Privacy Policies and User Agreement

PIPEDA

Purpose of this privacy policy

Entreprise Dentist.Business Inc. is a Canadian company with focus in IT, R&D, Outsourcing and Consulting. With client-centric approach to help grow your business along with a proven track record of successfully delivered projects. Entreprise Dentist.Business Inc.’s collaboration with its R&D centers supplies 24/7 service and support in project delivery and outsourcing, quality IT solutions that facilitate and add value to Entreprise Dentist.Business Inc.’s clients. Entreprise Dentist.Business Inc. offers a full spectrum custom software services, including web and mobile application development. Our R&D center and trusted partners accumulate more than 1500 world-class IT specialists working on each of our projects. Entreprise Dentist.Business Inc. owns the following applications: homecareit.ca, dentist.business, ehealthmatrix.ca

This privacy policy has been developed to comply with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). The purpose of this policy is to establish requirements for proper handling of Protected Health Information (PHI) through the adoption of an Information Privacy and Security Management Process for Entreprise Dentist.Business Inc. and to comply with any other applicable information security regulations and protect the overall security of the organization. The process includes analysis and management of risks, implementation of secure systems and applications, the use of security incident procedures to learn from prior issues, information system usage audits and activity reviews, regular security evaluations and regulation compliance assessments, training for all staff using electronic information systems, and documentation of compliance activities.

PIPEDA sets out rules for the collection, use and disclosure of personal information in the course of commercial activity as defined in the Act.

The Ten Principles of PIPEDA Summarized

The ten Principles of PIPEDA in the foundation of this Privacy Policy are as following:

Accountability: organizations are accountable for the personal information they collect, use, retain and disclose in the course of their commercial activities, including, but not limited to, the appointment of a Chief Privacy Officer;

Identifying Purposes: organizations are to explain the purposes for which the information is being used at the time of collection and can only be used for those purposes;

Consent: organizations must obtain an Individual’s express or implied consent when they collect, use, or disclose the individual’s personal information;

Limiting Collection: the collection of personal information must be limited to only the amount and type that is reasonably necessary for the identified purposes;

Limiting Use, Disclosure and Retention: personal information must be used for only the identified purposes, and must not be disclosed to third parties unless the Individual consents to the alternative use or disclosure;

Accuracy: organizations are required to keep personal information in active files accurate and up-to-date;

Safeguards: organizations are to use physical, organizational, and technological safeguards to protect personal information from unauthorized access or disclosure.

Openness: organizations must inform their clients and train their employees about their privacy policies and procedures;

Individual Access: an individual has a right to access personal information held by an organization and to challenge its accuracy if need be; and

Provide Recourse: organizations are to inform clients and employees of how to bring a request for access, or complaint, to the Chief Privacy Officer, and respond promptly to a request or complaint by the individual.

This Privacy Policy applies to Entreprise Dentist.Business Inc. employees and contracted partners. As well, Entreprise Dentist.Business Inc. ensures that all third party service providers sign Confidentiality Agreements prior to any transfer of any personal information in the course of any project or consulting services.

Definitions

“Personal information” information about an identifiable individual and can include name, mailing address, phone number, email address. Entreprise Dentist.Business Inc. collects uses and discloses personal information only for those purposes necessary to administer registration and membership; establish and maintain communications with members, registrants, contacts; facilitate registrations for sessions and respond to inquiries.

“Business information” means business name, business address, business telephone number, name(s) of owner(s), officer(s) and director(s), job titles, business registration numbers (GST, RST, source deductions), financial status. Although business information is not subject to PIPEDA, confidentiality of business information will be treated with the same security measures by Entreprise Dentist.Business Inc. staff and as is required for individual personal information under PIPEDA.

“Individual” means the client’s owner(s) or patient’s and/or any person associated with a client.

“Application” means the application form or related forms completed by the individual(s) to request an appointment through the Entreprise Dentist.Business Inc. application.

“Database” means the list of names, addresses and telephone numbers of clients and individuals held by Entreprise Dentist.Business Inc. in the forms of, but not limited to, computer files, paper files, and files on computer hard-drives.

“File” means the information collected in the course of processing an application, as well as information collected/updated to maintain /service the account.

“Express consent” means the individual signs the application, or other forms containing personal information, authorizing Entreprise Dentist.Business Inc. to collect, use, and disclose the individual’s personal information for the purposes set out in the application and/or forms.

“Implied Consent” means the organization may assume that the individual consents to the information being used, retained and disclosed for the original purposes, unless notified by the individual.

“Third Party” means a person or company that provides services to Entreprise Dentist.Business Inc. in support of the programs, benefits, and other services offered by Entreprise Dentist.Business Inc., such as persons with whom the individual or client does business, but does not include any Government office, health services office or department to whom Entreprise Dentist.Business Inc. reports in the delivery of such services.

Overall Policy Statement including purpose

Organization is committed to safe guarding the personal information entrusted by members, subscribers, registrants, contacts, board members, and person providing services. (Description of individual varies.) The statement outlines the policies and practices to be followed to protect personal information based on the requirements in PIPEDA, the Personal Information Protection and Electronics Documents Act.

Collection, Use and Disclosure

Collection, use and disclosure of confidential information occurs with the knowledge and consent of the individual except, where collection, use and disclosure is permitted by law without consent. The organization will ask for consent to collect, use or disclose an individual’s personal information, except in specific circumstances where release of the information without consent is required by law. The information must be used for the purpose for which the information was collected. If the organization is going to use it for another purpose then consent must be obtained. Included can be a statement as to whether the organization is implying consent or is asking for express consent and indicate how consent is managed. The organization will not disclose information to Third Parties. A member may withdraw consent to the collection, use and disclosure of personal information at any time with the understanding that this action may hamper or prevent the provision of service by the organization.

Consent

An individual’s express, written consent will be obtained before or at the time of collecting personal information. The purposes for the collection, use or disclosure of the personal information will be provided to the individual at the time of seeking his or her consent. Once consent is obtained from the individual to use his or her information for those purposes, Entreprise Dentist.Business Inc. has the individual’s implied consent to collect or receive any supplementary information that is necessary to fulfil the same purposes. Express consent will also be obtained if, or when, a new use is identified.

Limiting collection

Personal information collected will be limited to the purposes set out in this Privacy Policy.

Security and Safeguards

The Organization makes every reasonable effort to prevent any loss, misuse, disclosure or modification of personal information as well as any unauthorized access to personal information. Such practices such as locked cabinets, computer password, firewalls, encryption, and internal organizational tools such as restricted access, shredding and permanent deletion of electronic records. The organization may process payments through a site such as PayPal. Billing and credit card information are stored not on the Organizations’ server but on a secure PayPal server that sits behind an electronic firewall and are not connected to the internet.

All inactive files or personal information no longer required are shredded prior to disposal to prevent inadvertent disclosure to unauthorized persons.

Technological Safeguards

Personal information contained in Entreprise Dentist.Business Inc. computers and electronic data storage are password protected in accordance with Entreprise Dentist.Business Inc.’s Internal Security Policy. Access to any of Entreprise Dentist.Business Inc. computers also is password protected. Entreprise Dentist.Business Inc.’s Internet router or server has firewall protection sufficient to protect personal and confidential business information against virus attacks and “sniffer” software arising from Internet activity. Personal information is not transferred to any third parties by e-mail or other electronic form.

Access and Amend Personal Information

Individuals have a right to access and amend their personal information as kept by the organization and may make a request for access through an email to the named contact person.

Limiting Use, Disclosure and Retention

Use of Personal Information

Personal information will be used for only those purposes to which the individual has consented with the following exceptions, as permitted under PIPEDA:

Entreprise Dentist.Business Inc. will use personal information without the individual’s consent, where:

• the organization has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
• an emergency exists that threatens an individual’s life, health or security;
• the information is publicly available;
• the use is clearly in the individual’s interest, and consent is not available in a timely way;
• knowledge and consent would compromise the availability or accuracy of the information, and
• collection is required to investigate a breach of an agreement.

Disclosure and Transfer of Personal Information

Personal information will be disclosed to only those Entreprise Dentist.Business Inc. employees, members and third parties that need to know the information for the purposes of their work or providing of professional services.

Personal information will be disclosed to third parties with the individual’s knowledge and consent.

PIPEDA permits disclosure of personal information to third parties, without an individual’s knowledge and consent, to:

• a lawyer representing Entreprise Dentist.Business Inc.;
• collect a debt owed to Entreprise Dentist.Business Inc. by the individual, client or third party;
• comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction;
• a law enforcement agency in the process of a civil or criminal investigation; a government agency or department requesting the information; or,
• as required by law.

