Privacy & security FAQs
What are the data privacy and security features implemented by EHR.Network platform?
We have been in the Clinical data space since 2012 and have a deep understanding of the sensitivity of personal healthcare data. So from ground up design, we have tried to incorporate many features that enhance privacy and security of data on the platform. Just to list a few
- Federated services and data - The platform and data are segregated into federated services, each with their own databases. So the demographic, EHR and other related data are in separate databases.
- Patients have separate UUIDs for demographic data and EHR data. The ‘ehrid’ is never exposed outside the platform.
- All traffic from and to the platform are secured using TLS. Nothing travels over HTTP
- Extensive type casting and validation at entity level to prevent sql injection
- User, organization and role based RBAC for all platform resources
- Additional profession option for fine grained control of EHR data sets
- Gateway level API security & authorization
- API gateway service that implements apiKey and security features such as rate limiting and bot detection
- Encrypted password option for added password security over the standard TLS
- Compliance to OWASP Top 10 recommendations for webapp security
- All configuration files are encrypted
- Configurable data backup interval and location etc.
Though we have put in a lot of effort to make the platform as secure as possible, we are also aware that data security in technology, especially on the cloud is a moving target and continue to make efforts to keep things updated.
We are also aware that our knowledge is not exhaustive and security & safety of data is a collective effort. We are open to suggestions from all stakeholders & well wishers on further improvements and look forward to your inputs to continue making it even better as we move forward.
Is EHR.Network HIPAA compliant?
Given the lack of a legal framework to assess and it's relevance in India, we refrain from committing to being HIPAA compliant. We just cannot demonstrate it either way.
However if the question is about the spirit of the relevant provisions such as access to data centre, commitment to ensuring technology security etc., we can safely claim to be closely aligned to it. As far as we understand, HIPAA covers a lot of ground, data security being just one aspect of it. If you have any questions on specific clauses of HIPAA that have relevance to India, we can attempt a more precise response.
Just to outline our business strategy - We do not access or share any information without a person’s consent. We make our best effort to ensure that the technology that we use remains secure. We build our solutions using the OECD Privacy by design principles. We keep a watch on the local regulations as they evolve and adapt if needed. Our business is not built around aggregating personal data and building services on top of it.
Is it valid to assume that many Indian digital health solutions comply with HIPAA since there is no equivalent "standard" in India?
It is not true that India does not have any HIPAA equivalent standards. We have many regulations that address the privacy & security of personal data that are at different stages of implementation. Some of these include
- MCI Professional Conduct, Etiquette and Ethics regulations 2002 - Regulations relating to the Professional Conduct, Etiquette and Ethics for registered medical practitioners
- Information Technology Act, 2000 - Legal framework that governs transactions carried out by means of electronic data interchange and other means of electronic communication
- ABDM Health data management policy - ABDM’s guiding principle of “Security and Privacy by Design” for the protection of individuals’ personal digital health data
- Personal Data Protection(PDP) bill - Currently under the consideration of the parliament and being reviewed by a parliamentary committee. This is expected to be passed into a law soon
However, the majority of our domain professionals’ understanding of EHR data privacy & security have come from our service engagements in US centric HIT projects. So in products & solutions involving such professionals, HIPAA compliance is often wrongly cited as a differentiator, though it has no relevance in India.
India’s regulatory approach to the protection of personal data is more aligned to the European GDPR, and not to US HIPAA.