
Legal Analysis of HIPAA and India’s DPDPA in Governing Digital Health

Authored By: Naukhaiz Aftab

Sankalp Institute of Law

Abstract

This paper examines how the United States and India regulate the protection of health data. It compares the U.S. Health Insurance Portability and Accountability Act (HIPAA) with India’s Digital Personal Data Protection Act (DPDPA), focusing on how each law applies to newer health technologies such as wearable devices and AI-based tools. Protecting health data is essential if patients are to trust these tools. The paper analyses the statutory texts, enforcement cases and official reports to see how each framework handles individual rights, the duties of regulated entities and enforcement. Its main findings are that HIPAA is a sector-specific U.S. law built around defined patient rights and defined regulated entities, whereas the DPDPA is a cross-sectoral Indian law built around consent. Both laws struggle with AI and consumer health apps. Case studies, including the Anthem breach in the U.S. and hospital data breaches in India, show gaps in enforcement under both regimes. The paper proposes a hybrid approach that combines sector-specific healthcare rules with general cross-sectoral data protection rules, so that systems can interoperate and ethical innovation in health technology is supported.

Keywords: HIPAA (Health Insurance Portability and Accountability Act), DPDPA (Digital Personal Data Protection Act), Digital Health, Data Privacy, Healthcare Technology, AI in Healthcare, Data Governance, Anthem Breach, Cross-Border Data Flow, Patient Rights.

Introduction

Technology is quickly changing how we get medical care. We now have things like smartwatches that track our health, computer programs that help doctors find illnesses, and digital health records. Because of this, strong laws are needed worldwide to keep people’s private health information safe. These laws also need to allow technology to keep improving.

This paper considers two laws: the U.S. Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, and India’s Digital Personal Data Protection Act (DPDPA), enacted in 2023. HIPAA is a long-standing U.S. law that protects only health information held by defined healthcare entities and their contractors. In contrast, the DPDPA is a new, comprehensive Indian law that protects all kinds of digital personal data, including health data.

This paper will compare these two laws to see what is similar and different about them. It will also look at how they affect key groups of people, such as patients, doctors, insurance companies, and technology firms. The primary objective of the paper is to suggest new ways to improve these regulations and create smart, fair and transparent rules for digital health data.

Problem Statement

The use of digital health technology is growing, and a new framework is needed to govern the resulting data. The current laws, HIPAA in the U.S. and the DPDPA in India, were not designed for problems such as cross-border transfers of health data or the use of AI in clinical and insurance decisions. The original purposes of these laws do not match the needs of today’s digital healthcare.

Research Questions

How do the U.S. law HIPAA and India’s law DPDPA handle digital health data differently?
What are the weaknesses of HIPAA and DPDPA when it comes to new technology like artificial intelligence and smartwatches?

Methodology
This paper uses a comparative doctrinal method. It reads the two statutes side by side to identify where they converge and where they differ, then tests the comparison against real-world case studies of enforcement and against an analysis of how each law affects patients, providers, insurers and technology firms. The aim is to show not only what each regulation says on paper but how it operates in practice.

Sources

The analysis draws on four kinds of sources.

Primary legislation: the texts of HIPAA and the DPDPA and the rules made under them.

Judicial and enforcement precedent: the litigation and regulatory settlement arising from the Anthem breach illustrates how HIPAA is enforced in practice; recent Indian incidents illustrate how a law that is still being implemented performs when tested.

Scholarly work: the privacy scholarship of Daniel Solove and Shoshana Zuboff supplies the conceptual framework.

Official reports: publications of NITI Aayog and the WHO show how these laws affect people’s lives and where policy is heading.

Legal and Philosophical Foundations

HIPAA is a sector-specific U.S. federal statute. It protects individually identifiable health information by requiring defined groups, such as healthcare providers and health plans, to follow its Privacy and Security Rules. Its objective is to protect a patient’s autonomy, dignity and privacy while still allowing health information to be used for treatment, payment and public health purposes.[1]

The DPDPA, on the other hand, is a law that applies across all sectors. Its central mechanism is consent: individuals must agree to the processing of their personal data, subject to a limited set of legitimate uses. The Act creates a single central framework for data protection that can later be adapted to different sectors. It reflects a state-led approach in which the government takes primary responsibility for protecting people’s digital rights. It draws on the EU’s GDPR but is adapted to India’s circumstances.[2]

HIPAA reflects an individual-rights conception of privacy: privacy is a means of protecting people from the state and from large institutions. The DPDPA is more collective in outlook and treats the state as the main guardian of people’s digital rights. Critics have argued that neither law does enough for people who lack reliable access to technology.

Structural and Procedural Comparison

HIPAA applies only to the healthcare sector. It binds “covered entities”: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically. It also places obligations on the “business associates” that handle protected health information on their behalf.

