Security

Safety of your data is our top priority

- Multi-level security checks
- Multiple data backups
- Stringent data privacy policies
- 256-bit encryption
- ISO 27001 certified
- HIPAA compliant data centers
- DSCI member

Data Security

We don’t mix doctor’s software data with consumer data

The Practo platform uses physically separated infrastructure, protected by industry-grade firewalls and a stringent privacy policy, to ensure that data from Practo’s provider software is kept isolated from Practo’s consumer data.

For Consumers

- All data is private and for your eyes only

- No Practo employee can view the patient data

- We only send appointment-related messages

- We send promotional messages with an option to opt-out any time

- Data is never shared with a third party

For Healthcare providers

- We do not have access to read or view your practice data

- We never send marketing promotions to your walk-in patients

- No Practo employee can view it

- Data is never shared with a third party

- Doctor can decide the communication to be sent to their patients

- Practices cannot see each other’s data

We’re ISO 27001 certified

BSI — a global authority in information security standards — has certified that Practo ensures confidentiality, availability and integrity of its information assets.

- Secure organisational practices, ensured by people awareness and stringent access controls
- Secure processes, ensured by strong administrative controls and monitoring
- Secure systems, ensured by strong technical measures and frequent vulnerability assessments and penetration testing

Secure platform for healthcare providers

Each Practo product is designed to protect data security and privacy.

Your data has only one owner. You.

Only you have control over your data. Neither Practo employees nor any third party can access your information for any purpose except as authorised by you.

We never send promotions to your walk-ins

We never reach out to your walk-in patients or send any promotional communication to them, as per our exhaustive privacy policy. The only way for any patient to receive any promotion from us is if they visit Practo.com or download our app independently and give us permission to contact them. Practo does not have any access to your patient database stored in Ray.

Your data has multiple encrypted backups

All data is backed up and versioned multiple times at secure locations across the world. We also employ point-in-time recovery, which restores the data as it was at a specific moment in time.

We don’t sell your data

We are fully aware of the sensitivity of your healthcare information and take data privacy extremely seriously. We go to great lengths to protect it and never ever sell it to anyone.

Secure place for your health data

Keeping your data safe is at the core of every decision we make at Practo.

Your data is for your eyes only

Anything that you share on Practo is completely private. No one else can access it. We give you an unprecedented level of control, so that only you decide who sees what.

Everything is protected with 256-bit encryption

Practo uses world-class standards to shield your data from unauthorised intrusion. It is always protected with multiple layers of encryption (256-bit encryption over the network).

2-factor authentication prevents unauthorised access

Extra measures are good. Therefore, we let you enable 2-factor authentication so that your data stays secure and no one except you can access it.

Remote logout fends off suspicious logins

Whenever a new device logs into your account, Practo notifies you immediately, so that you can review the activity and log out if needed.

FAQs

What is Practo’s view on data security and privacy?

At Practo we take data security and privacy extremely seriously. It is one of the foundational pillars of our company and is implemented at the core of every product.

We believe that healthcare data is the most sensitive information about you and must receive appropriate protection. Practo collects or uses any personal or sensitive personal information belonging to you only after receiving appropriate and clear consent from you. Further, we understand that people change their minds, so no consent is permanent and our systems are built with the flexibility so that any consent given can later be revoked.

This is why all our products have features where patients and providers are in control and can decide what they want to share and what they prefer to keep private.

What data does Practo have?

At the outset, our data is stored with 256-bit encryption on HIPAA-compliant servers. Further, we are an ISO 27001:2013 certified company. This certification is one of the most recognised and stringent information security certifications, and it validates a company's efforts to protect data and all kinds of information assets.

We have two distinct data sets. The first is created when healthcare providers use our software to store information about the patients they are treating. This can include information about the patient, their diagnosis, treatment plan, clinical notes, communication and other details. All of this is stored on behalf of the provider, and Practo cannot access it. It is stored privately and securely for every provider who uses our software.

The other data set is created when patients directly visit Practo and use it to store their health history or undertake a healthcare transaction, such as booking an appointment or an online consultation. We store all of this data on behalf of the patient, and it too is stored with 256-bit encryption on HIPAA-compliant servers. Any patient who uses our service gives us permission to reach out to them from time to time with marketing and/or other communication, which they can opt out of whenever they choose.

I am a doctor using your Ray software, what kind of access do you have to my data stored in Ray?

Practo does not have access to the data stored in Ray.

If you don’t have any access to data in Ray, how can you send those appointment confirmation or feedback collection SMSes to my walk-in patients?

To be clear: we build the technology that enables YOU to send the SMSes. Therefore, while our systems send the SMS, they can only do so when the doctor explicitly allows the system to. These options can be toggled in the settings tab of your Ray software. Enabling this setting does not give Practo access to any aspect of your data beyond what is required to complete sending the SMS. It also does not give Practo permission to reach out to the patient for any other reason. In addition, all of this is done via an automated system with no human involvement or intervention possible.

For example, when you enable the setting to send an appointment confirmation SMS to your walk-in patient, the system takes that patient's phone number, locates the appointment details you have confirmed and sends that information to the patient. Beyond this, Practo does not get any right to send any other message or communication, or to reach out to the patient for any reason whatsoever. Further, you can revoke even this facility at any time by simply changing the settings inside Ray.

How do you distinguish between patients who come to me directly and patients who come to me by booking via Practo’s website or app? For both of them, what data can you access?

Millions of patients and hundreds of thousands of providers trust us with their data. We take this responsibility extremely seriously and strive to make Practo the safest place for your health data.

We have always maintained a very clear distinction between data sets that pertain to users who directly visit Practo.com (“Online Patients”) and those that visit a clinic and are walk-in patients of the doctor (“Walk-in Patients”). Separated infrastructure and firewalls on Ray prevent Practo.com from accessing data from Practo Ray.

Online Patients: These are patients who register with Practo either via Practo.com or our app and then call or book an appointment with an affiliated clinic. Each of these patients individually gives us permission to reach out to them with any communication that is relevant to providing services, as well as for offering new products or services. Practo does not have any access to a patient’s personally identifiable health information.

Walk-in Patients: Practo does not have access to information about patients who walk in to the clinic directly and whose data the doctor enters into our software, such as Ray. Entering patient data into Ray does not give Practo the right to reach out to that patient. Further, Practo also does not have access to any personally identifiable health information for these patients. We think this is really important and have therefore committed to it for every provider by writing it down in our terms of service.

I had a walk-in patient who received marketing communication from Practo. How is this possible?

There is no way your walk-in patient will receive promotional communication from Practo. The only way it is possible is if this patient, who has been a walk-in patient at your clinic, later independently visits Practo.com and signs up for an account with Practo. At that point, they give Practo permission to reach out to them with promotional material. Only once we get this permission directly from the patient, when they decide to visit our website, do we reach out to them.

Unless your walk-in patient visits Practo independently and gives us permission, they will receive no marketing communication from Practo. The only communication they will receive is what you have enabled in your settings in Ray. If you’d like to review these settings, log in to Ray and check your settings.

My patients complain of receiving marketing communication from other healthcare companies as soon as they registered at my clinic. Do you sell data?

Never. We do not sell any patient data, whether of walk-in patients or of our online patients, to any third party. We also do not allow third parties to market to any user of Practo through us. We are not responsible for any promotional communications received by patients from other vendors. We recommend that you ask the patients to immediately report such marketing campaigns to TRAI for necessary action by the regulator.

Have you ever faced a data breach?

No, we have not. We will continue to work very hard to make sure that data stored with Practo remains secure.

Is my data really safe with Practo?

Absolutely. Practo is amongst the safest places for you to store your healthcare information and that of your patients.

We have a variety of measures that protect your data, some of which are:

1. HIPAA Compliant servers: All data is stored in HIPAA compliant servers.
2. Encryption: All data is encrypted with 256-bit encryption during transit and at rest.
3. Two Factor: We have implemented 2-factor authentication to protect against foul play.
4. Access Zones: We have implemented access zones that prohibit access to information from locations not specified by the user. This ensures that even if the authentication information leaks, access can only happen from the physical locations specified by the user.
5. Role Based Profiles: A doctor/clinic owner can set up different profiles for their staff with different levels of information access. This ensures that only the doctor has access to the patient files, while staff access is restricted to clinic operations rather than patient information.
6. Data Backup: We take multiple backups of your data and keep them in geographically distributed locations to make sure you never suffer data loss. Even in the event of a natural disaster in one geography, your data remains safe and can be recovered.
7. No Virus: Since all your data is stored in the cloud, it is protected from any local virus your computer might have, so the only viruses you have to deal with are those affecting your patients :)

What specific measures do you use to ensure security of data stored with you?

We have a variety of measures that protect your data, some of which are:

1. HIPAA Compliance: All data is stored in HIPAA compliant servers, ensuring industry-standard consent architecture and privacy policies.
2. Encryption: All data is encrypted with 256-bit encryption during transit and at rest.
3. Two Factor: We have implemented 2-factor authentication to safeguard against foul play.
4. Access Zones: We have implemented access zones that prohibit access to information from locations not specified by the user. This ensures that even if the authentication information leaks, access can only happen from the physical locations specified by the user.
5. Role Based Profiles: A doctor/clinic owner can set up different profiles for their staff with different levels of information access. This ensures that only the doctor has access to the patient files, while staff access is restricted to clinic operations rather than patient information.
6. Data Backup: We take multiple backups of your data to make sure you never suffer data loss, and even in the event of a natural disaster in one geography, your data can be recovered.
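The "Two Factor", "Access Zones" and "Role Based Profiles" items above (and the identical items in the previous answer) describe three independent gates that a request must pass. The following is an added example, not Practo's code, showing how such layered authorisation is commonly evaluated: a leaked password alone is stopped by the second factor, a valid session used from an unconfigured location is stopped by the access zone, and a front-desk profile never reaches patient files regardless of where it logs in from. The role names, the resource categories and the representation of an access zone as an IP network are assumptions for illustration; the page only says "locations specified by the user" and does not state how Practo defines a zone.

```python
"""Illustrative layered-authorisation check (added example, not Practo's code).

Models three controls as one policy decision, evaluated in order:
  1. second factor verified for the session,
  2. request originates inside one of the user's configured access zones,
  3. the user's role-based profile permits the requested resource category.
Access zones are represented as IP networks, which is an assumption; the
page only says "locations specified by the user".
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, FrozenSet, List, Union

Network = Union[IPv4Network, IPv6Network]

# Resource categories each role may reach. Role and resource names are assumed.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "doctor": frozenset({"patient_record", "appointment", "billing"}),
    "front_desk": frozenset({"appointment", "billing"}),
}


@dataclass
class UserProfile:
    username: str
    role: str
    # Access zones chosen by the user; an empty list means no zone restriction.
    access_zones: List[Network] = field(default_factory=list)
    two_factor_verified: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(user: UserProfile, resource: str, source_ip: str) -> Decision:
    """Return a Decision; every layer must pass and the first failing layer wins."""
    # Layer 1: a password alone is never enough; the second factor must be done.
    if not user.two_factor_verified:
        return Decision(False, "second factor not verified")

    # Layer 2: access zone. Leaked credentials used from outside the
    # user's configured networks are refused here, before any data lookup.
    if user.access_zones:
        addr = ip_address(source_ip)
        if not any(addr in zone for zone in user.access_zones):
            return Decision(False, f"source {source_ip} outside configured access zones")

    # Layer 3: role-based profile. Unknown roles get no permissions at all.
    permitted = ROLE_PERMISSIONS.get(user.role, frozenset())
    if resource not in permitted:
        return Decision(False, f"role {user.role!r} may not access {resource!r}")

    return Decision(True, "all checks passed")


def build_sample_users() -> Dict[str, UserProfile]:
    """Constructed sample profiles for the demo (not real accounts)."""
    clinic = ip_network("203.0.113.0/24")  # TEST-NET-3 documentation range, used as the clinic's zone
    return {
        "dr_sample": UserProfile("dr_sample", "doctor", [clinic], two_factor_verified=True),
        "desk_sample": UserProfile("desk_sample", "front_desk", [clinic], two_factor_verified=True),
    }


if __name__ == "__main__":
    users = build_sample_users()
    print(authorize(users["dr_sample"], "patient_record", "203.0.113.10"))   # allowed
    print(authorize(users["dr_sample"], "patient_record", "198.51.100.7"))   # outside zone
    print(authorize(users["desk_sample"], "patient_record", "203.0.113.10")) # wrong role
    print(authorize(users["desk_sample"], "appointment", "203.0.113.10"))    # allowed
```

The ordering matters for what a log of denials reveals: because the zone check runs before the role check, a request with stolen doctor credentials from an unexpected network is recorded as a zone violation, which is the signal a clinic owner would want to review, rather than being silently served.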

My offline patients receive SMS from Practo software which mentions Practo and that leads them to your website/app. They are not your direct online patients. How can you market to them?

We have some services, such as appointment reminders or electronic record sharing, where a doctor can share records with their patients. When a doctor does that, we send a message to the patient with a link to access that record. However, if the doctor does not want such a link to be included in those SMSes, they can opt out of it.

I have been asking my patients to go to Practo and book appointment with me there. They are still my patients and not Practo’s, hence can you market to them?

Merely visiting Practo.com is not sufficient. To receive marketing messages from Practo, a patient has to visit us, register for an account and give us permission to market to them. Only if they give us their permission do we market to them.

Further, the database containing Ray data is separate from the one used for Practo.com. As per the terms of service agreed with you, Practo cannot access the data stored in the Ray database. Hence, we are unable to de-duplicate patients visiting Practo.com who may have visited you in the past and whose information may be present in the Ray database, as doing so would be a breach of privacy and of our contract with you.

When I send my patients a prescription through Practo and when they open it, does that make them Practo’s direct online patients?

No. It does not.

When I ask my walk-in patients to give me a feedback - does that make them Practo’s direct online patients?

No. It does not.

If a walk-in patient downloads the Practo app and signs up to view a prescription or other record shared by the doctor, does he/she become an Online Patient?

When you share a prescription with a patient, they do not need to download the Practo app to see it. They can simply click on the link you share and view the prescription directly. Only if a patient downloads our app and gives us permission to reach out to them directly can we do so.

What if I find a security vulnerability in any of your applications?

In the unlikely event that you discover a vulnerability, we have a responsible security disclosure program that prescribes the next course of action, and we would love to hear from you and fix it at the earliest. Please check our Responsible Disclosure Policy and report it to us at secure@practo.com.

Is Practo compliant with the data security and privacy laws in India?

Of course. Practo complies with all applicable laws in every country it operates in.