HIPAA-Aligned Security Standards

HIPAA Compliance & Health Data Protection

QikDoc is committed to protecting your Protected Health Information (PHI) through comprehensive administrative, technical, and physical safeguards aligned with HIPAA Security and Privacy Rules.

End-to-End Encryption

Access Controls

Business Associate Agreements

Regular Audits

1. Purpose of This Document

This document outlines QikDoc's compliance and alignment with the requirements of the:

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA Privacy Rule (45 CFR Part 160 and Subparts A & E of Part 164)

HIPAA Security Rule (45 CFR Part 160 and Subparts A & C of Part 164)

HIPAA Breach Notification Rule

QikDoc is committed to protecting Protected Health Information (PHI) through administrative, technical, and physical safeguards.

2. Applicability

QikDoc is a digital teleconsultation platform that:

Platform Capabilities

  • Connects patients with licensed medical practitioners
  • Stores and processes electronic health records (EHR)
  • Facilitates digital prescriptions
  • Enables lab and radiology booking
  • Provides AI-based health assistance tools

QikDoc's Role

  • Business Associate: when working with healthcare providers
  • Healthcare Technology Platform: facilitating PHI exchange

3. Definition of Protected Health Information (PHI)

QikDoc treats the following as PHI when linked to identifiable individuals:

Personal Identifiers

  • Name
  • Phone number
  • Email address
  • Date of birth
  • Address

Medical Information

  • Medical history
  • Surgical history
  • Prescriptions
  • Diagnostic reports
  • Lab results

Consultation Data

  • Consultation recordings
  • Health tracking metrics
  • Appointment data
  • Treatment plans
  • Clinical notes

Important: All PHI is treated with the highest level of security and confidentiality, regardless of the format (electronic, paper, or oral).

4. HIPAA Privacy Rule Compliance

A. Minimum Necessary Rule

Access to PHI is restricted to only those personnel who require it for service delivery. QikDoc implements role-based access controls to ensure that employees and contractors can only access the minimum amount of PHI necessary to perform their job functions.

B. Patient Rights

Access Rights

Users have the right to access their health records at any time through the platform.

Correction Rights

Users can request corrections to inaccurate or incomplete health information.

Deletion Rights

Users can request data deletion, subject to legal retention requirements.

Accounting of Disclosures

Users can receive a record of who has accessed their PHI.

C. Authorization Requirements

Explicit patient consent is obtained before:

  • Sharing PHI with third parties
  • Using PHI for secondary purposes (research, marketing, etc.)
  • Disclosing PHI beyond treatment, payment, and healthcare operations

5. HIPAA Security Rule Compliance

QikDoc implements safeguards under three categories to protect electronic PHI (ePHI):

I. Administrative Safeguards

Designated Data Protection Officer

Dedicated personnel responsible for privacy and security compliance

Role-Based Access Control (RBAC)

Access permissions based on job responsibilities

Workforce Confidentiality Agreements

All employees sign HIPAA confidentiality agreements

HIPAA Training

Regular training for all employees on privacy and security

Risk Assessment Procedures

Regular evaluation of security risks and vulnerabilities

Incident Response Plan

Documented procedures for handling security incidents

Periodic Internal Audits

Regular audits to ensure compliance with policies and procedures

II. Technical Safeguards

End-to-End Encryption

TLS 1.2 or higher for all data transmission

Encrypted Databases

AES-256 or equivalent encryption for data at rest

Secure Authentication

Strong password policies and secure protocols

Multi-Factor Authentication

MFA required for admin and privileged access

Secure API Integrations

All third-party APIs use secure authentication

Automatic Session Timeouts

Sessions expire automatically after a period of inactivity

Audit Logs

Comprehensive logging of all PHI access

Intrusion Detection

Real-time monitoring for security threats

III. Physical Safeguards

Secure Cloud Hosting

Enterprise-grade cloud infrastructure with physical security

Controlled Data Center Access

Restricted physical access via hosting provider

Device Encryption

All devices accessing PHI are encrypted

Secure Workstation Controls

Physical security measures for workstations accessing PHI

6. Data Encryption Standards

All PHI is protected with:

