01 What HIPAA is
HIPAA is a US federal law (1996, with subsequent updates including HITECH 2009 and Omnibus 2013) that governs how Protected Health Information (PHI) is used and disclosed by Covered Entities (healthcare providers, health plans, clearinghouses) and the Business Associates that process PHI on their behalf. The HHS Office for Civil Rights (OCR) enforces it. Penalties scale with culpability and run up to $1.9M per violation category per year; criminal penalties exist for willful misuse.
For Indian organisations, HIPAA almost never applies directly — but it cascades through contracts. If your customer is a US Covered Entity or Business Associate and they hand you PHI, you become a Business Associate (or Subcontractor BA). Then HIPAA applies through your Business Associate Agreement (BAA).
02 Does HIPAA apply to me?
Three-question test for Indian organisations:
- Does my customer create, receive, transmit, or maintain Protected Health Information of US individuals? If yes — they are a CE or BA.
- Do I receive PHI from that customer or process it on their behalf? If yes — I am a Business Associate or Subcontractor BA.
- Do I have a signed Business Associate Agreement? If no — you are operating in violation; remediate immediately.
03 Covered Entity, Business Associate, Subcontractor
- Covered Entity (CE) — health plans, healthcare providers, clearinghouses.
- Business Associate (BA) — entity that creates/receives/maintains/transmits PHI on behalf of a CE. Indian SaaS / BPO / IT-services serving US healthcare typically sit here.
- Subcontractor BA — your downstream cloud provider, MSP, sub-processor. They become BAs by virtue of accessing PHI; you must have BAAs with them.
- Hybrid entities — mixed-purpose orgs that designate which functions are HIPAA-covered.
04 The BAA — what it must include
A BAA is the legal vehicle that pushes HIPAA obligations down. Required elements (45 CFR §164.504(e)):
- Permitted and required uses/disclosures of PHI.
- Restriction: BA will not use PHI other than as permitted.
- Safeguards: BA will use appropriate safeguards (the Security Rule).
- Subcontractors: BA must obtain BAAs from any subcontractor accessing PHI.
- Reporting: BA must report security incidents and breaches.
- Access & amendment: BA will assist CE in fulfilling individual rights.
- Accounting: BA will provide accounting of disclosures.
- OCR access: BA will allow OCR access to records, books, and policies as required.
- Termination: return or destroy PHI on termination.
- BA's liability for breach.
Indian vendors should NOT sign a customer's standard MSA without a HIPAA-compliant BAA exhibit. Add it, or refuse the engagement.
05 Privacy Rule
The Privacy Rule (45 CFR Part 164 Subpart E) governs use and disclosure of PHI. Key concepts for BAs:
- Minimum necessary — only access/use the minimum PHI necessary for the task.
- Permitted uses — for treatment, payment, healthcare operations (TPO) of the CE.
- Authorisations — non-TPO use requires individual authorisation.
- Marketing & sale — strict limits; sale of PHI generally prohibited.
- Notice of Privacy Practices (NPP) — CE responsibility; BAs assist.
- Right of access, amendment, accounting — patient rights flowed through to BAs to support.
06 Security Rule (the technical part)
The Security Rule (45 CFR Part 164 Subpart C) is the control library. It is principles-led with "Required" and "Addressable" specifications. Three safeguard categories:
Administrative safeguards
- Security Management Process — risk analysis (R), risk management (R), sanction policy (R), info system activity review (R).
- Assigned Security Responsibility (R).
- Workforce Security — authorisation, supervision, termination procedures.
- Information Access Management — access auth, establishment, modification.
- Security Awareness & Training (A — but de facto required).
- Security Incident Procedures.
- Contingency Plan — data backup (R), DR plan (R), emergency mode operation (R), testing (A), criticality analysis (A).
- Evaluation — periodic technical + non-technical review.
- BAAs.
Physical safeguards
- Facility Access Controls — contingency ops, facility security plan, access control validation, maintenance records.
- Workstation Use & Workstation Security.
- Device & Media Controls — disposal, re-use, accountability, backup & storage.
Technical safeguards
- Access Control — unique user IDs (R), emergency access (R), automatic logoff (A), encryption/decryption (A — de facto required).
- Audit Controls — record & examine activity in systems containing ePHI.
- Integrity — protect from improper alteration; mechanism to authenticate ePHI.
- Person/Entity Authentication.
- Transmission Security — integrity controls + encryption.
Modern interpretation: encryption-at-rest with AES-256, TLS 1.2+ in transit, MFA on all access, audit logging with retention, RBAC, segregation of PHI data stores, regular vulnerability management. The Security Rule is being modernised by HHS NPRM (Notice of Proposed Rulemaking) to make many "Addressable" controls explicitly required — track this.
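To make the technical safeguards concrete, here is an added Python illustration (not code from the page or from any HHS guidance) of three of them working together: Audit Controls (every ePHI access attempt, allowed or denied, is recorded), Integrity (each record is HMAC-chained to the previous one so later alteration or deletion is detectable), and unique user IDs with a role-based "minimum necessary" check. The role table, user IDs, record IDs and the HMAC key are all constructed for the example; in a real deployment the key lives in a KMS/HSM and the log is shipped to a separate write-once store. Note that the log carries only an opaque record identifier, never the patient's name, SSN or date of birth, which addresses the "log files containing PHI" failure mode described later on this page.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for this example only. In practice the key is held in a
# KMS/HSM and the log is shipped to a separate, write-once store.
AUDIT_HMAC_KEY = b"example-audit-key-not-for-production"

# Hypothetical role model applying "minimum necessary": each role may perform
# only the listed actions on ePHI.
ROLE_PERMISSIONS = {
    "clinician": {"read", "update"},
    "billing": {"read"},
    "support": set(),  # support staff get no direct ePHI access
}

GENESIS = "0" * 64  # chain anchor for the first entry


class AuditLog:
    """Append-only, HMAC-chained record of every ePHI access attempt."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, body: dict) -> str:
        # Canonical JSON so the MAC is stable regardless of dict ordering.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, user_id, role, action, record_id, outcome, when=None):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user_id": user_id,      # unique user ID, never a shared account
            "role": role,
            "action": action,
            "record_id": record_id,  # opaque identifier; the log holds no PHI itself
            "outcome": outcome,
            "prev": prev,            # links this entry to the previous one
        }
        entry = dict(body, mac=self._mac(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if (e["seq"] != i or e["prev"] != prev
                    or not hmac.compare_digest(self._mac(body), e["mac"])):
                return False, i
            prev = e["mac"]
        return True, None

    def accesses_for(self, record_id):
        """Who touched one record: the raw material for an accounting of disclosures."""
        return [(e["user_id"], e["action"], e["outcome"])
                for e in self.entries if e["record_id"] == record_id]


def authorise_and_log(log, user_id, role, action, record_id):
    """RBAC decision for one ePHI access; both allowed and denied attempts are logged."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.record(user_id, role, action, record_id, "allowed" if allowed else "denied")
    return allowed


def demo():
    """Constructed sequence: two accesses, then an after-the-fact edit of the log."""
    log = AuditLog(AUDIT_HMAC_KEY)
    authorise_and_log(log, "u-1001", "clinician", "read", "rec-7f3a")
    authorise_and_log(log, "u-2002", "support", "read", "rec-7f3a")
    intact = log.verify()
    log.entries[1]["outcome"] = "allowed"   # someone rewrites a denied access
    tampered = log.verify()
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 1))
```

The chaining is what turns a plain log into an integrity mechanism: editing one entry breaks its MAC, recomputing the MAC without the key is not possible, and deleting an entry shifts the sequence numbers and the `prev` links of everything after it. `accesses_for` is the query an auditor or a CE asking for an accounting of disclosures would run against the same data.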
07 Breach Notification Rule
| Trigger | Notify | Window |
|---|---|---|
| BA discovers breach of unsecured PHI | CE | Without unreasonable delay; within 60 calendar days |
| CE notifies affected individuals | Patients | Within 60 calendar days of discovery |
| CE notifies HHS for breach <500 individuals | HHS via portal | Annually |
| CE notifies HHS for breach ≥500 individuals | HHS + media | Within 60 calendar days; media notice if ≥500 residents of a single state or jurisdiction are affected |
"Unsecured PHI" = PHI not rendered unusable through encryption (per HHS guidance). Encryption is the practical safe harbour against breach notification — this alone justifies encrypting everything.
08 Annual Risk Analysis
The single most enforced HIPAA control. Required elements:
- Identify and document all systems / processes that create, receive, maintain, transmit ePHI.
- Identify threats and vulnerabilities (administrative, physical, technical).
- Assess current security measures.
- Determine likelihood and impact of threats.
- Determine level of risk.
- Document the analysis and the risk-management plan.
Refresh annually and after material changes. Most OCR settlements cite missing or inadequate risk analysis as the underlying violation.
09 Audits, OCR & HIPAA enforcement
- OCR (HHS Office for Civil Rights) investigates breaches, complaints, and conducts compliance audits.
- Tiered penalties — Did Not Know / Reasonable Cause / Willful Neglect-Corrected / Willful Neglect-Not Corrected — with caps per violation category per year.
- Resolution Agreements — most settlements include a Corrective Action Plan with multi-year monitoring.
- State Attorneys General can also enforce HIPAA since HITECH.
- Plaintiff bar — individuals cannot directly sue under HIPAA but state-law claims (negligence, contract) often follow breaches.
10 Indian-vendor specifics
- BAA jurisdiction — most US CEs require US-state-law governance; negotiate carefully.
- OCR access — your BAA will commit to allowing OCR access. Ensure your contracts with sub-processors flow this down.
- Cloud region — many CEs require ePHI to remain in US AWS / Azure / GCP regions. Architect for this.
- HITRUST CSF — increasingly demanded by US healthcare buyers as third-party assurance. HITRUST is a multi-framework certification incorporating HIPAA controls.
- SOC 2 Type II + HITRUST is the typical Indian-vendor evidence stack.
- DPDP overlap — health data is sensitive under DPDP. If you also process Indian patients' data, DPDP applies in parallel.
- Workforce training — your Indian workforce processing US PHI needs HIPAA training annually with documented completion.
11 Common mistakes
- Operating without a signed BAA.
- Subcontractors (cloud, MSP, support tools) accessing PHI without sub-BAAs.
- Risk analysis missing or 3+ years stale.
- Treating "Addressable" Security Rule items as optional. They're not — they require documentation if not implemented.
- Encryption gaps — backups not encrypted, in-region replication unencrypted, log files containing PHI.
- Workforce training deferred or untracked.
- "Production" data used in non-prod environments — common BPO failure mode.
- BAA termination obligations ignored — PHI not returned/destroyed at engagement end.
- HHS "Wall of Shame" inclusion (≥500-person breach) not anticipated in incident playbook.
12 90-day roadmap
- Days 1–15. BAA inventory — every customer + every sub-processor with PHI access. Gap-fix any missing BAA.
- Days 15–35. Risk analysis kickoff — comprehensive ePHI inventory, threat / vulnerability identification, risk-rating, mitigation plan.
- Days 35–55. Security Rule controls implementation gaps — encryption everywhere, MFA, RBAC, audit logging, automatic logoff.
- Days 55–70. Workforce training rollout; sanctions policy; security incident procedures.
- Days 70–85. Contingency plan + DR test; documented business continuity; data backup verification.
- Days 85–90. Tabletop exercise on breach scenario; OCR-access readiness; HITRUST or SOC 2 + HIPAA assessment scoping.
From PHI handed to you to HIPAA-defensible
A 30-minute consultation. We map your engagement model (BA / Subcontractor BA), inventory your PHI flows, and give you a 90-day roadmap with risk-analysis kickoff and Security Rule gaps prioritised.