
Playbook · Healthcare

Clinics & hospitals

A 30-day operational playbook for clinic and hospital DPDP compliance — written for the medical superintendent's office, the privacy officer, and the EMR administrator who actually has to run this on the ground.

Why this matters: Health is the highest-sensitivity data category under DPDP. A hospital is almost always classified as a Significant Data Fiduciary under §10. Pediatric records have a 25-year retention obligation; maternal records 21 years. Insurance and TPA data-sharing without consent is a §27 breach. The penalty ceiling is ₹250 cr per incident.

What DPDP requires from a healthcare provider

  • §6 (consent) + §10 (SDF): separate, granular consent for registration, procedure, anesthesia, blood transfusion, insurance/TPA data sharing, research use.
  • §7 (legitimate uses): medical emergency exempts consent for life-saving treatment — but must be documented as such.
  • §9 + Rule 10: verifiable parental consent for paediatric records; extends through the patient turning 25.
  • §11/§12 (rights): patient (or legal guardian / next-of-kin per Indian Medical Council rules) can access, correct, or restrict their record.
  • §14 (nomination): patient nominates a person to exercise their rights in case of incapacity.
  • §16 (cross-border): if EMR is hosted outside India (some hospitals use Cerner / Epic), declare as a transfer with safeguards.
  • ABDM / ABHA: if you've integrated with the ABDM gateway, you must follow ABHA-linkage consent flows + audit.
  • Breach reporting: 6-hour CERT-In Form A, 72-hour DPB Form B. NABH adds its own incident-reporting obligation.

30-day rollout

Day 1 (~45 min)

  1. Sign up at /dpo/signup, pick "Clinic" or "Hospital". Hospital tier auto-flags SDF defaults (DPIA, automated-decision logging, periodic audit).
  2. Console pre-loads healthcare defaults: 7 policies, retention table with pediatric / maternal / general / radiology / lab tracks, 6 consent templates.
  3. Add the Medical Superintendent / clinic owner as DPO. Add EMR admin, insurance desk, biomedical engineer as users with role-scoped access.
  4. If you use ABDM, link your ABHA Health ID infrastructure now via the integration card in /dpo/integrations.

Day 2–7 (~5 hrs spread across the week)

  1. Issue the first patient-registration consent via /dpo/consent/issue using the "Patient registration" template.
  2. Bulk-import existing patient identifiers via CSV (hashed locally; raw PII never leaves the browser). Re-consent campaign for active patients.
  3. Map data flows: EMR vendor (typically a processor), pathology lab, imaging centre, insurance / TPA networks, ABDM gateway. Each is registered in /dpo/vendors.
  4. Issue procedure-consent template to a sample patient — confirm the printed receipt is legible and signed correctly.
  5. If pediatric / maternity wing exists, walk the head nurse through Rule 10 (parental consent flow + extended retention).

Day 8–30

  1. Per-procedure and per-admission consent runbook adopted in OPD, IPD, OT — every patient touchpoint generates a signed CR-* artifact.
  2. Insurance / TPA data-sharing consent issued separately for every billed insurance claim. The CR-INS-* artifact is shared with the TPA as proof of consent.
  3. Install Sentinel on EMR workstations, billing terminals, and OPD-counter PCs (Windows). Sentinel reports posture; TPMs anchor signing keys where available.
  4. Run the breach tabletop drill: "ransomware on the EMR cluster." The system generates Form A + Form B + patient notice templates simultaneously.
  5. Generate the first monthly compliance report, file with the Medical Superintendent + Privacy Committee.
  6. Take a chain snapshot at month-end via /dpo/chain — immutable evidence checkpoint for the year-end NABH audit.

The six consent templates a hospital must run

CR-HOSP-REGISTER: Patient registration

When: Once at first registration; refresh on identifier changes.

Purposes:

  • Identification (ABHA / phone / govt ID)
  • Demographics + clinical history capture
  • Sharing with treating doctors / referrals
  • Lab / imaging order routing
  • Billing
  • ABDM gateway linkage (separately enumerated)

Retention: Per medical-record retention table — see below.

