Security Policy

Purpose: The following security policy is adopted to ensure that Health Factors Empowering Self-Care Inc. (MyOutcomes®) complies fully with all federal and state security protection laws and regulations. Protection of electronic protected health information (ePHI) is of paramount importance to this organization. Violations of any of these provisions will result in severe disciplinary action including termination of employment and possible referral for criminal prosecution.

Effective Date: This policy is in effect as of December 1, 2009.

Expiration Date: This policy remains in effect until superseded or cancelled.

Policy Owner: Vic Lebouthillier, Director of Product Development, Suite 501, 1630 Pandosy St, Kelowna, BC, Canada V1Y 1P7, (250) 763-4775

Assigning Privacy and Security Responsibilities

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that specific individuals within our workforce are assigned the responsibility of implementing and maintaining the HIPAA Privacy and Security Rule’s requirements. Furthermore, it is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes) that these individuals will be provided sufficient resources and authority to fulfill their responsibilities.

Risk Analysis

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that a risk analysis has been completed and is periodically updated to assess potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI. It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that the risk analysis includes a review of the critical nature of electronic PHI and related applications or business processes with a subsequent ranking or prioritization (criticality analysis).

Risk Management

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that security measures are in place and maintained sufficiently to reduce risks and vulnerabilities to a reasonably appropriate level in order to:

Ensure the confidentiality, integrity and availability of all electronic PHI that this organization creates, receives, maintains, stores or transmits
Protect against any reasonably anticipated threats or hazards to the security or integrity of electronic PHI
Protect against any reasonably anticipated uses or disclosures of electronic PHI that are not permitted by HIPAA or applicable state law
Ensure that all members of the workforce are aware of these requirements and comply with them

Sanctions

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that sanctions will be applied to workforce members who fail to comply with the security policies and procedures.

Information System Activity Review

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that records of information system activity, such as security incident tracking reports, are regularly reviewed.

Supervision

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that an authorized, knowledgeable person must supervise maintenance personnel whenever work is being done on a system that contains or processes electronic PHI. It is also the policy of this organization that access authorization for maintenance personnel must be set appropriately for the jobs assigned to each.

Personnel Clearance

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that personnel be cleared before access to electronic PHI is allowed.

Personnel and Workforce Termination

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that personnel and workforce will have all access to electronic PHI terminated as soon as practicable after they are terminated. This will include physical access to our facility as well as technical access.

Training and Awareness

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that all employees and contractors receive training in security awareness and in the security procedures to be followed during the performance of their duties. It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that periodic reminders and training will be provided to the workforce.

Protection from Malicious Software

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that it will implement and maintain procedures for detecting, reporting and guarding against malicious software. It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that all members of the workforce will be periodically reminded and trained regarding this policy.

Log-in Monitoring

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that log-in attempts and discrepancies will be monitored to the extent practicable.

Password Management

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that a written procedure will be followed to create and assign passwords, which will include periodic changing and safeguarding of passwords.

Security Incident Policy

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that all security incidents (suspected or actual) will be documented in writing. It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that these incidents will be promptly investigated and that harmful effects or violations will be mitigated to the extent practicable. All responses and follow-up actions will be documented.

Contingency Plans

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that a contingency plan is in place and maintained. The contingency plan includes procedures for data backup, disaster recovery (including restoration of data), and emergency mode operations. It is the policy of this organization that the contingency plan includes a procedure to allow facility access in support of restoration of lost data and to support emergency mode operations in the event of an emergency. It is the policy of this organization that access control will include procedures for emergency access to electronic PHI.

Testing

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that all security controls and measures in place be periodically tested to ensure proper functioning. It is also the policy of this organization that all procedures adopted to protect the confidentiality, integrity and availability of information and information services be tested to ensure that important security considerations have not been overlooked. It is also the policy of this organization that contingency plans and related measures will be periodically tested to ensure proper functioning and to maintain readiness in the event of a contingency.

Evaluation

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that a periodic technical and non-technical evaluation will be conducted to audit the effectiveness of the security controls and measures in place in consideration of environmental or operational changes.

Audit

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that audit controls are in place to record and examine the activity of all information systems that contain or use electronic PHI. This organization will maintain procedures to protect electronic PHI from improper alteration or destruction and to routinely authenticate that electronic PHI retains its integrity (including, but not limited to, version control and read-only privileges).

