OUR BEAUTY PLAN’S INFORMATION SECURITY AND PRIVACY POLICIES AND PROCEDURES

These policies and procedures address requirements under the HIPAA Security, Privacy and Breach Notification Rules as well as other applicable laws and rules where noted.

TABLE OF CONTENTS

I. HIPAA Security Rule

Definitions
Security Officer
Risk Analysis
Information System Activity Review
Workforce Security – Access Limited By Job Function
Terminating Access When Employment Status Changes
Information Access Management
Security Training
Security Awareness
Password Management
Security Incident Reporting, Response and Management Process
Contingency Plan
Evaluation
Physical Safeguards
Workstation Use and Security
Device and Media Controls
Encryption and Transmission of PHI
Business Associates and Subcontractors
Sanctions

II. HIPAA Privacy Rule

Permitted and Required Uses and Disclosures
Prohibition on Unauthorized Use or Disclosure
Complying With the “Minimum-Necessary” Standard
No Intimidating or Retaliatory Acts
Accounting
Documentation
Business Associate Compliance and Investigation Responsibilities

III. HIPAA Breach Notification Rule

Breach Notification Policy

I. HIPAA Security Rule

Policy: Definitions
Regulation: 45 C.F.R. §§ 160.103, 164.304, and 164.402

Definitions
Access means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

Administrative Safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the Covered Entity’s or business associate’s workforce in relation to the protection of that information.

Authentication means the corroboration that a person is the one claimed.

Availability means the property that data or information is accessible and useable upon demand by an authorized person.

Breach means an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the Covered Entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.

Business Associate means any person who, other than in the capacity of a Workforce Member, creates, receives, maintains, or transmits protected health information on behalf of a Covered Entity.

Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.

Covered Entity means a health plan, health care clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a transaction.

Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.

Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

Information System means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.

Malicious Software means software, for example, a virus, designed to damage or disrupt a system.

Our Beauty Plan (OBP) means Sebastian Technology Group, LLC doing business as Our Beauty Plan.

Password means confidential Authentication information composed of a string of characters.

Personal Information (PI) shall mean information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, a financial account number along with a security or access code, a credit or debit card number, a passport number, an alien registration number, a health insurance identification number, any military identification information, medical information, or biometric information such as a fingerprint, voice print, retina or iris image or other unique representation of biometric data that is used to identify an individual. PI also includes a username and password or security questions and answers that would permit access to an on-line account. PI does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

Protected Health Information (PHI) means (1) information created, received, or maintained by OBP from or on behalf of a Covered Entity that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to an individual; and (2) that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, insurance policy number, Social Security Number, etc.). PHI includes information of persons living, or persons deceased for less than 50 years. PHI includes individually identifiable information in both paper and electronic form (electronic PHI is referred to as ePHI).

Physical Safeguards are physical measures, policies, and procedures to protect a Covered Entity’s or business associate’s electronic Information Systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.

Security Incident means the attempted or successful unauthorized Access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System, except that unsuccessful attempts that are trivial in nature are not Security Incidents.

Subcontractor means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.

Technical Safeguards means the technology and the policy and procedures for its use that protect electronic protected health information and control Access to it.

Use means with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

User means a person or entity with authorized Access.

Workforce Member means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or business associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate.

Workstation means an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.

Policy: Security Officer
Regulation: 45 C.F.R. § 164.308(a)(2); 201 CMR § 17.03

Policy
1. OBP shall have a Security Officer who is responsible for overseeing the implementation of OBP’s program for the protection of Confidentiality, Integrity and Availability of electronic protected health information, including the use of Administrative, Physical and Technical Safeguards.

2. The Security Officer may also appoint a designee to act as the Security Officer in the absence of the Security Officer.

3. The appointment of the Security Officer and designee is made in writing and retained by OBP for six (6) years.

4. The Security Officer and designee receive training relevant to their duties.

Procedure

1. OBP’s Owner and Chief Technology Officer shall serve as the Security Officer.

2. The Security Officer shall attend training at least annually on the protection and security of PHI and will retain evidence of such training for six (6) years.

