Healthcare Compliance

Last updated: April 6, 2026

Effective date: April 6, 2026

1. DPDP Act, 2023 Compliance

MediHost™ AI is designed to comply with the Digital Personal Data Protection (DPDP) Act, 2023 of India. As a Data Processor, we implement the following measures:

  • Purpose limitation — data is processed only for the specific purposes described in our Privacy Policy.
  • Data minimisation — we collect only the data necessary to provide the Service.
  • Storage limitation — data is retained only as long as necessary, with defined retention periods.
  • Data Principal rights — we provide mechanisms for access, correction, erasure, and grievance redressal.
  • Grievance Officer — appointed as required under the Act (see our Privacy Policy).
  • Breach notification — we will notify the Data Protection Board and affected Data Fiduciaries within the timeframes mandated by the Act.

2. Healthcare Data Practices

We employ the following technical measures to protect healthcare data:

  • Encryption in transit — all data is transmitted over TLS 1.3 encrypted connections. No unencrypted HTTP traffic is permitted.
  • Infrastructure security — our application is hosted on Railway, which maintains SOC 2 Type II compliance for their infrastructure.
  • Role-Based Access Control (RBAC) — granular permissions ensure staff members only access data relevant to their role (doctor, receptionist, lab technician, admin).
  • Audit logs — all significant actions (login, data access, modifications, deletions) are logged with timestamps, user identity, and IP address.
  • LIS data segregation — laboratory data is logically segregated from general clinic data, with separate access controls and audit trails.

3. HIPAA Alignment

HIPAA (Health Insurance Portability and Accountability Act) is a United States regulation. MediHost™ AI primarily serves clinics in India and is governed by the DPDP Act, 2023 and the Information Technology Act, 2000 (including the IT Rules, 2011).

However, we recognise that many of our healthcare data protection practices align with HIPAA standards, including:

  • Access controls and authentication requirements
  • Audit trail and activity logging
  • Encryption of protected health information in transit and at rest
  • Role-based access to patient records
  • Breach notification procedures

If you require a formal Business Associate Agreement (BAA) for US-based operations, please contact legal@medihost.in.

4. ABDM Readiness

We are actively working towards integration with the Ayushman Bharat Digital Mission (ABDM) framework. Our planned timeline:

  • ABHA (Ayushman Bharat Health Account) integration — targeted for Q3 2026, enabling patients to link their ABHA IDs with clinic records on MediHost™ AI.
  • Support for Health Information Exchange standards as defined by ABDM.
  • Compliance with ABDM’s consent framework for health data sharing.

5. LIS Compliance

Our Laboratory Information System (LIS) module is designed with alignment to ISO 15189 and NABL (National Accreditation Board for Testing and Calibration Laboratories) standards:

  • 9-step workflow — sample registration, collection, accessioning, processing, analysis, verification, reporting, dispatch, and archival.
  • Data segregation — laboratory data is logically isolated from general clinic records with independent access controls.
  • Dual signature — lab reports require verification by both the testing technician and the authorising pathologist before release.
  • Rejection logging — sample rejections are logged with reasons, timestamps, and responsible personnel for quality tracking.
  • Complete audit trail — every action on a lab order (creation, modification, verification, printing, dispatch) is logged with user identity and timestamp.

6. Security Practices

  • Password hashing — all passwords are hashed using bcrypt with appropriate salt rounds. Plain-text passwords are never stored.
  • Session management — sessions use JWTs stored in httpOnly cookies, so client-side JavaScript cannot read the token.
  • Rate limiting — API endpoints are rate-limited to prevent brute-force attacks and abuse.
  • CORS policy — strict Cross-Origin Resource Sharing policies restrict API access to authorised domains only.

7. Vulnerability Disclosure

We take security seriously. If you discover a vulnerability in MediHost™ AI, please report it responsibly:

Email: security@medihost.in

Subject line: Security Vulnerability — [Brief Description]

Response: We will acknowledge your report within 24 hours.

  • Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
  • Do not access, modify, or delete data belonging to other users during your research.
  • We will not take legal action against researchers who follow responsible disclosure practices.