Patient Data Security in Clinic EMRs: What HIPAA, GDPR, and Egyptian Law Require

Clinics that digitise patient records take on legal and ethical obligations for data security. Here's what the standards require and how Clinit implements them.

Why Data Security Matters More as You Go Digital

A paper chart can be lost, damaged, or accessed by an unauthorised person walking past a filing cabinet. These are real risks — but they are bounded. A poorly secured digital record can be breached remotely, copied in seconds, and sold.

Relevant Frameworks for Egyptian Clinics

  • HIPAA (US): Not directly applicable to Egyptian clinics, but internationally regarded as the baseline standard for healthcare data protection. Clinit is HIPAA-aligned in its technical controls.
  • GDPR (EU): Applies to any clinic treating EU nationals, or using EU-based processors. Clinit is GDPR-aligned.
  • Egyptian Personal Data Protection Law (Law No. 151 of 2020): Requires data controller registration, patient consent for data collection, breach notification, and the right of patients to access and delete their data.

What Clinit Implements

Encryption:
  • All patient data encrypted at rest (AES-256) on Supabase/PostgreSQL
  • All data in transit over TLS 1.3
  • Prescription and session data additionally encrypted at the application layer
Access Control:
  • Role-based access: Clinic Owner, Doctor, Nurse, Receptionist — each role sees only what it needs
  • Two-factor authentication (TOTP) for all admin accounts
  • Remembered devices (30 days), with the remember-me tokens managed server-side
Audit Logging:
  • Every record access, edit, and delete is logged with user ID, timestamp, and IP address
  • Logs are immutable (append-only) and retained for 2 years
Patient Rights:
  • Full data export available on request (JSON format)
  • Account deletion removes all PII; session data is anonymised, not deleted
Certifications: Clinit holds a SOC 2 Type II readiness assessment. HIPAA and GDPR audit reports are available under NDA for enterprise customers.
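The access-control and audit-logging bullets above describe two controls that reinforce each other: a role check on every record operation, and a log of every attempt (allowed or denied) that nobody can quietly rewrite. The following is an added example, not Clinit's code, showing one way to model both in memory. The role names come from the page; the permission matrix, the hash chaining that makes the append-only log tamper-evident, and the user IDs, record ID and IP addresses are constructed for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed role -> action matrix; the page only states that each role
# "sees only what it needs", so the exact split is illustrative.
PERMISSIONS = {
    "clinic_owner": {"read", "edit", "delete"},
    "doctor": {"read", "edit"},
    "nurse": {"read"},
    "receptionist": set(),  # no clinical-record access in this model
}

GENESIS = "0" * 64  # previous-hash value for the first log entry


class AccessDenied(PermissionError):
    """Raised when a role attempts an action it is not permitted."""


@dataclass
class AuditLog:
    """Append-only log. Each entry stores the hash of its predecessor, so
    altering or removing any earlier entry breaks the chain on verify()."""
    _entries: list = field(default_factory=list)

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user_id, role, action, record_id, ip, allowed, when=None):
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self._entries),
            "ts": when.isoformat(),
            "user_id": user_id,
            "role": role,
            "action": action,
            "record_id": record_id,
            "ip": ip,
            "allowed": allowed,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry

    def entries(self):
        # Return copies so callers cannot edit the log through the returned list.
        return [dict(e) for e in self._entries]

    def verify(self):
        """True if every entry still hashes correctly and links to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class PatientRecords:
    """Minimal record store: every access is authorised by role and logged,
    including denied attempts, before any data is touched."""

    def __init__(self, audit):
        self.audit = audit
        self._records = {}

    def _authorise(self, user_id, role, action, record_id, ip):
        allowed = action in PERMISSIONS.get(role, set())
        self.audit.append(user_id, role, action, record_id, ip, allowed)
        if not allowed:
            raise AccessDenied(f"{role} may not {action} {record_id}")

    def read(self, user_id, role, record_id, ip):
        self._authorise(user_id, role, "read", record_id, ip)
        return dict(self._records[record_id])

    def edit(self, user_id, role, record_id, ip, **fields):
        self._authorise(user_id, role, "edit", record_id, ip)
        self._records.setdefault(record_id, {}).update(fields)

    def delete(self, user_id, role, record_id, ip):
        self._authorise(user_id, role, "delete", record_id, ip)
        self._records.pop(record_id, None)


def run_demo():
    """Constructed scenario: a doctor writes a note, a nurse reads it, a
    receptionist is refused, then a rewritten log entry is detected."""
    audit = AuditLog()
    store = PatientRecords(audit)
    store.edit("u-doc-1", "doctor", "PT-1001", "10.0.0.5", note="follow-up in 2 weeks")
    note = store.read("u-nurse-1", "nurse", "PT-1001", "10.0.0.9")["note"]
    denied = False
    try:
        store.read("u-recep-1", "receptionist", "PT-1001", "10.0.0.12")
    except AccessDenied:
        denied = True
    intact = audit.verify()
    # Simulate someone editing the stored log to make the refusal look allowed.
    audit._entries[2]["allowed"] = True
    return {"note": note, "denied": denied, "entries": len(audit.entries()),
            "intact_before": intact, "intact_after": audit.verify()}
```

In a real deployment the log would live in a database the application can only insert into (for example a PostgreSQL table whose role grants INSERT but not UPDATE or DELETE), and the chain head would be copied periodically to separate storage so that a verifier can detect truncation as well as edits.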
