What does ISO 27001 certification cost in India?

ISO 27001 certification in India typically costs ₹3–8 lakhs for consulting plus certification audit, depending on company size. MYITMANAGER delivers end-to-end ISO 27001 implementation with full ownership — from gap assessment to certification — at transparent pricing.

Who needs DPDP Act compliance in India?

Every organisation that processes personal data of Indian citizens must comply with India's Digital Personal Data Protection (DPDP) Act. This includes startups, SaaS companies, fintech, healthcare, and e-commerce businesses. Non-compliance penalties can reach ₹250 crore.

What is a vCISO and does my company need one?

A vCISO (Virtual CISO) provides strategic cybersecurity leadership without the cost of a full-time hire. MYITMANAGER's vCISO service delivers board-ready risk reporting, compliance roadmaps, and security program ownership for Indian companies at a fraction of in-house cost.

What do RBI Cybersecurity Guidelines 2026 require for banks and NBFCs?

RBI's 2026 cybersecurity guidelines require banks and NBFCs to implement annual VAPT by CERT-In empanelled firms, adopt a formal ISMS, conduct third-party risk assessments, and maintain incident response plans. MYITMANAGER helps financial institutions achieve full RBI compliance end-to-end.

Does HIPAA apply to Indian companies?

Yes. HIPAA applies to Indian companies that create, receive, maintain, or transmit US Protected Health Information (PHI) on behalf of a US Covered Entity (hospital, health plan, healthcare clearinghouse). Indian health IT vendors, medical billing companies, telemedicine platforms, and healthtech SaaS companies serving the US market are treated as Business Associates under HIPAA and are directly subject to the Security Rule, Privacy Rule, and Breach Notification Rule.

What is a Business Associate Agreement (BAA)?

A Business Associate Agreement is a mandatory HIPAA contract between a Covered Entity (US healthcare provider or health plan) and any vendor (including Indian IT companies) that handles PHI on its behalf. The BAA specifies permitted uses of PHI, security obligations, breach notification timelines (usually 24–60 hours to the Covered Entity), and the vendor's liability for HIPAA violations. You cannot legally handle US PHI without a signed BAA.

What is Protected Health Information (PHI)?

PHI is any individually identifiable health information created, received, maintained, or transmitted by a Covered Entity or Business Associate — in any form (electronic, paper, oral). PHI includes 18 identifiers: name, address, dates (except year), phone, fax, email, SSN, medical record number, health plan number, account number, certificate/license number, vehicle identifiers, device identifiers, URLs, IP addresses, biometrics, full-face photos, and any unique identifying number. Electronic PHI (ePHI) is PHI in electronic form and is subject to the Security Rule.

What are HIPAA penalties for Indian companies?

HIPAA civil penalties range from USD 100 to USD 50,000 per violation, capped at USD 1.9 million per calendar year per violation category. Criminal penalties for wilful violations reach USD 250,000 and 10 years imprisonment. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has jurisdiction over Business Associates including Indian vendors — OCR has pursued enforcement actions against foreign entities.

What is a HIPAA Security Risk Assessment?

The HIPAA Security Rule (45 CFR 164.308(a)(1)) requires every Covered Entity and Business Associate to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI. This Security Risk Assessment (SRA) must be documented, must cover all ePHI in all forms and locations, must be repeated after significant changes, and must be available for HHS OCR audit.

What are the HIPAA breach notification requirements?

Under HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D): Covered Entities must notify HHS OCR within 60 days of breach discovery; notify affected individuals without unreasonable delay (within 60 days); for breaches affecting 500+ residents of a state, notify prominent media outlets. Business Associates (Indian vendors) must notify the Covered Entity without unreasonable delay and within 60 days of discovery — BAA contracts typically impose a 24–48 hour notification requirement on the BA.

Does HIPAA require data to be stored in the US?

HIPAA does not mandate data localisation — ePHI can be stored outside the US. However, Business Associates remain fully liable for HIPAA compliance regardless of data location. Covered Entities must perform due diligence on their Business Associates' security controls, and most require contractual data localisation. Indian healthtech companies should clarify data residency requirements with each US client before contract signing.

How long does HIPAA compliance take for an Indian company?

HIPAA compliance for a focused Indian healthtech startup or IT services company typically takes 4–6 months: 4–6 weeks for Security Risk Assessment and gap analysis, 8–12 weeks for policy development and control implementation, 4–6 weeks for staff training and BAA execution, and ongoing annual risk assessment and training refresh.

