Key Takeaways
- Indian health-tech, BPO and RCM providers serving US healthcare are Business Associates under HIPAA. You are in scope regardless of where you operate from.
- BAA (Business Associate Agreement) is the contractual gate. US Covered Entities cannot legally share PHI without an executed BAA with you.
- HIPAA Security Rule mandates administrative, physical and technical safeguards (45 CFR 164.308-312). The technical safeguards overlap heavily with ISO 27001 Annex A.
- Penalties are real: civil penalties up to USD 2 million per violation category per year, plus state AG involvement, plus HITECH breach notification requirements.
- BAA-ready in 3-5 months for typical Indian health-tech with existing ISO 27001 ISMS. Without ISO 27001 foundation: 4-6 months.
Why Indian Health-Tech Cannot Skip HIPAA
HIPAA (Health Insurance Portability and Accountability Act) is a US federal regulation, but it applies extraterritorially to any organisation that handles US Protected Health Information (PHI). Indian companies serving US healthcare customers are Business Associates under HIPAA, regardless of where they operate from. The Act is enforced by the US Department of Health and Human Services Office for Civil Rights (HHS OCR), with cooperation from state attorneys general.
For Indian health-tech, BPO, RCM (Revenue Cycle Management), telehealth, medical device firms and pharmacy benefit managers serving US clients, HIPAA is a contractual gate. US Covered Entities (health plans, providers, clearinghouses) cannot legally share PHI without an executed Business Associate Agreement (BAA) with you. Without HIPAA-aligned controls and a BAA, your US clients legally cannot send you the data, and your business stops.
HIPAA penalties are real and large. Civil penalties range up to USD 2 million per violation category per year. HITECH adds mandatory breach notification with state-AG involvement. Indian press has reported multi-million-dollar settlements involving Indian BPOs after PHI exposure incidents. Beyond penalties, a HIPAA violation typically ends the customer relationship and creates a reputational headwind for years.
Are You a Business Associate? Scope Clarification
A Business Associate under HIPAA is any organisation that creates, receives, maintains or transmits PHI on behalf of a Covered Entity, or that performs functions or activities on behalf of a Covered Entity that involve the use or disclosure of PHI.
Clearly In Scope as Business Associate
Indian health-tech SaaS processing US patient data (EHR/EMR products, clinical workflow, telehealth platforms, prior-authorisation tools, patient engagement apps). Indian BPO and RCM providers handling US claims, eligibility, denials, collections. Indian medical transcription services. Indian software development firms building healthcare products under contract for US clients (you handle their PHI during development, testing, support). Indian cloud providers serving US healthcare customers (rare for India-based cloud providers, more common for India-based managed services on top of AWS/Azure/GCP). Indian pharmacy benefit managers serving US plans.
Probably In Scope (Sub-Business Associate)
Indian software vendors selling to US Business Associates (you may have a sub-BAA obligation). Indian IT services providing infrastructure or development support to US Business Associates. Indian KPO providers doing data analytics or research on PHI for US clients. Indian customer support providers handling US healthcare patient calls. Indian marketing services for US healthcare clients (depending on whether marketing data overlaps with PHI).
Probably NOT in Scope
Indian companies serving only Indian healthcare (Indian patient data is governed by DPDP Act 2023, not HIPAA). Indian companies serving US clients but not healthcare (no PHI handled). Indian companies handling only de-identified data (HIPAA-safe harbour de-identification, with specific technical criteria). Indian companies handling only synthetic test data (engineered to look like PHI but actually fictional).
Need a Compliance Programme?
Codesecure runs HIPAA, GDPR, NIST CSF, DPDP, ISO 27001 and SOC 2 compliance programmes for Indian businesses. Fixed-fee engagements, named consultants, ISO/IEC 27001:2022 certified delivery, audit-ready evidence packs.
BAA Readiness Checklist: 10 Items to Complete Before Signing
Before a US Covered Entity will sign a BAA with you, they typically run vendor security due diligence. The Indian Business Associates who pass smoothly have these 10 items in place:
1. Documented HIPAA Risk Analysis
Formal risk analysis per 45 CFR 164.308(a)(1)(ii)(A). Identifies threats and vulnerabilities to PHI confidentiality, integrity and availability. Documents likelihood, impact and risk-treatment decisions. Most US Covered Entities ask for the latest risk analysis date and a summary during due diligence. Codesecure produces this as part of HIPAA engagement, refreshed annually.
2. Administrative Safeguards Documented (164.308)
Security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency plan, evaluation, BAA management. Specific policies for each. Many overlap with ISO 27001 Annex A.5 and A.6 controls.
3. Physical Safeguards Documented (164.310)
Facility access controls, workstation use, workstation security, device and media controls. For Indian Business Associates operating from offices: badge access, visitor management, clean desk policy, removable media controls. For cloud-only operations: document which physical-safeguard items apply to the data centres of your AWS/Azure/GCP region and are inherited under the cloud provider's own BAA, rather than implemented by you.
4. Technical Safeguards Documented and Implemented (164.312)
Access control (unique user identification, emergency access, automatic logoff, encryption and decryption), audit controls, integrity controls, person or entity authentication, transmission security (encryption in transit). These are the controls US Covered Entity security teams test most rigorously during due diligence.
5. Encryption At Rest and In Transit
PHI must be encrypted in transit (TLS 1.2+, modern cipher suites). PHI at rest must be encrypted using AES-256 or stronger. Document encryption inventory: what PHI is stored where, with what encryption. Failure to encrypt PHI is the #1 finding US Covered Entities flag in vendor due diligence. Indian BAs often have database-level encryption but miss application-layer fields or backup encryption.
6. Access Control with MFA and Least Privilege
Unique user accounts (no shared accounts), MFA on all admin access plus PHI-touching access, role-based access control with documented role-to-permission mapping, quarterly access review, immediate revocation on employee departure. Documented access provisioning and deprovisioning procedures.
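A quarterly access review is easier to evidence when it is produced by a script rather than a spreadsheet. The following is an added example, not Codesecure's tooling and not code from the page: it takes a constructed IAM export, a constructed role-to-permission mapping and a constructed HR departures list, and flags the conditions the item above calls out (shared accounts, missing MFA on admin or PHI-touching access, permissions outside the documented role mapping, accounts still active after an employee's departure). Account names, roles, permission strings and dates are all invented for illustration.

```python
"""Quarterly access review for PHI-touching accounts (added example, constructed data)."""
from datetime import date

# Constructed role-to-permission mapping: the documented baseline each role is allowed.
ROLE_PERMISSIONS = {
    "billing_analyst": {"claims:read", "claims:update"},
    "support_agent": {"patients:read"},
    "db_admin": {"db:admin", "claims:read", "patients:read"},
}
# Constructed classification of which permissions touch PHI or grant admin rights.
PHI_PERMISSIONS = {"claims:read", "claims:update", "patients:read", "db:admin"}
ADMIN_PERMISSIONS = {"db:admin", "iam:admin"}

# Constructed IAM export: one entry per account as a directory or cloud IAM dump might provide it.
ACCOUNTS = [
    {"account": "asha.k", "owners": ["asha.k"], "role": "billing_analyst",
     "permissions": {"claims:read", "claims:update"}, "mfa": True, "active": True},
    {"account": "ravi.m", "owners": ["ravi.m"], "role": "support_agent",
     "permissions": {"patients:read", "claims:update"}, "mfa": True, "active": True},
    {"account": "dba01", "owners": ["priya.n"], "role": "db_admin",
     "permissions": {"db:admin", "claims:read", "patients:read"}, "mfa": False, "active": True},
    {"account": "ops-shared", "owners": ["sunil.r", "meera.t"], "role": "support_agent",
     "permissions": {"patients:read"}, "mfa": True, "active": True},
    {"account": "karan.v", "owners": ["karan.v"], "role": "billing_analyst",
     "permissions": {"claims:read"}, "mfa": True, "active": True},
    {"account": "svc.report", "owners": ["svc.report"], "role": "reporting",
     "permissions": {"claims:read"}, "mfa": True, "active": True},
    {"account": "old.admin", "owners": ["old.admin"], "role": "db_admin",
     "permissions": {"db:admin"}, "mfa": False, "active": False},
]
# Constructed HR feed: employee id -> last working day.
HR_DEPARTURES = {"karan.v": date(2024, 2, 15)}


def access_review(accounts, role_permissions, departures, review_date):
    """Return a list of findings; each finding is a dict with account, kind and detail."""
    findings = []
    for acct in accounts:
        if not acct["active"]:
            continue  # disabled accounts are out of scope for this review
        name = acct["account"]
        perms = set(acct["permissions"])
        sensitive = bool(perms & (PHI_PERMISSIONS | ADMIN_PERMISSIONS))

        # Shared accounts: more than one human owner means no unique user identification.
        if len(acct["owners"]) > 1:
            findings.append({"account": name, "kind": "shared_account",
                             "detail": "owners=" + ",".join(acct["owners"])})
        # MFA is mandatory on admin access and on any PHI-touching access.
        if sensitive and not acct["mfa"]:
            findings.append({"account": name, "kind": "missing_mfa",
                             "detail": "sensitive permissions without MFA"})
        # Every role must have a documented permission baseline; unmapped roles cannot be reviewed.
        baseline = role_permissions.get(acct["role"])
        if baseline is None:
            findings.append({"account": name, "kind": "unmapped_role", "detail": acct["role"]})
        else:
            excess = perms - baseline
            if excess:
                findings.append({"account": name, "kind": "permission_outside_role",
                                 "detail": ",".join(sorted(excess))})
        # Departed users must be revoked immediately; report how many days the account outlived them.
        for owner in acct["owners"]:
            left = departures.get(owner)
            if left is not None and left < review_date:
                findings.append({"account": name, "kind": "departed_user_active",
                                 "detail": f"{owner} left {(review_date - left).days} days ago"})
    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count} for the review report."""
    summary = {}
    for f in findings:
        summary[f["kind"]] = summary.get(f["kind"], 0) + 1
    return summary


if __name__ == "__main__":
    for f in access_review(ACCOUNTS, ROLE_PERMISSIONS, HR_DEPARTURES, date(2024, 3, 31)):
        print(f"{f['kind']:24} {f['account']:12} {f['detail']}")
```

Each finding maps to a remediation owner: shared and departed-user accounts go to IAM for revocation, missing MFA goes to the identity provider policy, and excess permissions go back to the role owner to either revoke or update the documented mapping. Keeping the output as structured findings, rather than printed text, is what lets you attach it to the due-diligence evidence pack quarter after quarter.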
7. Audit Logging and Monitoring
All PHI access logged. Logs include: who accessed, what data, when, from where, action taken. Logs retained for at least 6 years per HIPAA. Centralised log aggregation (cloud-native or SIEM). Alerting on suspicious patterns (mass downloads, off-hours access, repeated failed authentications). Codesecure managed SOC for SMBs covers this for Indian BAs.
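To make the logging requirement concrete, here is an added example (not Codesecure's SOC tooling and not code from the page) that runs the three alert patterns named above over a constructed PHI access log: mass downloads, off-hours access and repeated failed authentications. It also flags any record that lacks one of the who/what/when/where/action fields, since an incomplete record is itself a finding. The pipe-delimited log format, the thresholds (50 exports in 15 minutes, 5 failures in 10 minutes, working hours 08:00 to 20:00) and every user, IP and record id are constructed assumptions, not values from any real system.

```python
"""Audit-log review for PHI access events (added example; format, thresholds and data constructed)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Who / what / when / where / action: every PHI access record must carry all five.
REQUIRED_FIELDS = ("ts", "user", "src_ip", "action", "record_id")


def build_sample_log():
    """Constructed sample log: one pipe-delimited key=value record per line (not real data)."""
    lines = [
        "ts=2024-03-04T02:40:00|user=ravi.m|src_ip=10.1.7.9|action=view|record_id=P2001",
        "ts=2024-03-04T09:12:01|user=asha.k|src_ip=10.1.4.22|action=view|record_id=P1001",
        "ts=2024-03-04T09:13:10|user=asha.k|src_ip=10.1.4.22|action=update|record_id=P1001",
    ]
    base = datetime(2024, 3, 4, 10, 0, 0)  # 60 exports in ten minutes by one service account
    lines += [f"ts={(base + timedelta(seconds=10 * i)).isoformat()}|user=svc.export"
              f"|src_ip=10.1.9.3|action=export|record_id=P{3000 + i}" for i in range(60)]
    base = datetime(2024, 3, 4, 11, 0, 0)  # six failed logins from one source in three minutes
    lines += [f"ts={(base + timedelta(seconds=30 * i)).isoformat()}|user=unknown"
              f"|src_ip=203.0.113.5|action=auth_fail|record_id=-" for i in range(6)]
    lines.append("ts=2024-03-04T12:00:00|user=neha.s|action=view")  # incomplete record
    return lines


def parse_line(line):
    """Return (event dict, []) or (None, [missing field names]) for an incomplete record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        return None, missing
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields, []


def _in_window(times, now, window):
    """Drop timestamps older than the window and return how many remain."""
    while times and now - times[0] > window:
        times.pop(0)
    return len(times)


def review(lines, work_start=8, work_end=20, export_limit=50, export_window=timedelta(minutes=15),
           fail_limit=5, fail_window=timedelta(minutes=10)):
    """Run the detections over log lines and return a list of alert dicts."""
    alerts, exports, failures, raised = [], defaultdict(list), defaultdict(list), set()
    for n, line in enumerate(lines, 1):
        ev, missing = parse_line(line)
        if ev is None:
            alerts.append({"kind": "incomplete_record", "line": n, "detail": ",".join(missing)})
            continue
        # Off-hours access: any successful PHI action outside working hours, once per user per day.
        key = ("off_hours_access", ev["user"], ev["ts"].date())
        if ev["action"] != "auth_fail" and not (work_start <= ev["ts"].hour < work_end) and key not in raised:
            raised.add(key)
            alerts.append({"kind": "off_hours_access", "user": ev["user"], "detail": ev["ts"].isoformat()})
        # Mass download: too many exports by one user inside a sliding window, alerted once per user.
        if ev["action"] == "export":
            exports[ev["user"]].append(ev["ts"])
            count = _in_window(exports[ev["user"]], ev["ts"], export_window)
            if count >= export_limit and ("mass_export", ev["user"]) not in raised:
                raised.add(("mass_export", ev["user"]))
                alerts.append({"kind": "mass_export", "user": ev["user"], "detail": f"{count} exports"})
        # Repeated failed authentication: counted per source address, alerted once per source.
        if ev["action"] == "auth_fail":
            failures[ev["src_ip"]].append(ev["ts"])
            count = _in_window(failures[ev["src_ip"]], ev["ts"], fail_window)
            if count >= fail_limit and ("repeated_auth_failure", ev["src_ip"]) not in raised:
                raised.add(("repeated_auth_failure", ev["src_ip"]))
                alerts.append({"kind": "repeated_auth_failure", "src_ip": ev["src_ip"], "detail": f"{count} failures"})
    return alerts


def summarize(alerts):
    """Count alerts by kind for the monitoring report."""
    return dict(Counter(a["kind"] for a in alerts))


if __name__ == "__main__":
    for a in review(build_sample_log()):
        print(a)
```

The same logic ports to a SIEM rule or a cloud-native log query; the value of a stand-alone version is that it can be re-run over an exported log during due diligence to show a Covered Entity exactly which patterns are alerted on and at what thresholds.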
8. Workforce Security Awareness Training
All workforce members trained on HIPAA basics before accessing PHI. Annual refresher training. Documented training records (who completed, when, score on assessment). Role-specific training for higher-risk roles (database admins, security team, customer support handling PHI). HHS OCR investigations frequently identify training gaps as a contributing factor in breaches.
9. Breach Notification Playbook
60-day breach notification clock under HITECH (notification to Covered Entity, then onward to HHS and affected individuals). Documented playbook with: detection criteria, severity classification, risk-of-compromise analysis (4 factors per HHS guidance), notification templates, escalation paths. Tabletop exercise the playbook annually. Codesecure includes this in the HIPAA engagement.
10. BAA Template Reviewed By Legal
Have your own BAA template reviewed by US healthcare counsel (or US-trained Indian counsel familiar with HIPAA). Most US Covered Entities will use their own BAA template; some will accept yours. Your template should be ready as a fallback. Also review every upstream BAA from your Covered Entity customers carefully: some include unreasonable indemnification, data localisation requirements, or audit rights you cannot operationalise.
How HIPAA Overlaps with ISO 27001 (60-70 Percent)
If your Indian health-tech already runs ISO 27001:2022, you have done 60-70 percent of the HIPAA implementation work. ISO 27001 Annex A.5, A.6, A.7 and A.8 cover the administrative, physical and technical safeguards that HIPAA Security Rule requires. The marginal work for HIPAA is: HIPAA-specific risk analysis methodology, BAA template, Privacy Rule alignment, breach notification under HITECH (60-day clock), workforce training tailored to HIPAA, accounting of disclosures.
Indian Business Associates without ISO 27001 face a longer programme: 4-6 months versus 3-4 months. Codesecure typically recommends running combined ISO 27001 + HIPAA programmes for Indian health-tech that does not yet have either, because the combined programme costs only 1.3-1.5x of either alone and produces an ISMS that satisfies both frameworks.
Frequently Asked Questions
Do Indian companies serving US healthcare actually need HIPAA?
Yes, if you create, receive, maintain or transmit US Protected Health Information on behalf of a US Covered Entity, you are a Business Associate under HIPAA. The Act applies extraterritorially. Most US Covered Entities will not sign a BAA without evidence of HIPAA-aligned controls, and without the BAA they cannot legally share PHI with you. This is a contractual blocker, not just a regulatory nice-to-have.
How long does HIPAA programme implementation take for Indian Business Associates?
3-5 months for typical Indian health-tech with existing ISO 27001:2022 ISMS. 4-6 months for organisations starting fresh. Codesecure phase structure: weeks 1-2 scoping and risk analysis, weeks 3-6 Security Rule implementation, weeks 7-10 Privacy Rule and workforce training, weeks 11-14 breach playbook and BAA readiness, weeks 15-20 internal pre-audit and remediation.
What is the difference between HIPAA Covered Entity and Business Associate?
Covered Entity is a health plan, healthcare provider or healthcare clearinghouse in the US that directly handles PHI for healthcare operations. Business Associate is anyone who handles PHI on behalf of a Covered Entity (including Indian outsourcing partners). Both have HIPAA obligations; Business Associates have a contractual obligation via BAA plus direct HHS OCR liability under HITECH. Most Indian healthcare-adjacent companies are Business Associates, not Covered Entities.
Can HIPAA-related work satisfy our DPDP Act obligations for Indian patient data?
Partially. HIPAA covers US PHI; DPDP covers digital personal data of Indian Data Principals. The underlying controls overlap significantly (encryption, access management, audit logging, incident response). If you process both US PHI and Indian patient data, run combined HIPAA + DPDP programmes. Codesecure runs these combined programmes for Indian health-tech with mixed US and Indian customer bases.
What about ISO 27017 (cloud) and HITRUST?
ISO 27017 (cloud-specific extension to ISO 27001) helps if you operate as a cloud Business Associate. HITRUST is a US healthcare-specific framework that some Covered Entities prefer over plain HIPAA. HITRUST certification is significantly more expensive than a HIPAA programme (USD 50K-200K+ for HITRUST CSF certification vs INR 1.5L-4L for the Codesecure HIPAA programme). Most Indian BAs achieve HIPAA + ISO 27001 first and add HITRUST only if a specific large Covered Entity customer demands it.
Will our HIPAA programme satisfy a SOC 2 audit?
Largely yes. HIPAA Security Rule controls map cleanly to SOC 2 Common Criteria CC6, CC7, CC8. SOC 2 audit additionally requires the CPA attestation and the AICPA Trust Service Criteria framing. Most Indian health-tech serving US Covered Entities runs combined HIPAA + SOC 2 programmes because: HIPAA satisfies the BAA gate, SOC 2 satisfies the broader vendor due diligence.
Do you provide the BAA legal review or only the technical compliance?
Codesecure delivers the technical compliance programme (Security Rule implementation, Privacy Rule alignment, risk analysis, breach playbook, workforce training, BAA template review for technical aspects). Legal review of the BAA terms must be done by US healthcare counsel or US-trained Indian counsel familiar with HIPAA. We coordinate with legal counsel on the technical clauses but do not provide legal opinions ourselves.
Get HIPAA BAA-Ready in 3-5 Months With a Fixed-Fee Programme
Codesecure runs HIPAA compliance programmes for Indian Business Associates end to end. Risk analysis, Security Rule and Privacy Rule build, BAA template, breach playbook, workforce training. ISO/IEC 27001:2022 certified delivery, fixed-fee engagements.