Policy: Risk Analysis
Regulation: 45 C.F.R. § 164.308(a)(1); 201 CMR § 17.03

Policy
OBP will conduct a thorough risk analysis or an update of the risk analysis at least every other year, or more frequently if there are significant system changes, to assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI or PI held by OBP. OBP shall review the risk analysis and implement reasonable security measures to reduce OBP’s risks and vulnerabilities to a reasonable and appropriate level. The Security Officer or the Security Officer’s designee shall oversee the risk analysis.
Procedure
1. OBP’s Security Officer will either perform the risk analysis or engage an outside consultant to do so.
2. The Security Officer will determine whether additional risk analyses or updates are necessary in the event of any systems or operational change.
3. OBP will maintain electronic records relating to the risk analysis and updates.
4. Documentation for all risk analyses shall be kept for a period of six (6) years.

Policy: Information System Activity Review
Regulation: 45 C.F.R. § 164.308(a)(1)

Policy
OBP regularly monitors system activity by reviewing audit logs, Access reports and security incident tracking reports.
Procedure
1. OBP’s IT department utilizes various systems and services to monitor system activity including an automated malware/threat detection service, which provides 24/7 monitoring and notification, and a firewall to ward off denial of service attacks. OBP’s IT department manages and configures these services to ensure adequate levels of protection.
2. Within the OBP application, there is an audit feature that produces audit logs, which will be regularly downloaded and reviewed for usage anomalies.

Policy: Workforce Security – Access Limited By Job Function
Regulation: 45 C.F.R. § 164.308(a)(3); 201 CMR §§ 17.03, 17.04

Policy
It is OBP’s policy to ensure that Workforce Members have appropriate Access to electronic PHI and PI and to prevent those Workforce Members who do not have Access from obtaining Access to such information.
Procedure
1. OBP Workforce Members will have access only to the information necessary to perform their job functions. For example, Workforce Members engaged in IT (including IT product development) may have access to PHI if it is necessary to carry out their job functions but would not have access to employee data, which constitutes PI. On the other hand, a human resources Workforce Member would have access to the PI necessary to carry out their job functions but would not have access to PHI.
2. All Workforce Members will be trained on the concept of minimum necessary (see Minimum Necessary Policy) and will access only the electronic PHI or PI necessary to perform job functions.

Policy: Terminating Access When Employment Status Changes
Regulation: 45 C.F.R. § 164.308(a)(3)(ii)(C)

Policy
It is OBP’s policy to terminate access to electronic PHI or PI when a Workforce Member no longer requires access due to employment termination, change in job function or other change in access needs.
Procedure
1. Terminated Workforce Members will have all access to electronic PHI or PI terminated immediately.
2. Prior to termination of or change in workforce status or job function, the Security Officer or its designee will revoke access privileges or will notify the appropriate service provider to effectuate the revocation.

Policy: Information Access Management
Regulation: 45 C.F.R. § 164.308(a)(4)

Policy
It is OBP’s policy to manage access to electronic PHI and PI through access to a workstation, transaction, program, or process that complies with regulatory obligations.
Procedure
1. Access will be granted to electronic PHI and PI as deemed necessary by the Security Officer or its designee.
2. Annually, OBP shall assess access rights to ensure that only authorized individuals have Access to electronic PHI and PI and that such access is appropriate for those individuals’ job functions.

Policy: Information Security Training
Regulation: 45 C.F.R. § 164.308(a)(5); 201 CMR § 17.03

Policy
It is OBP’s policy to provide training on the security of OBP’s Information Systems to Workforce Members upon hire/engagement and periodically thereafter, as necessary. Additionally, the Security Officer and/or the Security Officer’s designee will provide timely security updates and training, as needed.
Procedure
1. Each OBP Workforce Member receives training on OBP’s Information Systems, security measures and limitations on access and on these Information Security Policies as part of the on-boarding process.
2. Each OBP Workforce Member receives regular cybersecurity training throughout the year. This training may take the form of simulated phishing emails, short videos, shared articles or security updates during regular staff meetings.
3. Documentation of training is retained by OBP for a period of six (6) years.

Policy: Security Awareness
Regulation: 45 C.F.R. § 164.308(a)(5)

Policy
It is OBP’s policy to detect and safeguard its Information Systems against Malicious Software.
Procedure
1. OBP employs an automated malware/threat detection service, which provides 24/7 monitoring and notification to detect and safeguard against Malicious Software on its Information Systems. OBP’s IT department monitors and responds to reports from this service.