CR-HOSP-PROCEDURE: Procedure / surgery / anesthesia

When: Pre-procedure for every invasive / scheduled procedure.

Purposes:

  • Specific procedure (named)
  • Anesthesia plan (if applicable)
  • Blood transfusion (if applicable)
  • Photography / video for records
  • Sharing with treating team

Retention: With the procedure record — typically 8 years for adults, 25 years for pediatric.

CR-HOSP-INSURANCE: Insurance / TPA data-sharing

When: Per claim, per insurer.

Purposes:

  • Sharing diagnosis + treatment plan with TPA / insurer
  • Sharing investigation reports
  • Sharing bills + receipts
  • Re-disclosure to reinsurer (separately enumerated)

Retention: 7 years post-discharge (IRDAI claims retention).

CR-HOSP-PEDIATRIC: Paediatric (parental + Rule 10)

When: At first paediatric registration; refresh annually until 18.

Purposes:

  • Standard registration / treatment / billing
  • Vaccination registry
  • School-form medical certificates (separately enumerated)

Retention: Until the patient turns 25 (extended pediatric retention per ICMR).

CR-HOSP-MATERNAL: Maternal / antenatal / postnatal

When: At first antenatal registration; updated postnatally.

Purposes:

  • Antenatal records
  • Genetic / TIFFA scan results (separately enumerated)
  • Postnatal mother-baby linkage
  • Birth certificate filings

Retention: 21 years (maternal record retention norm).

CR-HOSP-RESEARCH: Research / clinical study use

When: Per study, per patient — never bundled into registration consent.

Purposes:

  • Use of de-identified records for institutional study X (named)
  • Sharing samples with research-partner Y (named)
  • Use in publications (separately enumerated, with photo / video opt-in if applicable)

Retention: As specified in the IRB-approved protocol; minimum 10 years per ICMR.

Retention schedule (ICMR + NABH + IRDAI + state-specific)

Record type | Retention | Source
OPD records — adults | 3 years from last visit | State medical-records rules
IPD admission file — adults | 8 years post-discharge | MCI norm + IRDAI
Surgical records — adults | 10 years | MCI / Indian Medical Council ethics
Paediatric records | Until patient turns 25 | ICMR + Rule 10
Maternal / antenatal records | 21 years | State medical norm
Genetic / DNA test results | Lifetime + 5 years to next-of-kin | ICMR genetic-testing guidance
Radiology images + reports | 3 years (CT/MRI), 5 years (mammogram) | MCI + state norm
Pathology reports | 3 years | MCI
Blood-bank records | 5 years | Drugs & Cosmetics Act + NACO
Death records | Permanent (transferred to municipal / state archive) | Births & Deaths Act
Insurance / TPA correspondence | 7 years post-discharge | IRDAI
Consent receipts | With underlying record (longest applicable) | DPDP §6
CCTV (general areas) | 30 days unless incident | Internal — POSH + safety
CCTV (sensitive areas, OT corridor, ICU) — disabled or 7-day max | ≤7 days | MCI privacy norm

Edit at /dpo/retention. Each row is a signed RS-* artifact with the legal source recorded.

Incident scenarios — what the playbook does

Ransomware on the EMR cluster

EMR is encrypted by ransomware at 02:00. OPD/IPD operations affected. Suspected exfiltration of patient records.

  1. Within 6 hours, file CERT-In Form A in /dpo/incidents (sector: healthcare, asset class: EMR, severity: critical).
  2. Within 72 hours, file the DPDP Form B with affected categories (count of patient records, fields exposed, time-window).
  3. Issue patient notices via the breach-template — for healthcare, this is mandatory if records contained diagnosis, treatment, or financial fields.
  4. Begin technical mitigation: isolate the cluster, restore from backup, rotate all administrative + service-account credentials, audit access logs in the 90 days prior to detect lateral movement.
  5. Notify NABH (incident-reporting obligation), the State Health Department, and your insurance carrier (cyber-insurance claim).
  6. If ABDM-linked records were exposed, notify the National Health Authority via their incident channel.
  7. File a closure report with mitigation evidence, root-cause analysis, and the new control set within 30 days.

