Who is Neuralbits?

Neuralbits Technologies is the author and publisher of the software Presco Paperless IPD, and all variants, editions, add-ons, and ancillary products, services and analytics (including all files and images contained in or generated by the software, and accompanying data, together the “Software”). Neuralbits also operates the internet resource www.Neuralbits.com/www.prescoipd.com/www.prescoipd.com (“Website”) on the World Wide Web, which is used to access the Software. Presco Software is used at healthcare practices (“Practices”) by healthcare providers (“Practitioners”, which term shall also include designated associates of the healthcare providers who work in the same Practice), and clients of the healthcare providers (“Patients”, which term shall also include members of the public who search for doctors on the Website) to find, manage and organise information including but not limited to personal or non-personal information, practice information, appointments, prescriptions, medical records, billing, inventory and accounting details. All users of the Presco Software (the Practitioners, the Patients, and the visitors of the Website) are together termed “Users”.

How does Neuralbits protect Customer Data?

Neuralbits provides its services in a SaaS (Software as a Service) model, and will host data and information in a secured cloud. Neuralbits will not reference any such User identifiable information except as provided in the terms of use, or as may be required by law. Individual records of User data may be viewed or accessed only for the purpose of resolving a problem, support issues, or suspected violation of the terms of use, or as may be required by law. Analysis of the medical record will be generated using advanced machine learning algorithms without any reference to user identifiable information. We would take all reasonable precautions for maintaining confidentiality of data.

Other Features:
  • Unlimited space: Subscribers can enjoy the freedom of limitless storage space, ensuring their data can expand without constraints.
  • Database and data access: Seamless database and data access guarantee quick retrieval and efficient management of your valuable information.
  • Extended support for enhancement for centralized billing: Subscribers can avail of extended support for enhancements such as centralized billing.

Why this privacy policy?

This privacy policy is published in compliance with:

  • Section 43A of the Information Technology Act, 2000;
  • Regulation 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 (the “SPI Rules”); and
  • Regulation 3(1) of the Information Technology (Intermediaries Guidelines) Rules, 2011.

What are Technical Standards?

Access control: The system assigns a unique number for identifying and tracking user identity and establishes controls that permit only authorized users to access electronic health information. In cases of emergency where access controls need to be suspended in order to save a life, authorized users (who are authorized for emergency situations) will be permitted to have unfettered access to electronic health information for the duration of the emergency with the access remaining in force during the validity of the emergency situation.

Access Privileges: Only clinical care providers will have access rights to a person’s clinical records. However, different institutional care providers will have widely varying access privileges specified that are institution-specific. No country-wide standards can be specified for this at least at this point in time.

Automatic log-off: An electronic session is forcibly terminated after a predetermined time of inactivity. To log back in, the user will have to initiate a new login session.

Audit log:

All actions related to electronic health information, including viewing, are recorded in accordance with the standard specified in this document.

Based on user-defined events is provided.

Integrity:

During data transit: it is verifiable, in accordance with the standard specified in this document, that the electronic health information has not been altered in transit.

Detection of events: all alterations and deletions of electronic health information and audit logs are detected, in accordance with the standard specified in this document.

Authentication:

Locally within the system: it will be verified that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information.

Across the network, however extensive it might be: it will be verified, in accordance with the standard specified in this document, that a person or entity seeking access to electronic health information across a network is the one claimed and is authorized to access such information.

Encryption:

Electronic health information is encrypted and decrypted, according to user defined preferences in accordance with the best available encryption key strength.

During data exchange all electronic health information is suitably encrypted and decrypted when exchanged in accordance with an encrypted and integrity protected link.

All actions related to electronic health information are recorded with the date, time, patient identification, and user identification whenever any electronic health information is created, modified, deleted, or printed; and an indication of which action(s) took place is also recorded.

Appropriate verification that electronic health information has not been altered in transit is possible at any point in time. A secure hashing algorithm is used to verify that electronic health information has not been altered in transit and secure hash algorithm (SHA) is implemented.
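An added illustration, not Neuralbits' code: one way to make the audit record described above (date and time, patient identification, user identification, action) tamper-evident with SHA-256, so that alterations and deletions of audit entries are detected. The hash chaining, the field names and the sample events are assumptions made for this example; the policy does not describe how the Software implements these controls.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record (assumed convention)
ACTIONS = {"create", "modify", "delete", "print", "view"}
FIELDS = ("timestamp", "patient_id", "user_id", "action")  # hypothetical names

def _digest(prev_hash, body):
    # Canonical JSON so the same record always hashes to the same value.
    data = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + data).encode("utf-8")).hexdigest()

def append_event(log, timestamp, patient_id, user_id, action):
    """Append one audit record linked to the hash of the previous record."""
    if action not in ACTIONS:
        raise ValueError("unknown action: " + action)
    body = {"timestamp": timestamp, "patient_id": patient_id,
            "user_id": user_id, "action": action}
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append(dict(body, prev=prev_hash, hash=_digest(prev_hash, body)))
    return log[-1]["hash"]  # head hash; keep a copy outside the log store

def verify(log, expected_head=None):
    """Return None if intact, else the index of the first bad record.

    len(log) is returned when the chain is consistent but its last hash
    differs from expected_head, i.e. records were removed from the end.
    """
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        body = {k: rec[k] for k in FIELDS}
        if rec["prev"] != prev_hash or rec["hash"] != _digest(prev_hash, body):
            return i
        prev_hash = rec["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return None

def demo():
    log, head = [], GENESIS  # constructed sample events, not real data
    for ts, pid, uid, act in [
        ("2024-01-05T09:00:00Z", "P-1001", "dr.rao", "create"),
        ("2024-01-05T09:12:00Z", "P-1001", "dr.rao", "modify"),
        ("2024-01-05T10:30:00Z", "P-1001", "nurse.k", "view"),
        ("2024-01-05T11:00:00Z", "P-1001", "dr.rao", "print"),
    ]:
        head = append_event(log, ts, pid, uid, act)
    return log, head
```

An unkeyed hash chain only detects changes if the head hash is kept where the log writer cannot overwrite it; anyone able to rewrite the whole log and the stored head could recompute every hash.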

A cross-enterprise secure transaction that contains sufficient identity information such that the receiver can make access control decisions and produce detailed and accurate security audit trails is used within the system.

What are Data Ownership policies? (in accordance with Govt of India Regulations)

The physical or electronic records are owned by the healthcare provider. These are held in trust on behalf of the patient, and the contained data, which is the sensitive personal data of the patient, is owned by the patient himself/herself.

  • The medium of storage or transmission of such electronic health record will be owned by the healthcare provider.
  • The “sensitive personal information (SPI) and personal information (PI)” of the patient is owned by the patient themselves. Refer to IT Act 2000 for the definition of SPI and PI.
  • Sensitive Data: As per the Information Technology Act 2000, the Data Privacy Rules refer to “sensitive personal data or information” (Sensitive Data) as the subject of protection, but also refer, with respect to certain obligations, to “personal information”. Sensitive Data is defined as a subset of “personal information”. Sensitive Data is defined as personal information that relates to:
    1. Passwords;
    2. Financial information such as bank account or credit card or debit card or other payment instrument details;
    3. Physical, psychological and mental health condition;
    4. Sexual orientation;
    5. Medical/clinical records and history;
    6. Biometric information;
    7. Any detail relating to (1) – (6) above received by the body corporate for provision of services; or
    8. Any information relating to (1) – (7) that is received, stored or processed by the body corporate under a lawful contract or otherwise.

Disclosures can be performed without individual authorization in the following situations.

With Identifiers, on production of court order

However, as far as possible, and where appropriate, the data so provided will be anonymised to remove information that will allow identification of the patient. (Removing identifiers as indicated in the Patient Identifying Information Table below)

Patient Identifying Information

Data are “individually identifiable” if they include any of the under mentioned identifiers for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual. These identifiers are as follows:

  • Name
  • Address (all geographic subdivisions smaller than street address, and PIN code)
  • All elements (except years) of dates related to an individual (including birth date, date of death,
  • Telephone and/or Fax numbers
  • Email address
  • Medical record number
  • Health plan beneficiary number
  • Bank Account and/or Credit Card Number
  • Certificate/license number
  • Any vehicle or any other device identifier or serial numbers
  • PAN number
  • Passport number
  • Aadhaar number
  • Voter ID card
  • Fingerprints/Biometrics
  • Voice recordings that are non-clinical in nature
  • Photographic images that can possibly individually identify the person
  • Any other unique identifying number, characteristic, or code