HIPAA Compliance for Indian Healthtech Companies — Complete 2026 Guide

June 24, 2026

HIPAA and Indian Healthtech — The Business Reality in 2026

India’s healthtech sector — telemedicine platforms, medical billing companies, clinical data analytics firms, hospital IT vendors, and radiology AI companies — generated over USD 4 billion in revenue in 2025, with the US as the largest export market. What many Indian founders and CIOs underestimate: every Indian company that touches US patient data is subject to HIPAA, regardless of where its servers are, where its employees sit, or whether it has a US entity.

HHS Office for Civil Rights (OCR) has made clear that HIPAA jurisdiction extends to Business Associates located outside the US. The consequences of non-compliance are not theoretical — OCR has pursued enforcement actions against foreign-based Business Associates, and US Covered Entities are increasingly conducting formal HIPAA audits of their Indian vendors before contract execution.

Who Is a HIPAA Business Associate? — The Indian Company Test

Under 45 CFR 160.103, a Business Associate is any person or entity that performs functions or activities involving the use or disclosure of PHI on behalf of a Covered Entity. Indian companies that qualify as Business Associates include:

Health IT and EHR vendors providing software that stores or processes US patient records
Medical billing and coding companies processing US insurance claims containing patient diagnoses and procedures
Telemedicine platforms facilitating consultations between US patients and Indian physicians
Radiology and pathology AI companies analysing US medical images or lab results
Medical transcription services converting US physician dictation (containing PHI) to text
Clinical research organisations (CROs) managing US patient trial data
Healthcare analytics firms processing de-identified data that could be re-identified
IT managed services providers maintaining US healthcare client infrastructure containing ePHI

The Three HIPAA Rules — What Indian Business Associates Must Comply With

1. Privacy Rule (45 CFR Part 164, Subpart E)

The Privacy Rule governs how PHI can be used and disclosed. As a Business Associate, your permitted uses of PHI are limited to what is specified in your BAA — typically the specific service you are providing. You cannot use PHI for your own purposes, share it with sub-contractors without a sub-BAA, or retain it beyond what your BAA permits. Patients (data subjects) have rights to access their PHI, request amendments, and receive an accounting of disclosures — your BAA will specify how to support the Covered Entity in honouring these rights.

2. Security Rule (45 CFR Part 164, Subpart C)

The Security Rule applies specifically to electronic PHI (ePHI) and requires three categories of safeguards:

Safeguard Category	Key Requirements	Indian Company Examples
Administrative (45 CFR 164.308)	Security management process, workforce training, contingency plan, access management, evaluation	Written HIPAA policies, annual SRA, incident response plan, background checks for ePHI-access roles
Physical (45 CFR 164.310)	Facility access controls, workstation use, workstation security, device and media controls	Server room access logs, clean desk policy for PHI screens, encrypted laptops, certified media destruction
Technical (45 CFR 164.312)	Access control (unique user IDs, automatic logoff, encryption), audit controls, integrity, transmission security	Role-based access to ePHI, full audit logging, encryption at rest (AES-256) and in transit (TLS 1.2+), VPN for remote access

Importantly, the Security Rule is technology-neutral and scalable — it specifies required outcomes, not specific products. A small Indian medical billing company and a large clinical analytics platform have different implementations but must achieve the same security outcomes.

3. Breach Notification Rule (45 CFR Part 164, Subpart D)

When a security incident results in unauthorised acquisition, access, use, or disclosure of PHI, it is a presumptive breach — unless you can demonstrate low probability that PHI was compromised (the “four-factor risk assessment”). As a Business Associate, you must notify your Covered Entity without unreasonable delay and within the BAA-specified window (typically 24–48 hours). The Covered Entity then notifies HHS OCR (within 60 days) and affected individuals.

The four-factor risk assessment to determine whether a breach is reportable: nature and extent of PHI involved; who accessed or used the PHI; whether PHI was actually acquired or viewed; extent to which risk has been mitigated. All four factors must point to low probability for the breach to be excluded from reporting.

