Employees Policy

Last Modified: April 03, 2017

Visible Health is committed to ensuring all workforce members actively address security and compliance in their roles at Visible Health. As such, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.

Applicable Standards from the HITRUST Common Security Framework

Applicable Standards from the HIPAA Security Rule

Employment Policies

  1. All new workforce members, including contractors, are given training on security policies and procedures, including operations security, within 30 days of employment.
    • Records of training are kept for all workforce members.
    • Upon completion of training, workforce members complete a form which is signed off by the chiefs.
  2. All workforce members are granted access to formal organizational policies, which include the sanction policy for security violations.
  3. The Visible Health Employee Handbook clearly states the responsibilities and acceptable behavior regarding information system usage, including rules for email, Internet, mobile devices and social media usage.
  4. Visible Health does not allow mobile devices to connect to any of its production networks.
  5. All workforce members are educated about the approved set of tools to be installed on workstations.
  6. All new workforce members are given HIPAA training within 60 days of beginning employment. Training includes HIPAA reporting requirements, including the ability to anonymously report security incidents, and the levels of compliance and obligations for Visible Health and its Customers and Partners.
  7. All remote (teleworking) workforce members are trained on the risks, the controls implemented, their responsibilities, and sanctions associated with violation of policies. Additionally, remote security is maintained through the use of encrypted tunnels for all access to production systems with access to ePHI data.
  8. All Visible Health-purchased and -owned computers are to display this message at login and when the computer is unlocked: “This computer is owned by Visible Health, Inc. By logging in, unlocking, and/or using this computer you acknowledge you have seen, and follow, these policies (https://www.visiblehealth.com/compliance/) and have completed training as instructed by HR. Please contact us if you have problems with this - privacy@visiblehealth.com.”
  9. Access to internal Visible Health systems can be requested using the internal JIRA ticketing system, VH IT OPS board. All requests for access must be granted to the Visible Health Security Officer.
  10. Requests for modification of access for any Visible Health employee can also be made using the internal JIRA ticketing system, VH IT OPS board.

Employee Communication and File Retention Policy

Visible Health employees are issued laptops and in some situations cell phones and tablets. Employees are also allowed to use their personal devices if desired. In both situations, data related to Visible Health and its customers fall under the requirements of this retention policy.

Please note that if an employee has data in a medium that is set on an auto-purge schedule and that data needs to be retained longer, it is the employee’s responsibility to copy or relocate the data into a permanent medium such as Box.com.