Compliance

MedStack Confidential

Metadata

responsible officer: CTO
approved by: CTO
date
- effective: 2018-06-20
- revised: 2020-06-18
- reviewed: 2022-08-31

Comply with HIPAA for resources and PHI in the United States of America.
Comply with PHIPA and other provincial regulations for resources and PHI in Canada.
Comply with GDPR for resources in the European Union.
Comply with other regional laws as appropraite.
Identify all relevant legislative statutory and regulatory requirements.

Code	Section	Title
HIPAA	45 CFR Part 160, Subpart B (§§ 160.201 - 160.205)	Preemption of State Law

The Board of Directors will
- Ensure that we are in compliance with applicable laws, regulations and rules and with these policies.
The CEO will
- Review and approve these policies and implementation.
The CTO is the Chief Privacy and Security Officer (CPSO) and will
- Implement and manage the the Information Privacy Program and the Information Security Management Program (ISMP).
- Establish, review and approve of these policies.
- Oversee and be responsible for the implementation for these policies.
- Maintain up to date knowledge of compliance technology and laws, rules and regulations, and keep the policies up to date.
- Be the designated HIPAA officer.
- Serve as liaison to government agencies, industry groups and privacy activists in all matters relating to our privacy practices.
All management in all departments will
- Integrate compliance into their projects based on these policies.
- Demonstrate leadership and commitment to compliance.
All employees and contractors will
- Understand and follow all of these policies.
- Safeguard the privacy and confidentiality of PHI.
- Work together to prevent, detect and respond to security and privacy incidents.
- Protect passwords and authentication devices.

Code	Section	Title
HIPAA	164.308(a)(2)	Standard: Assigned security responsibility
SOC2	CC1.1	COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
SOC2	CC1.2	COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
SOC2	CC1.3	COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
SOC2	CC5.3	COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

In case of an investigation by a legal authority
- immediately notify all Responsible Officers, executive management and legal counsel
- verify the identify and legal authority of the investigators
- do not impede, obstruct, or mislead investigators
- under the direction of management, cooperate with the investigators and provide all documentation or assistance required by law
Establish procedures for individuals to complain about our compliance with our privacy policies and procedures and the Privacy Rule.
Do not retaliate against a person for exercising rights provided by law, for assisting in an investigation by appropriate authorities, or for opposing an act or practice that the person believes in good faith violates any standard or requirement.

Follow HIPAA over state law in general, as HIPAA preempts state laws regarding PHI, unless the state law provides stronger protections.
Conflicts between HIPAA and state law do not generally affect us.

Code	Section	Title
ISO	A.18.1	Compliance with legal and contractual requirements
ISO	A.18.1.1	Identification of applicable legislation and contractual requirements
ISO	A.18.1.3	Protection of records
SOC2	CC3.1	COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
SOC2	CC3.1	COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
SOC2	CC3.1	COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.