Compliance | PRISM

Our Compliance Philosophy

Healthcare operates in a highly regulated environment, and for good reason — patient safety and privacy are paramount. PRISM is designed from the ground up to meet the strictest regulatory requirements across multiple jurisdictions while enabling seamless interoperability through international healthcare standards.

1. Data Protection Regulations

PRISM complies with data protection and privacy laws across all regions where we operate:

European Union

GDPR

General Data Protection Regulation

Full compliance with the EU's comprehensive data protection framework:

Lawful basis for processing health data
Data subject rights (access, rectification, erasure, portability)
Data Protection Impact Assessments
72-hour breach notification
Data Processing Agreements with all partners
Appointed Data Protection Officer

United States

HIPAA

Health Insurance Portability and Accountability Act

Comprehensive HIPAA compliance for US healthcare:

Privacy Rule — PHI protection
Security Rule — Administrative, physical, technical safeguards
Breach Notification Rule
Business Associate Agreements
Minimum necessary standard
Regular HIPAA training for staff

India

DPDP Act

Digital Personal Data Protection Act 2023

Aligned with India's new data protection framework:

Consent-based data processing
Data Principal rights
Data localisation requirements
ABHA ID integration support
Significant Data Fiduciary obligations

Global

Other Jurisdictions

Regional & National Laws

Compliance with additional regional requirements:

UK Data Protection Act 2018
Australia Privacy Act 1988
Singapore PDPA
Brazil LGPD
Canada PIPEDA / Provincial health laws

2. Healthcare-Specific Regulations

Regulation	Jurisdiction	Scope	Status
HIPAA	United States	Protected Health Information (PHI)	Compliant
HITECH Act	United States	Electronic health records, breach notification	Compliant
MDR	European Union	Medical Device Regulation (software as medical device)	Aligned
NHS DTAC	United Kingdom	Digital Technology Assessment Criteria	Aligned
ABDM Guidelines	India	Ayushman Bharat Digital Mission standards	Compliant
My Health Record	Australia	National health record system integration	Aligned

3. Interoperability Standards

PRISM is built on internationally recognised healthcare interoperability standards to ensure seamless data exchange:

FHIR R4

HL7 FHIR

Fast Healthcare Interoperability Resources

ICD-10/11

WHO ICD

International Classification of Diseases

SNOMED CT

Clinical Terms

Systematized Nomenclature of Medicine

LOINC

Lab Codes

Logical Observation Identifiers

WHO DD

Drug Dictionary

WHO Drug Reference Standard

HL7 v2/v3

HL7 Messaging

Legacy System Integration

3.1 FHIR Implementation

Our FHIR R4 implementation supports:

Resources: Patient, Observation, Condition, MedicationStatement, DiagnosticReport, Encounter, and more
Operations: RESTful CRUD operations, search, batch/transaction bundles
Profiles: Support for national profiles (US Core, AU Base, UK Core, etc.)
Security: SMART on FHIR for authorisation, OAuth 2.0 authentication
Bulk Data: FHIR Bulk Data Access for population health exports

4. Security Certifications

Certification	Scope	Issued By	Status
ISO 27001:2022	Information Security Management System	Accredited CB	Certified
ISO 27701:2019	Privacy Information Management	Accredited CB	Certified
SOC 2 Type II	Security, Availability, Confidentiality	Independent CPA	Certified
CSA STAR Level 2	Cloud Security	Cloud Security Alliance	Certified
ISO 13485:2016	Medical Device Quality Management	Accredited CB	In Progress

5. Clinical Algorithms & Evidence

PRISM uses only peer-reviewed, clinically validated risk assessment algorithms:

Algorithm	Purpose	Validation
QRISK3	Cardiovascular disease risk	NICE recommended, validated in multiple populations
QDiabetes	Type 2 diabetes risk	Peer-reviewed, UK Biobank validated
QKidney	Chronic kidney disease risk	NICE guideline referenced
ASCVD Risk	Atherosclerotic CVD (US)	ACC/AHA guideline endorsed
CKD-EPI	Kidney function (eGFR)	KDIGO recommended

6. Audit & Accountability

6.1 Audit Trail

PRISM maintains comprehensive audit logs for compliance purposes:

All data access events with user identification
Data modifications with before/after values
Consent grants and revocations
Authentication events and failures
Administrative and configuration changes
Logs retained for minimum 7 years (configurable by jurisdiction)

6.2 Regular Audits

Annual third-party security audits
Quarterly internal compliance reviews
Continuous automated compliance monitoring
Penetration testing by certified firms

7. Data Localisation

PRISM respects data residency requirements by jurisdiction:

India: Data stored in India-based data centres (Mumbai/Hyderabad)
European Union: Data stored within EU (Frankfurt/Dublin)
Australia: Data stored in Australian data centres
United States: Data stored in US data centres

Cross-border transfers, where legally permitted, use Standard Contractual Clauses and appropriate safeguards.

8. Compliance Documentation

The following compliance documentation is available upon request:

Data Processing Agreement (DPA)
Business Associate Agreement (BAA) for US entities
Security whitepaper and architecture documentation
SOC 2 Type II report (under NDA)
Penetration test executive summary
Incident response plan overview
FHIR conformance statements

Compliance Enquiries

For compliance documentation, certifications, or regulatory questions:

Compliance Team: compliance@prismhealth.io

Data Protection Officer: dpo@prismhealth.io

Security Team: security@prismhealth.io