Protection of personal data/protected health information (PHI)/personally identifiable information (PII) is important to Indegene and its clients.

Indegene has established this Data Privacy Policy to protect and control collection, processing, storage, and/or transmission of such data.

This policy is intended to be shared with our clients, vendors, business associates and employees so that they are aware of the policies and practices with respect to personal data/PHI/PII managed by Indegene as part of any services delivered.



Indegene is committed to protecting personal information in accordance with its responsibilities under various regulatory frameworks and individual rights. As a healthcare solutions company, Indegene's leadership, management, employees and its business associates shall strive to protect personal information by:

  • Identifying internal and external interested parties and the extent to which they are involved in the governance of the organization's personal information management system

  • Providing best-in-class resources and methods to process personal information lawfully, fairly and in a transparent manner in relation to the rights of data principals or data subjects

  • Safeguarding the personal information by collecting, processing, storing and transmitting in forms that permit identification of individuals for nothing other than explicit, specified purposes

  • Providing clear information to natural persons (including special safeguards while collecting information from children) about how their personal information can be used and by whom; and by respecting individuals' rights in relation to their personal information

  • Assuring that further processing or archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes

  • Processing in a secure manner that ensures protection against unauthorized or unlawful processing and against accidental loss, destruction or damage

  • Taking adequate steps to establish that the personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

  • Taking reasonable steps to ensure accuracy of the personal information

  • Following best practices for safe data storage, transmission and destruction

  • Implementing appropriate backup and disaster recovery systems

  • Responding to personal data breaches in the most appropriate and fastest manner possible: in events such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, Indegene shall promptly assess the risk to individuals' rights and freedoms and report such breach to the Data Protection Cell (refer to section 5: Governance Structure for Personal Data Protection) for taking further actions as per the regulatory requirements

General Provisions to This Policy:

  • Applicability: This policy is applicable to all personal information processed at Indegene.

  • Ongoing Compliance: The Data Protection Cell shall be responsible for Indegene's compliance with this policy.

  • Cognizance: This policy shall be made available to all employees and associates of Indegene as documented information and shall also be communicated appropriately.

    All of Indegene's employees, its associates, and interested parties shall be made aware of this policy effectively.

  • Review: This policy shall be reviewed at least once annually.



  • This policy applies to all personal data/PII and PHI processed by Indegene.

  • This policy would be relevant to all applicable services or projects managed for Indegene's clients.








Business Associate Agreement


Refers to the agreement between the business associate (Indegene) and the covered entity.

Business Unit (BU)

Refers to different departments in Indegene.


Covered Entity


Refers to an organization that routinely handles personal information, PII, and PHI.


Data Protection Officer (DPO)


Refers to the person heading all data privacy-related programmes and initiatives within the organization.



Refers to the project, programme or engagement conducted or performed by Indegene on behalf of its clients or covered entity.


Electronic Protected Health Information (EPHI)


Refers to all individually identifiable health information that is created, maintained or transmitted electronically.


General Data Protection Regulation (GDPR)/(EU) 2016/679


Legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).


Health Insurance Portability and Accountability Act (HIPAA)


Act of 1996 that specifies laws for the protection and use of personal (or protected) health information (PHI), which is essentially an individual's medical records.


Personally identifiable information (PII)


Refers to any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered as PII. Any information about an individual's identity such as their name, social security number, date and place of birth, mother's maiden name and biometric records can be considered as PII.


PII can also constitute “PHI” under the HIPAA Act of 1996.


Privacy Rule


Refers to the part of the HIPAA rule that addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient's own right to access.


Refers to any information that identifies an individual AND relates to:

  • The individual's past, present or future physical or mental health; OR

  • The provision of healthcare to the individual; OR

  • The past, present or future payment for healthcare.


Privacy Single Point of Contact (SPOC)

Refers to the person monitoring the personal data/PII/PHI management under each BU.

Security Rule

Refers to the part of the HIPAA rule that outlines national security standards intended to protect health data created, received, maintained or transmitted electronically.


Refers to the single point of contact/point persons.

Online Channel

Preselected website that can automatically send updated information for immediate display or viewing on request.

Special categories of personal information

The following types of data are categorized as special categories of personal information:

  • Racial or ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade-union membership

  • The processing of genetic information