HIPAA vs DPDP for Indian Healthtech: Patient Data Guide

Indian healthtech companies handling patient data navigate two regulatory regimes simultaneously. If you process health data of Indian users, India's Digital Personal Data Protection Act 2023 (DPDP) applies. If you touch health records of US patients or work with US hospitals, insurers, or clinics as a vendor, the Health Insurance Portability and Accountability Act (HIPAA) applies too. This guide breaks down what each law covers, where they overlap, and which controls satisfy both.

What HIPAA Covers

HIPAA, administered by the US Department of Health and Human Services (HHS), applies to covered entities — health plans, healthcare providers, and healthcare clearinghouses — and to their business associates: vendors that create, receive, maintain, or transmit Protected Health Information (PHI) on their behalf.

PHI is any individually identifiable health data in any form — name, date of birth, geographic data, IP address, and 14 other identifiers when combined with health, treatment, or payment information.

ℹ️

INFO

An Indian healthtech company becomes subject to HIPAA the moment it signs a Business Associate Agreement (BAA) with a US covered entity. The company's physical location in India does not exempt it. HHS has affirmed this extraterritorial reach.

The HIPAA Security Rule covers electronic PHI (ePHI) and requires three safeguard categories: administrative (risk analysis, workforce training), physical (device and facility controls), and technical (encryption, audit controls, access management). Full rule at hhs.gov/hipaa/for-professionals/security.

Business Associate Agreements — the trigger for Indian vendors

A BAA is a written contract between a US covered entity and its vendor. If your platform receives PHI from a US hospital or insurer, you need a BAA before data flows begin. Without one, neither party is compliant. The BAA requires the Indian company to use PHI only for the contracted purpose, apply equivalent HIPAA safeguards, notify the covered entity of any breach within a defined window, and return or destroy PHI at contract termination.

What DPDP Covers

India's Digital Personal Data Protection Act 2023 — notified by MeitY — applies to the processing of digital personal data collected in India or processed in India. The Act is at meity.gov.in/data-protection-framework.

Health data is personal data under DPDP. The Act does not create a separate health-data category as HIPAA does, but health records are implicitly high-sensitivity given their direct identification risk.

Key DPDP obligations for healthtech: purpose limitation (collect only what's necessary); explicit, revocable consent before processing; data principal rights of access, correction, and erasure; security safeguards and breach notification to CERT-In and affected individuals; and for government-designated Significant Data Fiduciaries, a mandatory Data Protection Officer and data protection impact assessments.

ABDM and Health Data in India

The Ayushman Bharat Digital Mission (ABDM) creates a national health record ecosystem. Companies integrating with ABDM process ABHA (Ayushman Bharat Health Account) records tied to Aadhaar or mobile identity. Consent for ABDM-linked records must be explicit, granular, and auditable. ABDM's Health Data Management Policy sets additional standards for data minimisation and interoperability that run alongside DPDP.

⚠️

WARNING

Companies building on top of ABDM that also serve US insurers or telehealth providers are simultaneously operating under HIPAA's BAA obligations and DPDP's consent framework. These frameworks do not automatically align — you need deliberate architectural choices.

Key Differences Between HIPAA and DPDP

Dimension	HIPAA	DPDP Act 2023
Jurisdiction trigger	Processing PHI for/with US covered entities	Processing personal data of India-based individuals
Who it applies to	Covered entities + business associates	Any Data Fiduciary processing digital personal data
Consent model	Largely Notice-and-Acknowledgement (NPP)	Explicit opt-in consent required
Data subject rights	Limited (access, amendment, accounting of disclosures)	Strong: access, correction, erasure, grievance
Breach notification	To HHS and affected individuals, 60-day window	To CERT-In and data principals (timeline in Rules)
Technical safeguards	Prescriptive Security Rule (encryption, audit logs)	Principle-based; security standards in Rules
Health-specific category	Yes — PHI with 18 identifiers	No separate health category; health data is personal data
Cross-border data transfer	Permitted with BAA	Permitted to whitelisted countries (Rules pending)
Governing body	HHS Office for Civil Rights	Data Protection Board of India (being constituted)

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

Which Regime Applies to Your Patient Data

The decision is not either/or. The following flowchart maps out which regime — or both — governs a specific data processing activity.

