Data Protection & Compliance

HIPAA & DPDPA Compliance

Patient data protection is not an afterthought. Athreya Medtech India Pvt Ltd operates with HIPAA and DPDPA compliance built into the architecture — not bolted on.

HIPAA Compliant

Privacy, Security & Breach Notification Rules

DPDPA Aligned

India Digital Personal Data Protection Act 2023

FDA SaMD Pathway

Software as a Medical Device — Pre-submission Phase

HIPAA

HIPAA Compliance Stance

Athreya MedTech adheres to all three HIPAA rules for all patient-identifiable health information.

Privacy Rule

Patient data is collected only with informed consent, used for the minimum necessary purpose, and protected from unauthorised disclosure. De-identification standards (Safe Harbor and Expert Determination) are applied before any data enters the AI training pipeline.

Security Rule

Electronic Protected Health Information (ePHI) is stored exclusively on on-premise hardware at our clinical and engineering facilities. SHA-256 encryption at rest, TLS in transit, RBAC access controls, JWT authentication, and immutable audit logging are in place.

Breach Notification Rule

Incident response procedures are defined. Any breach of unsecured PHI triggers notification to affected individuals, HHS, and (if applicable) media within HIPAA-mandated timelines.

DPDPA

India DPDPA Compliance

Athreya Medtech India Pvt Ltd complies with the Digital Personal Data Protection Act, 2023.

Data Residency

India patient data stays in India. All clinical data collected at De Cure Center, Bengaluru is stored on on-premise infrastructure located in India. No cross-border transfer of patient data without explicit consent and legal basis.

Purpose Limitation

Data is collected exclusively for ophthalmic AI research as stated in the informed consent. It is not used for advertising, profiling, or any purpose outside the MERIT AI research scope.

Data Principal Rights

Patients (Data Principals) have the right to access their data, correct inaccuracies, and request erasure. Contact: decurecenter@gmail.com or dmf.careteam@gmail.com.

Safeguards

Three Layers of Protection

Administrative, physical, and technical safeguards working together.

📋

Administrative Safeguards

  • HIPAA privacy policies and procedures
  • Workforce training on data handling
  • Risk assessment and management programme
  • Business associate agreements with all processors
  • DPDPA consent management
🔒

Physical Safeguards

  • On-premise servers at De Cure Center and DMF
  • Facility access controls
  • Device disposal and sanitisation protocols
  • Hardware-level encryption
  • Physical security monitoring
⚙️

Technical Safeguards

  • SHA-256 encryption at rest and in transit (TLS)
  • Role-Based Access Control (RBAC)
  • JWT authentication for all API access
  • Immutable audit trail logging
  • Automatic session timeout
Regulatory

Regulatory Pathways

MERIT AI is being developed with regulatory commercialisation in mind.

FDA SaMD

Software as a Medical Device — 510(k) or De Novo pathway post-prototype. FDA Regulatory Consultant: Brijesh Shah (activated post-SBIR approval phase).

CDSCO India

Central Drugs Standard Control Organisation approval required for AI diagnostic software in India. Aligned with Indian medical device regulations.

CE Mark EU

EU Medical Device Regulation (MDR) pathway for future European market entry.

IRB Oversight

Institutional Review Board ethics oversight for all patient data collection under the MERIT AI research protocol.