Effective Date: 12-01-2026
Version: 1.3
This Privacy Policy applies to services provided under the brand name HCL Healthcare and Habit Health, operated and managed by HCL Avitas Private Limited. References to “we,” “us,” or “our” refer to HCL Avitas Private Limited. “HCL Healthcare” refers to our healthcare service brand, including services delivered through clinics, corporate healthcare programs, websites, and the Habit Health web and mobile applications.
HCL Healthcare is committed to protecting personal information, including Personal Data, Personally Identifiable Information (PII), Sensitive Personal Data, and Protected Health Information (PHI). We implement appropriate administrative, technical, and physical safeguards, supported by periodic reviews and continuous improvement.
This Privacy Policy is designed in alignment with: - Digital Personal Data Protection Act, 2023 (India) - Information Technology Act, 2000 and associated Rules - ISO/IEC 27001:2022 Information Security Management System - HIPAA-aligned healthcare privacy and security practices, where applicable (including services involving U.S. persons or U.S.-linked contractual obligations) - Other applicable healthcare and privacy regulations, as amended from time to time
This Policy explains how HCL Healthcare collects, uses, shares, stores, secures, retains, and disposes of personal and health-related information.
This Privacy Policy applies to all individuals whose information is processed by HCL Healthcare, including: - Patients and individuals receiving healthcare services - Employees of corporate clients covered under workplace health programs - Employees, consultants, contractors, and temporary staff - Clients, vendors, partners, and business associates
Key principles include lawful processing, purpose limitation, data minimization, confidentiality, transparency, accountability, and timely action in the event of a data security or privacy incident.
We collect only information that is necessary for legitimate healthcare delivery, business operations, and legal or regulatory purposes.
Information collected may include: - Basic Personal Information: Name, contact details, address, gender, date of birth, photographs, and emergency contact details - Identification Information: Government-issued identifiers such as Aadhaar, PAN, passport, or voter ID, where legally required - Health and Medical Information (PHI): Medical history, prescriptions, lab reports, diagnostic data, consultation notes, and treatment records - Employment-Related Information: Employment details, payroll, benefits, performance, and training information (where applicable) - Technical and Usage Information: Logs generated through use of websites, applications, systems, devices, and security monitoring tools. Patients may access their health records, including prescriptions, lab reports, and consultation details, through the Habit Health mobile application.
Why We Collect and Use Personal Information
HCL Healthcare processes Personal Data and PHI for legitimate and lawful purposes, including: - Providing preventive, primary, occupational, and clinical healthcare services - Managing corporate healthcare programs and contractual obligations - Medical consultation, diagnosis, treatment, and continuity of care - Workforce administration and internal operations - Compliance with legal, regulatory, insurance, and health and safety obligations - IT operations, cybersecurity, access control, monitoring, and audit logging - Business continuity, disaster recovery, and internal communications
Personal data is used only for the purposes for which it is collected, unless otherwise permitted or required by law.
Information Sharing and Disclosure
HCL Healthcare does not sell personal data. Personal Data and PHI are shared only where necessary for healthcare delivery, business operations, legal compliance, or as otherwise permitted under applicable law.
Access to Personal Data and PHI is restricted to authorized personnel on a strict need-to-know and minimum necessary basis.
Personal Data and PHI may be disclosed to: - Authorized healthcare professionals and medical practitioners - Affiliate companies and approved business associates - Third-party service providers supporting IT, diagnostics, hosting, and operations - Regulatory, judicial, or law enforcement authorities when required by law
All third parties are contractually required to protect personal and health information and process it only in accordance with HCL Healthcare’s instructions and applicable legal requirements.
Disclosure to Family Members and Caregivers (HIPAA-Aligned)
HCL Healthcare may disclose PHI to family members, caregivers, or other persons identified by an individual only when such disclosure is directly relevant to the individual’s care, payment for care, or necessary notifications, and in accordance with HIPAA-aligned practices and applicable Indian laws. Disclosures are permitted based on individual consent, opportunity to object, professional judgment in emergencies or incapacity, and always follow the Minimum Necessary standard. Relevant consent, objections, or professional assessments are appropriately documented.
HCL Healthcare retains Personal Data and PHI only for as long as necessary to fulfil healthcare, business, legal, and regulatory purposes under Indian law. Personal Data and Protected Health Information are primarily stored and processed within India, unless otherwise permitted under applicable law. Where identification is no longer required, data may be anonymized or de-identified and retained for lawful analytical, reporting, or quality improvement purposes.
Certain information may be retained after employment or service engagement ends to meet statutory, contractual, or legal obligations. Once data is no longer required, it is securely destroyed, erased, or anonymized using appropriate technical and organizational measures.
HCL Healthcare maintains a comprehensive information security program aligned with ISO/IEC 27001:2022 and applicable legal requirements. We use administrative, technical, and physical safeguards such as access controls, encryption, authentication mechanisms, logging and monitoring, vulnerability assessments, and regular security testing.
Access to personal and health information is limited to authorized personnel. While we take reasonable steps to protect information, no system can guarantee absolute security, particularly for data transmitted over the internet.
HCL Healthcare uses cookies on its websites and digital platforms, including the HCL Healthcare and Habit Health websites and mobile applications, to ensure functionality, security, and improved user experience. Cookies collect limited technical and usage information and do not collect medical or clinical data. Users may manage cookie preferences through browser or device settings.
To ensure secure and reliable service delivery, HCL Healthcare may monitor the use of its websites, applications, systems, and network infrastructure for security, operational, and compliance purposes. Monitoring is proportionate, limited, and conducted in accordance with applicable Indian laws.
HCL Healthcare maintains an incident response and breach management process aligned with ISO/IEC 27001:2022, HIPAA-aligned practices, and applicable Indian laws, including the the Digital Personal Data Protection Act, 2023. Where a reportable breach occurs, affected individuals and relevant authorities are notified within legally prescribed timelines, using clear and transparent communication.
HCL Healthcare takes prompt action to remediate security incidents, address root causes, and strengthen safeguards. Security controls and procedures are regularly reviewed and improved, supported by employee training and continuous risk assessment.
Individuals may withdraw consent for the collection or use of their personal or health information, subject to legal or contractual limitations. Requests may be submitted to [email protected]. Withdrawal applies prospectively and may affect service delivery where consent is essential.
For privacy-related questions, requests, or grievances:
Privacy Officer / Data Protection Officer
Email: [email protected]
Grievance Officer (India)
Name: Sandeep Kumar
Email: [email protected]
This Privacy Policy may be updated periodically to reflect changes in law, regulatory guidance, or business practices. The most current version will always be made available through official HCL Healthcare channels.