  • A cancer diagnosis support tool faces significantly stricter evaluation

Also, approval is not the final line.

CDSCO expects post-market surveillance. Once deployed, companies must continue monitoring how systems behave in the real world and report adverse events.

What this means for builders

For healthtech startups, this changes timelines, documentation requirements, and go-to-market planning.

Clinical AI increasingly requires:

  • regulatory documentation
  • risk assessments
  • evidence generation
  • ongoing monitoring systems

This shows that healthcare AI is no longer being viewed purely as software. In many cases, it is being treated as clinical infrastructure.

Looking forward

These six frameworks differ in scope, enforcement, and maturity. But they all point toward the same larger direction: India wants healthcare AI to scale responsibly.

The country is trying to build guardrails early instead of reacting after large-scale failures emerge.

At the same time, the frameworks remain fragmented. There is no single-window system that helps companies understand:

  • which rules apply to them
  • how approvals connect
  • what compliance path they should follow

This lack of a unified system increases complexity and slows innovation.

Going forward, India can create a more coordinated approach, such as a single-window system or integrated guidelines, to make rules easier to navigate.

This would reduce friction, make compliance clearer, and help startups build and scale faster while still maintaining safety and trust.

Because ultimately, the goal is to ensure that the AI entering hospitals is safe, reliable, transparent, and built for the realities of Indian healthcare.

-By Rinkle Dudhani and the AHT Team