PIPEDA permits Entreprise Dentist.Business Inc. to transfer personal information to a third party, without the individual’s knowledge or consent, if the transfer is simply for processing purposes and the third party only uses the information for the purposes for which it was transferred. Entreprise Dentist.Business Inc. will ensure that the third party protects the information and uses it only for the purposes for which it was transferred.

Retention of Personal Information

Personal information will be retained in client files as long as the file is active and for such periods of time as may be prescribed by applicable laws and regulations.

Accuracy

Entreprise Dentist.Business Inc. endeavours to ensure that any personal information provided by the individual in his or her active file(s) is accurate, current and complete as is necessary to fulfill the purposes for which the information has been collected, used, retained and disclosed. Individuals are requested to notify Entreprise Dentist.Business Inc. of any change in personal or business information. Information contained in inactive files is not updated.

Openness

Entreprise Dentist.Business Inc. will endeavour to make its privacy policies and procedures known to the individual via this Privacy Policy.

Complaints/Recourse

If an individual has a concern about Entreprise Dentist.Business Inc.’s personal information handling practises, a complaint, in writing, may be directed to the Entreprise Dentist.Business Inc.’s Information Security Officer.

Upon verification of the individual’s identity, Entreprise Dentist.Business Inc.’s Information Security Officer will act promptly to investigate the complaint and provide a written report of the investigation’s findings to the individual.

Furthermore, the necessary steps to correct the offending information handling practise and/or revise Entreprise Dentist.Business Inc.’s privacy policies and procedures will be taken. In case Entreprise Dentist.Business Inc.’s Information Security Officer determines that the individual’s complaint is not well founded, the individual will be notified in writing.

If the individual is dissatisfied with the finding and corresponding action taken by Entreprise Dentist.Business Inc.’s Information Security Officer, the individual may bring a complaint to the Federal Privacy Commissioner at the address below:

The Privacy Commissioner of Canada

https://www.priv.gc.ca

Questions/Access Request/Complaint

Any questions regarding this or any other privacy policy of Entreprise Dentist.Business Inc. may be directed to the Information Security Officer. Requests for access to information, or to make a complaint, are to be made in writing and sent to Entreprise Dentist.Business Inc. at the address below:

Information Security Officer: Email address: go@dentist.business

Date Created: January 25th, 2018

HIPAA Privacy and Security Policy and Procedures

Security 1.0: Assigned Security Responsibility

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Assigned Security Responsibility.

Policy Number: Security 1.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy:

HIPAA Regulation:164.308(a)(2) Assigned security responsibility At all times Entreprise Dentist.Business Inc. shall have one

individual identified and assigned to HIPAA security responsibility.

The HIPAA Security Officer is responsible for the oversight of Security Rule implementation by department and has the ultimate responsibility for ensuring HIPAA Security Rule policies are implemented and followed. Responsibilities include:

1. Ensure that the necessary and appropriate HIPAA related policies are developed

and implemented to safeguard the integrity, confidentiality, and availability of Electronic Protected Health Information (ePHI) within Entreprise Dentist.Business Inc..

1. Ensure that the necessary infrastructure of personnel, procedures and systems are in place:
   1. To develop and implement the necessary HIPAA related policies.
   2. To monitor, audit and review compliance with all HIPAA related policies.
   3. To provide a mechanism for reporting incidents and HIPAA security
2. violations.
3. Act as a spokesperson and single point of contact for Entreprise Dentist.Business Inc. in all issues relating to HIPAA security.

1. The job title and duties shall be documented further within the Full Policy found below.

Full Policy Language:

HIPAA Regulation: 164.308(a)(2) Assigned security responsibility

Policy Purpose: At all times Entreprise Dentist.Business Inc. shall have one individual identified and assigned to HIPAA security responsibility.

Policy Description:

The HIPAA Security Officer is responsible for the oversight of the Security Rule and its implementation. They also have the ultimate authority and responsibility for ensuring HIPAA Security Rule policies are implemented and followed.

Responsibilities include:

1. Ensuring that the necessary and appropriate HIPAA related policies are developed and implemented to safeguard the integrity, confidentiality, and availability of electronic protected health information (ePHI) within Entreprise Dentist.Business Inc..
2. Ensuring that the necessary infrastructure of personnel, procedures, and systems are in place:

1. To develop and implement the necessary HIPAA policies;
2. To monitor, audit and review compliance with all HIPAA policies; and
3. To provide a mechanism for reporting incidents and HIPAA security violations.

1. Act as a spokesperson and single point of contact for Entreprise Dentist.Business Inc. in all issues relating to HIPAA security.
2. The job title and duties shall be documented within the Security Officer’s Job Description.

Policy Responsibilities:

The above HIPAA Security Officer responsibilities are assigned to the Olena Pomazanova, President, Privacy/Security Officer for Entreprise Dentist.Business Inc. Entreprise Dentist.Business Inc. current Security Officer is identified as Olena Pomazanova, President, Privacy/Security Officer who is the person that is responsible as the Security Officer.

The HIPAA Security Officer shall carry out the assigned responsibilities in coordination with their Job Description.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
  • ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 2.0: User Access Management

Company Name: Entreprise Dentist.Business Inc..

Policy Name: User Access Management.

Policy Number: Security 2.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.308(a)(3)

This policy establishes rules for authorizing access to the computing network, applications, workstations, and to areas where Electronic Protected Health Information (ePHI) is accessible.

Workforce members that need access to ePHI will need authorization when working with ePHI or when working in locations where it resides.

Workforce security includes ensuring that only workforce members who require access to ePHI for work related activities shall be granted access. When work activities no longer require access, authorization shall be terminated.

In addition, this policy provides guidelines on how user access is routinely reviewed and updated.

Aspects of this policy specifically concern:

Management and Access Control;

Rules for Minimum Necessary Access;

How we Grant Access to ePHI;

How we Screen Workforce members Prior to Access;

Why we maintain Signed Security Acknowledgements;

What Security Awareness is required Prior to getting Access; Procedures for Granting Access in an Emergency; Modifications to the Workforce members Access;

Ongoing Compliance for Access;

And Termination of Access

Full Policy Language:

HIPAA Regulation:

• 164.308(a)(3) Workforce security
• 164.308(a)(3) Authorization and/or supervision
• 164.308(a)(3) Workforce clearance procedure
• 164.308(a)(3) Termination procedures
• 164.308(a)(4) Information access management
• 164.308(a)(4) Access authorization
• 164.308(a)(4) Access establishment and modification
• 164.312(a)(1) Access control
• 164.312(c)(1) Integrity
• 164.312(a)(1) Emergency access procedurePolicy Purpose:The intent of this policy is to establish rules for authorizing access to the computing network, applications, workstations, and to areas where ePHI is accessible. Workforce members that require access to ePHI will need authorization when working with ePHI or when working in locations where it resides. Workforce security includes ensuring that only workforce members who require access to ePHI for work related activities shall be granted access. When work activities no longer require access, authorization shall be terminated. In addition, this policy provides guidelines on how user access is routinely reviewed and updated.Policy Description:Management and Access ControlOnly the workforce member’s supervisor or manager can grant access to Entreprise Dentist.Business Inc. ePHI information systems.Access to the information system or application may be revoked or suspended, consistent with Entreprise Dentist.Business Inc. policies and practices, if there is evidence that an individual is misusing information or resources. Any individual whose access is revoked or suspended may be subject to disciplinary action or other appropriate corrective measures. Minimum Necessary Access Entreprise Dentist.Business Inc. shall ensure that only workforce members who require access to Electronic Protected Health Information (ePHI) are granted access. Each supervisor or manager is responsible for ensuring that the access to ePHI granted to each of his or her subordinates is the minimum necessary access required for each subordinate’s job role and responsibilities. If the user no longer requires access, it is the supervisor or manager’s responsibility to complete the necessary process to terminate access.

Granting Access to ePHI

Screen Workforce Members Prior to Access

The manager or supervisor shall ensure that information access is granted only after first verifying that the access of a workforce member to ePHI is appropriate.

Sign Security Acknowledgement

Prior to being issued a User ID or log on account to access any ePHI, each workforce member shall sign Entreprise Dentist.Business Inc. Confidentiality Agreement or an Acknowledgement of Information Security Responsibility before access is granted to the network or any application that contains ePHI, and thereafter shall comply with all Entreprise Dentist.Business Inc. security policies and procedures.

