HIPAA Approach
ArogyaTrack is designed and operated in line with the HIPAA Security Rule and applicable data-protection regulations. This page describes the safeguards we have implemented today.
Certification status — read this first
ArogyaTrack has not yet completed an independent third-party HIPAA audit, and we do not currently hold SOC 2 Type II or ISO 27001 certifications under our own name. We follow the controls described on this page and align our architecture with the HIPAA Security Rule and ISO 27001 best practices, with formal certification on our roadmap. Where this page or any other on the site uses words like “aligned,” “supported” or “ready” alongside HIPAA, ISO 27001 or SOC 2, we mean architectural and procedural conformance — not a certificate from an accredited body. If you require a signed Business Associate Agreement, a SOC 2 report or an ISO 27001 certificate before evaluating ArogyaTrack for enterprise use, please contact us to discuss our roadmap.
Healthcare Data Protection
We implement administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of all protected health information (PHI) processed through our platform.
Compliance Framework
Protected Health Information (PHI)
ArogyaTrack handles sensitive health data including medical reports, lab results, vitals, medicine logs, AI-generated health scores, and family health records. We treat all individually identifiable health information as Protected Health Information (PHI) and apply safeguards aligned with the HIPAA Security Rule and with India's Digital Personal Data Protection Act, 2023 (DPDP Act) to protect its confidentiality, integrity, and availability.
Administrative Safeguards
We maintain comprehensive administrative policies including a designated Privacy Officer, workforce security awareness training, information access management with role-based access control (RBAC), regular risk assessments, and incident response procedures. All personnel with access to PHI undergo background checks and sign confidentiality agreements. We conduct periodic audits to ensure ongoing compliance with our privacy and security policies.
Technical Safeguards
Our platform implements technical safeguards including AES-256 encryption for data at rest and TLS 1.3 for data in transit. We enforce multi-factor authentication, automatic session timeouts, unique user identification, and comprehensive audit logging of all access to PHI. Emergency access procedures are in place so that PHI remains available to authorised staff during a system emergency. All API endpoints are secured with token-based authentication and rate limiting.
Physical Safeguards
Our infrastructure is hosted on cloud providers (AWS / GCP) whose own data centers and operating environments hold SOC 2 Type II and ISO 27001 certifications independently. Those certifications attach to the cloud provider's environment, not to ArogyaTrack itself — see our compliance status on the Disclaimer page. The provider data centers employ 24/7 physical security, biometric access controls, video surveillance, and environmental controls. ArogyaTrack workstation security policies govern the use and positioning of devices that access PHI, and hardware containing PHI is securely disposed of using industry-standard data destruction methods.
Encryption & Access Controls
All health data is encrypted using AES-256 at rest and transmitted over TLS 1.3 encrypted channels. Access to PHI is governed by role-based access control (RBAC) ensuring that users only access data relevant to their role. Family member data is isolated with separate access permissions managed by the account owner. API access requires OAuth 2.0 tokens with scoped permissions. Encryption keys are managed through a dedicated key management service with regular key rotation.
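The access model described above combines three checks: the OAuth 2.0 scope the calling client holds, the role of the authenticated user, and the relationship between that user and the account owner whose PHI is requested (own record, owner-managed family grant, or care assignment). The following Python is an added illustration of how such a deny-by-default check can be structured; it is not ArogyaTrack's code, and the role names, scope strings, user ids and grant tables are assumptions constructed for the example.

```python
"""Illustrative RBAC + family-record isolation check (constructed example).

Assumed model: a Token carries the authenticated user, their role and the
OAuth 2.0 scopes granted to the client; a Request names the account owner
whose PHI is targeted and the action. Every allow path is explicit; anything
not matched is denied.
"""
from dataclasses import dataclass

# Role -> actions that role may ever perform (assumed role names).
ROLE_ACTIONS = {
    "patient": {"read", "write"},
    "doctor": {"read"},
    "lab": {"write_result"},
}

# Action -> OAuth scope the calling client must hold (assumed scope strings).
SCOPE_FOR_ACTION = {
    "read": "records:read",
    "write": "records:write",
    "write_result": "results:write",
}

# Family grants are managed by the account owner: owner -> {member: actions}.
FAMILY_GRANTS = {"alice": {"bob": {"read"}}}
# Care assignments: patient -> ids of clinicians/partners assigned to them.
CARE_ASSIGNMENTS = {"alice": {"dr_rao", "lab_42"}}


@dataclass(frozen=True)
class Token:
    subject: str        # unique user identification
    role: str
    scopes: frozenset   # scopes granted to the OAuth client


@dataclass(frozen=True)
class Request:
    owner: str          # whose PHI the record belongs to
    action: str         # "read", "write" or "write_result"


def authorize(token, req, grants=None, assignments=None):
    """Return (allowed, reason). Deny by default."""
    grants = FAMILY_GRANTS if grants is None else grants
    assignments = CARE_ASSIGNMENTS if assignments is None else assignments

    # 1. Scoped token: the client must hold the scope for this action.
    needed = SCOPE_FOR_ACTION.get(req.action)
    if needed is None or needed not in token.scopes:
        return False, "missing scope"

    # 2. RBAC: the user's role must permit the action at all.
    if req.action not in ROLE_ACTIONS.get(token.role, set()):
        return False, "role cannot perform action"

    # 3. Isolation: a relationship to the owner is required.
    if token.subject == req.owner:
        return True, "own record"
    if req.action in grants.get(req.owner, {}).get(token.subject, set()):
        return True, "family grant"
    if token.role in ("doctor", "lab") and token.subject in assignments.get(req.owner, set()):
        return True, "care assignment"
    return False, "no relationship to owner"


if __name__ == "__main__":
    bob = Token("bob", "patient", frozenset({"records:read", "records:write"}))
    print(authorize(bob, Request("alice", "read")))    # family grant
    print(authorize(bob, Request("alice", "write")))   # denied: grant is read-only
```

The order matters: the scope check rejects an over-broad client before any user-level logic runs, and the relationship check is last so that a family member's owner-granted read cannot be widened by their own role.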
Audit Controls & Monitoring
We maintain comprehensive audit trails for all access to and modifications of PHI. Our logging system records user identity, timestamp, action performed, and data accessed. Audit logs are retained for a minimum of 6 years and are protected against tampering. Automated monitoring systems detect and alert on suspicious access patterns, unauthorized access attempts, and potential data breaches. Regular audit reviews are conducted by our security team.
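The paragraph above names the four fields each audit record carries (user identity, timestamp, action, data accessed), says the log is protected against tampering, and says automated monitoring flags suspicious access patterns. The Python below is an added illustration, not ArogyaTrack's logging system: it hash-chains entries carrying those four fields so that an edited or deleted record breaks verification, and runs one simple detection rule (a user reading more distinct patients' records than a threshold inside a time window) over constructed sample entries. The user ids, patient ids, resource naming and threshold are assumptions.

```python
"""Tamper-evident audit log with one access-pattern check (constructed example)."""
import hashlib
import json
from collections import defaultdict

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(prev_hash, body):
    # Canonical JSON so the same fields always hash identically.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, ts, user, action, resource):
        """Record who (user), when (ts), what (action) and which data (resource)."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "user": user,
                "action": action, "resource": resource, "prev": prev}
        entry = dict(body, hash=_entry_hash(prev, body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first inconsistent entry, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _entry_hash(prev, body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def flag_bulk_reads(entries, max_patients=5, window_s=3600):
    """Users who read records of more than max_patients distinct patients
    within any window_s seconds. Resource ids are assumed to be '<patient>/<item>'."""
    reads = defaultdict(list)
    for e in entries:
        if e["action"] == "read":
            patient = e["resource"].split("/", 1)[0]
            reads[e["user"]].append((e["ts"], patient))
    flagged = set()
    for user, events in reads.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            patients = {p for t, p in events[i:] if t - t0 <= window_s}
            if len(patients) > max_patients:
                flagged.add(user)
                break
    return flagged


def build_sample_log():
    """Constructed sample: two ordinary users plus one clinician reading six patients in five minutes."""
    log = AuditLog()
    base = 1_700_000_000
    log.append(base, "alice", "read", "alice/lab-result")
    log.append(base + 30, "alice", "write", "alice/vitals")
    log.append(base + 100, "bob", "read", "alice/lab-result")
    for i in range(6):
        log.append(base + 200 + 60 * i, "dr_rao", "read", f"p{i}/report")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() == -1)          # True
    print("flagged:", flag_bulk_reads(log.entries))  # {'dr_rao'}
    log.entries[2]["resource"] = "p9/report"       # silent edit of bob's entry
    print("first bad entry:", log.verify())         # 2
```

A chain like this only proves that the log has not changed since the last hash you trust: an attacker with write access to the whole store can rewrite every entry and recompute the chain. In practice the head hash is periodically written somewhere the application cannot alter (write-once storage or a signed checkpoint) and verification starts from that anchor.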
Business Associate Agreements
All third-party service providers and marketplace partners (labs, chemists, doctors, imaging centers) who may access, process, or store PHI are required to sign Business Associate Agreements (BAAs). These agreements ensure that our partners maintain equivalent privacy and security standards. We regularly review partner compliance and conduct due diligence assessments before onboarding new partners to the platform.
Breach Notification
In the event of a data breach involving PHI, we follow a structured incident response process. Affected individuals will be notified within 72 hours of breach discovery via email and in-app notification. Notifications include a description of the breach, types of information involved, steps we are taking to investigate and mitigate, and recommended actions for affected users. We also notify relevant regulatory authorities as required by applicable laws.
Patient Rights
You have the right to access your complete health records stored on our platform at any time. You may request amendments or corrections to your health data. You can obtain an accounting of disclosures detailing who has accessed your PHI. You have the right to request restrictions on certain uses of your data. You may export your health data in standard formats (PDF, FHIR) for portability. All rights requests are processed within 30 days of receipt.
For questions about our HIPAA compliance or to report a privacy concern, contact our Privacy Officer at privacy@globalsynapse.tech.
Last updated: March 2026 • Global Synapse Technologies (GSTech)