In contrast, the DPDPA is a much broader law covering all sectors, including health. It calls any entity that decides the purpose and means of processing personal data a “data fiduciary” and imposes duties such as obtaining consent, using data only for a specified purpose, and collecting no more data than necessary.[3]

The range of entities each law regulates is therefore very different. HIPAA applies only to specific actors in healthcare, whereas the DPDPA applies to all data fiduciaries. This means the DPDPA’s rules cover a much wider field. The consequence is that HIPAA contains detailed rules tailored to the health sector, while the DPDPA will need sector-specific rules to be made later to address the particular needs of different industries.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces HIPAA. It can impose civil money penalties in tiers that depend on the level of culpability and the duration of the violation, and criminal violations are referred to the Department of Justice. India’s new Data Protection Board is responsible for enforcing the DPDPA, but it is too new for its effectiveness to be judged. DPDPA penalties are purely monetary, although repeated violations can lead to a fiduciary’s platform being blocked; there is no graduated scheme keyed to culpability and no criminal liability.

Stakeholder Impact Analysis

Patients have clear rights under HIPAA. They can access their medical records, request amendments, and obtain an accounting of certain disclosures of their information. But the framework does little to make data portable from one provider to another or to make different systems interoperate. The DPDPA also gives Indian patients the right to access and correct their information. In practice, however, many cannot exercise these rights because of limited digital literacy, language barriers, or the distance to the relevant offices. Neither law has made it easy for patients in rural or poor areas to file complaints.

Healthcare providers in the U.S. must follow detailed safeguards to keep patient information private. Some are technical, such as encryption and access controls; some are physical, such as controlling who can enter a facility; and some are administrative, such as staff training and risk analysis. These requirements are well understood and generally followed, even though compliance is burdensome. The DPDPA introduces new obligations in India around clear consent, purpose limitation, and building privacy into systems from the start. But because there are no health-sector-specific rules yet, hospitals and clinics often do not know what they must do to comply.

The two laws treat technology companies differently. A health app that is not offered by or on behalf of a covered entity falls outside HIPAA altogether (although the U.S. Federal Trade Commission’s Health Breach Notification Rule reaches some such apps). This is a significant gap in the law. The DPDPA, in principle, applies to every entity in India that processes personal health data, including app developers. But these companies do not know what is expected of them because no sector-specific rules or guidance have been issued.

HIPAA permits the sharing of health data for treatment, payment and healthcare operations but imposes strict limits on its use for marketing. The DPDPA covers a wider range of processing, yet the rules for sharing data with third parties remain unclear. In India, where the health insurance market is expanding rapidly, this ambiguity about who is accountable when data is shared raises concerns about both patient privacy and institutional liability.

Case Studies of HIPAA and DPDPA

A significant cyberattack on a private hospital in Delhi in 2024 resulted in thousands of patient records being exposed.[4] This happened even though the DPDPA had been enacted, because its provisions and implementing rules had not yet been fully brought into force. The hospital had no data protection officer (an appointment the Act requires only of entities notified as significant data fiduciaries), no grievance redressal mechanism, and no compliance plan. As a result, the people whose information was leaked had no effective remedy, and no one was held accountable. The incident illustrates the problems of the DPDPA’s still-incomplete system.

In 2015, Anthem Inc., a major U.S. health insurer, suffered a data breach that exposed the names, dates of birth, medical identification numbers and other personal details of roughly 79 million people.[5] Following an OCR investigation, Anthem agreed in 2018 to pay $16 million to resolve potential HIPAA violations. The company also faced extensive class-action litigation from affected individuals. Critics argue that monetary penalties alone do not make companies genuinely prioritise data protection.

New York-Presbyterian Hospital and Columbia University Medical Center (2014): protected health information of about 6,800 patients was exposed when a physician attempted to deactivate a personally owned computer server on the shared network without adequate safeguards. The exposed records became searchable on the internet. The two institutions paid a combined $4.8 million to settle, for failing to implement appropriate policies, procedures and risk analysis.

Cignet Health (penalty imposed 2011): this case highlighted the importance of patient access rights. Cignet Health was ordered to pay a $4.3 million civil money penalty, the first under the HIPAA Privacy Rule, for repeatedly failing to provide 41 patients with copies of their medical records on request. Its failure to cooperate with OCR’s investigation substantially increased the penalty.[6]

All of these examples reveal serious problems. India’s problem is one of implementation: its institutions and rules are not yet in place. In the U.S., the problem is cultural: organisations treat fines as a cost of doing business, which does not necessarily lead to safer data.