Security Awareness Prior to Getting Access

Before access is granted in any of the various systems or applications that contain ePHI, workforce members shall be trained to a minimum standard including:

1. Proper uses and disclosures of the ePHI stored is systems or application(s)
2. How to properly log on and log off the systems or application(s)
3. Protocols for correcting user errors
4. Instructions on contacting a designated person or help desk when ePHI may have been altered or destroyed in error
5. Reporting a potential or actual security breach

Management Approval

Entreprise Dentist.Business Inc. shall implement the following policies:

1. User IDs or log on accounts can only be assigned with management approval.
2. Managers are responsible for requesting the appropriate level of computer access for staff to perform their job function.
3. All requests regarding User IDs or computer system access for workforce members are to be communicated to the appropriate individuals by email, for tracking purposes for Entreprise Dentist.Business Inc. All requests shall be made in writing (which may be in an electronic format).
4. System administrators are required to process only those requests that have been authorized by managers.
5. Request is to be retained by the system administrator for a minimum of 1 year.

Granting Access in an Emergency

Emergency User Access

Management has the authority to grant emergency access for workforce members who have not completed the normal HIPAA access requirements if:

1. The facility declares an emergency or is responding to a natural disaster that makes the management of client information security secondary to immediate personnel safety activities.
2. Management determines that granting immediate access is in the best interest of the client.

If management grants emergency access, she/he shall review the impact of emergency access and document the event within 24 hours of it being granted.

After the emergency event is over, the user access shall be removed or the workforce member shall complete the normal requirements for being granted access.

Granting Emergency Access to an Existing User Access Account

In some circumstances it may be necessary for management to grant emergency access to a user’s account without the user’s knowledge or permission. Management may grant this emergency access in these situations:

1. The workforce member terminates or resigns and management requires access to the person’s data;
2. The workforce member is out for a prolonged period;
3. The workforce member has not been in attendance and therefore is assume to have resigned; or
4. Manager/supervisor needs immediate access to data on a workforce member’s computer in order to provide client treatment.

Termination of Access

The department manager or his/her designated representative is responsible for terminating a workforce member’s access to ePHI in these circumstances:

1. If management has evidence or reason to believe that the individual is using information systems or resources in a manner inconsistent with the Security Rule policies.
2. If the workforce member or management has evidence or reason to believe the user’s password has been compromised.
3. If the employee resigns, is terminated, is suspended, retires, or is away on unapproved leave.
4. If the employee’s job description changes and system access is no longer justified by the new job description.

If the workforce member is on an approved leave of absence and the user’s system access will not be required for more than three weeks, management shall suspend the user’s account until the workforce member returns from their leave of absence.

Modifications to the Workforce members Access

If a workforce member transfers to another program or changes role(s) within the same program within Entreprise Dentist.Business Inc.:

1. The workforce member’s new supervisor or manager is responsible for evaluating the member’s current access and for requesting new access to ePHI commensurate with the workforce member’s new role and responsibilities.

If a workforce member transfers to another program or department outside of Entreprise Dentist.Business Inc.:

1. The workforce member’s access to ePHI within his or her current unit shall be terminated as of the date of transfer.
2. The workforce member’s new supervisor or manager is responsible for requesting access to ePHI commensurate with the workforce member’s new role and responsibilities.

Ongoing Compliance for Access

In order to ensure that workforce members only have access to ePHI when it is required for their job function, the following actions shall be implemented by Entreprise Dentist.Business Inc.:

1. Every new User ID or log on account that has not been used after 30 consecutive calendar days since creation shall be investigated to determine if the workforce member still requires access to the ePHI.
2. At least every six months, IT teams are required to send supervisors/managers (or appropriate designees):
   1. A list of all workforce members for all applications.
   2. A list of workforce members and their access rights for all shared folders that contain ePHI, and
   3. A list of all Virtual Private Network (VPN) workforce members.
3. The supervisors/managers shall then notify their IT teams of any workforce members that no longer require access.

Policy Responsibilities:

Security Officer or Designee Responsibilities:

1. Work with System Administrator to arrange an email to Security Officer with the names of workforce members who are terminating or transferring out of Entreprise Dentist.Business Inc., along with the individual’s supervisor’s name and the effective date.
2. Work with HR or their designee to arrange a process to immediately email and telephone IT and Facilities Management if a workforce member is being released from probation or terminated with cause. The HR division shall provide the workforce member’s name, supervisor’s name and effective date, so that access can be discontinued when the personnel action is effective.

Entreprise Dentist.Business Inc. IT Team(s) Responsibilities: Account Management

1. Immediately, upon written notification, the worker’s access to ePHI shall be removed.
2. A report shall be created that identifies new User IDs or log on accounts not accessed within 30 days of creation.
3. A report shall be provided every six months to the manager/supervisor or designee documenting workers with access to ePHI, and requesting verification that access is still required to fulfill the worker’s job functions.

Managers and Supervisors Responsibilities:

1. Each manager/supervisor is responsible for ensuring that the access to ePHI granted to each of his or her subordinates is the minimum necessary access required for each such subordinate’s job role and responsibilities.
2. If the user no longer requires access, it is the manager/supervisor’s responsibility to complete the necessary paperwork as soon as possible to terminate access.
3. The manager/supervisor shall validate new User IDs or log on accounts that are not accessed within 30 days of creation. If access is no longer required, the User ID shall be deleted.
4. Semi-annual user and folder access reports and the VPN access reports prepared by the IT team shall be reviewed and verified to determine if the workforce members still require access to the ePHI.
5. The manager/supervisor shall ensure members of the workforce have signed the IT security agreement and are properly trained before approving access to ePHI.

User Responsibility:

Each user shall read and attest to Entreprise Dentist.Business Inc. IT Security Policies, sign Entreprise Dentist.Business Inc. HIPAA Confidentiality Agreement, attend HIPAA Security training, and report all security incidents.

Procedures

Entreprise Dentist.Business Inc. shall document written procedures for granting user access, the authorization of access to ePHI, and the termination of user access. These procedures shall include, as a minimum, all of the policy requirements above.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or Entreprise Dentist.Business Inc. who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.
• Workforce: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 3.0: Authentication & Password Management

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Authentication & Password Management

Policy Number: Security 3.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.312(d); 164.308(a)(5); 164.312(a)(1)

Passwords are an important aspect of computer security and are the front line of protection for user accounts. A compromised password may result in a security breach of Entreprise Dentist.Business Inc. network. All Entreprise Dentist.Business Inc.

workforce members are responsible for taking the appropriate steps, as outlined in the full policy, to select and secure their passwords.

This policy reinforces the use and importance of effective passwords, also known as strong passwords. This policy will also require workforce members to change their passwords on a regular basis.

Information systems used to access ePHI shall uniquely identify and authenticate workforce members.

The policy specifies:

Standards of Authentication – Verification

The rules for maintaining Unique User ID and Password Management The guidelines for appropriate User ID and Passwords

Full Policy Language: HIPAA Regulation:

• 164.312(d) Mechanism to authenticate electronic protected health information
• 164.312(d) Person or entity authentication
• 164.308(a)(5) Password management
• 164.312(a)(1) Unique user identificationPolicy Purpose:Passwords are an important aspect of computer security and are the front line of protection of user accounts. A compromised password may result in a security breach of Entreprise Dentist.Business Inc. network. All Entreprise Dentist.Business Inc.
  workforce members are responsible for taking the appropriate steps to select and securetheir passwords. The purpose of this policy is to reinforce the use of effective passwords, also known as strong passwords, and require workforce members to change their passwords on a regular basis.Policy Description:Information systems used to access ePHI shall uniquely identify and authenticate workforce members.Authentication – VerificationIndustry standard protocols will be used on all routers and switches used in the Wide Area Network (WAN) and the local area networks (LANs). Authentication types can include:

1. Unique user ID and passwords
2. Biometric identification system
3. Telephone callback
4. Token system that uses a physical device for user identification
5. Two forms of authentication for wireless remote access
6. Information systems used to access ePHI shall identify and authenticate connections to specific devices involved in system communications (digital certificate, for example)

The password file on the authenticating server shall be adequately protected and not stored unencrypted.

