MedStack Technology Compliance Policies

Suppliers

Ensure suppliers and vendors have appropriate safeguards

  • Use only major public cloud service providers to handle PHI
    • Use recognized independent standards to determine the supplier’s security and compliance, such as ISO 27001, SOC2 and HITRUST.
    • Do not provide PHI to any other suppliers.
  • Acquire and maintain documentation for the safeguards
    • Sign contracts with suppliers that enforce our compliance requirements.
    • Where HIPAA is applicable, obtain a HIPAA BAA from the supplier.
    • Acquire and retain the supplier’s documentation.
    • Acquire updated documentation annually.
  • Review
    • Review updated vendor documentation annually.
Code  | Section    | Title
ISO   | A.15.1.1   | Information security policy for supplier relationships
ISO   | A.15.1.2   | Addressing security within supplier agreements
ISO   | A.15.1.3   | Information and communication technology supply chain
ISO   | A.15.2.1   | Monitoring and review of supplier services
SOC2  | CC2.3      | COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
SOC2  | CC3.2      | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
SOC2  | CC4.2      | COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
SOC2  | CC9.2      | The entity assesses and manages risks associated with vendors and business partners.
SOC2  | P6.5       | The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s objectives related to privacy.

Document security mechanisms, SLAs and management information in agreements

  • with our vendors
  • with our customers
Code  | Section    | Title
ISO   | A.13.1.2   | Security of network services

Business Associate suppliers

  • US law (HIPAA) requires a chain of Business Associate relationships.
  • A Business Associate is a person or entity to whom we delegate a function, activity, or service involving PHI, and who is not our employee.
  • Sign Business Associate Agreement (BAA) contracts that meet all of the requirements and standards of HIPAA, State law, and our policies and procedures.
  • Subcontractors of Business Associates are Business Associates themselves.
    • Business Associates include the following if they handle PHI:
      • Sub-contractors
      • Patient safety organizations
      • Health Information Organizations (HIOs) (and similar organizations such as Health Information Exchanges (HIEs) and regional health information organizations)
      • E-prescribing gateways
      • Personal Health Record (PHR) vendors that provide services on behalf of a covered entity
      • Other firms or persons who “facilitate data transmission” that requires routine access to PHI
Code   | Section     | Title
HIPAA  | 164.308(b)  | Business associate contracts and other arrangements
HIPAA  | 164.314(a)  | Standard: Business associate contracts or other arrangements

Enforcement

  • Responsible party: All managers and supervisors
  • Sanctions: standard

References

Code  | Section    | Title
ISO   | A.15.1     | Information security in supplier relationships
ISO   | A.15.2     | Supplier service delivery management
ISO   | A.15.2.2   | Managing changes to supplier services
CHI   | PR2        | Third-Party Agreements
CHI   | SR6        | Addressing security in third-party agreements
SOC2  | CC2.3      | COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
SOC2  | CC8.1      | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2  | CC9.2      | The entity assesses and manages risks associated with vendors and business partners.
SOC2  | P1.1       | The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy.
SOC2  | P2.1       | The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.
SOC2  | P6.1       | The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy.
SOC2  | P6.4       | The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.