Last Updated: January 21, 2026
IMPORTANT NOTE: While HIPAA (Health Insurance Portability and Accountability Act) is a United States federal law and does not directly apply to healthcare providers in India, VaidyaAI follows HIPAA-equivalent data protection standards as a best practice for patient data security and privacy.
In India, we comply with: Information Technology Act, 2000, IT Rules 2011 (Sensitive Personal Data Protection), and Digital Personal Data Protection Act, 2023.
1. Overview of Data Protection
VaidyaAI is committed to protecting the confidentiality, integrity, and availability of patient health information (PHI). Although we operate in India, we adhere to HIPAA-equivalent security and privacy standards to ensure world-class data protection.
1.1 Applicable Indian Laws
- Information Technology Act, 2000: Governs electronic data protection and cybersecurity
- IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: Mandates security for sensitive personal data including health information
- Digital Personal Data Protection Act, 2023 (DPDPA): India's comprehensive data protection framework (when fully enacted)
- Medical Council of India (MCI) Code of Ethics: Requires patient confidentiality and data protection
1.2 HIPAA-Equivalent Standards We Follow
Even though HIPAA is not legally required in India, we voluntarily implement HIPAA-level safeguards:
- Administrative safeguards (policies, training, access controls)
- Physical safeguards (secure data centers, environmental controls)
- Technical safeguards (encryption, authentication, audit controls)
2. What is Protected Health Information (PHI)?
PHI includes any individually identifiable health information that we process through VaidyaAI:
- Demographic Data: Age, gender, weight, height (but NOT names, addresses, or contact details - we anonymize these)
- Medical History: Past illnesses, surgeries, allergies, family history
- Current Health Status: Symptoms, diagnoses, vital signs
- Medications: Prescriptions, dosages, frequency, duration
- Laboratory Results: Blood tests, imaging reports, pathology findings
- Treatment Plans: Prescribed therapies, follow-up schedules
CRITICAL ANONYMIZATION: VaidyaAI does NOT collect or store patient names, addresses, phone numbers, or email addresses. All patient data is linked to your clinic account via an internal anonymized ID system. This design-level privacy protection exceeds HIPAA requirements.
3. Administrative Safeguards
3.1 Security Management Process
- Risk Assessment: Annual comprehensive risk analysis of all systems handling PHI
- Risk Management: Implementation of security measures to reduce identified risks
- Sanction Policy: Disciplinary actions for team members who violate security policies
- Information System Activity Review: Regular audits of access logs and system activity
3.2 Workforce Security
- Authorization/Supervision: Role-based access controls - team members can only access data necessary for their job functions
- Workforce Clearance: Background verification for all employees with access to PHI
- Termination Procedures: Immediate revocation of access when employment ends
3.3 Security Awareness and Training
All VaidyaAI team members undergo mandatory training on:
- Patient data privacy and confidentiality
- Phishing and malware protection
- Password management and authentication
- Incident reporting procedures
- Mobile device and workstation security
3.4 Contingency Planning
- Data Backup: Daily encrypted backups stored in geographically separate locations
- Disaster Recovery: Tested recovery procedures with 24-hour RTO (Recovery Time Objective)
- Emergency Mode Operation: Procedures for continued access to critical patient data during system outages
3.5 Business Associate Agreements (BAAs)
VaidyaAI executes written agreements with all third-party vendors who handle PHI:
- Hostinger (Cloud Hosting): BAA ensuring secure data storage and processing
- Anthropic (Claude AI): Data processing agreement with encryption and confidentiality clauses
- Razorpay (Payments): Limited data sharing (does NOT receive PHI)
4. Physical Safeguards
4.1 Facility Access Controls
Our data centers (provided by Hostinger) implement:
- 24/7 physical security with biometric access controls
- Video surveillance and intrusion detection systems
- Visitor logs and escort requirements
- Multi-layered perimeter security
4.2 Workstation Security
- Automatic screen locks after 5 minutes of inactivity
- Encrypted hard drives (BitLocker/FileVault)
- Prohibition of PHI storage on local devices
- Secure disposal of hardware (degaussing/shredding)
4.3 Device and Media Controls
- Disposal: Secure wiping or physical destruction of all media containing PHI
- Media Re-use: Data sanitization before device reallocation
- Accountability: Inventory tracking of all hardware containing PHI
5. Technical Safeguards
🔐 Access Control
- Unique user IDs for each account
- Multi-factor authentication (MFA)
- Automatic session timeout after 30 minutes of inactivity
- Role-based permissions
🔒 Encryption
- TLS 1.3 for data in transit
- AES-256 for data at rest
- Encrypted database connections
- End-to-end encryption for API calls
📝 Audit Controls
- Comprehensive logging of all data access
- Tamper-proof audit trails
- Regular log review and analysis
- Retention for 7 years
✅ Integrity Controls
- Checksums to detect data tampering
- Version control for all changes
- Digital signatures for critical transactions
- Regular data integrity audits
5.1 Transmission Security
All PHI transmitted over public networks is protected by:
- TLS 1.3 with perfect forward secrecy
- Certificate pinning to prevent man-in-the-middle attacks
- VPN tunnels for administrative access
- Prohibition of unencrypted email transmission of PHI
6. Patient Rights (Privacy Rule Equivalent)
6.1 Right to Access
You (as the healthcare provider) can provide patients with:
- Electronic copies of their health records stored in VaidyaAI
- Prescription history and medication records
- Laboratory results and diagnostic reports
- Treatment summaries
6.2 Right to Amendment
Patients may request corrections to their health information. You can update records through the VaidyaAI dashboard, and all amendments are logged in the audit trail.
