MedStack Technology Compliance Policies

Documentation

Policies and procedures

• Create
  • Create appropriate policies and procedures as required by law and as suggested by good business practices and general business ethics.
  • Engage third-party experts to guide and review.
• Update
  • annually
  • in response to environmental or operation changes affecting the privacy or security of information
  • as required by law
• Model on and make consistent with
  • ISO 27001
  • applicable HIPAA Rules and Regulations
  • applicable US State laws and statutes
  • Canadian legislation (such as PHIPA in Ontario)
• Distribution and storage
  • Make all policies and procedures easily available to all employees.
  • Require and train all employees to read, understand, and comply with all policies and procedures.
  • Do not hold employees accountable for compliance unless they have been given access to the policies and procedures.

Documentation

• Document activities governed by these policies.
• Make documentation available to those employees who have a legitimate need for it, and who are authorized to access it.
• Securely maintain and store all documentation.

Retain compliance documentation

• Retain for six years
  • from the date of creation, or
  • from the date it was last in effect,
  • whichever is later.
• This retention requirement does not apply to
  • medical records
• Retain the following documentation
  • risk analyses and related notes and research materials
  • requests, complaints, and their disposition
  • contracts, along with amendments, renewals, revisions, and terminations
  • the names and titles of officers under these policies and procedures
  • training provided (i.e., topics, dates, and, ideally, participants)
  • sanctions imposed against non-complying work force members
  • signed authorizations and revocations

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References