Business Associate Agreement — What Your BAA Must Include

The BAA is the foundational HIPAA document for Indian vendors. HHS regulations at 45 CFR 164.504(e) specify minimum BAA requirements. A compliant BAA must establish:

Permitted uses and disclosures of PHI — limited to the specific service purpose
Prohibition on unauthorised use or disclosure
Requirement to use appropriate safeguards and comply with the Security Rule for ePHI
Requirement to report breaches to the Covered Entity within the specified timeline
Sub-contractor BAA requirement — you must sign BAAs with any sub-processor that touches PHI
Patient rights support — assist the Covered Entity in honouring access, amendment, and accounting requests
Return or destruction of PHI upon contract termination — or justification for why return/destruction is infeasible
HHS audit access — make internal practices available to HHS for compliance determination

HIPAA Security Risk Assessment — The Most Overlooked Requirement

The Security Risk Assessment (SRA) under 45 CFR 164.308(a)(1) is the cornerstone of HIPAA compliance. It is also the requirement most frequently missing in OCR audits of small and mid-size Business Associates. The SRA must:

Identify all ePHI systems, storage locations, and data flows within your environment
Identify all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI
Assess the current probability and potential impact of each identified threat
Document risk levels and prioritise risk treatment
Be repeated after significant changes to systems, operations, or environment
Be retained for a minimum of 6 years (HIPAA documentation retention requirement)

HHS OCR has published a free SRA Tool (available at healthit.gov) designed for small providers and vendors — Indian companies can use it as a starting framework. For larger or more complex environments, a professional HIPAA risk assessment conducted by a qualified consultant is recommended.

HIPAA vs DPDP Act — What Indian Healthtech Must Manage Simultaneously

Dimension	HIPAA	DPDP Act 2023
Data covered	Protected Health Information (PHI) of US individuals	Personal data of Indian individuals
Legal basis for processing	Treatment, payment, operations (TPO) — no consent required; or consent for other purposes	Consent-first; legitimate use for specific purposes
Breach notification	Business Associate: notify Covered Entity within BAA window (typically 24–48h); CE to HHS within 60 days	72 hours to Data Protection Board of India (Section 8(6), Rule 7)
Data subject rights	Access, amendment, accounting of disclosures, restriction requests	Access, correction, erasure, nomination (Sections 12–14)
Penalties	USD 100 – USD 50,000 per violation; up to USD 1.9M per year	Up to Rs 250 crore per instance
Regulator	HHS Office for Civil Rights (US)	Data Protection Board of India

Indian healthtech companies serving both US and Indian patients must maintain dual compliance. The SRA under HIPAA and the security safeguards under DPDP Section 8(1) can be addressed through a common ISO 27001-based ISMS — reducing duplication while satisfying both regulators.

Telemedicine and HIPAA — India-Specific Considerations

Telemedicine platforms connecting Indian physicians with US patients must address specific HIPAA requirements for the telehealth context. HHS guidelines (updated 2026) specify: video consultation platforms must use HIPAA-compliant communication tools — standard Zoom, Skype, or Teams without a BAA are not compliant; all communications must be encrypted in transit and logged for audit; patient records created during teleconsultations are PHI and must be stored with Security Rule safeguards; prescription data transmitted to US pharmacies is PHI and requires BAA with any intermediary platform; and remote diagnostic data (vitals, ECG, imaging) transmitted from US patients to Indian clinicians is ePHI and subject to full Security Rule requirements.

HIPAA Compliance for Your Indian Healthtech Company

MYIT Manager delivers HIPAA readiness programmes for Indian healthtech companies, medical billing firms, and health IT vendors — Security Risk Assessment, policy development, BAA review, staff training, and ongoing compliance management. Achieve HIPAA compliance in 4–6 months.

Get a Free HIPAA Readiness Assessment

MYITMANAGER

Cyber Security & Risk Advisory

Digital Trust & Privacy

IT Compliance

HIPAA Compliance for Indian Healthtech Companies — Complete 2026 Guide

HIPAA and Indian Healthtech — The Business Reality in 2026

Who Is a HIPAA Business Associate? — The Indian Company Test

The Three HIPAA Rules — What Indian Business Associates Must Comply With

1. Privacy Rule (45 CFR Part 164, Subpart E)

2. Security Rule (45 CFR Part 164, Subpart C)

3. Breach Notification Rule (45 CFR Part 164, Subpart D)

Business Associate Agreement — What Your BAA Must Include

HIPAA Security Risk Assessment — The Most Overlooked Requirement

HIPAA vs DPDP Act — What Indian Healthtech Must Manage Simultaneously

Telemedicine and HIPAA — India-Specific Considerations

HIPAA Compliance for Your Indian Healthtech Company

Related Compliance Guides

Related Services & Resources

Need help?

Don't hesitate to contact us.

MYITMANAGER

Contact Info

Industries Supported

Case Studies