graph TD
    A[Patient data being processed] --> B{Data principal based in India?}
    B -- Yes --> C[DPDP applies]
    B -- No --> D{Data from US covered entity or US patient?}
    D -- Yes --> E[HIPAA applies]
    D -- No --> F[Check other jurisdictions]
    C --> G{Also received via BAA with US entity?}
    G -- Yes --> H[Both HIPAA and DPDP apply]
    G -- No --> I[DPDP only]
    E --> J{Also processing Indian residents data?}
    J -- Yes --> H
    J -- No --> K[HIPAA only]
    H --> L[Implement dual-compliant controls]
    I --> M[DPDP controls sufficient]
    K --> N[HIPAA controls sufficient]

    style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style C fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style E fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style F fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style G fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style H fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style I fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style J fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style K fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style L fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style M fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style N fill:#1e3d2f,stroke:#10B981,color:#e2e8f0

Scope Comparison: HIPAA vs DPDP

The chart below compares key scope dimensions qualitatively across both frameworks.

xychart-beta
    title "HIPAA vs DPDP - Scope Comparison"
    x-axis ["Consent Strength", "Data Subject Rights", "Technical Prescriptiveness", "Cross-border Reach", "Breach Notification Speed", "Health-specific Rules"]
    y-axis "Relative Stringency" 0 --> 10
    bar [4, 3, 9, 6, 7, 10]
    bar [9, 9, 5, 7, 8, 4]

HIPAA leads on technical prescriptiveness and health-specific rules. DPDP leads on consent strength and data principal rights. Cross-border rules remain pending under DPDP.

India Health Data Context: CERT-In and Breach Reporting

60 daysHIPAA breach notification window to HHS for breaches affecting 500+ individuals (HHS.gov 2024)

5,000+Breaches of unsecured PHI reported to HHS since 2009 portal launch (HHS Breach Portal 2024)

2023Year DPDP Act received Presidential assent — Rules under finalization (MeitY 2023)

CERT-In's 2022 directions require all entities to report cybersecurity incidents within six hours of detection. DPDP's breach notification obligations layer on top. The effective requirement is the stricter of the two: report patient record breaches to CERT-In immediately, then follow up with affected data principals as DPDP Rules require.

🛡️

SECURITY

If you process both PHI (HIPAA scope) and Indian patient data (DPDP scope), a single breach event may trigger three parallel reporting tracks: HHS notification, CERT-In incident report, and DPDP Data Protection Board notification. Build your incident response runbook with all three tracks mapped before a breach happens — not during one.

Practical Controls That Satisfy Both Regimes

The good news is that the technical control sets overlap substantially. Implementing a robust security baseline for HIPAA largely satisfies DPDP's principle-based security requirements too.

Control Area	HIPAA Requirement	DPDP Requirement	Dual-compliant approach
Encryption at rest	Addressable (strongly recommended)	Implied by security obligation	AES-256 for all health record storage
Encryption in transit	Addressable	Implied	TLS 1.2+ minimum on all APIs
Access control	Role-based, minimum necessary	Purpose limitation + access control	RBAC tied to declared processing purpose
Audit logging	Required — user actions on ePHI	Implied by accountability	Immutable audit log with 6-year retention for HIPAA; retain per DPDP Rules
Breach detection	Risk analysis required	Security safeguards required	SIEM or log-alerting with 24-hour internal SLA
Consent management	Notice of Privacy Practices	Explicit opt-in consent + withdrawal	Consent ledger with timestamp, purpose, and revocation state
Vendor contracts	BAA mandatory	Data Processing Agreement	Execute both BAA and DPA for any sub-processor
Data deletion	Right to request restriction	Right of erasure	Technical erasure workflow with audit trail

Risk Analysis: the HIPAA requirement most Indian vendors miss

HIPAA's Security Rule requires a documented risk analysis — an assessment of threats and vulnerabilities to ePHI. Indian business associates often implement the technical controls but skip formal risk analysis documentation, leaving them non-compliant on paper. A VAPT covering APIs, cloud configuration, authentication flows, and data storage addresses this requirement and simultaneously produces evidence for DPDP's security obligation. A free VAPT scan is the practical starting point.

When to Execute a BAA

The BAA is a legal instrument, but the trigger is operational: if your platform receives, stores, processes, or transmits data that includes PHI — even in a de-identified-but-not-fully-safe-harbor form — you need a BAA with the US covered entity before data flows begin.

