Somewhere in every healthcare GCC conversation, a compliance officer asks the same question a different way: “Is it even legal to send this data to India?” It’s the right instinct and the wrong framing. The question isn’t whether offshoring patient data is legal — under HIPAA, it explicitly is, and has been for years. The real question is whether the specific vendor, the specific contract, and the specific controls in place would hold up if a regulator, an auditor, or a plaintiff’s attorney ever looked closely. That’s a much harder question to answer with a vendor slide deck, and it’s the one this article is actually about.
Healthcare organizations building a GCC in India are usually navigating three separate legal regimes at once — HIPAA, GDPR, and India’s own Digital Personal Data Protection (DPDP) Act — and most of the confusion comes from treating them as one compliance problem instead of three, each with a different trigger, a different enforcement mechanism, and a different party left holding the risk.
Why These Three Laws Don’t Simplify Into One Checklist
HIPAA is a US federal law that follows the covered entity, not the data. It applies because a US healthcare provider, payer, or billing company is the one legally accountable — regardless of where the work is performed.
GDPR is an EU regulation that follows the data subject. It applies the moment a patient in the EU is involved, even if the healthcare organization has no EU office and the processing happens entirely in India.
DPDP is an Indian law that governs processing that happens on Indian soil. It applies to the GCC itself, as the entity actually handling the data inside India, independent of where the patient or the parent company is based.
A healthcare GCC in India can be subject to all three simultaneously on a single patient record — HIPAA because the data originated with a US covered entity, GDPR because the patient is an EU resident receiving cross-border care, and DPDP because the processing is physically happening in Bengaluru or Pune. None of them replace the others. None of them are optional because another one applies.
HIPAA: The Rule Most People Get Wrong
HIPAA has no geographic exemption. Any entity that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity is a business associate — whether that entity sits in Ohio or Hyderabad. HHS has been explicit on this point: HIPAA rules do not prohibit storing or processing ePHI outside the United States.
What HIPAA does require is a signed Business Associate Agreement (BAA) with the offshore partner, backed by administrative, physical, and technical safeguards that actually function day to day — access controls tied to individual roles, physical restrictions on the floor where PHI is handled, audit logging, and breach notification procedures that meet HIPAA’s timelines.
Here’s the part vendors don’t lead with: a BAA establishes legal accountability, but it doesn’t make anyone HIPAA compliant. It’s a contract, not a control. And the enforcement asymmetry cuts one way — the Office for Civil Rights pursues the US covered entity, not a business associate sitting in India. If a breach happens offshore, the legal exposure lands on the US healthcare organization first, regardless of whose systems failed. That’s exactly why the security posture of the India-based partner matters more than the paperwork around it — the contract protects you procedurally, but only real controls protect you operationally.
GDPR: The Rule That Applies Whether or Not You Think It Does
GDPR is extraterritorial by design. It doesn’t care where your company is headquartered or where the processing happens — it applies the moment you’re processing personal data belonging to someone in the EU, including health data from a telehealth patient, a clinical trial participant, or a European subsidiary’s employee health plan.
Health data is “special category” data under GDPR Article 9, which means it needs an explicit lawful basis and a higher bar of protection than ordinary personal data. And because India doesn’t currently hold an EU adequacy decision, any transfer of that data to an India-based GCC requires Standard Contractual Clauses (SCCs) — plus, post-Schrems II, a documented transfer impact assessment showing the receiving country’s legal environment doesn’t undermine the protections the SCCs promise on paper. A breach involving that data carries a 72-hour notification clock to the relevant EU supervisory authority.
The practical trap here is scope creep: a US healthcare organization that assumes “we’re not an EU company, so GDPR doesn’t touch us” is usually wrong the first time a European patient, employee, or research subject’s data enters the pipeline.
DPDP: The Law Everyone Underestimates Because It’s Still Rolling Out
India’s Digital Personal Data Protection Act was notified in 2023, but it’s being implemented in phases — the Data Protection Board and administrative provisions took effect in late 2025, the Consent Manager framework activates in November 2026, and the substantive compliance obligations for data fiduciaries and processors come fully into force in May 2027.
That phased rollout leads some GCC operators to treat DPDP as a future problem. It isn’t. DPDP governs the GCC itself as the entity physically processing personal data on Indian soil, and its consent-based framework, breach notification duties to the Data Protection Board, and — for entities classified as Significant Data Fiduciaries — potential cross-border transfer or localization restrictions, are coming into force on a fixed timeline, not a hypothetical one. DPDP doesn’t currently impose blanket data localization the way some sector-specific Indian rules do (RBI’s payment data localization mandate, for instance), but the government retains the authority to restrict transfers to specific countries or mandate localization for specific categories of significant data fiduciaries. A healthcare GCC standing up operations in India today should be building to the 2027 bar now, not waiting for enforcement to start.
