HIPAA vs DPDP for AI Scribes: What Each Demands
By Patient Square Team · 7 min read
HIPAA and India's DPDP both govern how an AI scribe may handle patient data, but they're built on different machinery. HIPAA turns on a signed Business Associate Agreement and the Security Rule. DPDP turns on patient consent and your duties as a Data Fiduciary. If you're buying a scribe in either country, or both, this is the obligation map that tells you what each law actually demands and what to verify before you sign.
Key takeaways
- HIPAA runs on the BAA-plus-Security-Rule model; DPDP runs on the consent-plus-Data-Fiduciary model.
- HIPAA breach: notify individuals within 60 days; notify HHS within 60 days for 500+ affected, annually for smaller breaches.
- DPDP breach: intimate people and the Data Protection Board without delay, then a detailed report to the Board within 72 hours.
- DPDP has no blanket data-localisation rule. HIPAA has none either. Residency is a contract question, not a statutory mandate in either law.
- The engineering that satisfies both (encryption, access control, minimal retention) is largely the same. The paperwork differs.
Stat cards: HIPAA, outer limit to notify affected individuals after breach discovery (45 CFR 164.404); DPDP, window to file the detailed breach report to the Data Protection Board (2025 Rules); HIPAA = BAA + safeguards, DPDP = consent + fiduciary duties.
Sources: HHS HIPAA Breach Notification Rule (45 CFR 164.404, 164.408); PIB / MeitY DPDP Rules 2025.
HIPAA vs DPDP: the obligation map for an AI-scribe buyer
Here's the side-by-side. Each row is a real obligation that bears on the scribe you buy, not a generic legal summary.
| Obligation | HIPAA (US) | DPDP (India) |
|---|---|---|
| Who carries the duty | Covered entity + business associate (the vendor) | The clinic, as Data Fiduciary; vendor is a processor on your behalf |
| Core legal instrument | Written BAA (45 CFR 164.502(e), 164.504(e)) | Patient consent: free, specific, informed, unambiguous |
| Lawful-basis model | Permitted uses for treatment, payment, operations | Consent-first, with limited statutory exceptions |
| Security duty | HIPAA Security Rule: administrative, physical, technical safeguards | Reasonable security safeguards (the duty with the largest penalty) |
| Breach: people | Without unreasonable delay, no later than 60 days (164.404) | Without delay (2025 Rules) |
| Breach: regulator | HHS within 60 days for 500+; annual log for under 500 (164.408) | Data Protection Board: without delay, detailed report within 72 hours |
| Patient rights | Access, amendment, accounting of disclosures | Access, correction, erasure; grievance redressal |
| Data residency | No statutory localisation; governed by the BAA | No blanket localisation; negative-list transfer (Section 16) |
| Penalty ceiling | Tiered civil penalties per violation category | Up to ₹250 crore for security-safeguard failure leading to a breach |
The shape of the difference: HIPAA hands you a contract (the BAA) and a rulebook (the Security Rule), and compliance flows from honouring both. DPDP hands you a relationship with the patient (consent) and a role (Data Fiduciary), and compliance flows from respecting purpose limitation and securing the data. A scribe that's built right satisfies both with the same underlying engineering.
If you operate in both regions, the practical move is to ask one vendor the BAA question and the consent question side by side. You can do that on a call: book a short demo and put both regimes to the same tool.
What does HIPAA actually require from an AI scribe?
Three things, in order of how often buyers get them wrong.
A signed BAA. This is non-negotiable and it's the first thing to verify. Under 45 CFR 164.502(e) and 164.504(e), a covered entity must have a written contract with any business associate that creates, receives, maintains, or transmits PHI on its behalf. An ambient scribe processing visit audio and notes is squarely a business associate. The BAA has to carry the required safeguard and breach-notification terms; an oral assurance doesn't count. If a vendor won't sign one, the conversation is over.
Security Rule safeguards. The vendor has to implement administrative, physical, and technical safeguards for the PHI it holds: access controls, encryption, audit logging, the standard set. HIPAA deliberately doesn't certify software, so "HIPAA certified" is a phrase to distrust; no such certificate exists. What exists is a vendor who maps its controls to the Security Rule and can show you how. Our full take on this is in the HIPAA and AI scribes guide.
Breach notification. If unsecured PHI is breached, the clock starts at discovery. Affected individuals get notice without unreasonable delay and no later than 60 calendar days (45 CFR 164.404). HHS gets notice within 60 days when 500 or more people are affected, or on an annual log for smaller breaches (45 CFR 164.408). For a breach at the vendor, the business associate notifies you, the covered entity, and you remain responsible for individual notice.
What does DPDP actually require from an AI scribe?
A different starting point: the patient's consent, and your role as the one accountable for the data.
Consent and purpose limitation. Under DPDP, you process patient data on consent that's free, specific, informed, and unambiguous, and you use it only for the purpose you stated. A scribe that quietly repurposed patient data for model training would break this; ask every vendor directly whether your patients' data trains anything.
Data Fiduciary accountability. You're the Data Fiduciary. When you hand data to a processor like a scribe, their handling becomes your exposure. That's why vendor diligence under DPDP isn't optional; the law makes your procurement decision a compliance decision.
