HIPAA Compliance Policy
1. Introduction
HealthOS is committed to ensuring the confidentiality, integrity, and availability of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its implementing regulations. While HIPAA is a U.S. regulation, we align with its standards to provide world-class security and privacy controls for our customers globally, including in India.
2. Scope
This policy applies to all systems, personnel, processes, and data under the control of HealthOS that interact with or store PHI or other sensitive healthcare data.
3. Safeguards Implemented
- Administrative Safeguards: Role-based access, regular HIPAA training, incident response plans, and vendor agreements.
- Physical Safeguards: Secure data center access, device management, encrypted backups.
- Technical Safeguards: End-to-end encryption, audit logging, multi-factor authentication, data loss prevention tools.
4. Data Access & Usage
Access to PHI is limited to authorized personnel only and is based on job responsibilities. All data is encrypted at rest and in transit using industry-standard protocols such as AES-256 and TLS 1.2+.
5. Data Hosting
Our infrastructure is hosted on HIPAA-compliant cloud providers with secure storage, access controls, disaster recovery, and regular audits. We sign Business Associate Agreements (BAAs) with cloud vendors where applicable.
6. Patient Rights
We support healthcare providers in enabling patient rights as outlined by HIPAA, including access, amendment, and accounting of disclosures. HealthOS acts as a data processor and does not directly interact with patients.
7. Children’s Data (Minors)
HealthOS is used by pediatricians and child specialists who manage the data of patients under the age of 18. All such data is handled with additional safeguards and is accessible only by licensed professionals with proper consent. We do not directly collect data from minors.
8. Breach Notification
In the event of a data breach involving PHI, HealthOS will notify all affected customers and regulatory authorities (as per applicable jurisdiction) within the required timeframe, and will fully cooperate during investigations.
9. Employee Training
All HealthOS employees undergo mandatory HIPAA training during onboarding and annually thereafter. Access to PHI is granted only to staff who have completed training and signed confidentiality agreements.
10. Compliance Review & Audits
We conduct regular internal reviews, risk assessments, and third-party audits to ensure ongoing compliance with HIPAA and data privacy standards. Logs and documentation are maintained securely.
11. Contact & Inquiries
For any questions regarding this policy, or to report a compliance concern, please email us at compliance@healthos.in.