Most Indian healthtech founders encounter HIPAA at the worst possible moment. You’ve built a clinical AI product or health data platform. You’ve had excellent conversations with a hospital. The clinical team loves it. Then the IT department gets involved.
They send a vendor security checklist. Near the top: ‘HIPAA Business Associate Agreement, Yes/No.’
You Google HIPAA. You realise it’s an American law. Your company is Indian. Your product might be deployed in India. You’re confused about why it applies to you.
Then procurement explains that it doesn’t matter where your company is incorporated. The hospital’s security policy requires a BAA from any vendor handling patient data. No BAA, no pilot.
Welcome to healthcare enterprise sales.
When HIPAA applies to you regardless of geography
HIPAA governs how Protected Health Information must be handled. PHI is any information that can identify a patient and relates to their health condition, healthcare provision, or payment for healthcare.
HIPAA applies to Covered Entities (US hospitals, health plans, and healthcare providers) and to their Business Associates, meaning any third party that handles PHI on behalf of a covered entity. If your product processes, stores, or transmits information about identified patients at a US hospital, you are a Business Associate and HIPAA applies to you regardless of where your company is incorporated or where your servers are located.
- Selling to US hospitals directly: HIPAA applies immediately
- Selling to Indian private hospitals that serve international patients or process US insurance billing: HIPAA can apply
- Building a clinical AI tool that accesses EHR data: HIPAA almost certainly applies because EHR data is PHI
- Selling to any institution that has adopted HIPAA as their voluntary security standard, including many JCI-accredited hospitals globally
What HIPAA’s Security Rule actually requires from your engineering team
HIPAA’s Security Rule has three categories of safeguards. The technical safeguards are where engineering work lives.
- Unique user identification, no shared accounts
- Audit controls recording all PHI access activity
- Transmission security (TLS 1.2 minimum)
- Emergency access procedure for PHI
- Automatic session logoff (15-30 min standard)
- Encryption at rest (AES-256)
- Integrity controls for PHI
- Multi-factor authentication
Note: HHS proposed making MFA and encryption at rest mandatory in a 2025 rulemaking. If your architecture was designed around the current ‘addressable’ standard, review now.
The audit log requirement is more demanding than most founders appreciate. You need to be able to answer: who accessed patient record X between dates Y and Z, from what device, and what actions did they take? At scale, this requires indexed, queryable audit logs — not just logs that exist somewhere in a storage bucket.
The 60-day breach notification requirement
If you experience a breach of unsecured PHI, you must notify affected individuals and the covered entity within 60 calendar days of discovering the breach. Breaches affecting 500 or more individuals in a state also require notification to HHS and, in many cases, to prominent media in that state.
The 60-day clock starts from the moment you or any employee could reasonably have known about the breach, not when you confirmed it and not when you contained it. If an attacker accessed patient records for six weeks before your monitoring detected it, the clock started at the beginning of that six weeks. You may already be in violation before you know a breach occurred.
This is why continuous monitoring — a WAF detecting attacks, EDR detecting anomalous behaviour, cloud posture management flagging misconfigurations — isn’t optional infrastructure under HIPAA. It’s what makes breach notification obligations achievable.
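The audit-control question above (who accessed record X between dates Y and Z, from what device, doing what) and the 60-day clock are easier to reason about with a concrete sketch. The Python below is an added example, not code from the original post or from Osto: it keeps an append-only, indexed audit log, answers the per-record question without a full scan, flags bulk access the way a monitoring control would, and takes the notification deadline from the earliest date the log itself would have shown the problem rather than the date the team confirmed it. The log line format, user and device ids, patient ids, dates and the access threshold are all constructed for the example.

```python
"""Added example (not from the original post): an in-memory PHI audit log that answers
"who touched record X between Y and Z, from which device, doing what", flags bulk access
over the same log, and derives the 60-day notification deadline from the earliest
detectable date rather than the confirmation date. All ids, dates and the threshold
are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime      # when the action happened (UTC)
    user_id: str      # unique per person; a shared account cannot be attributed
    device_id: str    # workstation or mobile device that issued the request
    patient_id: str   # the PHI record touched
    action: str       # VIEW, UPDATE, EXPORT, ...


class AuditLog:
    """Append-only store with a per-patient index, so record-level questions are
    answered without scanning every event (what 'indexed, queryable' buys you)."""

    def __init__(self) -> None:
        self._events: List[AuditEvent] = []
        self._by_patient: Dict[str, List[int]] = defaultdict(list)

    def append(self, ev: AuditEvent) -> None:
        idx = len(self._events)
        self._events.append(ev)  # events are never updated or deleted in place
        self._by_patient[ev.patient_id].append(idx)

    def accesses_to(self, patient_id: str, start: datetime, end: datetime) -> List[AuditEvent]:
        """Every event on one record inside [start, end], found via the index."""
        hits = (self._events[i] for i in self._by_patient.get(patient_id, []))
        return [ev for ev in hits if start <= ev.ts <= end]

    def bulk_access_days(self, max_patients_per_day: int) -> List[Tuple[str, date, int]]:
        """(user, day, distinct records) for any user who touched more distinct
        records in one day than the threshold allows."""
        seen: Dict[Tuple[str, date], Set[str]] = defaultdict(set)
        for ev in self._events:
            seen[(ev.user_id, ev.ts.date())].add(ev.patient_id)
        return sorted((u, d, len(p)) for (u, d), p in seen.items()
                      if len(p) > max_patients_per_day)


HIPAA_NOTIFICATION_WINDOW = timedelta(days=60)


def notification_deadline(first_detectable: date, confirmed: date) -> date:
    """The clock runs from when the breach was, or reasonably could have been,
    known, so the earlier of the two dates is the discovery date."""
    return min(first_detectable, confirmed) + HIPAA_NOTIFICATION_WINDOW


def parse_line(line: str) -> AuditEvent:
    """Constructed line format: '<ISO ts>Z user=<id> device=<id> patient=<id> action=<verb>'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return AuditEvent(ts, kv["user"], kv["device"], kv["patient"], kv["action"])


# Constructed sample: routine clinical access, plus a service account exporting
# twelve different records in one night from a device nobody recognises.
SAMPLE_LINES = [
    "2025-03-02T09:15:00Z user=dr.rao device=ws-11 patient=P1001 action=VIEW",
    "2025-03-02T09:20:00Z user=dr.rao device=ws-11 patient=P1002 action=VIEW",
    "2025-03-02T11:05:00Z user=nurse.k device=ws-04 patient=P1001 action=UPDATE",
    "2025-03-04T08:30:00Z user=dr.rao device=ws-11 patient=P1001 action=VIEW",
] + [
    f"2025-03-03T02:{i:02d}:00Z user=svc-etl device=laptop-77 patient=P{2000 + i} action=EXPORT"
    for i in range(12)
]


def build_sample_log() -> AuditLog:
    log = AuditLog()
    for line in SAMPLE_LINES:
        log.append(parse_line(line))
    return log


def earliest_anomaly_date(log: AuditLog, max_patients_per_day: int) -> Optional[date]:
    """First day on which the log already showed the bulk access; that day, not the
    later confirmation, is where the 60-day clock starts."""
    flagged = log.bulk_access_days(max_patients_per_day)
    return min(d for _, d, _ in flagged) if flagged else None


if __name__ == "__main__":
    log = build_sample_log()
    for ev in log.accesses_to("P1001", datetime(2025, 3, 2), datetime(2025, 3, 3)):
        print(ev.ts, ev.user_id, ev.device_id, ev.action)
    detected = earliest_anomaly_date(log, max_patients_per_day=5)
    confirmed = date(2025, 4, 14)  # constructed: the day the team finished confirming it
    print("clock started", detected, "deadline", notification_deadline(detected, confirmed))
```

In the sample the export burst is visible in the log on 3 March, so even though confirmation comes six weeks later, the deadline is computed from 3 March. The same shape carries over to a real deployment: the index in a database (a column index on patient id and timestamp), the threshold tuned to what a clinician plausibly touches in a day, and the detection running continuously rather than being invoked by hand.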
SOC 2 and HIPAA together
SOC 2 is not the same as HIPAA compliance. But achieving SOC 2 Type II is the most efficient way for an Indian healthtech startup to demonstrate to US hospitals that you have the security programme HIPAA requires.
A SOC 2 Type II audit with the Healthcare Criteria — Availability, Confidentiality, and Privacy trust service criteria — substantially overlaps with HIPAA’s administrative and technical safeguard requirements. Many US hospitals will accept a SOC 2 Type II with Healthcare Criteria as sufficient evidence to proceed with a BAA.
DPDPA adds another layer for patient data in India
If you’re also processing Indian patient data, DPDPA adds obligations that HIPAA doesn’t cover. Health data is classified as sensitive personal data under DPDPA with stricter security safeguard requirements and an anticipated 72-hour breach notification to India’s Data Protection Board.
HIPAA’s security infrastructure — WAF, EDR, audit logs, access controls — substantially satisfies DPDPA’s security safeguard standard simultaneously. The breach notification workflows are different but a well-designed incident response procedure can handle both. Build for the stricter standard and you’re covered for both.
Where to start
If your first US hospital conversation is six months away, here’s the sequence that makes you ready:
The window between ‘we started our security programme’ and ‘we’re hospital-ready’ is four to six months if you build on the right infrastructure from day one. Most Indian healthtech companies discover this timeline six weeks before they need it.
The US hospital market is large and the clinical problems worth solving are real. The founders who build the compliance infrastructure before they need it get into deals their peers can’t.
Osto helps Indian healthtech teams get HIPAA-ready before the hospital questionnaire arrives.
We deploy the security infrastructure you need — WAF, endpoint protection, audit logging, continuous monitoring — write the policies, run the VAPT, and get your SOC 2 observation period underway. All from one platform, without a dedicated in-house security team.
If you’re building a clinical AI product or health data platform and selling to hospitals, we can help you get from unprepared to hospital-ready in a fraction of the time it would take on your own.

