MedStack Technology Compliance Policies

Compliance

Comply with the appropriate regional regulations

  • Comply with HIPAA for resources and PHI in the United States of America.
  • Comply with PHIPA and other provincial regulations for resources and PHI in Canada.
  • Comply with GDPR for resources in the European Union.
  • Comply with other regional laws as appropriate.
  • Identify all relevant legislative statutory and regulatory requirements.

Comply with contractual requirements

  • Identify all relevant contractual requirements.

Who is accountable and responsible

  • The Board of Directors will
    • Ensure that we are in compliance with applicable laws, regulations and rules and with these policies.
  • The CEO will
    • Review and approve these policies and implementation.
  • The CTO is the Chief Privacy and Security Officer (CPSO) and will
    • Implement and manage the Information Privacy Program and the Information Security Management Program (ISMP).
    • Establish, review and approve these policies.
    • Oversee and be responsible for the implementation of these policies.
    • Maintain up to date knowledge of compliance technology and laws, rules and regulations, and keep the policies up to date.
    • Be the designated HIPAA officer.
    • Serve as liaison to government agencies, industry groups and privacy activists in all matters relating to our privacy practices.
  • All management in all departments will
    • Integrate compliance into their projects based on these policies.
    • Demonstrate leadership and commitment to compliance.
  • All employees and contractors will
    • Understand and follow all of these policies.
    • Safeguard the privacy and confidentiality of PHI.
    • Work together to prevent, detect and respond to security and privacy incidents.
    • Protect passwords and authentication devices.

Code   Section         Title
HIPAA  164.308(a)(2)   Assigned security responsibility
SOC2   CC1.1           COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
SOC2   CC1.2           COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
SOC2   CC1.3           COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
SOC2   CC5.3           COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Handle investigations, complaints and rights

  • In case of an investigation by a legal authority
    • immediately notify all Responsible Officers, executive management and legal counsel
    • verify the identity and legal authority of the investigators
    • do not impede, obstruct, or mislead investigators
    • under the direction of management, cooperate with the investigators and provide all documentation or assistance required by law
  • Establish procedures for individuals to complain about our compliance with our privacy policies and procedures and the Privacy Rule.
  • Do not retaliate against a person for exercising rights provided by law, for assisting in an investigation by appropriate authorities, or for opposing an act or practice that the person believes in good faith violates any standard or requirement.

HIPAA and state law preemption in the United States

  • Follow HIPAA over state law in general, as HIPAA preempts state laws regarding PHI, unless the state law provides stronger protections.
  • Conflicts between HIPAA and state law do not generally affect us.

Enforcement

  • Responsible party: All managers and supervisors
  • Sanctions: standard

References

Code   Section                        Title
ISO    A.18.1                         Compliance with legal and contractual requirements
ISO    A.18.1.1                       Identification of applicable legislation and contractual requirements
ISO    A.18.1.3                       Protection of records
HIPAA  45 CFR Part 160, Subpart B     Preemption of State Law
SOC2   CC3.1                          COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.