6.3 Right to an Accounting of Disclosures
Our system maintains a complete audit log showing:
- Who accessed patient records (user ID, timestamp)
- What data was viewed or modified
- When the access occurred
- Purpose of access (if documented)
6.4 Right to Request Restrictions
Patients may request limitations on how their information is used. VaidyaAI provides tools for you to:
- Mark records as "sensitive" with restricted access
- Exclude specific data from reports or exports
- Set custom privacy preferences per patient
7. Breach Notification
7.1 Definition of a Breach
A breach is an unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information.
7.2 Notification Timeline
In the event of a breach affecting patient data:
- To You (Healthcare Provider): Within 72 hours of discovery
- To Affected Patients (Your Responsibility): Within 60 days via mail or email
- To Regulatory Authorities: Within 72 hours if required by law
- To Media (if >500 patients affected): Prominent notice on our website
7.3 Breach Response
Our incident response plan includes:
- Immediate containment to prevent further exposure
- Forensic investigation to determine scope and cause
- Notification to affected parties with remediation steps
- Post-incident review and security improvements
- Cooperation with law enforcement if criminal activity suspected
8. Security Certifications and Audits
8.1 Current Certifications
- ISO 27001:2022 (Hostinger): Information Security Management System
- SOC 2 Type II (Anthropic Claude): Service Organization Controls for security and availability
- PCI DSS Level 1 (Razorpay): Payment Card Industry Data Security Standard
8.2 Regular Audits
- Annual Security Audit: Independent third-party assessment of all security controls
- Quarterly Vulnerability Scans: Automated and manual penetration testing
- Monthly Compliance Reviews: Internal verification of policy adherence
- Weekly Log Analysis: Automated monitoring for suspicious activity
9. Your Responsibilities as a Healthcare Provider
SHARED RESPONSIBILITY MODEL: Data security is a partnership. While VaidyaAI provides the infrastructure and technical safeguards, you must also implement best practices at your clinic.
9.1 Access Control
- Assign unique logins to each user (do not share credentials)
- Implement role-based permissions (doctors, nurses, admins)
- Revoke access immediately when staff members leave
- Require strong passwords (minimum 8 characters, with a mix of letters, numbers, and symbols)
- Enable multi-factor authentication (MFA) for all accounts
9.2 Workstation Security
- Position screens away from public view (shoulder surfing prevention)
- Lock computers when stepping away (Ctrl+Alt+Del → Lock)
- Use privacy filters on monitors in patient areas
- Prohibit use of VaidyaAI on personal devices unless approved
9.3 Patient Consent
- Obtain informed consent before entering patient data into VaidyaAI
- Explain how AI tools will be used in their care
- Provide privacy notice describing data practices
- Document consent in patient records
9.4 Incident Reporting
You must report to VaidyaAI within 24 hours if you:
- Suspect unauthorized access to your account
- Lose a device with VaidyaAI credentials
- Experience a phishing or malware attack
- Discover a former employee still has access
- Accidentally disclose patient data
10. Frequently Asked Questions
Q1: Is VaidyaAI HIPAA-compliant even though it operates in India?
A: HIPAA is a U.S. law and does not legally apply to Indian healthcare providers. However, VaidyaAI voluntarily implements HIPAA-equivalent security standards as a best practice. We comply with Indian laws: IT Act 2000, IT Rules 2011, and DPDPA 2023.
Q2: Can VaidyaAI sign a Business Associate Agreement (BAA)?
A: Yes, for enterprise customers (₹9,999/month plan), we can execute a formal data processing agreement equivalent to a HIPAA BAA. Contact us for details.
Q3: Where is patient data stored?
A: All data is stored on secure servers in India operated by Hostinger (ISO 27001 certified). Data never leaves India unless you explicitly export it.
Q4: Do you use patient data to train AI models?
A: We use ANONYMIZED and AGGREGATED data to improve AI models. Patient names, IDs, and direct identifiers are NEVER used in training. All data is de-identified per IT Rules 2011.
Q5: What happens to my data if I cancel my subscription?
A: You can export all patient data within 30 days of cancellation. After 30 days, we anonymize the data rather than delete it, to comply with medical record retention laws (7-year requirement). Anonymized data may be retained for research.
Q6: Can patients request deletion of their data?
A: Under DPDPA 2023, patients have the "right to erasure." However, healthcare providers in India must retain medical records for 7 years per MCI guidelines. We anonymize patient data (remove identifiers) rather than delete it to balance patient rights with legal obligations.
Q7: How do I report a security incident?
A: Email vaidya07.ai@gmail.com with subject line "SECURITY INCIDENT" or call our 24/7 hotline (provided to Pro/Enterprise subscribers). We respond within 4 hours.
11. Contact Us
For questions about data security, privacy, or compliance:
VaidyaAI Security & Compliance Team
Team vaidya
Email: vaidya07.ai@gmail.com
Website: https://clinical.careandcures.icu
Response Time: Within 24 hours for security inquiries
© 2026 VaidyaAI. All rights reserved.
This HIPAA Compliance Statement is effective as of January 21, 2026.