Policy: Password Management
Regulation: 45 C.F.R. § 164.308(a)(5)

Policy
It is OBP’s policy to develop procedures that provide for the security and maintenance of passwords for all OBP Information Systems. OBP will use a password manager to store complex and unduplicated passwords for all OBP Information Systems. All OBP Information System passwords must be at least 16 characters long and must contain mixed lower- and upper-case letters and at least one symbol.
Procedure
1. OBP Workforce Members will receive training on proper password management as part of OBP’s security training.
2. OBP Workforce Members will be required to use multifactor authentication to access any OBP Information Systems.
3. OBP Workforce Members will be required to use a password manager to store complex and unduplicated passwords for all OBP Information Systems.
4. If passwords are compromised in any respect, they must be changed immediately in accordance with the password guidelines and an evaluation of any impacted Information System will be performed to determine if there was inappropriate access.

Policy: Security Incident Reporting, Response and Management Process
Regulation: 45 C.F.R. § 164.308(a)(6)

Policy
It is OBP’s policy to identify and respond to suspected or known Security Incidents, to mitigate, to the extent practicable, the harmful effects of Security Incidents that are known to OBP, and to document these Security Incidents and their outcomes.

Procedure
1. The Security Officer will document potential Security Incidents and will perform an initial assessment. During the initial assessment, the Security Officer will determine whether the issue qualifies as a Security Incident based on the Security Officer’s knowledge and expertise.
2. If the issue qualifies as a Security Incident, the Security Officer will take immediate steps to mitigate any harmful effects. If the Security Officer is unable to do so, the Security Officer will promptly engage an IT Security firm directly, through its cyber liability insurance coverage or through legal counsel.
3. Security Incident response will involve: (i) assessment/strategy; (ii) containment of the issue; (iii) eradication of the issue; (iv) restoration; (v) legal review to determine notification requirements; (vi) documentation; and (vii) post-incident review.
4. The Security Officer will maintain a document separate from OBP Information Systems that details emergency contact information of OBP Workforce Members, insurance brokers, IT Security firms, legal counsel and other relevant contacts.
5. The Security Officer will document all steps and outcomes in a Security Incident Report.
6. OBP Workforce Members will be trained at least annually that all suspected Security Incidents must be reported immediately to the Security Officer.

Policy: Contingency Plan
Regulation: 45 C.F.R. § 164.308(a)(7)

Policy
To respond to an emergency or other occurrence (such as a cyber attack or system failure) that damages OBP’s Information Systems containing electronic PHI, it is OBP’s policy to have a data backup plan, disaster recovery plan and emergency mode operation plan. OBP does not maintain a physical location and its Information Systems are cloud-based; therefore, emergencies such as fires, natural disasters and vandalism would not impact OBP’s Information Systems.
Procedure
1. As detailed in the Security Incident Reporting, Response and Management Process Policy, in the event of a cyber attack, OBP will engage an IT security firm through its insurance coverage or legal counsel to assist with security-related issues when warranted.
2. OBP maintains its data with cloud-based providers that back up the data in multiple locations, which allows OBP to create and maintain retrievable exact copies of all files and restore the loss of data.
3. To the extent that the emergency involves inaccessibility of data or loss of data, OBP’s emergency mode of operation will be to notify clients of accessibility issues and OBP will work diligently to restore its most recent backups. Because OBP is not maintaining the actual patient medical record (it is not an electronic health record system), inaccessibility to OBP data may create an inconvenience but it will not create a patient safety issue.
4. OBP shall revisit annually, or at more frequent intervals as determined by the Security Officer, whether it requires a more detailed plan.

Policy: Evaluation
Regulation: 45 C.F.R. § 164.308(a)(8)

Policy
OBP will perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under the above rule and, subsequently, in response to environmental or operational changes affecting the security of electronic PHI and PI, that establishes the extent to which OBP’s security policies and procedures meet regulatory requirements. These operational and environmental changes include, but are not limited to, technology changes, organizational changes, business process changes, and regulatory changes.
Procedure
1. At least annually, OBP will evaluate whether there have been any environmental or operational changes. The evaluation will include consideration of each of the following:
a. Regulatory changes affecting OBP;
b. Information system or technology revisions and deployments;
c. Major workforce changes;
d. Leadership and/or governance structure alterations;
e. Business model adjustments;
f. Mergers and Acquisitions;
g. Policy and procedural modifications not driven by regulatory changes;
h. New or changed administrative, physical, or technical safeguards.
2. At least annually and in response to identified environmental and operational changes affecting the security of electronic PHI and PI, OBP will conduct evaluations of its information security safeguards to demonstrate and document compliance with its security policies.