Breach and timelines. The DPDP Rules 2025 were notified on 13 November 2025 and commence in phases, with the bulk operational obligations landing by 13 May 2027. On breach, the duty is to intimate affected people and the Data Protection Board without delay, then file a detailed report to the Board within 72 hours. The phased calendar, and what your clinic must do by when, is laid out in the DPDP Rules 2025 timeline.
Does either law force patient data to stay in-country?
This is the most over-claimed point in the whole area, so here's the clean version. Neither HIPAA nor DPDP imposes a blanket data-residency mandate on a health-tech vendor.
- HIPAA has no localisation rule. Where PHI is stored is governed by your BAA and your own risk decisions, not a statute that says "US-only."
- DPDP uses a negative-list model under Section 16 of the Act: cross-border transfer is permitted except to jurisdictions the central government specifically restricts. There's no general "data must stay in India" command in the Act itself. Sector regulators (for example in banking) can impose their own localisation, but those rules come from elsewhere, not DPDP.
So "where does the data live" is a real question, but it's a contract-and-risk question you settle with the vendor, not a box a law ticks for you. A vendor who answers it in one sentence has told you they've thought about it. For the India residency angle in detail, see where your patient data lives.
How can one AI scribe satisfy both regimes?
By building to the stricter technical floor and handling the paperwork per region. The notable thing, once you map both laws, is how much they agree on at the engineering level: encrypt the data, control and log access, don't keep what you don't need, let the customer export or delete. HIPAA reaches that through the Security Rule and the BAA; DPDP reaches it through reasonable security safeguards and purpose limitation. Same destination, different signposts.
AI Scribe by Patient Square is an ambient AI medical scribe that listens during the visit and hands back a structured SOAP note, ICD-10 suggestions, and a prescription draft, ready to review and sign about two minutes after the visit. The compliance posture is built to clear both floors:
- US: safeguards mapped to the HIPAA Security Rule, and a BAA available to every customer. We don't say "HIPAA certified," because that certificate doesn't exist.
- India: patient data handled to DPDP Act 2023 standards, consent-first and purpose-limited. We describe this as handling-to-standards, not certification, because DPDP vendor certification isn't a thing that exists either. (Our ABDM integration is on our roadmap, not live, and we won't claim otherwise.)
- Both: visit audio is processed in memory and discarded the moment the note is drafted, so there's no audio archive to breach, notify on, or localise. Notes are encrypted in transit (TLS 1.2+) and at rest (AES-256), access is role-scoped and logged, and the notes belong to your practice, exportable or deletable any time.
One opinion, stated as one: the cleanest compliance answer in both countries is to hold less data, not to paper over holding a lot of it. Audio you never store is the breach you never have to report, the residency question you never have to answer, and the subpoena that finds nothing.
The full technical posture, in the same plain terms for both regions, is on our security page. If you want to put it to the test, book a short demo and ask the BAA question (US) or the consent-and-purpose question (India) directly, or run the 7-day trial and watch where the audio goes. Nowhere. That's the design.
Common questions
What is the core difference between HIPAA and DPDP for an AI scribe?
HIPAA (US) runs on the covered-entity and business-associate model: the vendor signs a BAA and follows the Security and Breach Notification Rules. DPDP (India) runs on a consent-and-fiduciary model: the clinic is a Data Fiduciary that must process patient data on consent and purpose limitation. One is contract-and-safeguards led; the other is consent led.
Does HIPAA require a Business Associate Agreement with an AI scribe?
Yes. Under 45 CFR 164.502(e) and 164.504(e), a covered entity must have a written BAA with any business associate that handles PHI on its behalf, with the required safeguard and breach terms. An AI scribe handling visit PHI is a business associate, so a signed BAA is the floor. No BAA, no compliant use.
What are the breach-notification windows under HIPAA and DPDP?
HIPAA: notify affected individuals without unreasonable delay and no later than 60 days; notify HHS within 60 days for breaches of 500 or more, annually for smaller ones. DPDP: under the 2025 Rules, intimate affected people and the Data Protection Board without delay, then file a detailed report to the Board within 72 hours.
Does DPDP force patient data to stay in India?
Not broadly. The DPDP Act uses a negative-list model under Section 16: cross-border transfer is allowed except to jurisdictions the central government specifically restricts. There is no blanket data-localisation mandate in DPDP itself, though sector regulators may impose their own rules separately from the Act.
Can one AI scribe serve both a US and an India practice compliantly?
Yes, if it meets each region's floor: a BAA and HIPAA-mapped safeguards for the US, and consent-first, purpose-limited DPDP handling for India. The technical posture that satisfies both is similar (encryption, access control, no unnecessary data retention). The paperwork differs by region; the engineering largely doesn't.
Sources
- HHS: HIPAA Breach Notification Rule (45 CFR 164.404 individual notice; 164.408 notice to the Secretary).
- eCFR: 45 CFR 164.404, Notification to individuals (no later than 60 calendar days after discovery).
- eCFR: 45 CFR 164.408, Notification to the Secretary (500+ within 60 days; under 500 annually).
- HHS: Business Associate Contracts (45 CFR 164.502(e), 164.504(e) required written agreement).
- PIB / MeitY: Digital Personal Data Protection Rules 2025 notified 13 November 2025 (phased commencement).
- DPDP Act 2023, Section 16: cross-border transfer (negative-list model).