Unique User ID and Password Management

1. All Entreprise Dentist.Business Inc. workforce members are assigned a unique user ID to access the network. All workforce members are responsible for creating and maintaining the confidentiality of the password associated with their unique user ID. Managers/supervisors are required to ensure that their staff understands the user responsibilities for securely managing confidential passwords.
2. Upon receipt of a user ID, the person assigned to said ID is required to change the password provided by the administrator to a password that only he or she (the user) knows. Effective passwords shall be created in order to secure access to electronic protected health information (ePHI).
3. Workforce members who suspect that their password has become known by another person shall change their password immediately. No user shall give his or her password to another person.
4. Workforce members are required to change their network user ID passwords every six months; when the technology is capable. Each application access password shall be changed every six months. Where technology is capable, network and application systems shall be configured to enforce automatic expiration of passwords every six months.
5. All privileged system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) shall be changed at least each fiscal quarter. All passwords are to be treated as sensitive, confidential Entreprise Dentist.Business Inc. information.

3.3 User ID & Password Guidelines

Where possible, implement unique user IDs that are different from the e-mail address; [ORGANIZATION] is encouraged not to use standard naming conventions for user IDs and should avoid using the same email user name as the system user ID.

1. Password length:
   1. 8-character passwords are the absolute minimum;
   2. 10-12 characters or longer is recommended; and
   3. Passwords up to 64 characters should be allowed.
2. Requiring mixed case, numbers, or special characters is recommended
3. Requiring users to periodically change their passwords is recommended:
   1. Every 6 months or a year preferably.
   2. Passwords are required to change if there is a suspicion that a password has been compromised.
4. Password selection software should not allow “obvious” passwords:

1. Common words, words related to the user, repeated letters,

numeric sequences, etc. (e.g, “password123”, “johnsmith”, or “abcabcabc”).

1. Login software should include features to prevent brute force attacks, such as:
   1. Delays between login attempts; and
   2. Lock account after a number of failed attempts.
2. Password protection requirements for users:
   1. Never reveal a password over the phone to anyone;
   2. Never reveal a password in an email message;
   3. Never reveal a password to your supervisor;
   4. Never talk about a password in front of others;
   5. Never hint at the format of a password (e.g., “my family name”);
   6. Never reveal a password on questionnaires or security forms;
   7. Never share a password with family members;
   8. Never reveal a password to co-workers;
   9. Never write down your password; instead, memorize it;
   10. Never keep a list of user IDs and passwords in your office; and
   11. Never misrepresent yourself by using another person’s user ID and password.

Policy Responsibilities:

Managers and Supervisors Responsibility

Managers/supervisors are responsible to reinforce secure password use in their offices with emphasis on ‘no password sharing’.

IT Team(s) Responsibilities for Network User ID Creation

1. System administrators shall provide the password for a new unique user ID to only the user to whom the new ID is assigned.
2. Workforce members may at times request that their password be reset. System administrators shall verify the identity of the user requesting a password reset or verify that the person making the request is authorized to request a password reset for another user. When technically possible, a new or reset password shall be set to expire on its attempted use at log on so that the user is required to change the provided password to one only they know.

All Workforce members accessing ePHI

Any workforce member who suspects that their password has become known by another person shall change their password immediately.

Procedures

Managers and Supervisors Responsibility

Managers/supervisors are responsible to reinforce secure password use in their offices with emphasis on ‘no password sharing’. If access to another worker’s account is required, managers/supervisors shall follow the emergency access section of Entreprise Dentist.Business Inc. HIPAA User Access Management policy.

IT Team(s) Responsibilities for Network User ID Creation

1. System administrators shall provide the password for a new unique user ID to only the user whom the new ID is assigned.
2. Workforce members may at times request that their password be reset. System administrators shall verify the identity of the user requesting a password reset or verify that the person making the request is authorized to request a password reset for another user. When technically possible, a new or reset password shall be set to expire on its initial use at log on so that the user is required to change the provided password to one only they know.

All Workforce Members Accessing ePHI

Any workforce member who suspects that their password has become known by another person shall change their password immediately.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
• Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 4.0: Facility Access Controls

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Facility Access Controls.

Policy Number: Security 4.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.310(a)(1) Facility security plan; Facility access controls; Access control and validation procedures; Maintenance records; Contingency operations

This policy establishes protocols for securing facilities that contain Electronic Protected Health Information (ePHI).

Entreprise Dentist.Business Inc. shall reasonably safeguard ePHI from any intentional or unintentional use or disclosure. Entreprise Dentist.Business Inc. shall protect its facilities where ePHI can be accessed.

When designing a new building and remodeling existing sites, facility managers and/or designees shall work with the Compliance Officers to ensure the facility plan components below are compliant with the HIPAA Regulations.

Entreprise Dentist.Business Inc. shall safeguard its facilities and the equipment therein from unauthorized physical access, tampering and theft. Entreprise Dentist.Business Inc. Compliance Officers shall annually audit facilities to ensure that ePHI safeguards are continuously being maintained.

The policy

• • • • • • • • • •

details implementation specification for: Visitor Access Control:

(IF YOU HAVE) Security Access Cards: (IF YOU HAVE) Keypads/Cipher Locks: Metal/Hard Keys:

Network Closet(s):

Server Room(s):

Alarm System(s):

Doors:

Contingency Operations – Emergency Access to Facilities Maintenance Records Policy – For all sites that access ePHI.

Full Policy Language: HIPAA Regulation:

• 164.310(a)(1) Facility security plan
• 164.310(a)(1) Facility access controls
• 164.310(a)(1) Access control and validation procedures
• 164.310(a)(1) Maintenance records
• 164.310(a)(1) Contingency operationsPolicy Purpose:The intent of this policy is to establish protocols for securing facilities that contain ePHI.Policy Description:General
  Entreprise Dentist.Business Inc. shall reasonably safeguard electronic protected health information (ePHI) from any intentional or unintentional use or disclosure. Entreprise Dentist.Business Inc. shall protect its facilities where ePHI can be accessed.New or Remodeled Facility in Entreprise Dentist.Business Inc. When designing a new building and remodeling existing sites, facility managers and/or designees shall work with the Compliance Officers to ensure the facility plan components below are compliant with the HIPAA Regulations.Facility Security Plan
  Entreprise Dentist.Business Inc. shall safeguard the facilities of Entreprise Dentist.Business Inc. and the equipment therein from unauthorized physical access, tampering, and theft. Entreprise Dentist.Business Inc. Compliance Officers shall annually audit Entreprise Dentist.Business Inc. facilities to ensure ePHI safeguards are continuously being maintained.Facility security guidelines for the workforce:
  1. Do not share access cards to enter the facility;
  2. Do not allow other persons to enter the facility by “piggy backing” (enteringthe facility by walking behind an authorized person, through a door withoutusing a card in the reader);
  3. Do not share hard key access to enter the facility; and
  4. Do not share alarm codes or keypad codes to enter the facility.

One or more of the following shall be implemented for all sites that access ePHI:

1. Visitor Access Control: In facilities where ePHI is available, all visitors shall be

escorted and monitored. Each facility shall implement procedures that govern visitor access controls. These procedures may vary depending on the facilities structure, the type of visitors, and where the ePHI is accessible.

1. Metal/Hard Keys: Facilities that use metal/hard keys shall change affected or appropriate key locks when keys are lost or a workforce member leaves without returning the key. In addition, the facility shall have:
   1. Clearances based on programmatic need, special mandated security requirements and workforce member security; and
   2. A mechanism to track which workforce members are provided access
2. Network Closet(s): Every network closet shall be locked whenever the room is unoccupied or not in use. Entreprise Dentist.Business Inc. shall document who has access to the network closets and periodically change the locking mechanism to these closets.
3. Server Room(s): Every server room shall be locked whenever the room is unoccupied or not in use. Entreprise Dentist.Business Inc. shall document who has access to each server room and periodically change the locking mechanism to server rooms.
4. Alarm Systems: All buildings that have ePHI shall have some form of alarm system that is activated during non-business hours. Alarm system codes may only be provided to workforce members that require this information in order to leave and enter a building. These alarm codes shall be changed at least every six months.
5. Doors: All external facility doors and doors to areas where ePHI is housed shall remain completely shut at all times. It is each workforce member’s responsibility to make sure the door that is being entered or exited is completely shut before leaving the vicinity. Sometimes the doors do not completely close by themselves. If a door’s closing or locking mechanism is not working, it is every worker’s responsibility to notify the facility manager or designee for that facility.

Contingency Operations – Emergency Access to Facilities

Each facility shall have emergency access procedures in place that allow facility access to appropriate persons to access data. This includes a primary contact person and back-up person for when facility access is necessary after business hours by persons who do not currently have access to the facility.

