Compliance
MedStack Confidential
Metadata
- responsible officer: CTO
- date
  - effective: 2018-06-20
  - revised: 2018-04-10
  - reviewed: 2018-06-20
Comply with the appropriate regional regulations
- Comply with HIPAA for resources and PHI in the United States of America.
- Comply with PHIPA and other provincial regulations for resources and PHI in Canada.
- Identify all relevant legislative, statutory and regulatory requirements.
Comply with contractual requirements
- Identify all relevant contractual requirements.
Handle investigations, complaints and rights
- In case of an investigation by a legal authority:
  - immediately notify all Responsible Officers, executive management and legal counsel
  - verify the identity and legal authority of the investigators
  - do not impede, obstruct, or mislead investigators
  - under the direction of management, cooperate with the investigators and provide all documentation or assistance required by law
- Establish procedures for individuals to complain about our compliance with our privacy policies and procedures and the Privacy Rule.
- Do not retaliate against a person for exercising rights provided by law, for assisting in an investigation by appropriate authorities, or for opposing an act or practice that the person believes in good faith violates any standard or requirement.
HIPAA/State Law Preemption
- HIPAA generally preempts state laws regarding medical or health privacy. However, state laws that provide stronger protections for confidential health data, or that provide for better patient and consumer access to health data than HIPAA, will generally preempt HIPAA regulations.
- HIPAA Covered Entities and Business Associates must follow both HIPAA law and state law when possible. If there is a conflict between the two, a preemption analysis and determination must be made to assess which laws (HIPAA, State Laws, or both) must be followed.
- When necessary, our designated Privacy Official, or other responsible party (if no Privacy Official has been designated) shall analyze HIPAA preemption issues, in cooperation with legal counsel, and make preemption determinations.
- When necessary, our designated Privacy Official, or other responsible party (if no Privacy Official has been designated), shall create, modify, or amend organization policies to accurately reflect preemption determinations and provide guidance to management on HIPAA and state law preemption issues.
- If off-the-shelf or custom preemption analyses are obtained from external sources, it is the responsibility of our designated Privacy Official, in cooperation with legal counsel, to certify the validity and accuracy of such external preemption analyses before applying those analyses to our operations.
- When necessary, our designated Privacy Official, or other responsible party (if no Privacy Official has been designated), shall conduct ongoing research to monitor legislative changes in the state(s) where we operate that could affect HIPAA preemption issues.
Enforcement
- responsible party: all managers and supervisors
- sanctions: standard
References
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.18.1 | Compliance with legal and contractual requirements | To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. |
| ISO | A.18.1.1 | Identification of applicable legislation and contractual requirements | All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. |
| ISO | A.18.1.3 | Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. |
| HIPAA | 45 CFR Part 160, Subpart B | Preemption of State Law | |