Policy Management Policy

Pact implements policies and procedures to maintain compliance and the integrity of data. The Security Officer and Privacy Officer are responsible for maintaining policies and procedures and for ensuring that all Pact workforce members, business associates, customers, and partners adhere to all applicable policies. Previous versions of policies are retained so that the policies in effect at any specific historic date can be readily found.

Applicable Standards from the HITRUST Common Security Framework

  • 12.c - Developing and Implementing Continuity Plans Including Information Security

Applicable Standards from the HIPAA Security Rule

  • 164.316(a) - Policies and Procedures
  • 164.316(b)(1)(i) - Documentation

Maintenance of Policies

  1. All policies are stored and kept up to date to maintain Pact compliance with HIPAA, HITRUST, NIST, and other relevant standards. Updates and version control are handled similarly to source code control.
  2. Policy update requests can be made by any workforce member at any time. Furthermore, all policies are reviewed annually by both the Security Officer and the Privacy Officer to ensure that they are accurate and up to date.
  3. Edits and updates made by appropriate and authorized workforce members are done on their own versions, or branches. These changes are only merged back into final, or master, versions by the Privacy or Security Officer, similarly to a pull request. All changes are linked to workforce personnel who made them and the Officer who accepted them. #TODO - change links to point to Pact
  4. All policies are made accessible to all Pact workforce members. The current master policies are published here.
    • Changes can be requested to policies using this form.
  5. All policies, and associated documentation, are retained for 6 years from the date of their creation or the date when they were last in effect, whichever is later.
    1. Version history of all Catalyze policies is done via Github.
    2. Backup storage of all policies is done with Box.
  6. Policies, including information security policies, are reviewed and audited annually. Issues that come up as part of this process are reviewed by Catalyze management to ensure that all risks and potential gaps are mitigated and/or fully addressed. The policy review form can be found here.

Not sure if this is necessary

  1. Catalyze utilizes the HITRUST MyCSF framework to track compliance with the HITRUST CSF on an annual basis. Catalyze also tracks compliance with HIPAA and publishes results here.

Additional documentation related to the maintenance of policies is outlined in the Security Officer's responsibilities.