Documentation
MedStack Confidential
Metadata
- responsible officer: CTO
- approved by: CTO
- date
- effective: 2018-06-20
- revised: 2020-11-23
- reviewed: 2022-08-31
- Applicability: standard
Policies and procedures
- Create
- Create appropriate policies and procedures as required by law and as suggested by good business practices and general business ethics.
- Engage third-party experts to guide and review.
- Update
- annually
- in response to environmental or operation changes affecting the privacy or security of information
- as required by law
- Model on and make consistent with
- ISO 27001
- applicable HIPAA Rules and Regulations
- applicable US State laws and statutes
- Canadian legislation (such as PHIPA in Ontario)
- Distribution and storage
- Make all policies and procedures easily available to all employees.
- Require and train all employees to read, understand, and comply with all policies and procedures.
- Do not hold employees accountable for compliance unless they have been given access to the policies and procedures.
| Code | Section | Title |
|---|---|---|
| ISO | A.5.1.1 | Policies for information security |
| ISO | A.5.1.2 | Review of the policies for information security |
| HIPAA | 164.316(a) | Standard: Policies and procedures |
| HIPAA | 164.316(b)(2)(ii) | Updates (Required) |
| SOC2 | CC1.4 | COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. |
| SOC2 | CC5.3 | COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. |
| SOC2 | CC5.3 | COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. |
Documentation
- Document activities governed by these policies.
- Make documentation available to those employees who have a legitimate need for it, and who are authorized to access it.
- Securely maintain and store all documentation.
| Code | Section | Title |
|---|---|---|
| HIPAA | 164.316(b)(1) | Standard: Documentation |
| HIPAA | 164.316(b)(2)(ii) | Availability (Required) |
Retain compliance documentation
- Retain for six years
- from the date of creation, or
- from the date it was last in effect,
- whichever is later.
- This retention requirement does not apply to
- medical records
- Retain the following documentation
- risk analyses and related notes and research materials
- requests, complaints, and their disposition
- contracts, along with amendments, renewals, revisions, and terminations
- the names and titles of officers under these policies and procedures
- training provided (i.e., topics, dates, and, ideally, participants)
- sanctions imposed against non-complying work force members
- signed authorizations and revocations
| Code | Section | Title |
|---|---|---|
| HIPAA | 164.316(b)(2)(i) | Time limit (Required) |
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title |
|---|---|---|
| ISO | A.5 | Information security policies |
| ISO | A.5.1 | Management direction for information security |