PRIVACY POLICY
Medical Information Network – North Sound

MIN-NS Security Policy

Effective Date: June 4, 2014

This MIN-NS Security Policy is published by Medical Information Network – North Sound (MIN-NS) and applies to the operation and use of the Services by any MIN-NS Participant.

This Security Policy applies to all Participants and MIN-NS Users, and is subject to each Participant’s Participation Agreement.

The following obligations and requirements are intended to provide for the security of the Services, transactions conducted using the Services, and of the information maintained, stored or transmitted by, through or in the Services.

  1. SECURITY OF SERVICES. MIN-NS shall maintain, or if applicable obtain reasonable assurances that Services Vendors maintain, Reasonable and Appropriate Safeguards for the Services and any Protected Information maintained or stored or in transmission through the Services, or otherwise in the possession or control of MIN-NS or any Services Vendor for purposes of MIN-NS, as required by the Security Rule and consistent with the MIN-NS Policies. MIN-NS may implement supplemental or more stringent safeguards which MIN-NS deems appropriate in MIN-NS’s reasonable discretion.
  2. PARTICIPANT SECURITY ADMINISTRATION. The Participant shall maintain Reasonable and Appropriate Safeguards for its Workforce, Facilities, Information Systems and Authorized Devices used in connection with any Services, including but not limited to the following:
    1. MIN-NS User Clearance. Policies and procedures providing appropriate clearance for its MIN-NS Users.
    2. MIN-NS User Authorization. Policies and procedures for authorizing, and suspending and terminating the authorization of its MIN-NS Users who are authorized to access and use any of the Services and obtain or disclose Protected Information through the Services, on behalf of the Participant.
    3. MIN-NS User Access Limitations. Policies and procedures requiring MIN-NS Users to limit their access to and use of the Services and Protected Information available through the Services to the Minimum Necessary (except for Treatment purposes), and consistent with applicable federal and state law and the MIN-NS Policies.
    4. Acceptable Use Management. Acceptable use management services for the Participant’s Information System(s) and Workstations and access to or use of the Internet or any websites by any MIN-NS User of the Participant’s Information System(s) or Workstations.
    5. Access Controls. Administrative, physical and technical access control Safeguards to prevent parties not authorized as MIN-NS Users by the Participant from using the Participant’s Information System(s) to seek or obtain access to any of the Services, Protected Information available through the Services, or any other Information System, and to detect and respond to any such unauthorized activity.
    6. Workstation and Device Management. Policies and procedures for the authorization and secure operation and disposal of all Authorized Devices which the Participant permits its MIN-NS Users to use in order to access any Service. MIN-NS may limit or prohibit the use of certain types of device as Authorized Devices, for example smartphones, if their security has not been adequately demonstrated to MIN-NS’s satisfaction in its sole discretion.
    7. Protected Information Lifecycle. Policies and procedures governing the retention, inclusion in records and disposal or destruction of Protected Information obtained by or through any Service.
    8. MIN-NS User Training. Appropriate and adequate training to all MIN-NS Users in the requirements of applicable federal and state laws, the MIN-NS Policies and all applicable Schedules.
    9. Sanctions for Violations. Sanctions and disciplinary procedures for the Participant’s MIN-NS Users and other members of the Participant’s Workforce and any other person subject to the Participant’s authority, for accessing or using any Service in violation of applicable federal or state laws, any MIN-NS policy, procedure or Schedule, or the Participant’s policies, procedures or technical controls implemented for purposes of access to and use of the Services.
    10. Audit Trails. Audit logs for transactions in which any Protected Information is transmitted to or from any of the Services and the Participant’s Information System(s) or Authorized Devices.
    11. Software Management. Patch management, change management and updating policies and procedures for hardware and software included in the Participant’s Information System(s) and Authorized Devices which may be used to access any Service.
    12. Malware Protection. Anti-virus and other anti-malware software or other applications intended to identify, prevent the download of, disable, uninstall or otherwise affect any computer virus, worm, "Trojan horse," spyware, or other potentially harmful software in or accessing Participant’s Information System(s) or Authorized Devices, and/or using them to access any Service, or the Information System of any party.
    13. Any other Safeguard MIN-NS has determined is Reasonable and Appropriate to protect (a) any Service, (b) the Information System or Authorized Devices of any party, or (c) any information, including but not limited to Protected Information.
  2. SECURITY INCIDENTS AND BREACHES. MIN-NS, all Participants and all MIN-NS Users shall comply with the following Security Incident and Breach Response Policies:
    3. Monitoring.
      3.1. Services Monitoring. MIN-NS shall be responsible for monitoring or providing for the monitoring of activity in all Services, and in any Information System used to host, operate or manage a Service, and at Facilities where equipment used to host, operate or manage the Services is located.
      3.2. Participant Monitoring. Each Participant shall be responsible for monitoring activity on its Information System(s), on its Workstations and other Authorized Devices, and at its Facilities.
    4. Reporting of Security Incidents and Unauthorized PHI Uses/Disclosure.
      4.1. MIN-NS Reporting. MIN-NS shall report to the Participant any Security Incident or Unauthorized Use or Disclosure of Protected Health Information of which it becomes aware which affects Protected Information of the Participant.
      4.2. Participant Reporting. Each Participant shall report to MIN-NS any Security Incident or Unauthorized Use or Disclosure of Protected Health Information of which it becomes aware, which may affect or involve the use or access to any Service.
