Healthcare Compliance
Our commitment to HIPAA, Indian healthcare regulations, and international data protection standards
Last updated: January 1, 2026
HIPAA
Compliant
DPDP Act
Compliant
ISO 27001
Aligned
GDPR
Ready
1. Introduction
KaeroPrescribe is designed and operated with healthcare compliance at its core. As a healthcare management platform handling sensitive patient information, we adhere to the highest standards of data protection and security, meeting both Indian regulatory requirements and international healthcare standards including HIPAA (Health Insurance Portability and Accountability Act).
This document outlines our compliance framework, security measures, and the safeguards we implement to protect Protected Health Information (PHI) and ensure the integrity of healthcare data processed through our platform.
2. Indian Healthcare Regulatory Compliance
2.1 Information Technology Act, 2000
We comply with:
- Section 43A: Compensation for failure to protect sensitive personal data
- Section 72A: Disclosure of information in breach of lawful contract
- IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
2.2 Digital Personal Data Protection Act, 2023 (DPDP Act)
Our compliance measures include:
- Consent Management: Clear, informed consent mechanisms for all data processing
- Purpose Limitation: Data used only for specified, legitimate purposes
- Data Minimization: Collection limited to what is necessary
- Data Principal Rights: Tools for access, correction, erasure, and portability
- Data Fiduciary Obligations: Robust security and accountability measures
- Cross-border Transfer: Compliance with transfer restrictions to notified countries
- Children's Data: Verifiable parental consent for minors
2.3 Clinical Establishments Act, 2010
- Support for registration and compliance requirements
- Maintenance of minimum standards for healthcare facilities
- Record-keeping as per prescribed formats and durations
2.4 Indian Medical Council Regulations
- Compliance with Professional Conduct, Etiquette and Ethics Regulations, 2002
- Support for telemedicine guidelines (Telemedicine Practice Guidelines, 2020)
- Prescription standards and documentation requirements
2.5 Drugs and Cosmetics Act, 1940
- Schedule H and H1 drug dispensing controls
- Narcotic and psychotropic substance tracking
- Pharmacovigilance reporting capabilities
3. HIPAA Compliance
While HIPAA is a U.S. regulation, we implement HIPAA-compliant safeguards as they represent global best practices for healthcare data protection. For clients handling U.S. patient data or requiring HIPAA compliance, we provide:
3.1 Administrative Safeguards
- Security Management Process: Risk analysis, risk management, sanction policies, and information system activity review
- Assigned Security Responsibility: Designated Security Officer responsible for HIPAA compliance
- Workforce Security: Authorization and supervision procedures, clearance procedures, termination procedures
- Information Access Management: Access authorization, access establishment and modification policies
- Security Awareness Training: Regular training programs, security reminders, malware protection, login monitoring
- Security Incident Procedures: Response and reporting procedures for security incidents
- Contingency Plan: Data backup, disaster recovery, emergency mode operations, testing and revision
- Evaluation: Periodic technical and non-technical evaluations
- Business Associate Agreements: Contracts with all third parties handling PHI
3.2 Physical Safeguards
- Facility Access Controls: Contingency operations, facility security plan, access control and validation
- Workstation Use & Security: Policies for workstation functions and physical access restrictions
- Device and Media Controls: Disposal, media re-use, accountability, data backup and storage
3.3 Technical Safeguards
- Access Control: Unique user identification, emergency access procedures, automatic logoff, encryption and decryption
- Audit Controls: Hardware, software, and procedural mechanisms to record and examine system activity
- Integrity Controls: Policies and procedures to protect ePHI from improper alteration or destruction
- Person or Entity Authentication: Verification of person or entity seeking access to ePHI
- Transmission Security: Integrity controls and encryption for ePHI transmitted over networks
3.4 Business Associate Agreement (BAA)
For organizations requiring HIPAA compliance, we execute Business Associate Agreements that define our obligations as a Business Associate, including PHI handling, breach notification, and subcontractor requirements. Contact compliance@kaerogroup.com for BAA execution.
4. International Standards Compliance
4.1 GDPR Compliance (EU/EEA Users)
For users in the European Union or European Economic Area, we provide:
- Lawful basis for processing (consent, contract, legitimate interests)
- Data subject rights implementation (access, rectification, erasure, portability, objection)
- Data Protection Impact Assessments (DPIA) for high-risk processing
- Standard Contractual Clauses (SCCs) for international transfers
- 72-hour breach notification to supervisory authorities
- Records of processing activities
4.2 ISO 27001 Alignment
Our information security management system aligns with ISO 27001:2022 requirements:
- Information security policies and procedures
- Asset management and classification
- Access control and cryptography
- Operations security and communications security
- Supplier relationships and incident management
- Business continuity management
4.3 HL7 FHIR Standards
We support HL7 FHIR (Fast Healthcare Interoperability Resources) standards for healthcare data exchange, enabling seamless integration with other healthcare systems and ensuring data portability.
