Compliance & Standards

MediPact is designed to comply with international healthcare data protection regulations and standards, ensuring patient privacy and data security at every level.

Regulatory Compliance

GDPR Compliance

Full compliance with the General Data Protection Regulation (GDPR) through data minimization, purpose limitation, and patient rights enforcement.

  • Right to access
  • Right to erasure
  • Data portability
  • Consent management

HIPAA Alignment

Designed with HIPAA principles in mind, including administrative, physical, and technical safeguards for protected health information (PHI).

  • Access controls
  • Audit trails
  • Encryption at rest and in transit
  • Business associate agreements

Regional Standards

Adaptable to regional data protection laws including Uganda's Data Protection and Privacy Act, Kenya's Data Protection Act, and other African Union frameworks.

  • Local data sovereignty
  • Cross-border data transfer controls
  • National ID protection

Technical Standards

FHIR Compliance

MediPact uses the Fast Healthcare Interoperability Resources (FHIR) standard for data representation, ensuring compatibility with existing healthcare systems and enabling seamless data exchange.

FHIR Resources

  • Patient
  • Observation
  • Condition
  • Medication
  • Procedure

Benefits

  • Interoperability
  • Standardized data format
  • Industry-wide adoption
  • Future-proof architecture

Cryptographic Standards

Encryption

AES-256-GCM: Industry-standard symmetric encryption for data at rest and in transit

Hashing

SHA-256: Secure hashing algorithm for data integrity verification and blockchain proofs

Key Derivation

PBKDF2: Password-based key derivation for secure key generation from user credentials

Blockchain Standards

Built on Hedera Hashgraph, which provides enterprise-grade security and compliance features:

  • Hedera Consensus Service (HCS): Immutable message logging for consent and data provenance
  • Hashgraph Algorithm: Asynchronous Byzantine Fault Tolerance (aBFT) for consensus
  • Public Auditability: All transactions verifiable on HashScan explorer
  • Regulatory Compliance: Hedera's governance model ensures regulatory alignment

Privacy Standards

K-Anonymity (K=5)

Each record in a released dataset shares its quasi-identifiers (the generalized demographic fields) with at least 4 other records, so no individual can be singled out by those fields, preventing re-identification attacks. This is a proven privacy model used in healthcare research.

Differential Privacy

Through K-anonymity and demographic grouping, MediPact provides strong privacy guarantees that protect against statistical inference attacks.

Data Protection Measures

Data Minimization

Only the minimum necessary data is collected and processed. All PII is removed before storage, and demographic data is generalized to prevent re-identification.
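
The generalization described above and the k=5 check described under Privacy Standards, as an added example in Node.js (not MediPact's code). It takes FHIR Patient resources, emits only a whitelist of generalized fields so that name, identifier, telecom and address never reach storage, groups the result by quasi-identifier tuple, and reports any equivalence class smaller than k before suppressing it. The choice of quasi-identifier columns, the 10-year age bands, the two-digit district prefix and the sample patients are assumptions; the check verifies k-anonymity on the released fields only and says nothing by itself about what a class reveals through its clinical values.

```javascript
// Added example (not MediPact's code): de-identify FHIR Patient resources and
// verify k-anonymity (k = 5) before release.
const K = 5;
const QUASI_IDENTIFIERS = ['ageBand', 'gender', 'district'];  // assumed column choice

// Generalize a birth date to a 10-year band. The reference year is fixed so the
// example is deterministic; a release pipeline would use the release date.
function ageBand(birthDate, referenceYear = 2024) {
  const age = referenceYear - Number(birthDate.slice(0, 4));
  const lo = Math.floor(age / 10) * 10;
  return `${lo}-${lo + 9}`;
}

// Reduce a postal code to a district prefix (assumed: first two digits).
function district(postalCode) {
  return postalCode.slice(0, 2) + '***';
}

// Build the de-identified record by whitelisting: nothing from the Patient's
// identifier, name, telecom or address elements is copied except the
// generalized district, so direct identifiers cannot leak by omission.
function deidentify(patient) {
  const postal = (patient.address && patient.address[0] && patient.address[0].postalCode) || '';
  return {
    resourceType: 'Patient',
    ageBand: ageBand(patient.birthDate),
    gender: patient.gender,
    district: district(postal),
  };
}

function classKey(record) {
  return QUASI_IDENTIFIERS.map((q) => record[q]).join('|');
}

// Group records by quasi-identifier tuple and list the classes smaller than k.
function kAnonymityReport(records, k = K) {
  const classes = new Map();
  for (const r of records) {
    const key = classKey(r);
    classes.set(key, (classes.get(key) || 0) + 1);
  }
  const violations = [...classes]
    .filter(([, n]) => n < k)
    .map(([key, n]) => ({ key, size: n }));
  return { satisfied: violations.length === 0, classes: classes.size, violations };
}

// Simplest remedy: drop every record that sits in a class smaller than k.
// Coarser generalization (wider age bands, shorter prefix) is the alternative.
function suppressSmallClasses(records, k = K) {
  const bad = new Set(kAnonymityReport(records, k).violations.map((v) => v.key));
  return records.filter((r) => !bad.has(classKey(r)));
}

// Constructed sample: six patients that generalize to one class, plus one
// patient whose tuple is unique and would therefore be re-identifiable.
function samplePatients() {
  const mk = (i, birthDate, gender, postalCode) => ({
    resourceType: 'Patient',
    identifier: [{ value: `MRN-${i}` }],   // constructed direct identifier
    name: [{ family: `Family${i}` }],
    birthDate,
    gender,
    address: [{ postalCode }],
  });
  return [
    mk(1, '1985-02-01', 'female', '10001'),
    mk(2, '1988-07-14', 'female', '10042'),
    mk(3, '1986-11-30', 'female', '10099'),
    mk(4, '1987-05-05', 'female', '10010'),
    mk(5, '1989-09-09', 'female', '10077'),
    mk(6, '1985-01-19', 'female', '10033'),
    mk(7, '1950-03-03', 'male', '20001'),
  ];
}

// Full pipeline: de-identify, check, suppress, re-check.
function releaseDataset(patients, k = K) {
  const deidentified = patients.map(deidentify);
  const before = kAnonymityReport(deidentified, k);
  const released = suppressSmallClasses(deidentified, k);
  return { before, released, after: kAnonymityReport(released, k) };
}
```

Run on the sample, the first report has two classes and one violation of size 1 (the 70-79/male/20*** tuple); after suppression six records remain and the check passes. Whether a record is dropped or further generalized is a policy choice, but releasing it as-is would defeat the k=5 guarantee for exactly that individual.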

Purpose Limitation

Data is collected for specific, explicit purposes (medical research) and is not used for any other purposes without explicit patient consent.

Storage Limitation

Data is retained only for as long as necessary for the stated purpose. Patients can request data deletion at any time, and their requests are processed promptly.

Integrity & Confidentiality

All data is encrypted using AES-256-GCM, and access is controlled through API keys and role-based permissions. Blockchain hashes provide immutable integrity verification.

Patient Rights

Right to Access

Patients can view all their data, consent records, and data access history through the patient portal.

Right to Rectification

Patients can request corrections to their data, which are processed through the hospital that collected the data.

Right to Erasure

Patients can request deletion of their data. While blockchain records are immutable, all database records are deleted and all future access is revoked.

Right to Data Portability

Patients can export their data in standard formats (FHIR JSON) for transfer to other systems.

Right to Object

Patients can opt out of data sharing at any time, which immediately prevents new researcher access to their data.

Consent Withdrawal

Patients can withdraw consent at any time. While past blockchain records remain (for audit), all future access is blocked.

Audit & Accountability

Comprehensive Audit Trail

MediPact maintains detailed audit logs for all data access and modifications:

  • Blockchain Records: All consent decisions and data proofs are immutably recorded on Hedera HCS
  • Access Logs: Every researcher query and data purchase is logged with timestamp, researcher ID, and data accessed
  • Consent History: Complete history of patient consent decisions, including opt-in, opt-out, and researcher approvals
  • Data Provenance: Full chain of custody from hospital upload to researcher access, verifiable on blockchain
  • Revenue Transactions: All revenue distribution transactions are publicly auditable on HashScan

Security Certifications & Best Practices

Security Best Practices

Infrastructure

  • HTTPS/TLS encryption for all communications
  • Secure database connections
  • Environment variable protection
  • Regular security updates

Application

  • Bcrypt password hashing (12 rounds)
  • API key authentication
  • Rate limiting and DDoS protection
  • Input validation and sanitization

Compliance Roadmap

MediPact is continuously working towards additional certifications and compliance standards:

  • ISO 27001 (Information Security Management)
  • ISO 27701 (Privacy Information Management)
  • SOC 2 Type II (Security, Availability, Processing Integrity)
  • HITRUST CSF (Healthcare Information Trust Alliance)

Contact & Reporting

For compliance inquiries, data protection requests, or security concerns, please contact our team through the contact page.

For detailed privacy information, please see our Privacy & Security documentation.