HIPAA — the Health Insurance Portability and Accountability Act of 1996, plus its Privacy Rule, Security Rule, and Breach Notification Rule — is a US federal law. It applies to "covered entities" (US healthcare providers, health plans, clearinghouses) and to "business associates" who handle Protected Health Information on behalf of those covered entities. An Indian hospital treating Indian patients in India is, in the strict legal sense, not a covered entity.
So why does it keep coming up in Indian boardrooms?
Three real reasons HIPAA shows up for Indian providers
1. Medical tourism with American patients
A hospital in Kochi or Chennai that treats American patients does not become a HIPAA-covered entity by treatment alone. But the moment the hospital partners with a US-based facilitator, accepts US insurance reimbursement, or shares records with the patient's American physician on follow-up, the partner organisation often demands a Business Associate Agreement (BAA) that contractually binds the Indian hospital to HIPAA-equivalent obligations.
The contract — not the law — is what makes HIPAA enforceable on the Indian side. But the enforcement is real: a breach that exposes a US patient's data is grounds for the partner to terminate, withhold payment, and pursue indemnification under the BAA.
2. JCI / international accreditation
Joint Commission International accreditation, the gold standard sought by hospitals serving international patients, includes information-management standards (the IMS chapter) that map almost cleanly onto HIPAA's Security Rule technical safeguards. A hospital pursuing JCI effectively has to implement HIPAA-style controls — encryption, access control, audit, breach response — even if no US patient is involved. Auditors will ask, and the answers had better be "yes, here is the policy and here is the audit log."
3. American business associates working in India
Many Indian IT services firms process PHI on behalf of US healthcare clients. Those firms are business associates and do have direct HIPAA obligations. A clinic or hospital is rarely in this position; an Indian software vendor or BPO often is.
What HIPAA actually requires (in 200 words)
The Security Rule (45 CFR §164.302–318) — the part that affects software vendors most — has three categories of safeguard: administrative, physical, and technical. The technical safeguards are the operational ones:
- §164.312(a) Access control — unique user IDs, automatic logoff, encryption of stored PHI, role-based authorisation.
- §164.312(b) Audit controls — append-only logs of every PHI access, retained for six years.
- §164.312(c) Integrity — controls to detect and prevent improper alteration of PHI.
- §164.312(d) Person or entity authentication — strong authentication, MFA where appropriate.
- §164.312(e) Transmission security — encryption in transit (TLS) and integrity controls.
The Breach Notification Rule (45 CFR §164.400) adds a 60-day notification window for breaches affecting 500+ individuals, with HHS OCR notification and, for large breaches, public disclosure.
How DPDPA 2023 maps onto HIPAA
India's Digital Personal Data Protection Act 2023 covers personal data broadly — including health data — under a different framework. The high-level mapping looks like this:
- Lawful basis — DPDPA requires consent or legitimate use; HIPAA defines covered entities and permitted disclosures under Treatment, Payment, Operations.
- Data principal rights — DPDPA gives access, correction, erasure, grievance. HIPAA gives access, amendment, and accounting of disclosures.
- Breach notification — DPDPA requires notification "as may be prescribed" (rules pending in 2026); HIPAA mandates 60 days.
- Penalties — DPDPA up to ₹250 crore; HIPAA up to $1.5 million per category per year.
A practical implication: a clinic that builds for HIPAA technical safeguards is roughly 80% of the way to DPDPA technical compliance. The remaining 20% is mostly procedural — appointing a data-protection officer, publishing a privacy notice, the consent-artefact infrastructure described in our ABDM article.
The "BAA available" question
The single question that resolves most HIPAA conversations between an Indian provider and a US partner is: does your software vendor sign a BAA?
A BAA is a contract between a covered entity and a business associate that establishes the business associate's HIPAA obligations. If your hospital handles US patients and your EMR vendor will not sign a BAA, the hospital cannot legally let the EMR see those records under US law. This is a frequent reason Indian hospitals find themselves operating two parallel systems — the daily-use system and a separate "international" system that only the BAA-signing vendor touches.
The fix is to choose a vendor that signs a BAA from day one. Medixar does. Most legacy Indian-market HMS vendors do not, because the contractual exposure is meaningful.
What you should ask your vendor
- Will you sign a BAA? Yes/no. Get the position in writing.
- What is your encryption posture at rest and in transit? AES-256 at rest, TLS 1.3 in transit, key management in a hardware-security-module-backed KMS, period.
- What is your audit retention? Six years for HIPAA, seven for compounded DPDPA / NABH expectations. Append-only.
- What is your breach notification process? 72-hour notification to your named contact for confirmed PHI breach is the modern bar.
- Where does the data physically live? If your sub-processors are US-located for PHI, that is fine but you need data-transfer language in the contract.
- Do you have a third-party penetration test report? Once a year is the bar; available under NDA is the norm.
What HIPAA does not require
Worth saying because it gets conflated:
- HIPAA does not mandate a specific technology — there is no "HIPAA-certified server" product. Compliance is procedural and depends on the controls in place at the covered entity.
- HIPAA does not require data to live in the US. It requires that any sub-processor handling PHI is bound by a BAA. India is a perfectly valid location for hosting if the BAA chain is intact.
- HIPAA does not preclude AI processing of PHI, provided the AI processor is a business associate under a BAA and the use is consistent with the patient's authorised purpose.
Bottom line for an Indian hospital in 2026
If you treat international patients, partner with US institutions, or pursue JCI, treat HIPAA as the floor for technical safeguards. The investments are not wasted — they double up on DPDPA compliance and on NABH information-management requirements. If you serve only Indian patients with Indian payers, focus on DPDPA 2023, the IT Act / SPDI Rules, and NABH digital standards, and let HIPAA show up only when a partner asks.
Either way, the technical foundations — encryption, role-based access, append-only audit, consent management, breach notification — are the same. Build them once.
Need a HIPAA-aligned EMR for international patients?
Medixar's BAA is available on request. Read the security architecture first.