Let's Build a Responsible Cyber Society




Third Invasion of HIPAA into India is likely to be like a Tsunami attack

India is an important outsourcing partner for USA. There is a substantial stake for the Indian Companies in the developments in USA that may indirectly affect the outsourced business in India.

There is therefore a huge stake for Indian IT industry in the regulatory regime dictated by the Data Protection regulations of UK/EU as well as the HIPAA of USA.

When HIPAA was first enacted in 1996, with different aspects of the legislation to be implemented at different points in the future, there was very little recognition in India of the legislation. By 2000, India had its own legislation, namely the Information Technology Act 2000 (ITA 2000), which could be invoked for penalizing any data vandalization or misuse. It also rendered data processors liable for negligence in both civil and criminal terms. Though this was not treated as a data protection law, there were provisions for civil and criminal penalties for data breach, and hence India was introduced to the concept of information security as a legal obligation.

By 2003 and 2004 when HIPAA was fully under implementation in USA with Privacy and Security rule obligations, Indian business associates were ready to meet the requirements of the US vendors to undertake their BA obligations. Most responsible US companies ensured that the then existing SLAs were suitably upgraded to meet the requirements of BA agreements incorporating some security obligations coupled with indemnities.

This was the first invasion of HIPAA into India, when only a handful of US companies casually informed a handful of Indian associates that there was some obligation under HIPAA for privacy protection and information security.

However, since even in the US covered entities were not too serious about the HIPAA requirements, the impact of HIPAA on India went almost unnoticed, except among techno-legal academicians such as the undersigned, who had an obligation to include HIPAA as part of the Cyber Law education that they promoted.

By around 2007, however, some companies in India started requisitioning professional services for HIPAA training and investing in HIPAA preparation. The trend accelerated in 2008, and more mid-sized companies opted to be called "HIPAA Compliant" by undergoing some form of sensitization training.

However, it was not until the HITECH Act came into being in February 2009 that US companies started engaging their Indian counterparts in a serious dialogue on HIPAA compliance. With a more active HHS, which imposed large penalties on many companies in the USA, there was a sudden realization in the USA that they needed proper documentation of the HIPAA readiness of their Indian counterparts. Here the second invasion of HIPAA started making inroads into India.

In October 2009, India notified the amendments to ITA 2000, and ITA 2008 was born. This added strength to the HIPAA obligations that Indian companies took on as a matter of routine in their BA agreements.

Though many did not realize it, ITA 2008 acted as a supplement to the HITECH Act, and HITECH Act provisions could be interpreted as also being mandated under ITA 2008.

On April 11th, the notification of rules under Section 43A of ITA 2008 reminded corporates of their privacy obligations, and they are still trying to digest the onslaught of a combined attack from the HITECH-ITA 2008 combination.

Now yet another shake-up is visible in the form of the proposed changes to the Privacy Rule which HHS notified on May 31, 2011. The proposed changes, which are presently in a public comment period, are likely to hit the Indian outsourcing industry like a Tsunami.

The proposed changes will hit on the Data Breach Notification front with the new obligation of "Accountability for Data Disclosures".

If Indian IT companies having a stake in HIPAA do not understand the implications of the provisions and harden their security systems, they are likely to lose out on their profitable business contracts.

If, however, Indian IT companies react quickly and appropriately to this Tsunami warning, they can be ready before their US counterparts themselves realize the new responsibilities and start making demands on Indian service providers, which include several software development companies.

If the Indian companies are smart and agile, they may even be able to use the huge energy flow that accompanies the Tsunami and make a big kill on the commercial front.


July 12, 2011

Comments are welcome at naavi@vsnl.com