5. Security Controls
5.1 Encryption
| Type | Standard | Application |
|---|---|---|
| Data at Rest | AES-256 | All stored PHI and sensitive data |
| Data in Transit | TLS 1.3 | All network communications |
| Database | Transparent Data Encryption | Database files and backups |
| Key Management | HSM/KMS | Cryptographic key protection |
5.2 Access Controls
- Role-Based Access Control (RBAC): Permissions based on job function and minimum necessary access
- Multi-Factor Authentication (MFA): Required for all users accessing PHI
- Session Management: Automatic timeout after inactivity, secure session handling
- Unique User Identification: Individual accounts with no shared credentials
- Password Policies: Strong password requirements, periodic rotation, no reuse
5.3 Audit Logging
- Comprehensive logging of all access to PHI
- User activity monitoring and anomaly detection
- Immutable audit trails with timestamps
- Log retention for minimum 7 years
- Regular audit log reviews
5.4 Network Security
- Web Application Firewall (WAF)
- Intrusion Detection and Prevention Systems (IDS/IPS)
- DDoS protection
- Network segmentation
- Regular vulnerability scanning and penetration testing
6. Breach Notification
In the event of a security breach affecting PHI, we follow strict notification procedures:
6.1 Indian Law Requirements
- Notification to CERT-In as required under IT Act
- Notification to Data Protection Board as required under DPDP Act
- Notification to affected data principals without unreasonable delay
6.2 HIPAA Requirements (for covered entities)
- Notification to covered entity within 24 hours of discovery
- Support for covered entity's 60-day notification to affected individuals
- Notification to HHS for breaches affecting 500+ individuals
6.3 GDPR Requirements (for EU data subjects)
- 72-hour notification to supervisory authority
- Without undue delay notification to affected individuals (for high-risk breaches)
6.4 Breach Response Process
- Identification: Detection and initial assessment of the incident
- Containment: Immediate steps to limit the breach scope
- Investigation: Forensic analysis to determine cause and extent
- Notification: Timely notification to authorities and affected parties
- Remediation: Corrective actions to prevent recurrence
- Documentation: Complete documentation of incident and response
7. Compliance Verification
7.1 Internal Audits
- Quarterly internal security assessments
- Annual comprehensive compliance audits
- Continuous monitoring and automated compliance checks
7.2 Third-Party Assessments
- Annual third-party security audits
- Regular penetration testing by certified professionals
- Vulnerability assessments and remediation tracking
7.3 Compliance Reports
Enterprise customers may request compliance reports and evidence of security controls. Contact compliance@kaerogroup.com for compliance documentation.
8. Customer Responsibilities
Compliance is a shared responsibility. Healthcare Providers using KaeroPrescribe are responsible for:
Access Management
- • Properly provisioning/de-provisioning users
- • Enforcing MFA for all staff
- • Regular access reviews
- • Protecting user credentials
Data Handling
- • Obtaining patient consent
- • Accurate data entry
- • Appropriate data sharing
- • Secure device usage
Policy Compliance
- • Internal privacy policies
- • Staff training on data protection
- • Incident reporting
- • Regulatory compliance
Physical Security
- • Secure workstation use
- • Screen privacy in patient areas
- • Secure device disposal
- • Clean desk policies
9. Data Center and Infrastructure
- Location: Primary data centers in India with geographic redundancy
- Certifications: SOC 2 Type II, ISO 27001 certified data centers
- Physical Security: 24/7 security, biometric access, CCTV surveillance
- Environmental Controls: Redundant power, cooling, fire suppression
- Disaster Recovery: Real-time replication, multiple availability zones
- Uptime SLA: 99.9% availability commitment
10. Data Retention and Disposal
10.1 Retention Periods
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Medical Records | Minimum 3 years from last treatment | IMC Regulations |
| Prescription Records | 3 years | Drugs & Cosmetics Act |
| Financial Records | 8 years | Income Tax Act |
| Audit Logs | 7 years | Compliance requirements |
| Consent Records | Duration of relationship + 7 years | DPDP Act |
10.2 Secure Disposal
- Cryptographic erasure for digital data
- NIST SP 800-88 compliant media sanitization
- Certificate of destruction for physical media
- Documented disposal procedures
11. Training and Awareness
- Mandatory HIPAA/privacy training for all employees
- Role-specific security training
- Annual refresher training and certifications
- Phishing simulation and security awareness programs
- Incident response training and tabletop exercises
12. Contact Information
Compliance Officer
Email: compliance@kaerogroup.com
Response Time: Within 48 business hours
Security Team
Email: security@kaerogroup.com
Security Incidents: 24/7 monitoring
Address
Kaero Group, Kolkata, West Bengal, India
Our Commitment
KaeroPrescribe is committed to maintaining the highest standards of healthcare data protection. We continuously monitor regulatory developments and update our compliance measures to ensure your data remains protected under evolving legal frameworks.