Maintenance Records Policy

Repairs or modifications to the physical building for each facility where ePHI can be accessed shall be logged and tracked. These repairs are tracked centrally by General

Services – Facility Management. The log shall include events that are related to security (for example, repairs or modifications of hardware, walls, doors, and locks).

Policy Responsibilities:

Manager/supervisor Requirements:

1. Take appropriate corrective action against any person who knowingly violates the facility plan;
2. Authorize clearances that are appropriate to the duties of each workforce member;
3. Notify the security administrator or designee within one business day when a user no longer requires access to the facility; and
4. Verify that each worker surrenders her/his card or key upon leaving employment.

Worker Requirements:

1. Display their access/security card to demonstrate their authorization to access restricted areas;
2. Immediately report lost or stolen (key/ID) cards, or metal keys or keypad- cipher lock combinations; and
3. Surrender access card or key upon leaving employment.

Facility Manager/Security Officer or Designee Requirements:

1. Request and track maintenance repairs;
2. Establish and maintain a mechanism for accessing the facility in anemergency;
3. Track who has access to the facility;
4. Change metal locks when a key is lost or unaccounted for;
5. Change combination keypads/cipher locks every three months;
6. Change the alarm code every six months;
7. Disable access cards not used for 90 days or more; and
8. Complete access card audits every 6 months to verify user access.

Security Officer responsibilities:

1. Work with General Services and Entreprise Dentist.Business Inc. to ensure facilities comply with the HIPAA Security Rule for facility access controls;and
2. Conduct annual audits of Entreprise Dentist.Business Inc. facilities to ensure the facility is secured and the requirements of this policy are being enforced.

Procedures

Entreprise Dentist.Business Inc. shall document written procedures for their facility security plan. Procedures shall be written to address the unique requirements of each facility. An essential part of compliance is to document and implement processes to ensure the safeguards in the facility security plan are being maintained.

Entreprise Dentist.Business Inc. shall submit new and revised procedures and plans to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standard.

6.0 Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 5.0: Workstation Access Controls

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Workstation Access Controls

Policy Number: Security 5.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulations: 164.310(a)(1) Access control and validation procedures; (b) Workstation use; (c) Workstation security; 164.312(a)(1) Automatic log off

This policy establishes rules for securing workstations that access ePHI (electronic protected health information). Since ePHI is portable, this policy requires workforce members to protect ePHI in all locations, including, but not limited to, homes or client sites.

Entreprise Dentist.Business Inc. shall ensure that observable confidential information is adequately shielded from unauthorized disclosure and unauthorized access on computer screens. Each of Entreprise Dentist.Business Inc. workstations shall make every effort to ensure that confidential information on computer screens is not visible to unauthorized persons.

The policy details implementation of this policy for:

• Workforce members who work in other facilities
• Workforce members who work from home or other non-office sites
• Password protection of their personal computers
• Security for all other forms of portable ePHI such as locking up CD ROM Disks,floppy disks, USB drives, PDAs, and laptops
• Automatic, time-based user session-lock when a computer or workstation is left idle
• Accessing ePHI outside Entreprise Dentist.Business Inc. Wide Area Network, e.g., by VPN

Full Policy Language: HIPAA Regulation:

• 164.310(a)(1) Access control and validation procedures
• 164.310(b) Workstation use
• 164.310(c) Workstation security
• 164.312(a)(1) Automatic log offPolicy Purpose:The intent of this policy is to establish rules for securing workstations that access ePHI. Since ePHI is portable, this policy requires workforce members to protect ePHI in all locations, including, but not limited to, homes or client sites.Policy Description:Workstation Use: Security

1. Entreprise Dentist.Business Inc. members shall ensure that observable confidential information is adequately shielded from unauthorized disclosure and unauthorized access on computer screens. Each Entreprise Dentist.Business Inc. workplace shall make every effort to ensure that confidential information on computer screens is not visible to unauthorized persons.
2. Workforce members who work in other facilities that are not part of Entreprise Dentist.Business Inc. shall be aware of their surroundings to ensure no one can incidentally view ePHI and no ePHI is left unattended.
3. Workforce members who work from home or other non-office sites shall take the necessary steps to protect ePHI from other persons who may have access to their home or other non-office site. This includes password protection of their personal computers, and security for all other forms of portable ePHI such as locking up CD ROM Disks, floppy disks, USB drives, PDAs, and laptops.
4. User session-lock shall be implemented when the computer is left idle. It shall be automatic after a specific time based on location and function. The session shall be locked to disable access to the PC until the user enters their unique password with login information.
5. When technology is capable, while accessing ePHI outside the Entreprise Dentist.Business Inc. Wide Area Network (for example: extranet, VPN) automatic log off shall occur after a maximum of 15 minutes of inactivity. Automatic log off is a system-enabled enforcement of session termination after a period of inactivity and blocks further access until the workforce member reestablishes the connection using the identification and authentication process.

Policy Responsibilities:

Manager/supervisor requirements:

1. Take appropriate corrective action against any person who knowingly violates the security of workstation use;
2. Ensure that workers set their computer to automatically lock when the computer is not in use; and
3. Ensure that all confidential information is not viewable by unauthorized persons at workstations in offices under their management.

Worker Requirements:

1. Session lock the computer when left unattended;
2. Ensure their computer is set to automatically lock when the computer is not in use;
3. Ensure that all confidential information is not viewable by unauthorized persons;and
4. When working from home or other non-office work sites, protect ePHI from unauthorized access or viewing.

IT Support:

1. When installing new workstations, set the session lock timer to lock the computer when left unattended; and
2. When installing new systems or applications, set the automatic log off timer to terminate the session when the computer is left unattended.

Procedures

Procedures for protecting workstations include:

1. Use of polarized screens or other computer security screen overlay devices that shield confidential information;
2. Placement of computers out of the visual range of persons other than the authorized user;
3. Clearing confidential information from the screen when it is not actively in use;
4. Setting an automatic session lock option on all computer workstations;
5. Shutting down or locking workstation sessions when left unattended; and
6. When the technology is capable, setting the applications to automatically log off after a specific time of inactivity.

Entreprise Dentist.Business Inc. shall develop and implement procedures. Entreprise Dentist.Business Inc. shall submit all new and revised procedures to the Office of HIPAA for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standard.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 6.0: Device and Media Controls

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Device and Media Controls

Policy Number: Security 6.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.310(d)(1) Device and media controls; Disposal; Media reuse; Accountability; Data backup and storage

This policy is to ensure that Electronic Protected Health Information (ePHI) stored or transported on storage devices is appropriately controlled and managed. Examples include thumb drives, external hard-drives and removable media.

This policy details Device and Media Controls and outlines responsibility for their accountability.

The policy details implementation specification(s) for:

• Portable Media Use & Security
• Disposal
• Media Reuse
• Sending a Computer Server or Hard-Drive out for Repair
• Moving Computer Server Equipment with ePHI
• Device and media acquisitionThe policy specifies the various responsibilities of:
• Manager/supervisor
• IT
• Workforce for Device and Media controls

Full Policy Language: HIPAA Regulation:

• 164.310(d)(1) Device and media controls
• 164.310(d)(1) Disposal
• 164.310(d)(1) Media reuse
• 164.310(d)(1) Accountability
• 164.310(d)(1) Data backup and storagePolicy Purpose:The intent of this policy is to ensure that ePHI stored or transported on storage devices and removable media is appropriately controlled and managed.Policy Description:Device and Media Controls/Accountability

1. Entreprise Dentist.Business Inc. shall protect allhardware and electronic media that contains electronic protected health information (ePHI). This includes personal computers, PDAs, laptops, storage systems, backup tapes, CD ROM disks, and removable disks.
2. Every area of Entreprise Dentist.Business Inc. is responsible for developing procedures that govern the receipt and removal of hardware and electronic media that contain(s) ePHI into and out of a facility. Procedures shall include maintaining a record of movements of hardware and electronic media and any persons responsible.

Portable Media Use – Security

1. In addition to protecting Entreprise Dentist.Business Inc. workstations and facilities, workforce members shall protect ePHI when working from all other locations. This includes locations such as home, other offices, or when working in the field.
2. In order to limit the amount of portable ePHI, workforce members shall not save any ePHI on floppy disks, CD ROM Disks and other portable items.
3. Methods for protecting portable media with ePHI include:

1. All workforce members shall receive permission from their supervisor before

removing ePHI from their facility. Approvals shall include the type of permission and the time period for authorization. The time period shall be a maximum of one year.

