Policy 1.1. Information Security and Privacy Governance Policy
Health Factors Empowering Self-Care Inc. possesses information that is sensitive and valuable (for example, personal health information, personally identifiable information, financial data, building plans, and research information) as well as information that is required for business processes. Some information is protected by federal and state laws and/or contractual obligations that prohibit its unauthorized use or disclosure. Access to this information by unauthorized individuals could cause irreparable harm to Health Factors Empowering Self-Care Inc. or members of the Health Factors Empowering Self-Care Inc. community, and could also subject Health Factors Empowering Self-Care Inc. to fines or other government sanctions. Additionally, if Health Factors Empowering Self-Care Inc.’s information were tampered with or made unavailable, it could impair Health Factors Empowering Self-Care Inc.’s ability to do business.
Health Factors Empowering Self-Care Inc. therefore requires all employees and contracted workers to protect information and the supporting information assets (such as computing devices and storage media) as specified in the associated information security and privacy policies and supporting procedures. All employees are required to know and follow all of these policies.
The purposes of Health Factors Empowering Self-Care Inc. Information Security and Privacy Policies are to:
- Protect Health Factors Empowering Self-Care Inc. information and system resources. From this point forward, Health Factors Empowering Self-Care Inc. will be referred to in Policies and Procedures as the Company.
- Help to ensure the confidentiality, integrity, and availability of information assets.
- Create awareness among employees and other workforce personnel so that they make information security decisions in accordance with information security and privacy policies.
- Help protect patient, insured, customer and employee information from unauthorized use, disclosure, modification, or destruction.
- Provide direction to those responsible for the design, implementation and maintenance of systems that support the Company’s operations.
- Clarify management and other workforce personnel responsibilities and duties with respect to the protection of information assets and resources.
- Support compliance with HIPAA, HITECH and other applicable legal and regulatory requirements.
- Establish the basis for internal and external audits, reviews and assessments.
- The Company information security and privacy policies define security and privacy requirements for all Company personnel and systems that create, maintain, store, access, process or transmit information.
- The Company information security and privacy policies apply to all Company personnel, including contracted workers, consultants and others given access to Company applications, systems, and/or information.
- The policies pertain to all Company systems, applications and information in all forms in all locations where the Company business processes are performed.
- The policies also apply to information resources owned by others, such as contractors of the Company or other private-sector entities, in cases where the Company has a legal, contractual or fiduciary duty to protect those resources while they are in Company custody. In the event of a conflict, the more restrictive measures apply.
- The policies cover the Company network system, which comprises the hardware, software, communication equipment and other devices designed to assist the Company in the creation, receipt, storage, processing, and transmission of information. This definition includes equipment connected to any Company domain or VLAN, whether hardwired or wireless, all stand-alone equipment deployed by the Company at its office locations or at remote locales, and the personally-owned computing devices used for Company purposes.
- The policies will be maintained according to the Information Security and Privacy Program Purpose and Scope Review and Maintenance Procedure.
- The policies will be communicated to all personnel who have any type of access to business information assets.
Common terms and acronyms that may be used throughout the Company information security and privacy policies include:
- Breach: The unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. The term “breach” does not include:
  - any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and
    - such information is not further acquired, accessed, used, or disclosed by any person; or
  - any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility; and
    - any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.
- Business Associate: An entity that “creates, receives, maintains, or transmits” protected health information (PHI) on behalf of a covered entity as described in § 164.308(b) of the Security Rule and § 164.502(e) of the Privacy Rule.
- Education Records: Not Applicable.
- Electronic Protected Health Information (EPHI): Protected health information (PHI) in any type of electronic form.
- Health Information Technology (HIT): The term ‘health information technology’ means hardware, software, integrated technologies or related licenses, intellectual property, upgrades, or packaged solutions sold as services that are designed for or support the use by health care entities or patients for the electronic creation, maintenance, access, or exchange of health information.
- Individual Notice: Notice provided to an individual, with respect to a breach, that is provided promptly and in the following form:
  - (A) Written notification by first-class mail to the individual (or the next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available.