How the Three Actually Stack for a Healthcare GCC
| Dimension | HIPAA | GDPR | DPDP |
|---|---|---|---|
| Triggered By | US covered entity involvement | EU data subject involvement | Processing occurring in India |
| Governs | Business Associate relationship | The personal data itself, wherever it goes | The processing entity in India |
| Core Mechanism | Business Associate Agreement (BAA) | Standard Contractual Clauses (SCCs) + Data Processing Agreement (DPA) | Consent & notice under DPDP Rules |
| Breach Notification | As required under the HIPAA Breach Notification Rule | Within 72 hours to the relevant EU supervisory authority | To India’s Data Protection Board |
| Primary Liability | US covered entity | Data controller, regardless of location | Data fiduciary and processor in India |
| Certification Available | None — no official HIPAA certification exists | None — GDPR has no official vendor certification mechanism | Still evolving; enforcement framework is being phased in |
That last row is the one that matters most for anyone trying to evaluate a healthcare GCC partner. None of the three frameworks that actually govern this data give you a certificate to check. HIPAA compliance is self-attested and contract-based. GDPR has no processor certification scheme in practical use. DPDP’s enforcement infrastructure is still being built. A healthcare organization asking “can you show me your HIPAA certification” is asking for something that doesn’t exist — which means the real question has to be different: how do you verify, independently, that the controls these three laws all require — access management, encryption, physical security, incident response, audit logging — are actually operating, not just documented in a policy binder?
Why ISO 27001:2022 Is the Answer to the Question HIPAA and GDPR Can’t Settle
This is where ISO 27001:2022 stops being a badge on a footer and starts doing real work. It’s an internationally recognized, independently audited information security management system certification — meaning a third-party auditor, not the vendor itself, verifies on an ongoing basis that access controls, physical security, encryption, incident response, and data governance practices actually function the way they’re documented to.
It doesn’t substitute for a BAA, and it doesn’t make an organization automatically HIPAA or GDPR compliant on its own — those are legal and contractual obligations that sit with the covered entity and controller, not something a certification transfers away. What ISO 27001:2022 does is give a healthcare organization something HIPAA and GDPR structurally can’t: independently verified proof that the underlying security controls those laws require are real, current, and re-audited — not a one-time claim from a sales conversation.
OwnGCC is ISO 27001:2022 certified for exactly this reason. When PHI, EU patient data, or personal data processed under DPDP moves through an OwnGCC-enabled healthcare GCC, the security controls around that data aren’t just contractually promised — they’re independently audited against a recognized global standard, on an ongoing basis, by a party with no incentive to take a vendor’s word for it.
FAQs
Is it legal to send patient data to a GCC in India?
Yes, under HIPAA specifically — there’s no geographic restriction, and HHS has confirmed offshore processing of ePHI is permitted with a proper Business Associate Agreement and adequate safeguards in place. Whether GDPR or DPDP also apply depends on whether EU patients are involved and where the processing physically occurs.
If we only serve US patients, does GDPR still matter?
Usually not — GDPR is triggered by the involvement of an EU data subject, not by the location of your GCC. But “US patients only” is worth verifying carefully; clinical research participants, EU-based employees on a health plan, or telehealth patients abroad can bring GDPR into scope in ways that aren’t always obvious upfront.
Who’s liable if there’s a data breach at the India-based GCC?
Under HIPAA, enforcement action concentrates on the US covered entity, even when the offshore business associate’s systems were the point of failure — which is exactly why the security posture of the GCC partner matters more than the BAA alone. Under GDPR and DPDP, liability can extend to the processing entity in India directly, alongside the controller or fiduciary.
Does ISO 27001 certification mean we’re automatically HIPAA or GDPR compliant?
No — and any vendor that claims otherwise is overstating it. ISO 27001:2022 independently verifies that information security controls are in place and operating; it doesn’t replace the BAA required under HIPAA or the SCCs and Data Processing Agreement required under GDPR. It’s evidence the underlying controls are real, not a substitute for the legal instruments those laws require.
Does DPDP require us to keep healthcare data physically inside India?
Not as a blanket rule today. DPDP doesn’t currently impose general data localization, though the government can restrict cross-border transfers or mandate localization for specific categories of data processed by Significant Data Fiduciaries. Sector-specific rules — like RBI’s localization requirement for payment data — are separate and stricter. A healthcare GCC should track this by data category rather than assume one rule covers everything.









