HIPAA Compliance Statement
Effective Date: April 03, 2026
1. Commitment to Healthcare Standards
Sehat Doc is engineered to meet and exceed the privacy and security standards established by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Our platform is built specifically to protect Protected Health Information (PHI) within clinical workflows in Pakistan.
As a Business Associate (BA) to healthcare providers, our role is to maintain the security of the systems that store and transmit medical records, ensuring that clinical judgment is supported by a robust, secure infrastructure.
2. Technical Safeguards
Our engineering team implements rigorous technical controls to protect clinical data from unauthorized access or accidental loss:
- Advanced Encryption: We utilize AES-256 encryption for data at rest and TLS 1.2 or higher for data in transit, so that intercepted network traffic or a copied storage volume cannot be read without the corresponding encryption keys.
- Access Control & Authentication: We enforce unique user identifiers, automatic session timeouts, and role-based access control (RBAC), so that each action is attributable to one individual and only personnel whose role authorizes it can access a given medical record.
- Audit Controls: Our system maintains persistent, append-only, tamper-evident logs of all access to and modification of PHI, allowing clinics to establish exactly who accessed which record and when.
- Integrity Protection: We employ checksums and versioning to detect unauthorized alteration or destruction of medical records and to allow an earlier version of a record to be restored.
3. Physical Safeguards
We leverage world-class infrastructure providers that maintain strict physical security for the servers housing Sehat Doc data:
- Secure Data Centers: Our servers are located in ISO 27001 and SOC 2 Type II certified data centers with 24/7 onsite security, biometric access, and surveillance.
- Disaster Recovery: We maintain offsite, encrypted backups to ensure that clinical records can be recovered in the event of a natural disaster or hardware failure.
- Device Security: Company workstations use full-disk encryption, and we enforce strict data sanitization and disposal policies for all internal hardware before it is retired or reused.
4. Administrative Safeguards
Compliance is not just about code; it's about rigorous internal processes:
- Risk Assessments: We perform regular internal security audits and vulnerability scans to identify risks to our infrastructure and to track their remediation.
- Staff Training: Every member of the Sehat Doc team undergoes comprehensive HIPAA training regarding the handling of sensitive clinical data.
- Business Associate Agreements (BAA): We enter into formal BAAs with our core infrastructure partners to ensure that the entire chain of data processing is compliant.
5. Practitioner Responsibilities
While Sehat Doc provides the secure infrastructure, HIPAA compliance is a shared responsibility. Practitioners using our platform must:
- Enforce strong password policies for all clinic staff.
- Never share login credentials between staff members; every user must have an individual account so that audit logs remain attributable to one person.
- Ensure that workstations used to access Sehat Doc are locked when unattended.
- Obtain proper patient consent for digital record keeping as per local healthcare commission guidelines.
Compliance Officer: compliance@sehatdoc.com