1. Workforce members who work in the field shall not leave ePHI unlocked or visible in their vehicles. They will also not leave any ePHI in client facilities/homes.
2. If ePHI is lost, workforce members are responsible for promptly contacting their supervisor, the Security Officer or designated Compliance Officers responsible for HIPAA Compliance within one business day upon awareness that ePHI has been lost.

Disposal

1. Before electronic media that contains ePHI can be disposed, the following actions shall be taken on computers used in the workplace, at home, or at remote sites:

1. Hard drives shall be either wiped clean or destroyed. Hard drive cleaning shallmeet the Department of Defense (DOD) standards, which states, “The method of destruction shall preclude recognition or reconstruction of the classified information or material.” In addition, the hard drive shall be tested to ensure the information cannot be retrieved.
2. Backup tapes shall be destroyed or returned to the owner and their return documented. Destruction shall include a method to ensure there is no ability to reconstruct the data.
3. Other media, such as memory sticks, USB flash drives or micro drives, CD- ROMs and floppy disks, shall be physically destroyed (broken into pieces) before disposing of the item.

Media Reuse

1. All ePHI shall be removed from hard drives when the equipment is transferred to a worker who does not require access to the ePHI, or when the equipment is transferred to a new worker with different ePHI access needs. Hard drives shall be wiped clean before transfer.
2. Cleaning shall meet the Department of Defense (DOD) standards, which states,“The method of destruction shall preclude recognition or reconstruction of the classified information or material.” In addition, the hard drive shall be tested to ensure the information cannot be retrieved.

Sending a Computer Server Hard Drive to Repair

When the technology is capable, an exact copy of the ePHI shall be created and the ePHI removed from the server hard drive before sending the device out for repair.

Moving Computer Server Equipment with ePHI

Before moving server equipment that contains ePHI, a retrievable exact copy needs to be created.

Device and Media Acquisition

Entreprise Dentist.Business Inc. shall include security requirements and/or security specifications in information system acquisition contracts based on an assessment of risk (applications, servers, copiers, etc.).

Policy Responsibilities:

Manager/Supervisor Responsibilities:

1. Ensure that only workforce members who require the need to remove ePHI from their facilities are granted permission to do so.

IT Responsibilities

1. Ensure all hard drives are wiped clean before disposal or reuse
2. Test hard drives to ensure they are clean
3. Before moving hardware or sending hard drives for repair that contains ePHI,create a retrievable copy of that data
4. Maintain an inventory and a record of movements or transfers of hardware andelectronic media such as workstations, servers, or backup tapes

Workforce Responsibilities:

1. Individual workforce members or their units shall track Laptops, PDAs, CD ROM Disks, and floppy disks, and all other portable media that contain ePHI.
2. To limit the amount of portable ePHI, workforce members shall not save any quantity of ePHI onto floppy disks, CD ROMs and other portable items when it is not necessary.

3. Workforce members shall remove and destroy all ePHI before disposing of the media.

Procedures

Entreprise Dentist.Business Inc. shall document written procedures to track, dispose, and reuse media devices used for ePHI. Entreprise Dentist.Business Inc. shall submit all new and revised procedures to the Security Officer for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standard.

Definitions

• Covered Entity: A health plan or a health care provider that stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate: Any entity that uses or discloses protected health information(PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization which, on behalf of a covered entity,

• performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected Health Information is any individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 7.0: Audit Controls

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Audit Controls

Policy Number: Security 7.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy:

The intent of this policy is to provide the authority for workforce members representing the Entreprise Dentist.Business Inc. IT organizations to conduct a security audit on any computing resource of the Entreprise Dentist.Business Inc..

Activity reviews provide indications that implemented safeguards are working, or that safeguards are insufficient. Audits may be conducted to:

1. Ensure integrity, confidentiality, and availability of information and resources
2. Investigate possible security incidents to ensure conformance to Entreprise Dentist.Business Inc. IT and security policies
3. Monitor user or system activity where appropriate
4. Verify that software patching is being maintained at the appropriate security level
5. Verify virus protection is being maintained at current levels

Full Policy Language: HIPAA Regulation:

• Log-in monitoring
• Information system activity review
• Audit controlsPolicy Purpose:The intent of this policy is to provide the authority for workforce members representing the Entreprise Dentist.Business Inc. IT organizations to conduct a security audit on any computing resource of the Entreprise Dentist.Business Inc.. Activity reviews provide indications that implemented safeguards are working, or that safeguards are insufficient. Audits may be conducted to:
  1. Ensure integrity, confidentiality, and availability of information and resources;
  2. Investigate possible security incidents to ensure conformance to Entreprise Dentist.Business Inc. IT and security policies;
  3. Monitor user or system activity where appropriate;
  4. Verify that software patching is being maintained at the appropriate securitylevel; and
  5. Verify virus protection is being maintained at current levels
• Policy Description: Log-in Monitoring

1. Entreprise Dentist.Business Inc. has the right to monitor system access and activity of all workforce members.
2. To ensure that access to servers, workstations, and other computer systems containing ePHI is appropriately secured; the following login monitoring measures shall be implemented:
   1. A mechanism to log and document four or more failed log-in attempts in arow shall be implemented on each network system containing ePHI when thetechnology is capable.
   2. Login activity reports and logs shall be reviewed biweekly at a minimum toidentify any patterns of suspicious activity.
   3. All failed login attempts of a suspicious nature, such as continuous attempts, shall be reported immediately to the Security Officer or the designee for each Entreprise Dentist.Business Inc..

1. To the extent that technology allows, any user ID that has more than four- repeated failed login attempts in a row shall be disabled for a minimum of 30 minutes.

Information System Activity Review – Audit Controls

To ensure that activity for all computer systems accessing ePHI is appropriately monitored and reviewed, these requirements shall be met:

1. Where technology allows, the audit record shall capture sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events.
2. Each fiscal quarter, at a minimum, every application and system administrator or designee shall review audit logs, activity reports, or other mechanisms to document and manage system activity.
3. Indications of improper use shall be reported to management for investigation and follow up.
4. Audit logs of access to networks and applications with ePHI shall be archived.
5. Audit information and audit tools shall be protected from unauthorized access,modification, and deletion.

Policy Responsibilities:

System administrators, Security Officers are responsible to implement and monitor audit controls for all systems that contain ePHI.

Procedures:

Entreprise Dentist.Business Inc. shall submit all new and revised procedures to the Office of HIPAA for approval and ongoing evaluation. The Security Officer shall create audit control checklists and logs to assist with, and standardize, the audit function. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with the Entreprise Entreprise Dentist.Business Inc. HIPAA policies and not deviate from the Entreprise Dentist.Business Inc. standard.

Definitions:

• Covered Entity: A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.
• ePHI: Electronic/Protected health information means individually identifiable health information:

• Transmitted by electronic media;

• Maintained in electronic media; or
• Transmitted or maintained in any other form or medium.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 8.0: Incident Response & Reporting

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Incident Response & Reporting

Policy Number: Security 8.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.308(a)(6) Security incident procedures; Response and reporting

This policy formalizes the response to security incidents and the reporting of them.

It includes identification and response to suspected and known security incidents, their mitigation and the documentation of incidents and their outcomes.

It is imperative that a formal reporting and response policy be followed when responding to security incidents. Therefore, Entreprise Dentist.Business Inc. shall employ tools and techniques to monitor events, detect attacks and provide identification of unauthorized use of the systems that contain Electronic Protected Health Information (ePHI).

The policy details the type of incidents that shall be reported, and who is responsible for notifying whom. It also details the appropriate Response, Tracking and Resolution; and it outlines who is responsible for determining if a report shall be forwarded to the Department of Health and Human Services (HHS).

All HIPAA security related incidents and their outcomes shall be logged and documented by the Compliance Officers. The Compliance Officers shall document and log incidents and outcomes.

The policy specifies that all workforce members are responsible for promptly reporting any security-related incidents to the IT help desk, the Privacy Officer or their manager.

