MedStack Technology Compliance Policies

Documentation

Policies and procedures

  • Create
    • Create appropriate policies and procedures as required by law and as suggested by good business practices and general business ethics.
    • Engage third-party experts to guide and review.
  • Update
    • annually
    • in response to environmental or operation changes affecting the privacy or security of information
    • as required by law
  • Model on and make consistent with
    • ISO 27001
    • applicable HIPAA Rules and Regulations
    • applicable US State laws and statutes
    • Canadian legislation (such as PHIPA in Ontario)
  • Distribution and storage
    • Make all policies and procedures easily available to all employees.
    • Require and train all employees to read, understand, and comply with all policies and procedures.
    • Do not hold employees accountable for compliance unless they have been given access to the policies and procedures.
Code    Section    Title
ISO     A.5.1.1    Policies for information security
ISO     A.5.1.2    Review of the policies for information security
SOC 2   CC1.4      COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
SOC 2   CC5.3      COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Documentation

  • Document activities governed by these policies.
  • Make documentation available to those employees who have a legitimate need for it, and who are authorized to access it.
  • Securely maintain and store all documentation.

Retain compliance documentation

  • Retain for six years
    • from the date of creation, or
    • from the date it was last in effect,
    • whichever is later.
  • This retention requirement does not apply to
    • medical records
  • Retain the following documentation
    • risk analyses and related notes and research materials
    • requests, complaints, and their disposition
    • contracts, along with amendments, renewals, revisions, and terminations
    • the names and titles of officers under these policies and procedures
    • training provided (i.e., topics, dates, and, ideally, participants)
    • sanctions imposed against non-complying work force members
    • signed authorizations and revocations
Code    Section              Title
HIPAA   164.316(b)(2)(i)     Time limit (Required)

Enforcement

  • Responsible party: all managers and supervisors
  • Sanctions: standard

References

Code    Section    Title
ISO     A.5        Information security policies
ISO     A.5.1      Management direction for information security
HIPAA   164.316    Policies and procedures