At Practo we take data security and privacy extremely seriously. It is one of the foundational pillars of our company and is implemented at the core of every product.

We believe that healthcare data is the most sensitive information about you and must receive appropriate protection. Practo collects or uses any personal or sensitive personal information belonging to you only after receiving appropriate and clear consent from you. Further, we understand that people change their minds, so no consent is permanent and our systems are built with the flexibility so that any consent given can later be revoked.

This is why all our products have features where patients and providers are in control and can decide what they want to share and what they prefer to keep private.

At the outset, our data is stored with 256 bit encryption on HIPAA compliant servers. Further, we are an ISO27001:2013 certified company. This certification is one of the most recognized and stringent information security certification that validates a company's efforts on protecting data and all kinds of information assets.

We have two distinct data sets. First is when health care providers use our software to store information regarding the patients they are treating. This can include information about the patient, their diagnosis, treatment plan, any clinical notes, communication and other details. All of this is stored on behalf of the provider. and Practo cannot access this. It is stored privately and securely for every provider who uses our software.

The other data set is when patients directly visit Practo and use Practo to store their health history or undertake a healthcare transaction, such as booking an appointment, online consultation and more. We store all this data on behalf of the patient and this too is stored with 256 bit encryption and HIPAA compliant servers. Any patient who uses our service, gives us permission to reach out to them from time to time with marketing and/or other communication which he/she can opt out of when he/she chooses so.

Practo does not have access to the data stored in Ray.

To be clear - we build the technology that enables YOU to send the SMSes. Therefore, while our systems send the SMS, they can only be sent by the doctor explicitly allowing the system to do so. These can be toggled in the settings tab in your Ray software. Enabling this setting and/or does not give Practo access to any other aspect of your data other than what is required to complete sending of the SMS. It also does not give Practo permission for Practo to reach out to the patient for any other reason. In addition, all of this is done via an automated system with no human involvement or intervention possible.

For example, when you enable the settings to send an appointment confirmation SMS to your walk-in patient, the system will take phone number of that patient, locate the appointment detail that you have confirmed and send that information to that patient. Beyond this, Practo does not get any rights to send any other message or communication or to reach out to the patient for any reason whatsoever. Further, you can, at any time, revoke even this facility by simply changing the settings inside Ray.

Millions of patients and hundreds of thousands of providers trust us with their data. We take this responsibility extremely seriously and strive to make Practo the safest place for your health data.

We have always maintained a very clear distinction between data sets that pertain to users who directly visit Practo.com (“Online Patients”) and those that visit a clinic and are walk-in patients of the doctor (“Walk-in Patients”). Separated infrastructure and firewalls on Ray prevent Practo.com from accessing data from Practo Ray.

Online Patients:These are patients who register with Practo either via Practo.com or our app and then call or book an appointment with an affiliated clinic. Each of these patients, individually, give us permission to reach out to them with any communication that is relevant to provide services as well as for offering new products or services. Practo does not have any access to patient’s personally identifiable health information.

Walk-In Patients:Practo does not have access to information about patients that directly walk-in to the clinic and the doctor inputs their data into our software such as Ray. Inputting patient data into Ray does not give Practo rights to reach out to that patient. Further, Practo also does not have access to any personally identifiable health information for these patients either. We think this is really important and have therefore committed to every provider by writing this down in our terms of service.

There is no way your walk-in patient will receive promotional communication from Practo. The only way it is possible is if this patient who has been a walk-in patient at your clinic, later independently visits Practo.com and signs up for an account with Practo. At this point, he gives us his/her permission that Practo can reach out to him with promotional material. Only once we get this permission directly from the patient when he decided to visit our website do we reach out to him/her.

Unless your walk-in patient visits Practo independently and gives us permission, no marketing communication is received by him from Practo. The only communication they will receive will be what you have enabled in your settings in Ray. If you’d like to review these settings you can click here to log in to Ray and review your settings.

Never. We do not sell any patient data – whether it is for walk-in patients or for our online patients with any third party. We also do not allow third parties to market to any user of Practo through us. We are not responsible for any promotional communications received by patients from other vendors. We recommend that you should ask the patients to immediately report such marketing campaigns to TRAI for necessary action by the regulator.

No we have not. We will continue to work very hard to make sure that data stored with Practo remains secure.

Absolutely. Practo is amongst the safest places for you to store your healthcare information and that of your patients.

We have a variety of measures that protect your data, some of which are:

1. HIPAA Compliant servers: All data is stored in HIPAA compliant servers
2. Encryption: All data is encrypted with 256 bit encryption during transit and at rest.
3. Two Factor: We have implemented Two-factor authentication to protect against foul-play.
4. Access Zones: We have implemented access zones that prohibit access to information from locations not specified by the user. This ensures that even if the authentication information leaks, access can only happen from the physical locations specified by the user.
5. Role Based Profiles: A doctor/clinic owner can set up different profiles for their staff with different levels of information access. This ensures that only the doctor has access to the patient files while the staff access is restricted to the clinic operations rather than the patient information.
6. Data Backup: We take multiple backups of your data and it is kept in geographically distributed locations to make sure you never have any data loss. Even in the event of a natural disaster in one geography, your data remains safe and can be recovered.
7. No Virus: Since all your data is stored in cloud, it protects you from any local virus that your computer might have, so the only virus you have to deal with is those affecting your patients :)

We have a variety of measures that protect your data, some of which are:
1. HIPAA Compliance: All data is stored in HIPAA compliant servers ensuring industry standard consent architecture and privacy policies.
2. Encryption: All data is encrypted with 256 bit encryption during transit and at rest.
3. Two Factor: We have implemented Two-factor authentication to safeguard against foul play.
4. Access Zones: We have implemented access zones that prohibit access to information from locations not specified by the user. This ensures that even if the authentication information leaks, access can only happen from the physical locations specified by the user.
5. Role Based Profiles: A doctor/clinic owner can set up different profiles for their staff with different levels of information access. This ensures that only the doctor has access to the patient files while the staff access is restricted to the clinic operations rather than the patient information.
6. Data Backup: We take multiple backups of your data to make sure you never have any data loss and even in terms of a natural disaster in one geography, your data can be recovered

We have some services - such as appointment reminders or electronic record sharing where a doctor can share records with their patients. When a doctor does that, we send a message to the patient with a link to access that record. However, if the doctor does not want such a link to be included in those SMS, he/she can opt out of it.

Merely visiting Practo.com is not sufficient. To receive marketing messages from Practo, a patient has to visit us, register for an account and give us permission to market them. Only if they give us their permission do we market to them.

Further, the database containing Ray data is separate from that used for Practo.com. As per our terms of service agreed with you, Practo cannot access the data stored in the Ray database. Hence, we are are unable to de-duplicate any patients visiting Practo.com who may have, in the past, visited you and whose information may be available in Ray database as that would be breach of privacy and of our contract with you.

No. It does not.

No. It does not.

When you share a prescription with a patient, he does not need to download the practo app to see it. He can simply click on the link you share with him and view the prescription directly. If a patient downloads our app, and gives us permission to reach out to directly, only then can we do so.

In the unlikely event that you discover a vulnerability, we do have a responsible security disclosure program that prescribes next course of action and we would love to hear from you and fix it at the earliest. Please check our Responsible Disclosure Policy and report them to us on secure@practo.com.

Of Course, Practo complies with all applicable laws in every country it operates in.