Policy: Physical Safeguards
Regulation: 45 C.F.R. § 164.310(a)

Policy
It is OBP’s policy to implement policies and procedures to limit physical Access to its Information Systems and to safeguard the OBP equipment from unauthorized physical Access, tampering and theft.
Procedure
1. Most of OBP’s Information Systems are cloud-based. As a result, access to such systems does not require physical security. Further, OBP is a virtual company without a physical office space. As a result, there is no physical facility or server room to protect.
2. Work is performed remotely by Workforce Members. Workforce Members are not permitted to perform work involving the use of or access to electronic PHI in a public location or over public WiFi networks. Workforce Members are obligated to use privacy screens when they are not working in a private office space.

Policy: Workstation Use and Security
Regulation: 45 C.F.R. § 164.310(b)

Policy
It is OBP’s policy to implement policies and procedures to specify the proper functions to be performed on Workstations and how Workstations should be both used and secured.
Procedure
1. The majority of OBP’s Information Systems are cloud-based, thereby reducing the risk of having electronic PHI on local Workstations. Further, all OBP Workforce Members access Information Systems either through a secure Virtual Machine or an OBP-issued computer with appropriate protections installed.
2. OBP will train all OBP Workforce Members to secure any unattended PHI or PI, e.g. to lock computer screens and to use privacy screens.
3. OBP will require that the Workstations of all Workforce Members automatically log off after ten (10) minutes of idle time.

Policy: Device and Media Controls
Regulation: 45 C.F.R. § 164.310(d)

Policy

It is OBP’s policy to implement policies and procedures to oversee OBP’s receipt of hardware and electronic media that contain electronic PHI or PI. This oversight includes destruction and re-use of devices that contain electronic PHI or PI.

Procedure

1. OBP will ensure that all electronic media and hardware it disposes of is properly destroyed. If OBP uses a third party for disposal, it will obtain a certificate detailing the destruction methodology and device destroyed. OBP will not store electronic PHI or PI on local machines or devices as a regular business practice. To the extent that it is necessary to do so, the device shall be encrypted and the files shall be destroyed as soon as practicable.

2. OBP will retain any records relating to the destruction of devices for a period of six (6) years.

3. Prior to re-use of any media that contained electronic PHI or PI, OBP’s Security Officer will either destroy and install a new hard drive or sanitize the hard drive and certify such sanitization prior to re-use.

Policy: Encryption and Transmission of PHI
Regulation: 45 C.F.R. § 164.312(a)(2)(iv) and (e)(2)(ii)

Policy
It is OBP’s policy to implement mechanisms to encrypt and decrypt electronic PHI and PI at rest and in transit when appropriate.
Procedure
1. OBP shall encrypt emails containing any sensitive information including electronic PHI. All OBP Workforce Members will receive training during on-boarding regarding email use and when/how to send encrypted emails.
2. OBP’s desktop and laptop computers are encrypted, and its cloud-based servers are encrypted.
3. When encryption is not reasonable or appropriate, OBP will document why it is not reasonable or appropriate and will implement an alternative safeguard.

Policy: Sanctions
Regulation: 45 C.F.R. §164.308(a)(1)(ii)(C)

Policy
It is OBP’s policy to enforce sanctions against Workforce Members who do not adhere to these Information Security policies.

II. HIPAA Privacy Rule

Policy: Permitted and Required Uses and Disclosures
Regulations: 45 CFR § 164.502(a)(3) and 45 CFR § 164.502(a)(4)(i)-(ii)

Policy
OBP may only use and disclose PHI that it creates or receives to perform services for a Covered Entity as permitted in a services agreement and/or business associate agreement. OBP may also use PHI for the proper management and administration of OBP’s operations or to carry out legal responsibilities, provided that, with respect to disclosure of PHI, either: (A) the disclosure is required by law; or (B) OBP obtains reasonable assurance from any person or entity to which OBP will disclose the PHI. Further, OBP will disclose PHI when required by the Secretary to determine OBP’s compliance with HIPAA regulations and to the appropriate Covered Entity, as necessary to satisfy a Covered Entity’s obligations under § 164.524(c)(2)(ii) and (3)(ii) with respect to an individual’s request for a copy of ePHI.

Policy: Prohibition on Unauthorized Use or Disclosure
Regulations: 45 CFR § 164.502(a)(3)

Policy
OBP will neither use nor disclose PHI, except as permitted or required by a business associate agreement or in writing by a Covered Entity, or as required by law. OBP may not use or disclose PHI in a manner that would violate the Privacy Rule if done by a Covered Entity.

