MedStack Technology Compliance Policies
Documentation
Policies and procedures
- Create
  - Create appropriate policies and procedures as required by law and as suggested by good business practices and general business ethics.
  - Engage third-party experts to guide and review.
- Update
  - annually
  - in response to environmental or operational changes affecting the privacy or security of information
  - as required by law
- Model on and make consistent with
  - ISO 27001
  - applicable HIPAA Rules and Regulations
  - applicable US State laws and statutes
  - Canadian legislation (such as PHIPA in Ontario)
- Distribution and storage
  - Make all policies and procedures easily available to all employees.
  - Require and train all employees to read, understand, and comply with all policies and procedures.
  - Do not hold employees accountable for compliance unless they have been given access to the policies and procedures.

| Code | Section | Title |
|---|---|---|
| ISO | A.5.1.1 | Policies for information security |
| ISO | A.5.1.2 | Review of the policies for information security |
| SOC2 | CC1.4 | COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. |
| SOC2 | CC5.3 | COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. |
Documentation
- Document activities governed by these policies.
- Make documentation available to those employees who have a legitimate need for it, and who are authorized to access it.
- Securely maintain and store all documentation.
Retain compliance documentation
- Retain for six years
  - from the date of creation, or
  - from the date it was last in effect,
  - whichever is later.
- This retention requirement does not apply to
  - medical records
- Retain the following documentation
  - risk analyses and related notes and research materials
  - requests, complaints, and their disposition
  - contracts, along with amendments, renewals, revisions, and terminations
  - the names and titles of officers under these policies and procedures
  - training provided (i.e., topics, dates, and, ideally, participants)
  - sanctions imposed against non-complying workforce members
  - signed authorizations and revocations

| Code | Section | Title |
|---|---|---|
| HIPAA | 164.316(b)(2)(i) | Time limit (Required) |
Enforcement
- Responsible party: All managers and supervisors
- Sanctions: standard

References

| Code | Section | Title |
|---|---|---|
| ISO | A.5 | Information security policies |
| ISO | A.5.1 | Management direction for information security |
| HIPAA | 164.316 | Policies and procedures |
Mental Health Check™
Life Support Mental Health Inc. © 2023
All Rights Reserved