Policies, Agreements, Terms & Conditions
MedStack Technology Compliance Policies
Suppliers
Ensure suppliers and vendors have appropriate safeguards
- Use only major public cloud service providers to handle PHI
- Use recognized independent standards to determine the supplier’s security and compliance, such as ISO 27001, SOC2 and HITRUST.
- Do not provide PHI to any other suppliers.
- Acquire and maintain documentation for the safeguards
- Sign contracts with suppliers that enforce our compliance requirements.
- Where HIPAA is applicable, obtain a HIPAA BAA from the supplier.
- Acquire and retain the supplier’s documentation.
- Acquire updated documentation annually.
- Review
- Review updated vendor documentation annually.
| Code | Section | Title |
|---|---|---|
| ISO | A.15.1.1 | Information security policy for supplier relationships |
| ISO | A.15.1.2 | Addressing security within supplier agreements |
| ISO | A.15.1.3 | Information and communication technology supply chain |
| ISO | A.15.2.1 | Monitoring and review of supplier services |
| SOC2 | CC2.3 | COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control. |
| SOC2 | CC2.3 | COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control. |
| SOC2 | CC3.2 | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. |
| SOC2 | CC3.2 | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. |
| SOC2 | CC3.2 | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. |
| SOC2 | CC4.2 | COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |
| SOC2 | CC9.2 | The entity assesses and manages risks associated with vendors and business partners. |
| SOC2 | CC9.2 | The entity assesses and manages risks associated with vendors and business partners. |
| SOC2 | CC9.2 | The entity assesses and manages risks associated with vendors and business partners. |
| SOC2 | CC9.2 | The entity assesses and manages risks associated with vendors and business partners. |
| SOC2 | CC9.2 | The entity assesses and manages risks associated with vendors and business partners. |
| SOC2 | CC9.2 | The entity assesses and manages risks associated with vendors and business partners. |
| SOC2 | P6.5 | The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s objectives related to privacy. |
Document security mechanisms, SLAs and management information in agreements
- with our vendors
- with our customers
| Code | Section | Title |
|---|---|---|
| ISO | A.13.1.2 | Security of network services |
Business Associate suppliers
- US law (HIPAA) requires a chain of Business Associate relationships.
- A Business Associate is a person or entity to whom a we delegate a function, activity, or service involving PHI, and who is not our employee.
- Sign Business Associate Agreement (BAA) contracts that meet all of the requirements and standards of HIPAA, State law, and our policies and procedures.
- Subcontractors of Business Associates are Business Associates themselves.
- Business Associates include the following if they handle PHI
- Sub-contractors
- Patient safety organizations
- Health Information Organizations (HIOs) (and similar organizations such as Health Information Exchanges (HIEs) and regional health information organizations)
- E-prescribing gateways
- Personal Health Record (PHR) vendors that provide services on behalf of a covered entity
- Other firms or persons who “facilitate data transmission” that requires routine access to PHI
- Business Associates include the following if they handle PHI
| Code | Section | Title |
|---|---|---|
| HIPAA | 164.308(b) | Business associate contracts and other arrangements |
| HIPAA | 164.314(a) | Standard: Business associate contracts or other arrangements |
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title |
|---|---|---|
| ISO | A.15.1 | Information security in supplier relationships |
| ISO | A.15.2 | Supplier service delivery management |
| ISO | A.15.2.2 | Managing changes to supplier services |
| CHI | PR2 | Third-Party Agreements |
| CHI | SR6 | Addressing security in third-party agreements |
| SOC2 | CC2.3 | COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control. |
| SOC2 | CC8.1 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
| SOC2 | CC9.2 | The entity assesses and manages risks associated with vendors and business partners. |
| SOC2 | P1.1 | The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy. |
| SOC2 | P2.1 | The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented. |
| SOC2 | P6.1 | The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy. |
| SOC2 | P6.4 | The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary. |
Life Support Mental Health Inc. @ 2022
All Rights Reserved