If you’re evaluating telehealth compliance India vs United States rules for the first time, here’s the short version: these are two entirely different rulebooks, written by different bodies, enforced in different ways, and built around different assumptions about how healthcare should work. A platform that satisfies India’s Telemedicine Practice Guidelines won’t automatically satisfy HIPAA. And a US-compliant build won’t meet the Digital Personal Data Protection Act’s requirements without real changes.
We’ve spent years building TeleSecure360 around this exact problem — giving doctors and patients a secure way to connect without forcing clinics to gamble on which compliance standard actually applies to them. This guide breaks down what separates the two systems, where they overlap, and what it actually takes to run a compliant virtual practice in either country (or both).
Why Telehealth Compliance Looks So Different in India and the US
The gap isn’t accidental. India built its telemedicine framework around a single national licensing body and a unified data law. The US built its system around fifty separate state medical boards, a federal patient-privacy statute written in 1996, and a controlled-substances law from 2008 that never anticipated home-based video visits.
That history matters for clinic owners. In India, one looks to the National Medical Commission (NMC) and a handful of central statutes. In the US, compliance depends on where the patient is sitting during the call — not where the doctor is licensed.
The Regulatory Foundations: Who Actually Makes the Rules

India’s Framework — NMC, Telemedicine Practice Guidelines, and DPDP Act
India’s core telemedicine rulebook is the Telemedicine Practice Guidelines (TPG), issued in March 2020 by the Board of Governors in supersession of the Medical Council of India, and now overseen by the NMC. The guidelines continue to govern telemedicine practice in 2026, with ongoing emphasis on integration with the Ayushman Bharat Digital Mission (ABDM) for seamless health data exchange. Dreams Landing
A few foundational rules sit underneath the TPG:
- Eligibility: Only physicians registered with the NMC or State Medical Councils are permitted to practice telemedicine. CMS
- Standard of care: Practitioners must adhere to the same standard of care, ethics, and confidentiality as in-person consultations. CMS
- Data law: The Digital Personal Data Protection Act (DPDP Act), 2023, layers on top of the TPG, governing how patient data is collected, stored, and shared.
There’s no separate “telehealth license” in India — a doctor’s existing medical registration covers virtual consultations, as long as the TPG’s procedural rules are followed.
The US Framework — HIPAA, State Medical Boards, and the DEA
The US system runs on three separate tracks that all apply at once:
- HIPAA governs how protected health information (PHI) is handled during and after a telehealth visit — security, transmission, storage, and breach notification.
- State medical boards govern who can practice and where. As one compliance guide for clinics puts it, providers must hold a valid license in the state where the patient is located, follow state-specific prescribing rules, and meet HIPAA requirements for telehealth. Curogram
- The DEA, through the Ryan Haight Act, governs controlled substance prescribing specifically.
This is the single biggest structural difference in any discussion of telehealth compliance India vs United States: India regulates the practitioner’s registration. The US regulates the patient’s location — meaning a doctor licensed in California generally cannot legally treat a patient physically sitting in Texas without a Texas license, regardless of where the platform is hosted.
Data Privacy and Patient Information — DPDP Act vs HIPAA
This is where most platform-compliance conversations actually live, because health data is the asset both regimes are trying to protect — just through different mechanisms.
How India’s DPDP Act Treats Health Data
The DPDP Act establishes comprehensive data protection measures, including patient consent, data security, breach notifications, and rights to access and erasure of personal data. Health information generally falls under the Act’s broader personal-data protections rather than a separate “special category,” but consent and purpose-limitation requirements apply with particular weight to medical records. CMS
Separately, the TPG itself requires practitioners to comply with all applicable data protection laws and confidentiality regulations, and holds the registered medical practitioner personally liable for confidentiality breaches — except where the breach originates from the technology platform itself, which shifts that specific liability to the platform provider.
