Compliance & Security

Built for Indian healthcare regulations

59 verified compliance controls across 13 Indian regulations — ABDM, DPDP Act, DISHA, HIV/AIDS Act, Mental Healthcare Act, PCPNDT, Drugs & Cosmetics Act, NMC, NABH, NABL, GST, CERT-In, and BSA. MedOS doesn't bolt on compliance — it's baked into every line of code.

Healthcare data security and compliance

ABDM / Ayushman Bharat Digital Mission

ABDM-ready architecture — sandbox-validated against NHA APIs. HIP certification is in progress (target Q2 2026); production HIP push goes live for your facility once that certification is granted and your facility ID is registered with NHA.

ABHA (Health Account) verification and linking at patient registration (sandbox-validated)
Patient consent management with ABDM consent manager callbacks (GRANTED/DENIED/REVOKED)
FHIR R4 document bundles with NDHM coding system
PM-JAY claim generation via NHA API (beneficiary verification, pre-auth, claims, status)
Ayushman Card verification at OPD registration
Two-way health record exchange — HIP push (outbound) and HIU pull (inbound) with encryption
Note: HIP certification (NHA's production attestation) is in progress. The integration code is sandbox-validated; live ABDM exchange requires the certification to land. We will not market a feature as live until it is.

DPDP Act 2023 — Digital Personal Data Protection

India's data protection law (enacted August 2023). Full compliance with data principal rights.

Purpose-limited consent with 5 granular categories (treatment, billing, research, insurance, ABDM)
Children's data protection — guardian consent mandatory for patients under 18
Nominated representative for data principal rights (Section 14)
Consent expiration and version tracking
Data retention lifecycle management with automated flagging and erasure
Grievance officer designation with response deadline tracking

DISHA — Digital Information Security in Healthcare Act (2018 draft bill, not yet enacted)

Consent-driven data access framework with 72-hour breach notification.

Purpose-limited data collection with explicit consent
Right to access (full JSON data export), correct, and delete personal health data
72-hour data breach notification with automated deadline monitoring cron
Data Protection Officer designation in compliance settings
Privacy impact assessment tooling (CRUD with risk levels)
Complete consent audit trail on all 79 API endpoints (READ + WRITE)

HIV/AIDS (Prevention and Control) Act 2017

Heightened confidentiality for HIV-related health data with segregated access controls.

Automatic detection of HIV-related ICD-10 codes (B20-B24, Z21, R75) and clinical text
Segregated access: HIV_CONFIDENTIAL records visible only to treating doctor + authorized users
Per-user HIV data access consent management (ADMIN-authorized)
HIV records automatically excluded from bulk patient data exports
Dedicated audit trail for all HIV data access attempts
Strict enforcement of the Act's disclosure restrictions (Sections 9-10) in code, so an unauthorised disclosure that would expose the facility to criminal penalties cannot happen through the system
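The detection and segregation logic above, written out as an added example in Go. This is illustrative code, not MedOS's own: HIV_CONFIDENTIAL is the sensitivity label the page names, while the Consultation and Viewer types, the canView and bulkExport functions and the keyword list are assumptions. The point it makes that the bullets do not: the ICD-10 match must be anchored so that sub-codes (B20.7) match but look-alikes (B25, B200) do not, and the read path must be default-deny, with ADMIN alone not sufficient.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Sensitivity classes. HIV_CONFIDENTIAL is the label the page uses; the
// rest of this file is an illustrative assumption.
const (
	Standard        = "STANDARD"
	HIVConfidential = "HIV_CONFIDENTIAL"
)

// hivCodePattern matches B20-B24, Z21 and R75 with optional sub-codes
// (B20.7). It is anchored so B25 or B200 never match, and case-insensitive
// because hand-entered codes are not always uppercase.
var hivCodePattern = regexp.MustCompile(`(?i)^(B2[0-4]|Z21|R75)(\.\d{1,2})?$`)

// Free-text fallback. Word boundaries matter: without them "art" would hit
// "heart" and "hiv" would hit "archive". Over-flagging is the safe direction.
var hivTextPattern = regexp.MustCompile(`(?i)\b(HIV|antiretroviral|ART regimen|CD4 count)\b`)

type Consultation struct {
	PatientID   string
	DoctorID    string // treating doctor
	ICD10Codes  []string
	Notes       string
	Sensitivity string
}

// Viewer is the caller of a read path. HIVConsentGranted stands in for the
// per-user, ADMIN-authorised access grant the page describes.
type Viewer struct {
	UserID            string
	Role              string
	HIVConsentGranted bool
}

// isHIVCode reports whether one ICD-10 code falls in B20-B24, Z21 or R75.
func isHIVCode(code string) bool {
	return hivCodePattern.MatchString(strings.TrimSpace(code))
}

// classify runs on save, before any read path sees the record, and marks it
// HIV_CONFIDENTIAL if any code or the note text is HIV-related.
func classify(c *Consultation) string {
	c.Sensitivity = Standard
	for _, code := range c.ICD10Codes {
		if isHIVCode(code) {
			c.Sensitivity = HIVConfidential
			return c.Sensitivity
		}
	}
	if hivTextPattern.MatchString(c.Notes) {
		c.Sensitivity = HIVConfidential
	}
	return c.Sensitivity
}

// canView is default-deny for confidential records: only the treating doctor
// or a user holding an explicit grant may read them. The ADMIN role by itself
// is deliberately not enough.
func canView(v Viewer, c Consultation) bool {
	if c.Sensitivity != HIVConfidential {
		return true
	}
	return v.UserID == c.DoctorID || v.HIVConsentGranted
}

// bulkExport drops HIV_CONFIDENTIAL records regardless of who runs the job,
// so an otherwise authorised export cannot leak them by accident.
func bulkExport(records []Consultation) []Consultation {
	out := make([]Consultation, 0, len(records))
	for _, r := range records {
		if r.Sensitivity != HIVConfidential {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	c := Consultation{PatientID: "P-1001", DoctorID: "DR-7", ICD10Codes: []string{"B20.7"}}
	fmt.Println(classify(&c), canView(Viewer{UserID: "DR-2", Role: "ADMIN"}, c))
}
```

A real system would also log every canView decision on a confidential record, granted or denied, into the dedicated HIV audit trail the page mentions; the function returns a plain bool here so the policy stays readable.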

Mental Healthcare Act 2017

Special protections for psychiatric records with advance directives support.

Advance directives CRUD (treatment preferences, refusals, nominated representatives)
Mental health record segregation — visible only to treating psychiatrist + ADMIN
Clinical fields redacted for unauthorized staff viewing mental health consultations
Nominated representative for mental health decisions
MHRB (Mental Health Review Board) involuntary admission reporting
Section 23 confidentiality enforcement in all data access paths

PCPNDT Act 1994 — Pre-Natal Diagnostics

Hard block on fetal sex determination. Digital Form F. Criminal penalty prevention.

HARD BLOCK: Fetal sex recording prohibited in all radiology orders and reports
Obstetric ultrasound auto-detection (modality + body part matching)
Report text scanning for sex disclosure keywords before submission
Digital Form F with mandatory fields per PCPNDT rules
Monthly PCPNDT report generator (ultrasound count per doctor)
Strictest enforcement in the system, since a PCPNDT violation carries up to 5 years' imprisonment for the practitioner

Drugs & Cosmetics Act 1940

Schedule H1/X drug register automation. Expired medicine blocking. Prescription validity.

Schedule H1 register — auto-created on every Schedule H1 drug dispensing
Schedule X register — requires double verification, auto-logged with batch tracking
Expired medicine dispensing BLOCKED at pharmacy checkout
Prescription validity enforcement (30 days for H/H1, 7 days for Schedule X)
Drug recall management with batch-level tracking
NDPS-compatible controlled substance audit trail

NABH — National Accreditation Board for Hospitals

Pre-built templates and workflows that map to NABH quality standards.

SOP templates for clinical processes (with department and review cycle tracking)
Quality manual documentation framework (5 document types with approval workflow)
Incident reporting and tracking module (10 categories including near-miss)
Patient safety indicator dashboards with severity distribution
Medication error tracking with root cause analysis
NABH checklist with 11 chapters (AAC, COP, MOM, PRE, HIC, QI, ROM, FMS, HRM, IMS, CQI)

NABL — ISO 15189 Laboratory Accreditation

Lab module designed from the ground up for NABL compliance.

Multi-level result validation (technician > pathologist > release) — 4-stage enforced workflow
Sample barcode tracking with Code128B SVG generation at collection
HL7 v2.x message parser + ingestion endpoint for bi-directional analyzer interfacing
TAT reporting with percentile calculations (P50, P90, P95) per test category
Westgard quality control rules (1-3s, 2-2s, R-4s, 4-1s, 10x) with Levey-Jennings data API
Critical value alerting with configurable ranges and auto-notification
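The Westgard rules listed above, implemented as an added example in Go. This is not the MedOS lab module's code; it evaluates a single control level over a series of results using a mean and SD established during the QC period (passed in by the caller, never derived from the series being judged), and applies the five rules the page names: 1-3s, 2-2s, R-4s, 4-1s and 10x. The sample series is constructed to fire each rule once.

```go
package main

import (
	"fmt"
	"math"
)

// Violation names the rule that fired and the 0-based index of the result
// that completed it.
type Violation struct {
	Rule  string
	Index int
}

func sameSide(a, b float64) bool { return (a > 0 && b > 0) || (a < 0 && b < 0) }

// runBeyond reports whether every value in w lies on one side of the mean
// and strictly beyond limit SD. A limit of 0 means "merely the same side",
// which is what the 10x rule needs.
func runBeyond(w []float64, limit float64) bool {
	pos, neg := w[0] > limit, w[0] < -limit
	if !pos && !neg {
		return false
	}
	for _, v := range w[1:] {
		if (pos && v <= limit) || (neg && v >= -limit) {
			return false
		}
	}
	return true
}

// westgard converts each result to SD units and checks the rules in order.
// All five are treated as rejection rules; labs that use 1-2s as a warning
// only would add that screen before calling this.
func westgard(values []float64, mean, sd float64) []Violation {
	z := make([]float64, len(values))
	for i, v := range values {
		z[i] = (v - mean) / sd
	}
	var out []Violation
	for i := range z {
		// 1-3s: one result beyond ±3 SD (random error).
		if math.Abs(z[i]) > 3 {
			out = append(out, Violation{"1-3s", i})
		}
		if i >= 1 {
			// 2-2s: two consecutive results beyond the same ±2 SD limit.
			if sameSide(z[i], z[i-1]) && math.Abs(z[i]) > 2 && math.Abs(z[i-1]) > 2 {
				out = append(out, Violation{"2-2s", i})
			}
			// R-4s: consecutive results, one above +2 SD and one below -2 SD.
			if (z[i] > 2 && z[i-1] < -2) || (z[i] < -2 && z[i-1] > 2) {
				out = append(out, Violation{"R-4s", i})
			}
		}
		// 4-1s: four consecutive results beyond ±1 SD on the same side.
		if i >= 3 && runBeyond(z[i-3:i+1], 1) {
			out = append(out, Violation{"4-1s", i})
		}
		// 10x: ten consecutive results on the same side of the mean.
		if i >= 9 && runBeyond(z[i-9:i+1], 0) {
			out = append(out, Violation{"10x", i})
		}
	}
	return out
}

func main() {
	// Constructed QC series (mean 100, SD 2): each rule fires exactly once.
	qc := []float64{100, 101, 107, 105, 95, 103, 103, 103, 103, 101, 101, 101, 101, 101, 101}
	for _, v := range westgard(qc, 100, 2) {
		fmt.Printf("%-5s at result %d\n", v.Rule, v.Index+1)
	}
}
```

The Levey-Jennings data API the page mentions is just the z slice computed here, plotted against run number; the rules are the decision layer on top of it.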

NMC Regulations 2023 + Notifiable Disease Reporting

Generic drug name mandate, doctor registration enforcement, and IHIP disease surveillance.

Generic drug name mandatory on all prescription items (NMC 2023 mandate)
Doctor NMC registration number auto-populated on prescriptions
20 notifiable diseases seeded with ICD-10 patterns (TB, malaria, dengue, COVID, etc.)
Auto-detection on consultation save — flags notifiable diseases instantly
Disease surveillance report management with IHIP-compatible export format
24-hour reporting compliance for immediate-category diseases

BSA 2023 + Consumer Protection Act 2019

Legal evidence certificates for EMR and patient grievance management.

Section 63(4) BSA legal evidence certificates with SHA-256 hash verification
Unique certificate numbering for court-admissible electronic medical records
Patient grievance/complaint management with auto-assignment to grievance officer
30-day resolution deadline tracking with escalation workflow
Patient portal grievance submission and status tracking
Full audit trail of all grievance actions for Consumer Court evidence
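The hash-backed certificate described above, as an added example in Go. This is illustrative and not MedOS's schema: the Certificate fields, the certificate number format and the facility code are assumptions. It shows the two decisions that matter in practice: the hash is computed over a canonical serialisation of the record (so a re-exported copy with different whitespace or key order still verifies, while any change to a value does not), and the certificate number comes from a caller-supplied monotonic sequence rather than a count of existing rows, which would collide under concurrent issuance.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Certificate is the illustrative shape of a Section 63(4) certificate row.
// Field names are an assumption; the page does not publish its schema.
type Certificate struct {
	Number     string `json:"certificate_number"`
	RecordID   string `json:"record_id"`
	RecordHash string `json:"record_sha256"`
	IssuedAt   string `json:"issued_at"`
	IssuedBy   string `json:"issued_by"`
}

// canonicalize gives a stable byte encoding of a record. encoding/json sorts
// map keys at every level, which is enough for flat clinical records; nested
// floats or non-JSON artefacts (a PDF) would need a full canonical scheme or
// a hash over the stored bytes instead.
func canonicalize(record map[string]any) ([]byte, error) {
	return json.Marshal(record)
}

// hashRecord returns the hex SHA-256 of the canonical form.
func hashRecord(record map[string]any) (string, error) {
	b, err := canonicalize(record)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

// hashJSONDocument hashes a JSON document as received (pretty-printed or not)
// by first normalising it, so an exported copy verifies against the original.
func hashJSONDocument(doc []byte) (string, error) {
	var record map[string]any
	if err := json.Unmarshal(doc, &record); err != nil {
		return "", err
	}
	return hashRecord(record)
}

// issueCertificate binds the record hash to a unique number. seq must come
// from a database sequence or equivalent monotonic source.
func issueCertificate(facility string, seq uint64, recordID string, record map[string]any, issuedBy string, now time.Time) (Certificate, error) {
	h, err := hashRecord(record)
	if err != nil {
		return Certificate{}, err
	}
	return Certificate{
		Number:     fmt.Sprintf("%s-%s-%06d", facility, now.UTC().Format("20060102"), seq),
		RecordID:   recordID,
		RecordHash: h,
		IssuedAt:   now.UTC().Format(time.RFC3339),
		IssuedBy:   issuedBy,
	}, nil
}

// verify recomputes the hash over the record as stored today and compares it
// in constant time with the certified value.
func verify(c Certificate, record map[string]any) (bool, error) {
	h, err := hashRecord(record)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(h), []byte(c.RecordHash)) == 1, nil
}

func main() {
	// Constructed prescription record, not real patient data.
	rx := map[string]any{"patient_id": "P-1001", "drug": "Metformin", "dose_mg": 500}
	c, _ := issueCertificate("HOSP01", 42, "RX-1001", rx, "dr.example", time.Now())
	ok, _ := verify(c, rx)
	fmt.Println(c.Number, c.RecordHash[:16], ok)
}
```

The hash proves the record has not changed since the certificate was issued; it does not by itself prove the certificate was not changed. The certificate rows therefore belong in an append-only, separately-audited store (or carry a signature from a key the application cannot use to re-issue), otherwise someone with database write access can replace both record and hash together.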

Enterprise-grade security

Your patient data is protected at every layer

Encryption

  • Field-level encryption for sensitive identifiers (AES-256-GCM)
  • TLS 1.3 encryption in transit
  • Encryption at rest provided by the database hosting provider (infrastructure-level)
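Field-level AES-256-GCM encryption of an identifier, as an added example in Go using the standard library. It is not MedOS's code: the FieldCipher type, the table/record/field naming and the blind-index helper are assumptions (a Cloudflare Worker would use WebCrypto and a secret binding rather than a byte slice, but the construction is the same). What it adds to the bullet: the record and column name go into GCM's associated data, so a ciphertext copied from one patient's row into another's fails to decrypt; a fresh random nonce is used per call; and an HMAC blind index answers "look up by ABHA number" without storing the number in clear.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// FieldCipher encrypts single sensitive identifiers (ABHA number, Aadhaar,
// phone). The key is passed in by the caller; in a deployment it comes from
// a KMS or secret binding and is never in source or config.
type FieldCipher struct {
	aead cipher.AEAD
}

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// aad binds a ciphertext to the row and column it lives in. Without it,
// anyone with database write access could move patient A's encrypted
// Aadhaar into patient B's row and the application would decrypt it happily.
func aad(table, recordID, field string) []byte {
	return []byte(table + "\x00" + recordID + "\x00" + field)
}

// Encrypt returns base64(nonce || ciphertext || tag). A random 96-bit nonce
// per call is mandatory: GCM loses both confidentiality and integrity if a
// nonce repeats under the same key.
func (f *FieldCipher) Encrypt(table, recordID, field, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := f.aead.Seal(nil, nonce, []byte(plaintext), aad(table, recordID, field))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Decrypt fails closed on a short blob, a bad tag, a wrong key, or a
// ciphertext that was moved to a different record or column.
func (f *FieldCipher) Decrypt(table, recordID, field, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns+f.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := f.aead.Open(nil, raw[:ns], raw[ns:], aad(table, recordID, field))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, corrupted data, or ciphertext bound to another record")
	}
	return string(pt), nil
}

// BlindIndex supports lookup by identifier without a cleartext column: store
// HMAC(indexKey, normalised value) in an indexed column and query on it.
// indexKey must be a separate key from the encryption key.
func BlindIndex(indexKey []byte, value string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(strings.TrimSpace(value))) // "1234 " and "1234" must index alike
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, _ := NewFieldCipher(key)
	ct, _ := fc.Encrypt("patients", "P-1001", "aadhaar", "1234-5678-9012") // constructed value
	pt, _ := fc.Decrypt("patients", "P-1001", "aadhaar", ct)
	fmt.Println(ct, pt, BlindIndex([]byte("separate-index-key"), "1234-5678-9012"))
}
```

The blind index is deterministic by design, so it reveals equality (two patients with the same phone number share an index value); that is the trade-off for searchability and is why it uses its own key.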

Infrastructure

  • Database in AWS Mumbai region (ap-south-1) via Turso
  • Application compute in India (Cloudflare Workers, Mumbai placement)
  • File storage in APAC region (migrating to AWS S3 Mumbai)

Access Controls

  • Role-based access control (RBAC)
  • OTP-based authentication
  • Auto session timeout (30 min)

Audit & Monitoring

  • Audit trail for data creation, modification, deletion, and access
  • Role-based audit log review
  • Cloudflare observability with 100% request logging

Additional standards

IT Act 2000 / SPDI Rules

Sensitive Personal Data handling with AES-256-GCM encryption and access controls

GST Compliance

Auto CGST/SGST/IGST with SAC codes and NIC e-invoice (IRN) generation

HIPAA-Aligned Safeguards

30-min auto-logoff, unique user IDs, 7-role RBAC, TLS 1.3, complete audit trail

HL7 FHIR R4

FHIR R4 document bundles with NDHM coding system for ABDM exchange

HL7 v2.x

ORM/ORU message parser + ingestion endpoint for lab analyzer integration
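The HL7 v2.x ORU parser mentioned here and under NABL above, as an added example in Go. This is not MedOS's parser: the types and the sampleORU message are constructed for illustration. It shows the parts of the format an ingestion endpoint has to get right before trusting analyzer data: the delimiters are read from MSH-1 and MSH-2 rather than assumed, MSH field numbering is fixed up so MSH-9 is really the message type, escape sequences are decoded, the message type is checked before anything is stored, and a message with no PID-3 is rejected rather than attached to nobody. The critical helper picks out the HH/LL flags that the critical value alerting path would act on.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Segment keeps raw fields; Fields[0] is the segment name so that Fields[n]
// is HL7 field n (after the MSH fix-up in parseHL7).
type Segment struct {
	Name   string
	Fields []string
}

type Message struct {
	FieldSep, CompSep, RepSep, EscChar, SubSep byte
	Segments                                  []Segment
}

type Result struct {
	Code, Name, Value, Units, RefRange, Flag string
}

// sampleORU is a constructed ORU^R01 of the kind an analyzer sends; it is
// not captured from any real system.
var sampleORU = strings.Join([]string{
	"MSH|^~\\&|ANALYZER|LAB|MEDOS|HOSP|20250101120000||ORU^R01|MSG0001|P|2.5.1",
	"PID|1||MRN12345^^^HOSP^MR||DOE^JANE||19800101|F",
	"OBR|1|ORD001||CBC^Complete Blood Count|||20250101113000",
	"OBX|1|NM|WBC^White Blood Cells||7.2|10*3/uL|4.0-11.0|N|||F",
	"OBX|2|NM|HGB^Hemoglobin||13.5|g/dL|12.0-16.0|N|||F",
	"OBX|3|NM|K^Potassium||6.8|mmol/L|3.5-5.1|HH|||F",
	"OBX|4|ST|NOTE^Comment||Hemolysed \\T\\ repeat||||||F",
}, "\r")

// parseHL7 splits a message into segments and fields using the delimiters
// declared in MSH. Segments end in CR; CRLF/LF from misconfigured senders
// are tolerated.
func parseHL7(raw string) (*Message, error) {
	raw = strings.ReplaceAll(raw, "\r\n", "\r")
	raw = strings.ReplaceAll(raw, "\n", "\r")
	lines := strings.Split(strings.TrimRight(raw, "\r"), "\r")
	if len(lines[0]) < 8 || !strings.HasPrefix(lines[0], "MSH") {
		return nil, errors.New("message must start with an MSH segment")
	}
	h := lines[0]
	m := &Message{FieldSep: h[3], CompSep: h[4], RepSep: h[5], EscChar: h[6], SubSep: h[7]}
	for i, line := range lines {
		if len(line) < 3 {
			return nil, fmt.Errorf("segment %d is too short", i+1)
		}
		fields := strings.Split(line, string(m.FieldSep))
		if i == 0 {
			// MSH-1 is the separator itself; re-insert it so MSH-9 is index 9.
			fields = append([]string{"MSH", string(m.FieldSep)}, fields[1:]...)
		}
		m.Segments = append(m.Segments, Segment{Name: fields[0], Fields: fields})
	}
	return m, nil
}

func (s Segment) Field(n int) string {
	if n < len(s.Fields) {
		return s.Fields[n]
	}
	return ""
}

// unescape decodes the standard escape sequences so a value containing a
// delimiter survives; unknown sequences are left untouched, not dropped.
func (m *Message) unescape(v string) string {
	e := string(m.EscChar)
	return strings.NewReplacer(
		e+"F"+e, string(m.FieldSep), e+"S"+e, string(m.CompSep),
		e+"T"+e, string(m.SubSep), e+"R"+e, string(m.RepSep), e+"E"+e, e,
	).Replace(v)
}

// Component returns component c (1-based) of field n, decoded.
func (m *Message) Component(s Segment, n, c int) string {
	parts := strings.Split(s.Field(n), string(m.CompSep))
	if c-1 < len(parts) {
		return m.unescape(parts[c-1])
	}
	return ""
}

// ingestORU accepts only ORU^R01 and returns the MRN from PID-3 plus every
// OBX result; it refuses a message that cannot be tied to a patient.
func ingestORU(raw string) (string, []Result, error) {
	m, err := parseHL7(raw)
	if err != nil {
		return "", nil, err
	}
	msh := m.Segments[0]
	if m.Component(msh, 9, 1) != "ORU" || m.Component(msh, 9, 2) != "R01" {
		return "", nil, fmt.Errorf("unexpected message type %q", msh.Field(9))
	}
	var mrn string
	var results []Result
	for _, s := range m.Segments {
		switch s.Name {
		case "PID":
			mrn = m.Component(s, 3, 1)
		case "OBX":
			results = append(results, Result{
				Code: m.Component(s, 3, 1), Name: m.Component(s, 3, 2),
				Value: m.Component(s, 5, 1), Units: m.Component(s, 6, 1),
				RefRange: m.Component(s, 7, 1), Flag: m.Component(s, 8, 1),
			})
		}
	}
	if mrn == "" {
		return "", nil, errors.New("PID-3 missing: cannot attach results to a patient")
	}
	return mrn, results, nil
}

// critical returns results flagged HH (critically high) or LL (critically
// low), the ones the auto-notification path should page on immediately.
func critical(results []Result) []Result {
	var out []Result
	for _, r := range results {
		if r.Flag == "HH" || r.Flag == "LL" {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	mrn, res, err := ingestORU(sampleORU)
	fmt.Println(mrn, len(res), critical(res), err)
}
```

An endpoint built on this should still treat the analyzer as an untrusted network peer: authenticate the connection, cap message size, and record the raw message alongside the parsed results so a dispute over a value can be traced back to what was actually received.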

CERT-In Guidelines

Incident report generator with CERT-In taxonomy and 6-hour reporting format

24/7 Health Monitoring

Automated health checks for database, ABDM gateway, and application with email alerts

Clinical Establishments Act

Digital record-keeping and reporting templates for state health departments

Compliance should not be an afterthought

MedOS handles ABDM, DPDP, DISHA, HIV Act, PCPNDT, NMC, NABH, NABL, GST, and 4 more regulatory frameworks — so you can focus on patient care.