DPDP Act VS DPDP vs HIPAA: Health Data Protection Compared

DPDP vs HIPAA: Health Data Protection

India’s DPDP Act 2023 and the US Health Insurance Portability and Accountability Act (HIPAA) both protect health-related personal data, but through fundamentally different frameworks. HIPAA is sector-specific (healthcare only), while DPDP covers all personal data across all industries.

Key Differences

Feature	DPDP Act 2023	HIPAA
Scope	All personal data, all sectors	Health data from covered entities only
Covered entities	All Data Fiduciaries	Providers, plans, clearinghouses, business associates
Health data category	No separate category (yet)	Protected Health Information (PHI) explicitly defined
Consent	Required for all processing	Required for disclosures beyond treatment/payment/operations
Breach notification	To DPB + affected persons	To HHS, affected individuals + media (500+ individuals)
Max penalty	₹250 Crore per violation	$1.9M per violation category/year
Patient access rights	General data principal rights	Specific PHI access and amendment rights
De-identification	Not explicitly detailed	Expert determination or safe harbor methods defined

What This Means for Healthcare Companies

Healthcare companies operating in India cannot rely on HIPAA compliance alone. DPDP adds consent requirements, breach notification obligations, and data principal rights that go beyond HIPAA’s focus on covered entities. Indian hospitals, telemedicine platforms, and health-tech companies need DPDP-specific compliance programs alongside any international frameworks.