How HIPAA Protects PHI
HIPAA’s Security Rule requires covered entities to run risk analyses, enforce access controls, maintain audit logs, and secure data in transit — and it requires signed Business Associate Agreements (BAAs) with any vendor that touches PHI. Providers must adopt platforms and workflows that satisfy the HIPAA Security Rule, including risk analysis, access controls, audit logging, integrity controls, and transmission security, and execute business associate agreements with vendors that handle protected health information. AccountableHQ
Side-by-Side Comparison: DPDP Act vs HIPAA
| Factor | India (DPDP Act) | United States (HIPAA) |
| Scope | All personal data, including health data | Specifically protected health information (PHI) |
| Consent | Explicit, purpose-specific consent required | Authorization required for most disclosures |
| Vendor agreements | Data fiduciary/processor contractual obligations | Mandatory Business Associate Agreement (BAA) |
| Breach notification | Mandatory breach reporting | Mandatory breach reporting (60-day rule) |
| Patient rights | Right to access, correction, erasure | Right to access and amend records |
| Enforcement body | Data Protection Board of India | HHS Office for Civil Rights (OCR) |
Licensing and Practitioner Eligibility
India’s Single-Registration Model
In India, the bar is comparatively simple: a Registered Medical Practitioner (RMP) under the NMC or a State Medical Council can treat patients anywhere in the country via telemedicine, without needing separate state-by-state registration. Registered Medical Practitioners can conduct telemedicine consultations after disclosing their name, qualifications, and registration details to the patient. Digital Health News
The US’s State-by-State Licensing Maze
The US has no equivalent. As one 2026 compliance breakdown describes it: a patient logs on from their living room in Texas, their doctor is based in California, and the legal trail that follows can stretch across two states, multiple rule sets, and a stack of compliance questions a front desk was never trained for. Curogram
There is movement toward easing this. There is ongoing advocacy for broader licensure portability that would allow providers to see patients across state lines with a single national license, but as of 2026, no federal law has passed to mandate this. Until that changes, clinics operating across multiple states need either a license in every state they serve, or participation in an interstate compact where one exists for their specialty. Curogram
Prescribing Rules — What You Can and Can’t Prescribe Online

This is the area where the two systems diverge most sharply — and where compliance mistakes carry the most risk.
India’s List O, A, and B Medicine Categories
India’s TPG sorts prescribable medicines into clear tiers: List O covers over-the-counter medicines safe to prescribe, List A covers commonly used medicines for follow-ups or video consultations, and List B covers medicines that can be prescribed after a video consultation. Narcotics, psychotropics, and Schedule X drugs cannot be prescribed via telemedicine under any circumstances. Dreams Landing
Records matter just as much as the prescription itself — practitioners are expected to maintain digital records for at least three years and share prescriptions and advice securely. Dreams Landing
The Ryan Haight Act and DEA Controlled Substance Rules
In the US, the federal floor is the Ryan Haight Online Pharmacy Consumer Protection Act of 2008, which requires at least one in-person visit before prescribing Schedule II through V controlled substances via telemedicine, enforced by the DEA. Curogram
That said, this requirement has been in flux for years. The DEA and HHS issued a fourth temporary extension of COVID-era telemedicine flexibilities, effective through December 31, 2026, allowing DEA-registered practitioners to prescribe Schedule II–V controlled substances via telemedicine without a prior in-person evaluation when required conditions are met. The agencies framed the extension around continuity of care: past expirations of telemedicine policies caused sharp declines in access, including a 24 percent drop in fee-for-service telemedicine visits after flexibilities lapsed in September 2025. Federal RegisterHHS.gov
A permanent fix is reportedly coming. The extension is meant to give the DEA and HHS time to finalize permanent regulations, including a proposed Special Registration for Telemedicine that would set clear standards for prescribing controlled substances remotely while preserving patient safety. Until that’s finalized, US-based platforms need to track this deadline closely — it’s a moving target, not a settled rule. State law can also tighten this further regardless of what federal flexibility allows. HHS.gov
Practical note: Don’t confuse the DEA’s prescribing rule with Medicare’s separate in-person visit requirement for telehealth mental health services. As one industry newsletter clarified, the Medicare mental health in-person requirement is tied to reimbursement rules and applies only to Medicare beneficiaries, whereas the DEA’s requirement governs all practitioners prescribing controlled substances nationwide, regardless of payer. They’re frequently confused, and conflating them leads to unnecessary restrictions in workflows that don’t need them. NASCSA
Patient Consent and Identity Verification Requirements
Both systems require informed consent before a telehealth visit — but the verification mechanics differ.
India: Practitioners must verify patient identity, preferably with a photo ID or ABHA ID, and obtain explicit consent for telemedicine, preferably recorded. First consultations are generally permitted via telemedicine for most conditions, which is a notably more permissive starting point than several US states allow. Dreams Landing
United States: Consent requirements are set at the state level and vary by jurisdiction, but typically require providers to confirm patient location, document the consent itself, and — increasingly — disclose the limitations of telehealth versus in-person care. Many states also require providers to verify the patient’s physical location at the time of the visit, since that location determines which state’s law applies.