Authentication

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that all information system users be authenticated before access to information processing resources is allowed. Specifically, each user must have their own system account, and passwords must never be shared.

Authorization and Termination

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that authority to access electronic PHI is granted, or supervision is provided, to users who will work with electronic PHI. When these users no longer require their access or are terminated, all authorization will cease, including the revocation and deletion of passwords, user IDs and system privileges.

Access to Protected Health Information

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that all access control mechanisms must be configured to allow access only to the information and information processing functions needed by each employee or contractor to perform their assigned duties. It is also the policy of this organization that proper procedures must be followed whenever access to health information is authorized, established or modified, and that records of access authorizations must be maintained. Access will be granted and maintained, to the extent possible, at the system level, the role or job function (and application software) level, and the workstation or device level. It is the policy of this organization that access control will include unique names and/or numbers to identify and track user identity. It is the policy of this organization that access controls will include automatic log-offs for unattended computer sessions and applicable encryption of electronic PHI (including system-level encryption for stored data). It is the policy of this organization that appropriate password protection will be implemented. It is the policy of this organization that emergency access will be maintained by relying on a backup list of user IDs and passwords.

Device and Media Access Control

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that reusable media, such as tapes, zip disks or diskettes, or hardware that contains electronic PHI, must be securely erased or otherwise destroyed before being discarded, to prevent unauthorized access to electronic PHI. This policy extends to media that will be re-used by another party. It is the policy of this organization to safeguard and account for the receipt and removal of all hardware and media containing electronic PHI. It is the policy of this organization to back up devices that contain critical electronic PHI or applications prior to their relocation, as appropriate.

Physical Access Control

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that areas with physical access to electronic information systems (including diagnostic equipment that maintains electronic PHI) be limited to those properly authorized. It is also the policy of this organization that appropriate safeguards are in place to protect these systems and the electronic PHI they contain from tampering, theft or destruction. It is the policy of this organization that visitors sign in and are verified and monitored. It is the policy of this organization to review and supervise any repairs or modifications to the facility that could compromise security.

Workstation Use Guidelines

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that workstations be positioned in such a manner as to avoid accidental, unauthorized exposure of health information. It is the policy of this organization that displays be locked when unattended. It is the policy of this organization that access to workstations be restricted to authorized users. This workstation policy extends to desktop computers, laptop computers, PDAs, electronic diagnostic equipment and all storage media connected to, or stored in, the immediate environment.

Secure Data Transmission

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that data communications that contain electronic PHI must be encrypted or transmitted using a secure transmission protocol if they traverse public networks such as the Internet. It is also the policy of this organization that all data transmission methods must incorporate data integrity and authentication controls.

Configuration Management

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that proper procedures be followed for the installation or removal of all hardware devices or software programs. It is also the policy of this organization that the hardware/software inventory must be kept current and that the configuration must be documented in sufficient detail to be rebuilt in the case of an emergency.

Business Associates

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that business associates must be contractually bound to protect electronic PHI as required by applicable federal regulations. It is also the policy of this organization that business associates who violate their agreement will be dealt with first by an attempt to correct the problem and, if that fails, by termination of the agreement and discontinuation of services by the business associate. It is the policy of this organization that any business associate agreement that cannot be terminated, where the violation has not been corrected, will be reported to the Secretary of the Department of Health and Human Services.

Identity Theft Compliance

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that it will comply with state laws regulating the response to any breach of unencrypted or de-identified information that could be used for identity theft.

Document retention, availability and currency

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes & Leap) that these policies and all related procedures be retained for 6 years from the date of their creation or the date when they were last in effect, whichever is later. It is also the policy of this organization to make this documentation available to those persons responsible for implementing the related procedures, and that this documentation and policy will be kept current in response to relevant environmental or operational changes or changes in law.

Investigation and Enforcement

It is the policy of Health Factors Empowering Self-Care Inc. (MyOutcomes®) that in addition to cooperation with Security Oversight Authorities, this organization will follow procedures to ensure that investigations are supported internally and that members of our workforce will not be retaliated against for cooperation with any authority. It is our policy to attempt to resolve all investigations and avoid any penalty phase if at all possible.