Information Security Policy & Procedures

Overview

OPIE Choice Network is dedicated to our clients, and their security needs within the HIPAA space. The OPIE Choice Analytics service is designed with security in mind, and we are dedicated to keeping our client’s data, and private information confidential. We have established the below Policies and Procedures to ensure all OPIE Choice Analytics users understand the critically of our client’s data.

Purpose

The purpose of the policy is to provide guidance that limits the use of PHI or ePHI. Additionally, this policy provides direction to ensure that regulations are followed and legal authority is granted for the dissemination and use of encryption technologies. This policy applies to all OPIE employees and its affiliates

Scope

This policy covers the entirety of the OPIE Choice Analytics service.

General Policy

Recognized and Classified PHI and ePHI:

The HIPAA privacy rule protects most ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information.

Encryption Policy

Guidance on the use of encryption technologies to protect ePHI.

Data Breach Response Policy

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications will be provided without unreasonable delay and no later than 5 days following the discovery of a breach. Notifications of smaller breaches affecting fewer than 500 individuals will be submitted to HHS annually. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate.

Incident Response Policy

The Incident Response Policy provides the impetus for security and business teams to integrate their efforts from the perspective of awareness and communication as well as coordinated response in times of crisis. The purpose of this policy is to establish the requirement that all business units supported by the InfoSec team develop and maintain a security response plan. This ensures that InfoSec team has all the necessary information to formulate a successful response should a specific security incident occur.

In case of a security incident with the OPIE Choice Analytics service, the InfoSec team will be available with dedicated team members during non-business hours should an incident occur and escalation be required.

All security issues are categorized into High, Medium and Low based on assessments

Workstation Security Policy

Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information, including protected health information (PHI) and that access to sensitive information is restricted to authorized users. 

Remote Access Policy

Policy Compliance

Compliance Measurement

OPIE Choice Network will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by OPIE Choice Network in advance.