Record-Keeping and Documentation Standards
Both regimes treat documentation as a liability shield, not paperwork.
In India, the TPG calls for retaining digital records for a minimum of three years, with prescriptions and clinical advice shared through secure channels. In the US, HIPAA’s documentation requirements are tied to the broader Security Rule — meaning records must be encrypted, access-logged, and recoverable, with retention periods set by individual state law (commonly five to ten years, sometimes longer for pediatric records).
The common thread: in both countries, a missing or poorly secured record is treated as seriously as a missing consent form during an audit or a malpractice claim.
Penalties for Non-Compliance — What’s at Stake
Non-compliance isn’t a paperwork inconvenience in either country.
India: Violations of the TPG can lead to disciplinary action under NMC regulations, which can include suspension or cancellation of medical registration — effectively ending a practitioner’s ability to practice at all, online or in person. Dreams Landing
United States: Penalties stack across multiple regulators simultaneously. A HIPAA breach can trigger OCR civil penalties; practicing without a license in the patient’s state can trigger state board discipline; and unauthorized controlled-substance prescribing can trigger DEA enforcement — meaning a single workflow mistake can expose a clinic to three separate regulatory bodies at once.
Building a Platform That Works for Both Markets
If you’re a clinic owner or platform operator weighing telehealth compliance India vs United States requirements because you’re expanding across either market, a few practical decisions matter more than the rest:
- Build consent and identity verification as a mandatory first step, not an afterthought — both regimes treat it as foundational.
- Separate your data architecture by jurisdiction rather than trying to build one global compliance layer. DPDP Act obligations and HIPAA obligations don’t map onto each other cleanly enough to share infrastructure safely.
- Track prescribing eligibility dynamically. India’s List O/A/B framework and the US’s shifting DEA flexibilities both change based on conditions that aren’t static — your platform should flag what’s prescribable in real time, not rely on a fixed rule set.
- Treat licensing as a per-jurisdiction gate, especially in the US, where practicing across a state line without the right license is one of the most common — and most expensive — compliance failures we see clinics make.
- Sign BAAs with every vendor touching PHI if you operate in the US; this is non-negotiable and frequently overlooked by smaller practices moving online for the first time.
This is the same logic we built into TeleSecure360 from day one — giving healthcare professionals a secure virtual practice that handles identity verification, encrypted communication, and remote monitoring without forcing the clinic to reinvent its compliance posture for every new patient population it serves.
Frequently Asked Questions
Is a US doctor allowed to treat a patient in India via telemedicine?
Generally, no — without an Indian medical registration, a US-licensed doctor cannot legally treat patients located in India, and vice versa. Telemedicine licensing in both countries is tied to where the patient is physically located at the time of the consultation, not where the platform is hosted.
Does HIPAA apply to telehealth platforms used in India?
No. HIPAA is a US federal law and only applies to covered entities and their business associates operating under US jurisdiction. Indian platforms instead fall under the DPDP Act and the Telemedicine Practice Guidelines, which have different (though comparably strict) requirements.
Can Indian doctors prescribe controlled substances via telemedicine?
No. India’s TPG explicitly prohibits prescribing narcotics, psychotropics, and Schedule X drugs through telemedicine under any circumstances — a stricter blanket rule than the US, where controlled substance prescribing is conditionally allowed under current DEA flexibilities.
What happens if a US telehealth platform doesn’t sign a BAA with its vendors?
Operating without signed Business Associate Agreements is a direct HIPAA violation. It exposes both the covered entity and the vendor to civil penalties from the HHS Office for Civil Rights and significantly increases liability in the event of a data breach.
Is video the only acceptable format for telemedicine in India?
No. The TPG recognizes multiple communication modes, including video, audio (phone or VoIP), text-based messaging, and asynchronous formats like email — though the appropriate mode depends on the clinical scenario and the type of consultation being conducted.
Conclusion: What to Do Next
The core difference in any telehealth compliance India vs United States comparison comes down to this: India regulates around the doctor’s registration and a unified data law, while the US regulates around the patient’s location and a patchwork of state and federal rules layered on top of HIPAA.
Neither system is “easier” — they just demand attention to different things. If you’re building or buying a telehealth platform, start by mapping exactly where your patients are located, then work backward to figure out which licensing, consent, and prescribing rules actually apply to each one. Skipping that step is where most compliance failures start.
If you’re evaluating a HIPAA-ready, securely encrypted platform built around exactly this kind of compliance-first architecture, explore how TeleSecure360 supports virtual practice management for clinics navigating these requirements every day.