
Compliance

Built around the regulations that govern your practice, wherever you operate.

Healthcare web infrastructure must meet strict regulatory standards across every jurisdiction. Here's exactly how Seculogica.health aligns with PHIPA/PIPEDA, HIPAA/HITECH, GDPR, and the Australian Privacy Act, with full transparency into our controls.


International Compliance Matrix

Each jurisdiction below sets out exactly how we handle consent, encryption, audit trails, and data sovereignty requirements.

PHIPA / PIPEDA Canada

Personal Health Information Protection Act & Personal Information Protection and Electronic Documents Act

Ontario's PHIPA governs the collection, use, and disclosure of personal health information by health custodians. Canada's federal PIPEDA applies to private-sector organizations across all provinces, covering accountability, consent, and data minimization.

Consent

Explicit consent mechanisms built into every patient-facing form. Consent logs maintained and accessible for audit under both PHIPA and PIPEDA.

Encryption

AES-256 encryption at rest, TLS 1.3 in transit. No personal health information is ever stored in plaintext.

Audit Trails

Complete logging of every access, modification, and disclosure event with timestamps and user identity.

Access Controls

Role-based access with multi-factor authentication. Principle of least privilege enforced across all systems.

Breach Notification

72-hour notification protocol to the Information and Privacy Commissioner and affected individuals. Data stored in Canadian data centres.

Quebec Law 25

Additional controls for Quebec-based clients including mandatory privacy impact assessments and enhanced individual rights.

HIPAA / HITECH United States

Health Insurance Portability and Accountability Act & Health Information Technology for Economic and Clinical Health Act

For US-based clients, we implement full HIPAA/HITECH controls covering the Privacy Rule, Security Rule, and Breach Notification Rule, hosted in US-based infrastructure with BAAs executed with all subprocessors.

Privacy Rule

Controls on use and disclosure of PHI. Minimum necessary standard applied to all access requests.

Security Rule

Administrative, physical, and technical safeguards for ePHI. Risk assessments conducted annually.

Breach Notification

60-day notification to HHS and affected individuals. Data hosted on US-based, HIPAA-eligible infrastructure.

BAA Compliance

Business Associate Agreements executed with all subprocessors and cloud service providers handling PHI.

Access Management

Unique user identification, emergency access procedures, automatic logoff, and encrypted transmission.

HITECH Extensions

Expanded breach notification scope, stronger penalty enforcement, and enhanced patient rights to electronic access to their records.

GDPR European Union & United Kingdom

General Data Protection Regulation

For clients operating in EU member states or the UK, we build under GDPR principles with special category health data protections applied. UK operations follow UK GDPR post-Brexit. We also address country-specific extensions such as Germany's KHZG and France's HDS certification requirements.

Lawful Basis

Health data is processed under Article 9 on the basis of explicit consent, or under Article 9(2)(h) for medical purposes, with the lawful basis documented per individual.

Data Subject Rights

Automated workflows for access, rectification, erasure, portability, and restriction requests within 30-day statutory timelines.

Data Minimization

Only data strictly necessary for the stated clinical or operational purpose is collected, retained, and processed.

Privacy by Design

Privacy-first architecture embedded at the design stage, not retrofitted. DPIAs conducted for high-risk processing activities.

Cross-Border Transfers

No personal data transferred outside EEA/UK without Standard Contractual Clauses or adequacy decisions in place.

DPO & Records

Data Protection Officer engagement supported where mandated. Full Article 30 Records of Processing Activities maintained.

Privacy Act / My Health Records Australia

Privacy Act 1988 · Australian Privacy Principles · My Health Records Act 2012

For Australian healthcare providers, we align with the 13 Australian Privacy Principles under the Privacy Act 1988 and the strict obligations under the My Health Records Act 2012, including mandatory breach notification under the Notifiable Data Breaches scheme.

APPs Compliance

All 13 Australian Privacy Principles applied: open and transparent management, anonymity options, collection limitation, and use/disclosure controls.

My Health Records

Strict access and disclosure controls aligned with the MHR Act. No unauthorised secondary use of health records data.

NDB Scheme

Mandatory notification to the OAIC and affected individuals within 30 days of an eligible data breach.

Data Sovereignty

Patient data hosted in Australian data centres. Cross-border disclosure assessed against APP 8 requirements.

Sensitive Information

Health information treated as sensitive information per the Act, with enhanced collection and handling requirements.

Privacy Impact Assessments

PIAs conducted for new systems and significant changes involving personal health information.

Additional compliance commitments

Consent Management

Granular consent tracking with opt-in and opt-out mechanisms, auditable under each applicable regulation.

Data Subject Rights

Built-in workflows for access requests, correction requests, and data deletion.

Incident Response

Documented, tested incident response plan with clear escalation and notification paths.

Documentation

Complete compliance documentation available upon request, including PIAs and TRAs.

Need a compliance review of your current website?

We'll identify compliance gaps and provide a clear remediation roadmap, free of charge.
