Visible Health implements policies and procedures to maintain compliance and integrity of data. The Security Officer and Privacy Officer are responsible for maintaining policies and procedures and assuring all Visible Health workforce members, business associates, customers, and partners adhere to all applicable policies. Previous versions of policies are retained so that the policies in effect at specific historic dates can be found easily.
Applicable Standards from the HITRUST Common Security Framework
- 12.c - Developing and Implementing Continuity Plans Including Information Security
Applicable Standards from the HIPAA Security Rule
- 164.316(a) - Policies and Procedures
- 164.316(b)(1)(i) - Documentation
Maintenance of Policies
- All policies are stored and kept up to date to maintain Visible Health compliance with HIPAA, HITRUST, NIST, and other relevant standards. Updates and version control are handled in a manner similar to source code control.
- Policy update requests can be made by any workforce member at any time. Furthermore, all policies are reviewed annually by both the Security and Privacy Officers to assure they are accurate and up-to-date.
- Edits and updates made by appropriate and authorized workforce members are done on their own versions, or branches. These changes are only merged back into final, or master, versions by the Privacy or Security Officer, in a manner similar to a pull request. All changes are linked to the workforce personnel who made them and the Officer who accepted them.
- All policies are made accessible to all Visible Health workforce members. The current master policies are published here.
- Changes can be requested to policies by creating a JIRA ticket.
- All policies, and associated documentation, are retained for 6 years from the date of their creation or the date when they were last in effect, whichever is later.
- Version history of all Visible Health policies is maintained via GitHub.
- The policies and information security policies are reviewed and audited annually. Issues that come up as part of this process are reviewed by Visible Health management to assure all risks and potential gaps are mitigated and/or fully addressed. The policy review documentation is stored in Box.
Additional documentation related to maintenance of policies is outlined in the Security Officer's responsibilities.