HIPAA & DPDPA Compliance
Patient data protection is not an afterthought. Athreya Medtech India Pvt Ltd operates with HIPAA and DPDPA compliance built into the architecture — not bolted on.
HIPAA Compliant
Privacy, Security & Breach Notification Rules
DPDPA Aligned
India Digital Personal Data Protection Act 2023
FDA SaMD Pathway
Software as a Medical Device — Pre-submission Phase
HIPAA Compliance Stance
Athreya MedTech adheres to all three HIPAA rules for all patient-identifiable health information.
Privacy Rule
Patient data is collected only with informed consent, used for the minimum necessary purpose, and protected from unauthorised disclosure. De-identification standards (Safe Harbor and Expert Determination) are applied before any data enters the AI training pipeline.
Security Rule
Electronic Protected Health Information (ePHI) is stored exclusively on on-premise hardware at our clinical and engineering facilities. SHA-256 encryption at rest, TLS in transit, RBAC access controls, JWT authentication, and immutable audit logging are in place.
Breach Notification Rule
Incident response procedures are defined. Any breach of unsecured PHI triggers notification to affected individuals, HHS, and (if applicable) media within HIPAA-mandated timelines.
India DPDPA Compliance
Athreya Medtech India Pvt Ltd complies with the Digital Personal Data Protection Act, 2023.
Data Residency
India patient data stays in India. All clinical data collected at De Cure Center, Bengaluru is stored on on-premise infrastructure located in India. No cross-border transfer of patient data without explicit consent and legal basis.
Purpose Limitation
Data is collected exclusively for ophthalmic AI research as stated in the informed consent. It is not used for advertising, profiling, or any purpose outside the MERIT AI research scope.
Data Principal Rights
Patients (Data Principals) have the right to access their data, correct inaccuracies, and request erasure. Contact: decurecenter@gmail.com or dmf.careteam@gmail.com.
Three Layers of Protection
Administrative, physical, and technical safeguards working together.
Administrative Safeguards
- HIPAA privacy policies and procedures
- Workforce training on data handling
- Risk assessment and management programme
- Business associate agreements with all processors
- DPDPA consent management
Physical Safeguards
- On-premise servers at De Cure Center and DMF
- Facility access controls
- Device disposal and sanitisation protocols
- Hardware-level encryption
- Physical security monitoring
Technical Safeguards
- SHA-256 encryption at rest and in transit (TLS)
- Role-Based Access Control (RBAC)
- JWT authentication for all API access
- Immutable audit trail logging
- Automatic session timeout
Regulatory Pathways
MERIT AI is being developed with regulatory commercialisation in mind.
FDA SaMD
Software as a Medical Device — 510(k) or De Novo pathway post-prototype. FDA Regulatory Consultant: Brijesh Shah (activated post-SBIR approval phase).
CDSCO India
Central Drugs Standard Control Organisation approval required for AI diagnostic software in India. Aligned with Indian medical device regulations.
CE Mark EU
EU Medical Device Regulation (MDR) pathway for future European market entry.
IRB Oversight
Institutional Review Board ethics oversight for all patient data collection under the MERIT AI research protocol.