The Health Insurance Portability and Accountability Act (HIPAA, 1996) and the Health Information Technology for Economic and Clinical Health Act (HITECH, 2009) establish comprehensive requirements for protecting Protected Health Information (PHI) in the United States. HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule apply to Covered Entities (healthcare providers, health plans, clearinghouses) and their Business Associates — any third party that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity.

For Indian IT firms, healthcare BPOs, medical coding companies, software providers, and cloud services handling US patient data, Business Associate (BA) status under HIPAA is automatic once they access PHI — regardless of where they are headquartered. Business Associates must sign Business Associate Agreements (BAAs), implement HIPAA Security Rule safeguards, and comply with Breach Notification requirements. HITECH significantly increased penalties — up to $1.9 million per violation category per year — and extended HIPAA directly to Business Associates and their subcontractors.

🔴 India Exposure: Any Indian IT firm handling US EHR data, medical records, insurance claims, or health analytics for US clients is a HIPAA Business Associate. HIPAA enforcement extends to Business Associates globally — HHS OCR has assessed fines against non-US entities. A signed BAA does not create compliance — your security controls must actually meet the Security Rule requirements.