Security & Compliance
Built for regulated healthcare. By design, not by patch.
Hospitals run on trust. zMed's security posture is a property of the platform — the same controls in every deployment, every unit, every country.
By Design
Certification Pathway
Audit Workflows Supported
"By Design" denotes platform architecture; "Certification Pathway" denotes programmes in progress; "Audit Workflows Supported" denotes accreditation regimes the platform produces evidence for. Use of any mark denotes platform support, not certification, unless separately stated.
Controls
What your IT and compliance teams will ask. Answered.
Role-based access, everywhere
Every screen, every action and every report is scoped by role, unit and shift. A nurse, an intensivist and a billing clerk see different systems on the same record.
One audit log, end to end
Every chart action, every AI suggestion, every override, every configuration change — captured with clinician identity, timestamp and prior value. The audit log is the inspector's primary artefact.
Encryption in transit and at rest
All traffic is encrypted in transit; clinical data is encrypted at rest. Access to production data is logged and reviewed.
PHI never leaves your boundary
AI models can run fully on-premises. When a cloud model is used, protected health information is redacted and de-identified by automated detection tooling before any request leaves your environment — and your patient data is never used to train shared or third-party models.
Data residency, your choice
On-premises, sovereign in-country cloud, or hybrid — Indian patient data can stay in India, US data in the US. The choice is the hospital's, and every option is supported as standard.
Advisory-only intelligence
The platform makes no diagnosis, prescribes no medication, orders no procedure and discharges no patient. Every output is a recommendation a clinician reviews — the chain of clinical responsibility is preserved at every step.
Deployment topologies — on-premises, sovereign cloud, hybrid and the edge appliance — are covered in detail here →
Audit readiness
The inspector reads from the system, not from someone's email.
Accreditation audits, statutory inspections and payer reviews all draw from the same canonical record — every figure in every report traceable back to the chart entry that produced it, every register serially numbered and tamper-evident.