
HIPAA Compliance Guide for Indian Healthcare and IT Companies

Indian healthcare providers, medical billing firms, transcription services, telemedicine platforms, AI diagnostic vendors and health-tech startups serving US covered entities are subject to HIPAA. The Privacy Rule, Security Rule and Breach Notification Rule all apply. Here is the practical compliance guide.

Published 23 May 2026 | 9 min read | Codesecure Compliance Practice

Key Takeaways

  • HIPAA applies to Indian companies as Business Associates when they process Protected Health Information (PHI) on behalf of US Covered Entities.
  • The Privacy Rule governs use and disclosure of PHI. The Security Rule governs administrative, physical and technical safeguards. The Breach Notification Rule governs notification.
  • Business Associate Agreement (BAA) is the contractual mechanism. Indian Business Associates sign BAAs with US Covered Entities; their Indian subcontractors sign downstream BAAs.
  • Security Rule safeguards: 18 administrative standards, 4 physical, 5 technical, each marked Required or Addressable.
  • Penalties: up to USD 1.5 million per year for identical violations, plus state Attorney General actions and HHS enforcement.

Who Must Comply

HIPAA applies to Covered Entities (healthcare providers, health plans, healthcare clearinghouses) and Business Associates (parties processing PHI on behalf of Covered Entities). Indian companies are almost never Covered Entities (which require US healthcare licensure) but very commonly are Business Associates.

Common Indian Business Associate scenarios: medical transcription companies, revenue cycle management firms, claims processing, hospital IT outsourcing, telemedicine platforms, AI diagnostic services, EHR vendors, hosting providers, data analytics firms processing PHI, medical billing companies.

Subcontractors of Business Associates are themselves Business Associates and must sign downstream BAAs. The chain extends through every party that touches PHI.

What PHI Is

Protected Health Information is individually identifiable health information created or received by a Covered Entity or Business Associate. It includes demographics, medical history, test results, insurance information, payment information, and anything that identifies the individual when combined with health information.

De-identified data (with all 18 HIPAA identifiers removed per Safe Harbor method, or statistically verified by Expert Determination) is not PHI and not subject to HIPAA. Most working data in Indian Business Associate operations is identifiable PHI; de-identification is an exception case.
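As an added illustration (not code from the original post or from Codesecure), the following Python applies a subset of the Safe Harbor rules to a constructed record: direct identifiers dropped, dates reduced to the year, ages over 89 aggregated, ZIP codes truncated to three digits. The field names and the sparse-ZIP set are assumptions; the real list of sparse three-digit ZIP areas comes from census data.

```python
"""Safe Harbor de-identification of a constructed PHI record (subset of rules).

Direct identifiers are dropped, dates keep only their year, ages over 89
become "90+", and ZIP codes keep three digits (or "000" for sparse areas).
"""
import re
from datetime import date

# Field keys removed outright (assumed field names; a subset of the 18).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "address", "ip"}

# Three-digit ZIP prefixes covering 20,000 or fewer people must become "000".
# Constructed placeholder set; the real list is derived from census data.
SPARSE_ZIP3 = {"036", "059", "102"}

def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the initial three digits, or 000 for a sparse area."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3

def safe_harbor_age(dob: date, as_of: date) -> str:
    """Age in whole years, with everyone over 89 collapsed into one band."""
    age = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        age -= 1
    return "90+" if age > 89 else str(age)

def deidentify(record: dict, as_of: date) -> dict:
    """Return a copy of the record with Safe Harbor identifiers removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if key == "zip":
            out[key] = safe_harbor_zip(value)
        elif key == "dob":
            out["age"] = safe_harbor_age(value, as_of)  # birth date never kept
        elif isinstance(value, date):
            out[key] = str(value.year)  # only the year of other dates remains
        else:
            out[key] = value
    return out

# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-0001", "zip": "03601-1234",
    "dob": date(1930, 1, 1), "admitted": date(2025, 11, 4),
    "diagnosis_code": "E11.9",
}
```

Free-text fields (clinical notes) are not handled here and need their own identifier scrubbing before a record can be called de-identified.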


Privacy Rule

The Privacy Rule governs how PHI can be used and disclosed. Permitted uses are treatment, payment and healthcare operations (TPO); other uses require patient authorisation. The minimum necessary standard applies: limit access to PHI to the minimum necessary to accomplish the purpose.

Individual rights under the Privacy Rule include: notice of privacy practices, access to PHI, amendment, accounting of disclosures, request restrictions, confidential communications. Indian Business Associates typically do not interact directly with patients but support the Covered Entity's fulfilment of these rights.

Security Rule Safeguards

The Security Rule prescribes safeguards for electronic PHI (ePHI). Three categories: Administrative (security management process, workforce security, training, contingency plan, evaluation, BAAs), Physical (facility access controls, workstation security, device and media controls), Technical (access control, audit controls, integrity, transmission security).

Each safeguard is marked Required (must implement) or Addressable (must implement or document why an equivalent measure is sufficient). The Required versus Addressable distinction is often misread; an Addressable specification is not optional.

Common Indian Business Associate gaps:

  • workforce training inconsistent
  • contingency plan documented but not exercised
  • audit controls not centralised
  • transmission encryption gap (TLS deployed but verified weakly)
  • workstation security inconsistent
  • device disposal not formally tracked

Breach Notification Rule

A breach is acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. A risk assessment determines whether there is a low probability that PHI has been compromised; without that demonstration, the incident is presumed to be a breach.

Notification: Business Associate notifies Covered Entity without unreasonable delay and no later than 60 days from discovery. The Covered Entity then notifies affected individuals, HHS, and (for breaches affecting 500 or more individuals) the media.

Indian Business Associate IR plans must integrate HIPAA notification timing (60 days to Covered Entity) alongside Indian regulatory timing (CERT-In 6 hours, DPDP per rules). Parallel notification handling is essential.


Business Associate Agreement (BAA)

The BAA is the contractual mechanism that makes the Indian Business Associate directly liable for HIPAA compliance for the PHI it processes. Standard BAA provisions include: permitted uses and disclosures, safeguards required, subcontractor obligations, reporting of breaches and security incidents, access and amendment support, accounting of disclosures, return or destruction of PHI at termination.

Codesecure delivers BAA-readiness engagements for Indian health-tech that map every BAA requirement to a concrete control implemented in the Indian operations, with evidence the US Covered Entity can verify before signing. See our companion BAA readiness blog for the checklist.

Penalties and DPDP Overlap

HIPAA penalties are tiered by knowledge and culpability: USD 100 to 50,000 per violation, with annual caps from USD 25,000 to USD 1.5 million for identical violations. State Attorneys General can also enforce, and knowing violations can carry criminal penalties.

Indian healthcare entities are also subject to the DPDP Act 2023 for personal data of Indian residents. The two regimes overlap meaningfully: HIPAA covers PHI of US patients, DPDP covers personal data of Indian residents (including health data). A unified compliance programme covering both is the efficient approach; control overlap is roughly 60 to 70 percent.


Frequently Asked Questions

Does HIPAA apply to Indian healthcare providers serving only Indian patients?

Generally no. HIPAA applies to PHI of US patients. Indian patient data is governed by the DPDP Act and sector-specific Indian regulations. HIPAA obligations come into play only when Indian providers serve US patients or US Covered Entities.

Can a single Indian company be subject to both HIPAA and DPDP?

Yes, and many are. A medical transcription company serving US hospitals (HIPAA) and Indian patients (DPDP) sits under both regimes simultaneously. Unified programmes are essential.

Who enforces HIPAA?

HHS Office for Civil Rights (OCR) is the primary enforcer. State Attorneys General can also enforce. OCR audits and complaint investigations are the typical enforcement triggers.

What about HIPAA compliance for cloud workloads?

AWS, Azure and GCP offer HIPAA-eligible services with BAA support. Indian health-tech building on these platforms must sign BAAs with the cloud provider, restrict PHI to HIPAA-eligible services, and apply the customer-side safeguards (encryption, access control, audit). Codesecure delivers HIPAA-aligned cloud architecture engagements.

Do we need HITRUST certification?

HITRUST is a private certification framework that includes HIPAA mapping plus other controls (NIST, PCI, GDPR). It is not required by HIPAA itself but is increasingly requested by US Covered Entities as a single assurance instrument. Codesecure delivers HITRUST readiness for Indian health-tech that needs it.

Can Codesecure help us with HIPAA?

Yes. Codesecure delivers HIPAA gap assessment, Security Rule implementation, BAA readiness, breach response integration and ongoing programme management for Indian health-tech serving US Covered Entities.


Codesecure Compliance Practice

ISO 27001 LA / CISSP / CISA Certified

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers compliance programmes covering ISO 27001, SOC 2, PCI DSS, DPDP, HIPAA, GDPR, RBI, SEBI, IRDAI and NIST CSF for Indian businesses. Named ISO 27001 Lead Auditor, CISSP and CISA consultants. 150+ engagements across India, Singapore, UAE and the Middle East.