Encrypted in Transit

HTTPS / SSL / TLS 1.2 or higher for all data transmission

Encrypted at Rest

AES-256 encryption for all stored data

Key Management

Secured with enterprise key management protocols

Encrypted Backups

Backup systems are encrypted and access-controlled

7. Business Associate Agreements (BAA)

QikDoc enters into Business Associate Agreements with third-party service providers to ensure HIPAA compliance throughout the data processing chain:

BAA Partners Include:

  • Cloud service providers (AWS, Google Cloud, etc.)
  • Video consultation API providers
  • Data storage vendors
  • Third-party healthcare partners (if required)
  • Payment processors
  • Email and SMS service providers

BAA Requirements:

These agreements ensure that all third-party partners:

  • Comply with HIPAA requirements
  • Implement appropriate safeguards
  • Report any breaches promptly
  • Return or destroy PHI upon termination

8. Breach Notification Policy

In the event of a PHI breach, QikDoc follows a comprehensive response protocol:

1. Immediate Internal Investigation

A thorough investigation is initiated immediately to determine the scope and impact of the breach.

2. Individual Notification

Affected individuals are notified without unreasonable delay (within 60 days of discovery as required by HIPAA).

3. Regulatory Notification

Regulatory authorities (HHS, state agencies) are notified as required by law based on breach size and impact.

4. Corrective Measures

Immediate corrective measures are implemented to prevent similar breaches in the future.

5. Documentation

Complete incident documentation is maintained for compliance and audit purposes.

9. Data Retention & Disposal

Retention Policy

PHI is retained only as long as required by:

  • Applicable law
  • Healthcare standards
  • NMC Telemedicine Guidelines (minimum 3 years)
  • Business requirements

Secure Disposal

After the retention period:

  • Secure deletion methods are used
  • Data is anonymized where possible
  • A certificate of destruction is maintained
  • Backup copies are also securely deleted

10. AI Tool Compliance

AI-based tools within QikDoc (including symptom analysis) operate under strict compliance guidelines:

AI Tool Limitations

  • Do NOT independently diagnose conditions
  • Operate as assistive decision-support systems only
  • Always require doctor verification for medical advice

AI Data Security

  • Process PHI securely under encrypted environments
  • Follow minimum necessary data access principle
  • No PHI retained by AI service providers

Important: AI symptom analysis is for informational purposes only and does not constitute medical advice, diagnosis, or treatment. Always consult a qualified healthcare professional.

11. Third-Party Integrations

All third-party integrations undergo rigorous security review:

Vendor Security Review

All vendors undergo comprehensive security assessment

Data Protection Assurances

Vendors must provide written data protection commitments

Regulatory Compliance

Must comply with applicable healthcare privacy regulations

12. User Authentication & Access Controls

Unique User IDs

Each user has a unique identifier for accountability

Strong Password Enforcement

Complexity requirements and regular rotation policies

Account Lockout

Automatic lockout after multiple failed login attempts

Token-Based Authentication

Secure JWT tokens for session management

Access Log Monitoring

Regular monitoring and review of access logs

Role-Based Access

Access permissions based on user role and need

13. Risk Assessment & Ongoing Compliance

QikDoc conducts regular compliance activities to maintain security standards:

Regular Assessments

  • Periodic security risk assessments
  • Penetration testing (if applicable)
  • Vulnerability scanning
  • Policy updates as per evolving regulations

Compliance Documentation

  • Security policies and procedures
  • Risk assessment reports
  • Training records
  • Incident response documentation

14. International Data Transfers

If PHI is transferred across borders, QikDoc ensures:

Appropriate Safeguards

Legal and technical safeguards implemented

Data Protection Agreements

Formal agreements with receiving parties

Encryption Standards

Maintained throughout transfer process

15. Contact for Compliance

For questions or concerns about HIPAA compliance, data protection, or privacy practices:

  • Email (for compliance inquiries): qikdoc@gmail.com
  • Phone (support line): +91 9226081448
  • Website: www.qikdoc.com
  • Address: QikDoc Health, Mumbai, Maharashtra, India

16. Declaration

QikDoc affirms that it has implemented administrative, technical, and physical safeguards aligned with HIPAA Security and Privacy Rules to protect Protected Health Information.

This document may be submitted for regulatory or platform verification purposes.

"QikDoc follows HIPAA-aligned data protection standards though it operates under Indian healthcare and data protection laws."
