Contact us

Privacy retains formal policies and procedures, other critical records, and disclosures of individuals' protected health information for a minimum of six years; for electronic health records, retains records of disclosures to carry out treatment, payment, and health care operations for a minimum of three years.  It keeps vital documents, such as contracts, personnel records, financial information, patient records, and more. implements security control policies such as access controls, encryption, backups, electronic signatures, locked facilities, containers, and more to protect from loss, destruction, and falsification. issues guidelines on the ownership, classification, retention, storage, handling, and disposal of all records and information. Designated senior management within reviews and approves the security categorizations and associated guidelines.

When required, obtains consent before it collects any PII. has established a formal records document retention program. It implements specific controls for record storage, access, retention, and destruction. has formally appointed a data protection officer responsible for the privacy of covered information. It protects records with sensitive personal information during transfer to organizations lawfully collecting such information. It keeps covered information storage to a minimum and specifies where to store it. It protects the confidentiality and integrity of covered information at rest using an encryption method appropriate to the medium where it is stored. When chooses not to encrypt covered information, it maintains a documented rationale for not doing so or uses alternative compensating controls  if the CISO approves the method  and reviews it annually. implements technical means to ensure storage of covered information in organization-specified locations. has created a comprehensive privacy governance program to ensure compliance with applicable laws and regulations regarding the processing of PII by programs and systems.  It tailors the program to meet its operations' structure, scale, volume, sensitivity, updates and periodically monitors them. documents compliance with the notice requirements by retaining copies of the notices it issues for six years and, if applicable, any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written disclosures. documents restrictions in writing and formally maintains such reports, or an electronic copy, as an organizational record for six (6) years.

The public has access to information about's security and privacy activities (via privacy notice) and is able to communicate with its senior security official and senior privacy official. configures workstations that can access electronically protected health information with specifications that address: 

  1. What proper functions to perform;

  2. How to perform those functions;

  3. Physical attributes of the surroundings.

Password Management

Learn more