Policy Management Policy
Next Health Choice implements policies and procedures to maintain compliance and integrity of data. The Security Officer and Privacy Officer are responsible for maintaining policies and procedures and assuring all Next Health Choice workforce members, business associates, customers, and partners are adherent to all applicable policies. Previous versions of polices are retained to assure ease of finding policies at specific historic dates in time.
Applicable Standards from the HITRUST Common Security Framework
- 12.c - Developing and Implementing Continuity Plans Including Information Security
Applicable Standards from the HIPAA Security Rule
- 164.316(a) - Policies and Procedures
- 164.316(b)(1)(i) - Documentation
Maintenance of Policies
- All policies are stored and up to date to maintain Next Health Choice compliance with HIPAA, HITRUST, NIST, and other relevant standards. Updates and version control is done similar to source code control.
- Policy update requests can be made by any workforce member at any time. Furthermore, all policies are reviewed annually by both the Security and Privacy Officer to assure accurate and up-to-date.
- Edits and updates made by appropriate and authorized workforce members are done on their own versions, or branches. These changes are only merged back into final, or master, versions by the Privacy or Security Officer, similarly to a pull request. All changes are linked to workforce personnel who made them and the Officer who accepted them.
- All policies are made accessible to all Next Health Choice workforce members. The current master policies are published here.
- Changes can be requested to policies using this form.
- All policies, and associated documentation, are retained for 6 years from the date of its creation or the date when it last was in effect, whichever is later
- Version history of all Next Health Choice policies is done via Github.
- Backup storage of all policies is done with Github.
- The policies and information security policies are reviewed and audited annually. Issues that come up as part of this process are reviewed by Next Health Choice management to assure all risks and potential gaps are mitigated and/or fully addressed.
Additional documentation related to maintenance of policies is outlined in the Security officers responsibilities.