HIPAA & DPDPA 2023 Data Protection
Last reviewed: 17 April 2026
CareQ is built for Indian clinics and operates under India's Digital Personal Data Protection Act 2023 (DPDPA) as the primary compliance framework. We also adopt HIPAA-aligned administrative, physical, and technical safeguards as a security baseline — because protecting patient health information requires both legal compliance and operational rigour.
1. What is PHI and who handles it
Protected Health Information (PHI) is any individually identifiable information relating to a person's health, healthcare, or payment for healthcare. In CareQ, PHI includes: patient names, mobile numbers, dates of birth, visit records, diagnoses, prescriptions, and billing details.
Roles under HIPAA terminology:
- Covered Entity: Your clinic or hospital — the healthcare provider who creates and uses PHI. You are the covered entity.
- Business Associate: CareQ — a vendor that handles PHI on behalf of the covered entity to provide a service.
As a Business Associate, CareQ commits to using PHI only as necessary to provide the Service, to safeguarding it with appropriate technical and organisational measures, and to cooperating with you in meeting your own compliance obligations.
2. Technical safeguards
Encryption
- In transit: All communication between users' browsers/devices and CareQ servers is encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS.
- At rest: Patient records and sensitive fields in our database are encrypted using AES-256. Encrypted backups are stored in geographically redundant locations.
Access controls
- Unique user identification: Every user has a unique account. Shared logins are not permitted.
- Role-based access control: Clinic owners assign roles (Owner, Doctor, Receptionist, Viewer) that determine exactly which features and records each staff member can access.
- Automatic session timeout: Inactive sessions are expired to prevent unauthorised access from unattended devices.
- Multi-factor authentication: Available for accounts that use Google Sign-In, where the second factor is the Google 2-Step Verification configured on the staff member's Google account. CareQ relies on Google to enforce that second factor, so clinics should require 2-Step Verification on every Google account used to access CareQ.
Audit controls
- All data access and modification events are logged with timestamp and user identity.
- Logs are retained for 90 days and are available to CareQ's security team for incident investigation.
Data integrity
- Database transactions use ACID guarantees to prevent corruption.
- Daily backups with point-in-time restore capability for up to 30 days.
3. Administrative safeguards
Security policies
CareQ maintains internal security policies covering: data handling, access management, incident response, vendor risk management, and employee training. These policies are reviewed at least annually.
Workforce training
All CareQ employees with access to production systems or PHI undergo security and privacy training as part of onboarding and annually thereafter.
Access management
Access to production systems is limited to a small number of authorised engineers. Access is granted on a least-privilege basis and reviewed quarterly. All access requires multi-factor authentication and is logged.
Incident response
CareQ maintains a formal incident response plan. Any suspected data breach is investigated within 24 hours of detection. See Section 6 for our breach notification commitments.
Risk assessment
We conduct periodic risk assessments to identify and mitigate threats to the confidentiality, integrity, and availability of patient data.
4. Physical safeguards
CareQ's infrastructure runs on enterprise cloud data centres that maintain:
- Physical access controls including biometric entry, security personnel, and CCTV surveillance.
- Environmental controls including redundant power, cooling, and fire suppression.
- ISO 27001-certified facilities operated by our infrastructure providers.
CareQ employees do not have physical access to servers. All administrative access is remote, authenticated, and logged.
5. Sub-processors and BAAs
CareQ uses a limited set of sub-processors to operate the platform. All sub-processors that may handle PHI are:
- Reviewed for security and privacy practices before engagement.
- Bound by data processing agreements that include confidentiality and security obligations equivalent to those we commit to you.
- Limited to using PHI only as necessary to provide their specific service to CareQ.
Our primary sub-processors include cloud infrastructure providers (for hosting and database services) and payment processors. We do not share patient records with any marketing or analytics platforms.
6. Data breach notification
In the event of a confirmed or suspected data breach involving PHI, CareQ will:
- Investigate within 24 hours of detecting a potential breach.
- Notify affected clinics within 72 hours of confirming a breach (the 72-hour period runs from confirmation, not from first detection), including: the nature of the breach, the PHI involved, the likely cause, and the steps we are taking to contain and remediate it.
- Cooperate fully with your own breach notification obligations to affected patients and regulatory authorities under applicable Indian law.