      4.3. MIN-NS User Reporting. All MIN-NS Users shall report to their Participant any Security Incident or Unauthorized Use or Disclosure of Protected Health Information of which they become aware, which may affect or involve the use or access to any Service.
    5. Security Incident Investigation.
      5.1. MIN-NS Investigation. MIN-NS shall investigate any Security Incident which may affect or have affected any Service or any Information System used to host, operate or manage a Service, or any Protected Information maintained, stored or in transmission or processing in a Service, promptly upon receiving notice from a Participant or other information which reasonably indicates the potential occurrence of such an event. MIN-NS shall document the results of each such investigation. MIN-NS shall provide for reasonable periodic reporting of Security Incident information to the Participant, and shall promptly report any Security Incident to the Participant which presents or indicates a potentially material threat to the Participant’s Protected Information, Information System(s) or Authorized Devices, or which may constitute a Security Breach.
      5.2. Participant Investigation. Each Participant shall investigate any reported Security Incident involving access to or use of any Service (a) from or by use of Participant’s Information System or any other equipment or device of Participant, Authorized or otherwise, (b) by use of a User Name and/or Password issued to a MIN-NS User of the Participant, or (c) by a MIN-NS User of the Participant contrary to any MIN-NS Policy, promptly upon receiving notice from MIN-NS or other information which reasonably indicates the occurrence of such an event. The Participant shall document the results of each such investigation. The Participant shall permit MIN-NS to review such documentation on a reasonable basis, and shall promptly report to MIN-NS any Security Incident which presents or indicates a potentially material threat to any Service or any other Participant’s Protected Information, Information System(s) or Workstations or other equipment or devices, or which may constitute a Security Breach.
    6. Security Incident Mitigation and Remediation. All affected parties shall share information about the results of their Security Incident investigations, and cooperate in determining and implementing measures to mitigate the harmful effects of any given incident and prevent other incidents of the same type, to the extent practicable.
      6.1. Law Enforcement Notification. Any party may notify appropriate law enforcement agencies in the event it believes a Security Incident which affects it is a crime or the result of criminal activity.
      6.2. Security Breach Notification. In the event a Security Incident or Unauthorized Use or Disclosure of Protected Health Information is also a Security Breach, the parties shall notify potentially affected individuals and applicable regulatory authorities as follows:
      1. Each affected Participant which has a direct provider-patient, plan-member or entity-customer relationship with potentially affected individuals shall have primary responsibility for their notification, if required by law or elected by the Participant.
      2. Each affected Participant is primarily responsible for notification of regulatory authorities, if required by law or elected by the Participant.
      3. Any notification to potentially affected individuals or to regulatory authorities shall be deemed notification as well by MIN-NS (and any affected Services Vendor, if applicable) and each shall be identified as a notifying party, unless such party directs otherwise in writing.
      4. In the event an affected Participant elects not to or fails to timely notify potentially affected individuals or regulatory authorities as provided above, and MIN-NS reasonably determines that it may be required to give such notification by law, MIN-NS may give such notification at its discretion.
  1. MIN-NS REMEDIES FOR PARTICIPANT SECURITY MANAGEMENT FAILURE. In the event that MIN-NS determines that a failure by a Participant to comply with Section 2 of this Security Policy creates a material vulnerability potentially affecting (a) any Service, (b) the Information System or any other equipment or device of any party, or (c) any information, including but not limited to Protected Information, MIN-NS shall promptly notify the Participant and may, at MIN-NS’s reasonable discretion, suspend or limit access to and/or use of some or all of the Services by some or all of the Participant’s MIN-NS Users, and/or from some or all of the Participant’s Information System(s) and/or Authorized Devices, as MIN-NS may determine is reasonably prudent. Such a failure by the Participant shall be deemed a Curable Breach, provided that upon receipt of notice of such a breach the Participant shall use its best efforts to come into compliance with this Security Policy. Upon MIN-NS’s reasonable satisfaction that the Participant is in compliance with Paragraph 2 of this Security Policy, MIN-NS shall terminate the suspension. In the event of a continuing failure to come into compliance by the Participant, MIN-NS may proceed to terminate the Participation Agreement as provided therein.
  2. PARTICIPANT REMEDIES FOR SERVICES SECURITY MANAGEMENT FAILURE. In the event that the Participant determines that a failure by MIN-NS to comply with Section 1 of this Security Policy creates a material vulnerability potentially affecting (a) the Participant’s Information System or (b) any information, including but not limited to Protected Information, accessible in or through the Participant’s Information System, the Participant shall promptly notify MIN-NS and may, at the Participant’s sole discretion, suspend or limit access to and/or use of any or all of the Services by some or all of the Participant’s MIN-NS Users, and/or from the Participant’s Information System(s), as the Participant may determine is reasonably prudent in order to mitigate the vulnerability. Such a failure by MIN-NS shall be deemed a Curable Breach, provided that upon receipt of such notice MIN-NS shall use its best efforts to come into compliance with this Security Policy. Upon the Participant’s reasonable satisfaction that the Participant is in compliance with Paragraph 1 of this Security Policy, MIN-NS shall terminate the suspension. The Participant shall not be liable for any fees payable for any of the Services during any period of suspension under this Section, or for any reactivation fees following such suspension.

MIN-NS Washington HIE Security Policy Effective Date: June 4, 2012