Privacy Policy

1. Scope and Purpose

This policy covers all digital personal data collected from patients, whether obtained online or offline and later digitised.

• Providing medical treatment and care
• Maintaining electronic health records (EHRs)
• Managing appointments and billing
• Facilitating diagnostic services (lab tests, imaging)
• Conducting research and analysis to improve hospital services (with separate consent)
• Supporting regulatory compliance and audits

2. Types of Data Collected

We collect and process the following types of personal data:

• Contact data: Name, address, phone number, email address
• Demographic data: Age, gender, date of birth
• Medical data: Medical history, diagnosis, treatment plans, prescriptions, diagnostic reports (e.g., ECGs, angiograms)
• Insurance and financial data: Insurance plan details and payment information
• Technical data (for digital platforms): IP addresses, device details, cookies, and browsing behaviour (see Cookie Policy below)

3. Consent Management

• Valid Consent: Clear, informed consent is obtained from patients before collecting or processing personal data.
• Withdrawal of Consent: Patients may withdraw consent anytime. Instructions are clearly explained and easily accessible.
• Children's Data: For patients under 18, consent is obtained from a parent/legal guardian. We do not track, monitor, or advertise directly to children.

4. Automated Decision-Making and Profiling

Currently, Heart Valve Experts do not use automated decision-making or patient profiling for clinical or administrative purposes. If any systems are introduced (e.g., AI-based diagnostics or risk stratification tools), patients will be informed, and explicit consent will be obtained.

5. Data Storage, Retention, and Security

• Confidentiality: Patient privacy and confidentiality are an ethical and legal obligation.
• Security Measures: Encryption, access controls, firewalls, and regular audits are implemented to safeguard patient data.
• Data Breach Notification: Patients and the Data Protection Board of India are notified of any breach as required by law.
• Retention Periods: Medical records: Minimum 3 years for indoor patients. Billing and financial records: 8 years. Diagnostic reports and lab results: 5 years. Digital records: As long as the patient account is active or until consent withdrawal.

6. Disclosure of Information

• Limited Disclosure: Data is shared only with authorised healthcare providers on a need-to-know basis.
• Third-party Vendors: Diagnostic labs, technology providers, or insurers are required to maintain DPDP Act-compliant safeguards.
• International Transfers: If personal data is processed or stored on servers outside India (e.g., cloud storage providers), such transfers are carried out only in compliance with DPDP Act provisions and patient consent.

7. Patient Rights and Grievance Redressal

• Right to Access: Patients may request and obtain copies of their medical data.
• Right to Correction and Erasure: Patients may request corrections or deletion of inaccurate or outdated data, subject to legal and medical record-keeping requirements.
• Right to Withdraw Consent: Patients can opt out of non-essential data use (e.g., research, cookies).
• Grievance Mechanism: A transparent redressal process is in place. For significant data fiduciaries, a Data Protection Officer (DPO) oversees compliance.

8. Legal and Regulatory Framework

Our privacy practices align with:

• The Digital Personal Data Protection (DPDP) Act, 2023
• Indian Medical Council Regulations, 2002
• National and hospital-specific healthcare standards

9. Contact Us

For any privacy-related concerns or to exercise rights regarding your data, please contact us.