- Document all breaches and our response actions in our internal incident log.
To report a suspected breach or security vulnerability: info@amdcode.com
7. Your clinic's responsibilities
CareQ provides the platform and safeguards, but your clinic also has responsibilities for PHI protection:
- User accounts: Do not share login credentials. Deactivate staff accounts promptly when employees leave your clinic.
- Device security: Ensure devices used to access CareQ (computers, tablets, phones) are protected with passwords and kept updated.
- Patient consent: Obtain appropriate patient consent for digital record-keeping and for any WhatsApp communications sent via CareQ.
- Data accuracy: You are responsible for the accuracy of patient records entered into CareQ.
- Staff training: Train your staff on the safe and appropriate use of CareQ and on your clinic's own data protection policies.
- Regulatory compliance: Ensure your use of CareQ complies with all applicable Indian healthcare regulations and state-specific requirements for your medical specialty.
8. DPDPA 2023 & Indian data protection
CareQ is designed with Indian law as its primary compliance framework. The Digital Personal Data Protection Act, 2023 (DPDPA) governs the processing of digital personal data within India, and processing outside India that is connected with offering goods or services to individuals in India. A clinic that stores patient records digitally falls squarely within it.
How DPDPA applies to your clinic
Under the DPDPA, your clinic is a Data Fiduciary — the entity that determines the purpose and means of processing patient data. CareQ acts as a Data Processor, processing data only on your instructions to provide the platform service. This distinction matters for your compliance obligations:
- Consent: As Data Fiduciary, you must obtain patient consent before collecting and processing their personal data. The DPDPA requires the consent request to be accompanied by a notice (physical or digital, at or before the point of registration) describing the data collected, the purpose of processing, and how the patient can exercise their rights and complain to the Data Protection Board. A notice alone is not consent: the patient must give it through a clear affirmative action. CareQ's booking flow supports adding a consent statement to patient-facing communications.
- Purpose limitation: Patient data collected for appointment booking and treatment may not be used for unrelated purposes (e.g. marketing to patients without separate consent).
- Data minimisation: Collect only the data required for the purpose of care. CareQ's patient profiles are structured to capture the minimum required fields.
- Patient rights: Under DPDPA, patients have the right to access their data, correct inaccuracies, and request erasure. CareQ can provide a patient data export in response to such requests — contact us at info@amdcode.com.
- Breach notification: The DPDPA requires the Data Fiduciary to notify both the Data Protection Board and each affected patient (Data Principal) in the event of a personal data breach. CareQ will notify your clinic within 72 hours of confirming any breach involving your patients' data, providing the information you need to meet those obligations. Your own duty to notify arises once you become aware of the breach, so treat CareQ's notice as the start of your clock and have an internal process ready to act on it immediately.
CareQ's obligations as Data Processor
- Process patient data only on documented instructions from your clinic.
- Maintain technical and organisational security measures consistent with DPDPA requirements.
- Not engage sub-processors without informing you, and ensure sub-processors are bound by equivalent obligations.
- Assist you in responding to patient rights requests.
- Delete or return all patient data at the end of the service relationship, as directed.
Information Technology (SPDI) Rules, 2011
We also follow the security practices under the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 for sensitive personal data, including health information.
Data localisation
Patient data is stored on servers located in India. We will notify affected clinics in advance of any change to this arrangement.
9. Business Associate Agreement
A Business Associate Agreement (BAA) is a contract between a covered entity (your clinic) and a business associate (CareQ) that establishes each party's responsibilities for PHI protection, use, and disclosure.
Serving patients who happen to be US-based does not by itself make a clinic subject to HIPAA; HIPAA applies to US covered entities (health plans, healthcare clearinghouses, and providers that conduct standard electronic healthcare transactions) and to the business associates that handle PHI for them. If your clinic is subject to HIPAA in that sense (for example, because it processes PHI on behalf of a US covered entity), or if your institution's compliance programme requires a formal BAA, CareQ can provide one.
10. Contact our security team
For any questions about CareQ's security or compliance practices:
- Security issues / vulnerabilities: info@amdcode.com
- BAA requests / legal compliance: info@amdcode.com
- General questions: info@amdcode.com
We take security reports seriously. If you discover a vulnerability in CareQ, please report it responsibly and we will investigate and respond within 24 hours.