Third Invasion of HIPAA into India is likely to be like a Tsunami attack
India is an important outsourcing partner for USA.
Indian companies therefore have a substantial stake in developments in
the USA that may indirectly affect the business outsourced to India.
There is therefore a huge stake for Indian IT industry in the regulatory
regime dictated by the Data Protection regulations of UK/EU as well as
the HIPAA of USA.
When HIPAA was first enacted in 1996, with different aspects of the
legislation to be implemented at different points in the then future,
there was very little recognition of the legislation in India. By 2000,
India had its own legislation, namely the Information Technology Act
2000 (ITA 2000), which could be invoked to penalize any data
vandalization or misuse. It also rendered data processors liable for
negligence in both civil and criminal terms. Though this was not treated
as a data protection law, it contained provisions for civil and criminal
penalties for data breach, and hence India was introduced to the concept
of information security as a legal obligation.
By 2003 and 2004 when HIPAA was fully under implementation in USA with
Privacy and Security rule obligations, Indian business associates were
ready to meet the requirements of the US vendors to undertake their BA
obligations. Most responsible US companies ensured that the then
existing SLAs were suitably upgraded to meet the requirements of BA
agreements incorporating some security obligations coupled with
indemnities.
This was the first invasion of HIPAA into India, when only a handful of
US companies casually informed a handful of Indian associates that there
was some obligation under HIPAA for privacy protection and information
security.
However, since even covered entities in the US were not too serious
about the HIPAA requirements, the impact of HIPAA on India went almost
unnoticed, except among techno-legal academicians such as the
undersigned, who had an obligation to include HIPAA as part of the Cyber
Law education they promoted.
By around 2007, however, some companies in India started requisitioning
professional services for HIPAA training and investing in HIPAA
preparation. The trend accelerated in 2008, and more mid-sized companies
opted to be called "HIPAA Compliant" by undergoing some form of
sensitization training.
However, it was not until the HITECH Act came into being in February
2009 that US companies started engaging their Indian counterparts in a
serious dialogue on HIPAA compliance. With a more active HHS imposing
large penalties on many companies in the USA, there was a sudden
realization in the USA that they needed proper documentation of the
HIPAA readiness of their Indian counterparts. Here the second invasion
of HIPAA started making inroads into India.
In October 2009, India notified the amendments to ITA 2000 and ITA 2008
was born. This added additional strength to HIPAA obligations that
Indian companies took as a matter of routine in the BA agreements.
Though many did not realize it, ITA 2008 acted as a supplement to the
HITECH Act, and the HITECH Act provisions could be interpreted as also
being mandated under ITA 2008.
On April 11th, the notification of rules under Section 43A of ITA 2008
reminded corporates of their privacy obligations, and they are still
trying to digest the onslaught of the combined HITECH-ITA 2008 attack.
Now yet another shake-up is visible in the form of the proposed changes
to the Privacy Rule which HHS notified on May 31, 2011. The proposed
changes, which are presently in a public comment period, are likely to
hit the Indian outsourcing industry like a Tsunami.
The proposed changes will hit on the Data Breach Notification front with
the new obligation of "Accountability for Data Disclosures".
If Indian IT companies with a stake in HIPAA do not understand the
implications of these provisions and harden their security systems, they
are likely to lose out on their profitable business contracts.
If, however, Indian IT companies react quickly and appropriately to this
Tsunami warning, they can be ready before their US counterparts
themselves realize the new responsibilities and start making demands on
the Indian service providers, which include several software development
companies.
If the Indian companies are smart and agile, they may even be able to
use the huge energy flow that accompanies the Tsunami and make a big
kill on the commercial front.
Naavi
July 12, 2011
Comments are welcome at naavi@vsnl.com