Policy: Complying With the “Minimum-Necessary” Standard
Regulation: 45 CFR §164.502(b)

Policy
OBP will, in its performance of the functions, activities, services, and operations specified in its Business Associate Agreement and/or underlying services agreement with a Covered Entity, make reasonable efforts to use, to disclose, and to request only the minimum amount of PHI reasonably necessary to accomplish the intended purpose of the use, disclosure or request. The phrase “minimum necessary” shall be interpreted in accordance with HIPAA and its implementing regulations.
Procedure
1. OBP shall train all Workforce Members on the minimum necessary standard at least annually and will maintain documentation of such training for a period of six (6) years.

Policy: No Intimidating or Retaliatory Acts
Regulation: 45 CFR § 160.316

Policy

No individual may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA or state data protection law.

Policy: Accounting
Regulation: 45 CFR § 164.528

Policy
OBP shall assist Covered Entities in satisfying their disclosure accounting obligations under HIPAA to the extent that OBP maintains PHI on behalf of the Covered Entity.

Policy: Documentation
Regulation: 45 CFR § 164.316(b)(1)

Policy

OBP’s privacy policies and procedures shall be documented and maintained for at least six years from the date of creation or the date when they were last in effect, whichever is later. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented. All documents will be made available to those who are responsible for implementing the procedures.

Policy: Business Associates and Subcontractors (Privacy and Security)
Regulations: 45 CFR § 164.502(e)(ii) and 45 CFR § 164.504(e)(1)(iii); 45 C.F.R. §§ 164.308(b) and 164.314

Policy

OBP requires that business associate agreements (BAAs) be in place with all Covered Entities under the Health Insurance Portability and Accountability Act of 1993 and its implementing regulations (HIPAA) where OBP meets the definition of a Business Associate. OBP further requires that any Subcontractors that create, receive, maintain, or transmit protected health information under HIPAA (PHI) on behalf of OBP sign a Business Associate Subcontractor Agreement that complies with federal and state law and contains satisfactory assurances that the entity will appropriately safeguard PHI and will not use or disclose such information in a manner that would violate the requirements of federal or state law.
If OBP becomes aware of a pattern of activity or a practice of a Subcontractor that constitutes a material breach or violation of the Subcontractor’s obligation, OBP will require the Subcontractor to take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, OBP will terminate the contract or arrangement, if feasible.
Procedure

1. When PHI is created, transmitted, maintained, or used by OBP as a Business Associate to provide services to a Covered Entity, a Business Associate Agreement (BAA) is required.

2. When PHI is created, transmitted, or used by a Business Associate Subcontractor (BAS) to provide services to OBP, a Business Associate Subcontractor Agreement (BASA) is required.

3. OBP maintains a template BAA and BASA and such agreements should be used whenever possible.

4. OBP’s Owner and Chief Operating Officer is responsible for ensuring that proper BAA and BASAs are in place.

Policy: Business Associate Compliance and Investigation Responsibilities
Regulation: 45 CFR § 160.310

Policy

OBP will provide the Department of Health and Human Services’ Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including PHI, pertinent to determining compliance.

III. HIPAA Breach Notification Rule

Policy: Breach Notification Policy
Regulations: 45 CFR § 164.410 and 45 CFR § 164.412

Policy
OBP will report to the appropriate Covered Entity any breach of unsecured PHI, as well as any use or disclosure of PHI which is not permitted under a services agreement or business associate agreement (BAA). OBP will treat a breach as being discovered in accordance with 45 CFR § 164.410 and report to the Covered Entity as required under the applicable BAA, but in no event later than 60 calendar days after OBP learns of the breach. If a delay is requested by a law-enforcement official in accordance with 45 CFR § 164.412, OBP may delay notifying the Covered Entity for the applicable time period. OBP’s report will at least:
1. Identify the nature of the breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any breach and the date of the discovery of any breach;
2. Identify the PHI that was subject to the non-permitted use or disclosure or breach (such as full name, social security number, date of birth, home address, account number or other involved information) on an individual basis;
3. Identify what corrective or investigational action OBP took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further breaches; and
4. Provide such other information, including a written report, as the Covered Entity may reasonably request.
To the extent that the information at issue constitutes protected PI under applicable state law, OBP shall comply with the applicable notification requirements under state law.
Procedure
1. In the event of a suspected breach, OBP will evaluate the type of information at issue and the circumstances surrounding the suspected breach in light of applicable laws to determine whether there was a breach and whether there are notification or reporting obligations required by law.