RosettaHealth implements policies and procedures to maintain compliance and integrity of data. The Security and Privacy Officer is responsible for maintaining policies and procedures and assuring all RosettaHealth workforce members, business associates, customers, and partners are adherent to all applicable policies. Previous versions of policies are retained to assure ease of finding policies at specific historic dates in time.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 12.c - Developing and Implementing Continuity Plans Including Information Security

Applicable Standards from the HIPAA Security Rule

  • 164.316(a) - Policies and Procedures

  • 164.316(b)(1)(i) - Documentation

Scope of Policies

In accordance with the amended HIPAA Final Rule (Effective Date: March 26, 2013), RosettaHealth commits to enacting, supporting, and maintaining the following procedures and activities, as a minimum, as required by HIPAA:

  1. Privacy Policies and Procedures -- RosettaHealth shall develop and implement written privacy policies and procedures that are consistent with the HIPAA Rules.

  2. Privacy Personnel -- RosettaHealth designated privacy official (Privacy and Security Officer) is responsible for developing and implementing its privacy policies and procedures, and the contact person responsible for receiving complaints and providing individuals with information on RosettaHealth’s privacy practices.

  3. Workforce Training and Management -- Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the RosettaHealth (whether or not they are paid by RosettaHealth). RosettaHealth shall train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their various functions.

  4. Sanctions -- RosettaHealth shall have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures, and/or HIPAA’s Privacy and Security Rules.

  5. Mitigation -- RosettaHealth shall mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.

  6. Data Safeguards -- RosettaHealth shall maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional uses or disclosures of protected health information in violation of the Privacy Rule and its own policies, and to limit the incidental uses and disclosures pursuant to otherwise permitted or required uses or disclosures.

  7. Complaints -- RosettaHealth shall establish procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. RosettaHealth shall explain those procedures in its privacy practices notice.

  8. Retaliation and Waiver -- RosettaHealth shall NOT retaliate against a person for exercising rights provided by HIPAA, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates any HIPAA standard or requirement. RosettaHealth shall not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.

  9. Documentation and Record Retention -- RosettaHealth shall maintain, until at least six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, dispositions of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.

Maintenance of Policies

  1. All policies are stored and updated to maintain RosettaHealth compliance with HIPAA, and other relevant standards.

  2. Policy update requests can be made by any workforce member at any time. Furthermore, all policies are reviewed annually by both the Security and Privacy Officer to assure they are accurate and up-to-date.

  3. RosettaHealth employees may request changes to policies using the following process:

    1. The RosettaHealth employee initiates a policy change request by creating an Issue in the RosettaHealth Quality Management System. The change request may optionally include a GitHub pull request from a separate branch or repository containing the desired changes.

    2. The Security and Privacy Officer is assigned to review the policy change request.

    3. Once the review is completed, the Security and Privacy Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.

    4. If the review is approved, the Security and Privacy Officer then marks the Issue as Done, adding any pertinent notes required.

    5. If the policy change requires technical modifications to production systems, those changes are carried out by authorized personnel.

  4. All policies are made accessible to all RosettaHealth workforce members.

    • Changes are communicated to all RosettaHealth team members via email. These emails include a high-level description of the policy change using terminology appropriate for the target audience.

    • Changes are also communicated during daily scrum meetings directing employee’s attention to the related email.

  5. All policies, and associated documentation, are retained for 6 years from the date of its creation or the date when it last was in effect, whichever is later. A revision history and backup of all RosettaHealth policies is done via DropBox or BitBucket.

  6. The policies are reviewed and audited annually, or after significant changes occur to RosettaHealth’s organizational environment. Issues that come up as part of this process are reviewed by RosettaHealth management to assure all risks and potential gaps are mitigated and/or fully addressed.