Full Policy Language: HIPAA Regulation:

• 164.308(a)(6) Security incident procedures
• 164.308(a)(6) Response and reportingPolicy Purpose:The purpose of this policy is to formalize the response to, and reporting of, security incidents. This includes identification and response to suspected or known security incidents, the mitigation of the harmful effects of known or suspected security incidents, and the documentation of security incidents and their outcomes. It is imperative that this formal reporting and response policy be followed when responding to security incidents.Policy Description:Entreprise Dentist.Business Inc. shall employ tools and techniques (The Guard and its Process) to monitor events, detect attacks, and provide identification of unauthorized use of the systems that contain ePHI.Reporting

1. All security incidents, threats, or violations that affect or may affect the confidentiality, integrity or availability of electronic protected health information (ePHI) shall be reported and responded to promptly.
2. Incidents that shall be reported include, but are not limited to:
   1. Virus, worm, or other malicious code attacks;
   2. Network or system intrusions;
   3. Persistent intrusion attempts from a particular entity;
   4. Unauthorized access to ePHI, an ePHI based system, or an ePHI based network;
   5. ePHI data loss due to disaster, failure, error, theft;
   6. Loss of any electronic media that contains ePHI;
   7. Loss of the integrity of ePHI; and
   8. Unauthorized person found in Entreprise Dentist.Business Inc. facility.
3. Entreprise Dentist.Business Inc. Compliance Officers shall be notified immediately of any suspected or real security incident. If it is unclear as to whether a situation is a security incident, the Compliance Officers shall be contacted to evaluate the situation.

Response and Resolution

The Compliance Officers shall track the incident. The Compliance Officers shall determine if a report of the incident shall be forwarded to the HHS. Compliance Officers are the only employees that can resolve an incident. The Compliance Officers shall evaluate the report to determine if an investigation of the incident is necessary. The Compliance Officers shall determine if Entreprise Dentist.Business Inc. Counsel, law enforcement, Human Resources, or Entreprise Dentist.Business Inc. Communication and Media Office is to be contacted regarding the incident.

Logging

1. All HIPAA security-related incidents and their outcomes shall be logged and documented by the Compliance Officers. The Compliance Officers shall document and log incidents and outcomes.
2. All incident(s) will be reviewed and investigated and if the breached PHI has been compromised (unauthorized individuals have received and viewed the PHI) the breach will be reported to HHS. Entreprise Dentist.Business Inc. and its Compliance Officers will record all the incidents and retain these incident reports for six years.
3. Entreprise Dentist.Business Inc. shall train personnel in their incident response roles and responsibilities and provide refresher training as needed. Entreprise Dentist.Business Inc. shall test the incident response capability at least annually using tests and exercises to determine the effectiveness.

Policy Responsibilities:

Report violations of this policy to Entreprise Dentist.Business Inc. Compliance Officers.

Workforce members

Workforce members are responsible for promptly reporting any security-related incidents to the Security Officer.

IT Help Desk

The Security Officer documents all security incidents.

Compliance Officers

The Compliance Officer that is responsible to determine if the incident requires further investigation is Pomazanova Olena. Entreprise Dentist.Business Inc. Security and Privacy Officer, shall determine if corrective actions should be

implemented. The Compliance Officers are responsible for documenting the investigations and any corrective actions. The Compliance Officers are responsible for maintaining all documentation on security breaches for six years.

Procedures

Entreprise Dentist.Business Inc. shall submit all new and revised procedures to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standard.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 9.0: Transmission Security

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Transmission Security

Policy Number: Security 9.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.312(e)(1) Transmission security; Integrity controls; Encryption and decryption; Encryption

This policy creates the rules which guard against unauthorized access to, or modification of, Electronic Protected Health Information (ePHI) that is being transmitted over an electronic communications network (“data in motion”). It commits resources to assure that when ePHI is transmitted from one point to another, it shall be protected in a manner commensurate with the associated risk.

The policy details standards of encryption, and under which circumstance it is required and when it is optional.

It specifies control requirements of:

• Modem use;
• WAN access;
• Wireless devices;
• Perimeter security; and
• Firewall and details management and workforce responsibilities to execute thepolicy.

Full Policy Language: HIPAA Regulation:

• 164.312(e)(1) Transmission security
• 164.312(e)(1) Integrity controls
• 164.312(a)(1) Encryption and decryption
• 164.312(a)(1) EncryptionPolicy Purpose:The intent of this policy is to guard against unauthorized access to, or modification of, ePHI that is being transmitted over an electronic communications networks. When ePHI is transmitted from one point to another, it shall be protected in an encrypted manner.Policy Description:Encryption:Proven, standard algorithms shall be used as the basis for encryption technologies. The use of proprietary encryption algorithms is not allowed for any purpose unless authorized by the HIPAA Security Officer.Encryption Required:
  1. No ePHI shall be sent outside Entreprise Dentist.Business Inc. domain unless it is encrypted. This includes all email and email attachments sent over a public internet connection.
  2. When accessing a secure network an encryption communication method, suchas a VPN, shall be used.
• Encryption Optional:
  1. When using a point-to-point communication protocol to transmit ePHI, no encryption is required.
  2. Dial-up connections directly into secure networks are considered to be secure connections for ePHI and no encryption is required.
• If still using Modems:
  1. Modems shall never be left connected to personal computers in auto-answer mode.
  2. Dialing directly into or out of a desktop computer that is simultaneously connected to a local area network (LAN) or another internal communication network is prohibited.

3. Dial-up access to WAN-connected personal computers at the office is prohibited.

ePHI Transmissions Using Wireless LANs and Devices within Entreprise Dentist.Business Inc. domain:

1. A) The transmission of ePHI over a wireless network within Entreprise Dentist.Business Inc. domain is permitted if both of the following conditions are met:

1. The local wireless network is utilizing an authentication mechanism to ensure that wireless devices connecting to the wireless network are authorized; and
2. The local wireless network is utilizing an encryption mechanism for all transmissions over the aforementioned wireless network and uses two types of authentication.

1. B) If transmitting ePHI over a wireless network that is not utilizing an authentication and encryption mechanism, the ePHI shall be encrypted before transmission.

Perimeter Security

1. Any external connection to Entreprise Dentist.Business Inc. Wide Area Network (WAN) shall come through the perimetersecurity’s Firewall.
2. If determined safe by the Security Officer, outbound services shall be initiatedfor internal addresses to external addresses.
3. Inbound services shall be negotiated on a case-by-case basis with the SecurityOfficer.
4. All workforce members connecting to the WAN shall sign Entreprise Dentist.Business Inc. IT Confidentiality Agreement before connectivity is established.

Firewall Controls to Transmit ePHI Into and Out of Entreprise Dentist.Business Inc.

1. Networks containing systems and applications with ePHI shall implement perimeter security and access control with a firewall.
2. Firewalls shall be configured to support the following minimum requirements:
   1. Limit network access to only authorized workforce members and entities;
   2. Limit network access to only legitimate or established connections (Anestablished connection is return – traffic in response to an applicationrequest submitted from within the secure network.); and
   3. Consoleandothermanagementportsshallbeappropriatelysecuredordisabled.

3. The configuration of firewalls used to protect networks containing ePHI-based systems and applications shall be submitted to the Security Officer for review and approval.

Policy Responsibilities:

All workforce members that transmit ePHI outside Entreprise Dentist.Business Inc. WAN are responsible for ensuring the information is safeguarded by using encryption when using the public internet or a wireless device.

Procedures

Each area of Entreprise Dentist.Business Inc. shall submit all new and revised procedures to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standard.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 10.0: Protection from Malicious Software

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Protection from Malicious Software

Policy Number: Security 10.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.308(a)(5) Protection from malicious software

This policy establishes protections to safeguard against, detect and report malicious software, including but not limited to viruses, worms and trojans. This policy mandates that Entreprise Dentist.Business Inc. shall ensure all computers owned, leased and/or operated by the covered components install and maintain anti-virus software. Additionally, all workstations shall be configured to activate and update anti- virus software automatically each time the computer is turned on or the user logs on the network.

The policy also details the necessary steps in the event that a virus, worm or other malicious code has infected or been identified on a server or workstation. It specifies workforce members’ responsibilities to maintain cyber-hygiene standards; and the IT manager’s responsibilities to support this policy.

Full Policy Language:

HIPAA Regulation:

164.308(a)(5) Protection from malicious software

Policy Purpose:

The intent of this policy is to establish procedures for protections to guard against, detect, and report malicious software. Malicious software includes, but is not limited to, viruses, worms, trojans, ransomware attacks.

Policy Description:

Entreprise Dentist.Business Inc. shall ensure all computers (owned, leased, and/or operated by Entreprise Dentist.Business Inc.) are installed with and maintain anti-virus software. All workstations shall be configured to activate and update anti-virus software automatically each time the computer is turned on or the user logs onto the network.

