HIPAA and You

Last Modified: April 03, 2017

The following set of sections lays out elements of our policy that you need to adhere to and that we monitor to ensure ongoing compliance.

The full set of policies that we have in place (in case you have further questions or need clarifications) is available here. To see how these policies map to HIPAA requirements, go here.

Downloading PHI data locally

The rule is very simple. You do not need access to PHI data. Do not download, store, or open any communication containing PHI.

Incident Management

Visible Health implements an information security incident response process to consistently detect, respond, and report incidents, minimize loss and destruction, mitigate the weaknesses that were exploited, and restore information system functionality and business continuity as soon as possible.

Your responsibilities in this context are:

Key contacts and roles

Visible Health has a Security Officer and a Privacy Officer appointed to assist in maintaining and enforcing safeguards towards compliance.

The Privacy Officer for Visible Health Inc. is Dave Raring. You all have access to his email and phone number through our internal directory. Under this role, his responsibilities are to:

The Chief Security Officer for Visible Health Inc. is John Cox. You all have access to his email and phone number through our internal directory. Under this role, his responsibilities are to:

Physical Access

You have been given a code to access the offices. Do not share it under any circumstances with anyone outside the company.

Do not let anyone “tailgate” you into the office.

Sanctions

Workforce sanctions are described in more detail here.

In summary,

Violations

System Access

Since we manage critical systems potentially containing sensitive PHI information on behalf of our clients, we need to ensure that all access to systems adheres to the following rules. If you notice any violation of these, please report it immediately to the Chief Security Officer.

  1. All system access must be requested formally from the Privacy Officer or Security Officer via this form. If access is granted, the request will be retained for future reference.
    • You will only be given access if it is deemed necessary to perform your job function. All access requests are treated on a "least-access principle".
  2. Your email ID (and other unique identifiers such as SSH keys) is unique to you and must not be shared with anyone else, within or outside the company.
  3. You have been given a laptop by the company. Only use this laptop for any work related to the company or accessing its systems. Do not utilize any personal systems to do so without explicit permission from the Chief Security Officer.
  4. Passwords must adhere to the following standards:
    • Personal workstation passwords: minimum 8 characters, no dictionary words, at least one number and at least one special character.
    • System-level passwords: all access is primarily governed by keys, for both VPN and SSH.
  5. Ensure your personal workstation is set to log you off and/or lock if you step away from it.
  6. Do not use your laptop for any illegal or harmful activities. If you’re not sure, don’t do it.