India's DPDP Rules are notified, time to gap-assess your India programmeSee how we helpEU AI Act obligations are phasing in: the privacy groundwork comes firstAI privacy advisoryTransfer documentation is a top enforcement target: SCCs, IDTA, TIAsTransfer servicesIndia's DPDP Rules are notified, time to gap-assess your India programmeSee how we helpEU AI Act obligations are phasing in: the privacy groundwork comes firstAI privacy advisoryTransfer documentation is a top enforcement target: SCCs, IDTA, TIAsTransfer services
Abhishek Bansiwal
USHealth Insurance Portability and Accountability Act

US health data has its own rulebook, and it isn't the GDPR's.

HIPAA governs protected health information held by US covered entities and their business associates. Health-tech platforms serving US customers meet it through business associate agreements and the Security Rule's safeguards, and it interacts with, rather than replaces, the privacy regimes covering the rest of their data.

At a glance

Who it catches

Covered entities (providers, plans, clearinghouses) and business associates handling protected health information

Penalties

Tiered civil penalties reaching seven figures annually per violation category; criminal exposure for knowing misuse

Key instruments

Privacy Rule, Security Rule safeguards, Breach Notification Rule, business associate agreements

Regulator

HHS Office for Civil Rights

What it requires

The obligations that matter in practice.

  • Business associate agreements before any PHI touches your platform
  • Administrative, physical, and technical safeguards under the Security Rule
  • Breach notification to individuals, HHS, and in some cases the media
  • Minimum-necessary use and disclosure of protected health information

How we help

Where our practice comes in.

FAQ

Common HIPAA questions.

Only if you're a covered entity or handle PHI for one as a business associate. Direct-to-consumer wellness data often falls outside HIPAA, but then state privacy laws and the FTC step in, so 'HIPAA doesn't apply' never means 'nothing applies'.

Start here

Tell us what you're dealing with.

Pick the service that sounds closest, or just describe the situation. You'll get an honest reply within 24 hours: where you stand, what actually needs doing, and whether we're the right fit for it.

Prefer to talk? Book a free 30-min call

Email: abhishek.adv@yahoo.com

LinkedIn: linkedin.com/in/abhishekbansiwal

Working with clients across the EU, UK, US, India, and beyond. See the privacy notice for how enquiries are handled.

Replies within 24 hours. No mailing list, no follow-up sequence.