  - (B) In the case in which there is insufficient or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication) that precludes direct written (or, if specified by the individual, electronic) notification to the individual, a substitute form of notice shall be provided, including, in the case that there are 10 or more individuals for which there is insufficient or out-of-date contact information, a conspicuous posting for a period determined by the Secretary on the home page of the Web site of the covered entity involved or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting will include a toll-free phone number where an individual can learn whether or not the individual’s unsecured protected health information is possibly included in the breach.
  - (C) In any case determined to require urgency because of possible imminent misuse of unsecured protected health information, in addition to the notice described in (A), notice may be provided to individuals by telephone or other means, as appropriate.
- Individually identifiable health information (IIHI): This has the same meaning as protected health information (PHI).
- Protected Health Information (PHI): Protected health information (PHI) means individually identifiable health information:
  - That is:
    - Transmitted by electronic media;
    - Maintained in electronic media; or
    - Transmitted or maintained in any other form or medium.
  - PHI excludes individually identifiable health information in:
    - Education records covered by the Family Educational Rights and Privacy Act (see definition of Education Records).
    - Records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice.
    - Employment records held by a covered entity in its role as employer.
    - Records regarding a person who has been deceased for more than 50 years.
  - PHI is information that is a subset of health information, including demographic information collected from an individual, and:
    - Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
    - Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
    - That identifies the individual; or
    - With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
- The following are the 19 explicitly identified PHI items:
  - Geographic subdivisions smaller than a state
  - All elements of dates directly related to the individual (dates of birth, marriage, death, etc.)
  - Telephone numbers
  - Facsimile numbers
  - Driver’s license numbers
  - Electronic mail addresses
  - Social security numbers
  - Medical record numbers
  - Health plan beneficiary numbers
  - Account numbers, certificate/license numbers
  - Vehicle identifiers and serial numbers
  - Device identifiers and serial numbers
  - Web Universal Resource Locators (URLs)
  - Internet Protocol (IP) address numbers
  - Biometric identifiers
  - Full face photographic images and any comparable images
  - Genetic data that is individually unique. Additionally, any information that can be linked to a specific individual will also be considered to be PHI.
- includes patient demographic and clinical health information, such as medical history and problem lists; and
- has the capacity:
  - to provide clinical decision support;
  - to support physician order entry;
  - to capture and query information relevant to health care quality; and
  - to exchange electronic health information with, and integrate such information from, other sources.
- The Company must follow all HIPAA and HITECH requirements in addition to all other applicable laws, mandates, regulations and legal requirements.
- The Company will identify and document all legal requirements by following the Regulatory, Contractual & Standards Compliance Procedure.
- Exceptions to the information security and privacy policies may be granted in unusual and unique circumstances when it is not possible to be in compliance with a specific policy.
- Exceptions will be coordinated with Management and granted after following the Policy Exceptions Procedure.
- The Information Security Officer (Farida Contractor) or the Corporate Privacy Officer (Karl A. Peuser) must document, within the Information Security & Privacy Exception Request Form, the written approval for an exception, the mitigating controls that must be followed while the exception is in effect, and the reasonable time period for which the exception is granted.
- Information Security and Privacy Program Purpose and Scope Review and Maintenance Procedure
- Regulatory, Contractual & Standards Compliance Procedure
- Policy Exceptions Procedure
Supports the following regulations and standards:
- HIPAA § 164.306 Security standards: General rules
- HIPAA § 164.308 Administrative safeguards, (a)(4)(ii)(C) Access establishment and modification
- HIPAA § 164.316(a)
- HIPAA § 164.316(b)(1) (includes Time Limit, Availability, Updates)
- HIPAA § 164.316(b)(2)(iii)
- NIST SP 800-66 Section 4.21
- NIST SP 800-53 Security Controls Mapping: PL-1, PL-2, PL-3, RA-1, RA-3
- ISO/IEC 27001: A.5 Security policy
- ISO/IEC 27002: 2005 Section 5: Security Policy