• Documentation
  • Metadata
  • Policies and procedures
  • Documentation
  • Retention
  • Enforcement
  • References

Documentation

MedStack Confidential

Metadata

• responsible officer: CTO
• date
  • effective: 2018-06-20
  • revised: 2018-04-12
  • reviewed: 2018-06-20
• Applicability: standard

Policies and procedures

• Create
  • Create appropriate policies and procedures as required by law and as suggested by good business practices and general business ethics.
  • Engage third-party experts to guide and review.
• Update
  • annually
  • in response to environmental or operation changes affecting the privacy or security of information
  • as required by law
• Model on and make consistent with
  • ISO 27001
  • applicable HIPAA Rules and Regulations
  • applicable US State laws and statutes
  • Canadian legislation (such as PHIPA in Ontario)
• Distribution and storage
  • Make all policies and procedures easily available to all employees.
  • Require and train all employees to read, understand, and comply with all policies and procedures.
  • Do not hold employees accountable for compliance unless they have been given access to the policies and procedures.

    Code	Section	Title	Text
    ISO	A.5.1.1	Policies for information security	A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
    ISO	A.5.1.2	Review of the policies for information security	The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

Documentation

• Document activities governed by these policies.
• Make documentation available to those employees who have a legitimate need for it, and who are authorized to access it.
• Securely maintain and store all documentation.

Retention

• Retain documentation for six years
  • from the date of creation, or
  • from the date it was last in effect,
  • whichever is later.
• This retention requirement does not apply to
  • medical records
• Retain the following documentation
  • risk analyses and related notes and research materials
  • requests, complaints, and their disposition
  • contracts, along with amendments, renewals, revisions, and terminations
  • the names and titles of officers under these policies and procedures
  • training provided (i.e., topics, dates, and, ideally, participants)
  • sanctions imposed against non-complying work force members
  • signed authorizations and revocations

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title	Text
ISO	A.5	Information security policies
ISO	A.5.1	Management direction for information security	Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
HIPAA	164.316	Policies and procedures	A covered entity or business associate must, in accordance with § 164.306: (a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. (b) (1) Standard: Documentation. (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. (2) Implementation specifications: (i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. (ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. (iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

November 13, 2019

Powered by