Common scenarios: diagnostic AI for US radiology groups (DICOM metadata is PHI); revenue cycle management SaaS for US clinics; telehealth platforms connecting US doctors with patients; health data analytics for US insurers where claims data is PHI.

💡

TIP

Even if you are not directly handling PHI, if your service sits in a technology stack that processes PHI upstream or downstream, your US client's legal team will request a BAA. Preparing a standard BAA template in advance — reviewed by a US healthcare attorney — shortens your sales cycle with US health systems significantly.

ABDM Integration and DPDP Compliance

Companies integrating with ABDM must align their consent architecture with the ABDM Health Data Management Policy and the emerging DPDP framework. Practically this means using ABDM consent artifacts — structured objects specifying data requester, provider, purpose, and expiry — as the basis for your internal consent records. Consent revocation must propagate to all systems where the health record was shared. Treat ABHA-linked data as high-sensitivity personal data under DPDP, with enhanced access controls and audit logging. Getting ABDM consent right positions you well for DPDP compliance once Rules are finalized.

🎯Key Takeaway

Indian healthtech companies serving both markets cannot treat HIPAA and DPDP as sequential tasks. The dual-regime scenario is the default for any platform processing Indian patient records via ABDM and simultaneously serving US covered entities as a business associate. Build your consent ledger, access controls, audit logs, and breach response runbook to satisfy the stricter requirement on each dimension — HIPAA's technical prescriptiveness combined with DPDP's consent-first model. That intersection is your minimum viable compliance posture.

For more compliance guidance, explore the Bachao.AI blog or the dedicated DPDP compliance page. The platform is built by Dhisattva AI Pvt Ltd, a DPIIT Recognized Startup focused on automated security for Indian businesses.

Frequently Asked Questions

Does HIPAA apply to an Indian company that never physically operates in the US?

Yes. HIPAA's reach follows the data, not the company's location. If an Indian company signs a Business Associate Agreement with a US covered entity and processes PHI on its behalf, HIPAA's Security and Privacy Rules apply in full. Physical presence in the US is not a requirement for HIPAA applicability.

Is health data treated as a special category under India's DPDP Act?

The DPDP Act 2023 does not create a separate "sensitive personal data" category the way earlier PDPB drafts did. Health data is personal data under the Act. However, the government may notify certain classes of Data Fiduciaries handling health records as Significant Data Fiduciaries, triggering additional obligations like data protection impact assessments and a mandatory Data Protection Officer.

What is a Business Associate Agreement and when must an Indian company sign one?

A BAA is a legally required contract between a US HIPAA covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf. An Indian SaaS or AI platform must execute a BAA before any PHI flows from the US client. Operating without a BAA makes both parties non-compliant and creates significant legal exposure for the Indian vendor in US courts.

How does ABDM interact with DPDP compliance?

ABDM's Health Data Management Policy requires structured, auditable consent before health records can be accessed or shared. DPDP independently mandates explicit, revocable consent for personal data processing. Both require that processing stays within the declared purpose. Companies integrating with ABDM should build their consent architecture to satisfy both frameworks simultaneously, since ABDM consent artifacts are a strong foundation for DPDP consent records.

Can a single set of technical controls satisfy both HIPAA and DPDP?

Substantially yes. AES-256 encryption, TLS in transit, role-based access control, immutable audit logs, documented risk analysis, and a structured breach response process satisfy HIPAA's Security Rule requirements and also meet DPDP's principle-based security obligations. The main additive requirement from DPDP is an explicit consent management system with revocation support, which HIPAA does not mandate in the same form.

What should Indian healthtech companies do first to prepare for dual compliance?

Start with a data flow mapping exercise — trace exactly which patient records enter your system, from which source, for which purpose, and where they are stored or forwarded. Then run a vulnerability assessment of your health data infrastructure to identify technical gaps. These two steps give you the evidence base for both HIPAA's required risk analysis documentation and DPDP's security safeguards obligation.

HIPAA vs DPDP for Indian Healthtech: Patient Data Guide

Get cybersecurity insights for Indian SMBs

Exposed to CVEs like this? Run a free VAPT scan — risk score in 2 hours, no credit card.