Intersections with AI and Emerging Technologies

Neither HIPAA nor the DPDPA fully addresses the problems created by AI, wearable health devices and health apps.[7] HIPAA contains no specific rules for AI or machine learning. It treats AI-derived information like any other health record, without regard to whether the AI system is fair or explainable. The DPDPA’s general consent rules apply to AI processing as well, but the Act says nothing specific about it either.[8]

HIPAA does not cover wearable devices and mobile apps unless they are operated by or on behalf of a covered entity, which leaves a large volume of patient-generated health data unprotected.[9] The DPDPA protects all digital personal data, including data from wearables, but it has no specific rules for the handling of biometric or behavioural information. Neither law deals adequately with bias in AI. HIPAA says nothing about profiling or fairness in the use of data, and the DPDPA gives individuals no real means to question or contest automated decisions. Both laws need prompt updating to address the risks of AI, especially as it is increasingly used to make decisions about a person’s health and insurance.[10]

Policy Recommendations

India can improve its digital health regime by drawing on HIPAA’s clear and specific rules. First, the government should consider issuing health-sector rules under the DPDPA, analogous to HIPAA’s Privacy Rule, that tell providers, insurers and technology companies exactly what they must do.

Second, any new digital health project that will process sensitive personal data should be required to carry out a Data Protection Impact Assessment (DPIA) first. This would surface risks early, especially for new health apps and AI tools.

Third, India should make it easier for people to obtain redress when their data is misused. It could establish a digital health ombudsman or local complaint mechanisms that are simple to use and available in the languages of the Eighth Schedule of the Indian Constitution.

India can also learn from HIPAA’s precise definitions and its tiered penalty structure, which supports proportionate enforcement. HIPAA also benefits from coordination between different arms of government in enforcement, and India could adopt a similar arrangement.

Finally, both India and the U.S. need to align their laws with international standards. They should conclude agreements that make cross-border sharing of health data easier, safer and more transparent, and adopt common standards for the fairness of new technologies and the interoperability of systems, supported by audits, certification and compliance mechanisms.[11]

Conclusion

As digital health tools change the way healthcare is delivered around the world, laws must evolve to meet new problems, including protecting data processed by opaque technologies and governing data that crosses national borders. HIPAA in the U.S. and the DPDPA in India are very different regulations, but both offer important lessons about building legal systems that are flexible and robust enough to protect medical data.

This paper has argued that HIPAA’s sectoral focus must be balanced against the DPDPA’s breadth across all sectors. Neither law deals adequately with new technologies such as AI or wearable devices. In the absence of specific regulation, patients and technology developers alike do not know what to expect.

What is needed is a legal framework that combines general rules for all industries with specific rules for each sector. This must be accompanied by organisational change, security review of technology, and alignment of rules across borders. Only then will digital health regulation be fair, inclusive and supportive of innovation.

Bibliography

Daniel J. Solove, A Taxonomy of Privacy, 154 U. Pa. L. Rev. 477 (2006).

Comm. of Experts, Rep. of the Comm. of Experts Under the Chairmanship of Justice B.N. Srikrishna to Deliberate on a Data Protection Framework for India (2018).

Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (2019).

Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 29 and 42 U.S.C.).

Digital Personal Data Protection Act, No. 22 of 2023, India Code (2023).

WHO, Global Strategy on Digital Health 2020–2025 (2021).

NITI Aayog, Responsible AI for All: Strategy for India’s National AI Program (2020).

In re Anthem, Inc. Data Breach Litig., 343 F. Supp. 3d 982 (N.D. Cal. 2018).

TNN, Servers of Two City Hospitals Hacked; Police Register FIR, Times of India (June 13, 2025).

Footnotes

[1] Daniel J. Solove, A Taxonomy of Privacy, 154 U. Pa. L. Rev. 477, 482 (2006).

[2] Comm. of Experts Under the Chairmanship of Justice B.N. Srikrishna, Rep. on a Data Protection Framework for India 34–36 (Dec. 2018).

[3] Digital Personal Data Protection Act, No. 22 of 2023, Acts of Parliament, § 5, § 22 (India).

[4] Servers of Two City Hospitals Hacked; Police Register FIR, Times of India (June 13, 2025), https://timesofindia.indiatimes.com/ (last visited Aug. 10, 2025).

[5] In re Anthem, Inc. Data Breach Litig., 343 F. Supp. 3d 982, 996 (N.D. Cal. 2018).

[6] Columbia University Medical Centre

[7] WHO, Global Strategy on Digital Health 2020–2025 (2021).

[8] NITI Aayog, Responsible AI for All: Strategy for India’s National AI Program 27–29 (June 2020).

[9] Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power 120 (PublicAffairs 2019).

[10] NITI Aayog, Responsible AI for All: Strategy for India’s National AI Program 27–29 (June 2020).

[11] WHO, Global Strategy on Digital Health 2020–2025 (2021).