Lab tech emails patient list externally by mistake

A senior lab technician accidentally CCs an external Gmail address on a list of 50 patients with positive HIV / Hepatitis-C results.

  1. Treat as critical — sensitive health data + identifiable patients.
  2. Within 6 hours, file Form A. Within 72 hours, Form B.
  3. Personal patient notification is mandatory and time-sensitive — must include type of breach, what data, mitigation, your contact.
  4. Recall the email if the recipient is reachable and cooperative; document the recall.
  5. Process fix: enforce DLP on outgoing email for sensitive-tag data (HIV, oncology, mental-health, genetic). Add MFA on outbound mail clients. Sentinel can prove the endpoint posture going forward.
  6. Train the involved staff — record TR-* training artifact.

Insurance TPA shared patient data with re-insurer without your consent

Your hospital learns that the TPA further shared a discharge summary with a re-insurer or an external claims-investigation firm — beyond what your CR-HOSP-INSURANCE consent covered.

  1. This is a processor-side breach: the TPA is a processor, you remain the controller.
  2. Log the incident in /dpo/incidents (category: processor breach). Assign the TPA as the responsible vendor.
  3. Request the TPA's own incident report + their corrective action; document in the linked vendor record.
  4. Notify affected patients — they're owed a §11/§12 update on who has their data.
  5. Update the TPA's consent template to either include re-disclosure (separately enumerated) or update the contract to forbid it.
  6. If the TPA fails to take corrective action, escalate to IRDAI + DPB.

Father-of-minor demands access to teenager's record

A father insists he be given his 16-year-old daughter's reproductive-health visit record. The teen had requested confidentiality.

  1. DPDP §9 + Rule 10 are about consent collection; access rights for minors fall under the existing IMC ethics + state-specific rules.
  2. Default policy: parental access for medical records of minors below 18, with an exception for sensitive categories (sexual / reproductive / mental-health) — at the doctor's discretion under medical-ethics norms.
  3. Log the access request as a §11 right; mark it as 'restricted access — minor sensitive category' with the doctor's clinical reasoning attached.
  4. Issue a written response to the father referencing the medical-ethics framework. Offer mediation through the hospital ethics committee.
  5. Update the policy, train front-desk + records-room staff on the procedure.

What to show an auditor / NABH / insurance auditor / DPB

Healthcare audits are the deepest of any sector. NABH, IRDAI, MCI, the State Health Department, and the DPB all want adjacent but slightly different evidence. Sanad answers each in one click.

"Show me consent for procedure X on patient Y."

/dpo/consent — filter by patient hashed identifier + date. Click to download the signed CR-* PDF.

"Show me your retention policy for paediatric records."

/dpo/retention — paediatric row shows the 25-year horizon with the ICMR source recorded; signed RS-* artifact.

"Show me the access log for patient Z's record in the past year."

/dpo/activity with subject filter = patient Z's hash. Cross-artifact stream of every consent, view, share, correction, deletion.

"What happened with the ransomware incident in March?"

/dpo/incidents — open the IR-* artifact. Full timeline: detection → CERT-In Form A → DPB Form B → patient notice → mitigation → root-cause → closure. Each step signed.

"Have you done a DPIA for the AI-imaging diagnostic tool?"

/dpo/governance/dpia — the live DPIA register. Each entry signed DP-* with risks, mitigations, residual-risk score, sign-off.

"Are your endpoints (EMR, billing, OT, ICU) under attested posture?"

/dpo/sentinel/dashboard — live posture from Sentinel-equipped endpoints. Encryption, AV, patch, MFA, TPM-anchored signing. Each heartbeat signed.

"Show me your processor list and DPAs."

/dpo/vendors — every vendor (EMR, lab, imaging, TPA, ABDM) with signed registration + linked DPA; ready for bulk export.

"Prove these signatures are real — I'll verify offline."

Send the auditor to /verify. They paste artifact JSON, the page does Ed25519 verification in their own browser via Web Crypto. No trust in our servers required.

Ready to start?

The healthcare playbook is prebuilt into Sanad — sign up, pick "Clinic" or "Hospital", and your console arrives with templates / retention / sector dashboard ready.

Sector-specific question? Email us.