In the event that a virus, worm, or other malicious code has infected or been identified on a server or workstation, that equipment shall be disconnected from the network until it has been appropriately cleaned.

Policy Responsibilities:

Workforce Responsibilities:

1. Workforce members who utilize laptops to log on to the network shall work with their IT support to ensure all updates are received.
2. Workforce members are not to disable automatic virus scanning features.
3. All non- Entreprise Dentist.Business Inc. computersthat directly access the WAN shall have anti-virus software and remain currentwith updates.
4. All downloaded files shall be virus-checked prior to use.
5. All storage media (i.e. disks) shall be treated as if they contain viruses.Workforce members are permitted to use removable storage disks provided thatall disks are virus checked prior to use.
6. If a virus is detected, workforce members are instructed to immediately contacttheir Security Officer.
7. For the purposes of protecting data and preventing the spread of viruses,workers shall:
   • Attend HIPAA security training
   • Maintain back-up copies of data files

IT Responsibility:

1. Set up laptop computers so they automatically load virus updates when they are connected to Entreprise Dentist.Business Inc. network.

Procedures

To ensure that all Entreprise Dentist.Business Inc. workforce members are made aware of the threats and vulnerabilities due to malicious code and software such as viruses and worms and are effectively trained to identify and prevent these types of attacks, the following procedures shall be established and implemented:

1. The workforce shall be trained to identify and protect data, when possible, against malicious code and software.
2. Security reminders shall be given to the workforce to inform them of any of new virus, worm, or other type of malicious code that may threaten ePHI.

Entreprise Dentist.Business Inc. shall submit all new and revised procedures to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standards.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 11.0: Contingency Plan, Disaster Recovery

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Contingency Plan, Disaster Recovery

Policy Number: Security 11.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.308(a)(7) Contingency plan, Data backup plan, Disaster recovery plan, Emergency mode operation plan, Testing and revision procedures, Applications and data criticality analysis; 164.310(a)(1) Contingency operations

This policy sets forth rules for continuing business without the normal resources of Entreprise Dentist.Business Inc.. These include the required procedures for an emergency, disaster or other occurrence (i.e., fire, vandalism, system failure and natural disaster) when any system that contains ePHI is affected, including:

• Applications and data criticality analysis
• Data backup
• Disaster Recovery Plan
• Emergency mode operation planThe policy details specific requirements for each of these critical functions, and the responsibility for the creation, evaluation, testing and updating of the various contingency plans described therein.

Full Policy Language: HIPAA Regulation:

• 164.308(a)(7) Contingency plan
• 164.308(a)(7) Data backup plan
• 164.308(a)(7) Disaster recovery plan
• 164.308(a)(7) Emergency mode operation plan
• 164.308(a)(7) Testing and revision procedures
• 164.308(a)(7) Applications and data criticality analysis
• 164.310(a)(1) Contingency operationsPolicy Purpose:The purpose of this policy is to establish rules for continuing business without the normal resources of Entreprise Dentist.Business Inc.. Policy Description:

1. Entreprise Dentist.Business Inc. shall develop procedures for implementation in the event of an emergency, disaster or other occurrence (i.e., fire, vandalism, system failure and natural disaster) when any system that contains ePHI is affected, including:
   1. Applications and data criticality analysis;
   2. Data backup;
   3. Disaster Recovery Plan; and
   4. Emergency mode operation plan.
2. Each of the following plans shall be evaluated and updated at least annually as business needs and technology requirements change.

Applications and Data Criticality Analysis

1. Entreprise Dentist.Business Inc. shall assess the relativecriticality of specific applications and data within Entreprise Dentist.Business Inc. for purposes of developing its Data Backup Plan, its Disaster Recovery Plan and its Emergency Mode Operation Plan.
2. Entreprise Dentist.Business Inc. shall identify critical business functions, define impact scenarios, and determine resources needed to recover from each impact.
3. The assessment of data and application criticality shall be conducted periodically and at least annually to ensure that appropriate procedures are in place for data and applications at each level of risk.

Data Backup Plan

1. All ePHI shall be stored on network servers in order for it to be automatically backed up by the system.
2. ePHI shall not be saved on the local drives of personal computers.
3. ePHI stored on portable media (e.g. thumb drives, external hard drive, CD ROMDisks) shall be saved to the network to ensure backup of ePHI data.
4. Entreprise Dentist.Business Inc. shall conduct dailybackups of user-level and system-level information and store the backupinformation in a secure location. A weekly backup shall be stored offsite.
5. Entreprise Dentist.Business Inc. shall establish andimplement a Data Backup Plan pursuant to which it would create and maintainretrievable exact copies of all ePHI.
6. The Data Backup Plan shall apply to all files that may contain ePHI.
7. The Data Backup Plan shall require that all media used for backing up ePHI bestored in a physically secure environment, such as a secure, off-site storage facility. Or, if backup media remains on site, in a physically secure location, different from the location of the computer systems it usually backs up.
8. If a non – Entreprise Dentist.Business Inc. off-site storage facility or backup service is used, a written contract shall be used to ensure that the contractor shall safeguard the ePHI in an appropriate manner.
9. Data backup procedures outlined in the Data Backup Plan shall be tested on, at least, an annual basis to ensure that exact copies of ePHI can be retrieved and made available.

10. Entreprise Dentist.Business Inc. shall submit its new and revised Data Backup Plan to the Compliance Officers for approval.

Disaster Recovery Plan

1. To ensure that Entreprise Dentist.Business Inc. can recover from the loss of data due to an emergency or disaster such as fire, vandalism, terrorism, system failure, or natural disaster affecting systems containing ePHI. Entreprise Dentist.Business Inc. shall establish and implement a Disaster Recover Plan pursuant to which it can restore or recover any loss of ePHI and the systems needed to make that ePHI available in a timely manner. The Disaster Recovery Plan for Entreprise Dentist.Business Inc. shall be incorporated into Entreprise Dentist.Business Inc. Disaster Recovery Plan.
2. The Disaster Recovery Plan shall include procedures to restore ePHI from data backups in the case of a disaster causing data loss.
3. The Disaster Recovery Plan shall include procedures to log system outages, failures, and data loss to critical systems. Also, procedures will be implemented to train the appropriate personnel in regards to the disaster recovery plan.
4. The Disaster Recovery Plan shall be documented and easily available to the necessary personnel at all time(s), who shall be trained to implement the Disaster Recovery Plan.

5. The disaster recovery procedures outlined in the Disaster Recovery Plan shall be tested on a periodic basis to ensure that ePHI and the systems needed to make ePHI available can be restored or recovered.
6. Entreprise Dentist.Business Inc. shall submit its

new and revised Disaster Recovery Plan to the Compliance Officers for approval.

Disaster and Emergency Mode for Small Practices (Larger Organizations like Clinics and Hospitals should use the Full Disaster Recovery Plan)

1. Real Estate/Office Suite: Who to call, Phone Number
2. Computers: Who to call, Phone Number
3. Networking of Computers: Who to call, Phone Number
4. Restoration of Data to Server or Connection to the Internet: Who to call, Phone

Number

5. EHR Support: Who to call, Phone Number
6. Add anything else needed to continue business

Emergency Mode Operation Plan

1. Entreprise Dentist.Business Inc. shall establish and implement (as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode. Emergency mode operation involves critical business processes that shall occur to protect the security of electronic protected health information during and immediately after a crisis situation.
2. Emergency mode operation procedures outlined in the Disaster Plan shall be tested on a periodic basis to ensure that critical business processes can continue in a satisfactory manner while operating in emergency mode.
3. Entreprise Dentist.Business Inc. shall submit its new and revised Emergency Mode Operation Plan to the Compliance Officers for approval.

Policy Responsibilities:

The Compliance/Security Officer shall oversee the creation, evaluation, testing, and updating of the various contingency plans described herein.

Entreprise Dentist.Business Inc. shall submit its new and/or revised procedures and plans to the Security Officer for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standards.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 12.0: Business Associates

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Business Associates

Policy Number: Security 12.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021.

Synopsis of Policy: HIPAA Regulation: 164.308(b)(1) Business associate contracts and other arrangements, Written contract or other arrangements

This policy defines procedures for determining which contractual and business relationships are considered “Business Associates” as defined by HIPAA. In addition, this policy addresses requirements for tracking designated Business Associates (BAs) and how to follow up on complaints about the BAs.

Full Policy Language: HIPAA Regulation:

• 164.308(b)(1) Business associate contracts and other arrangements
• 164.308(b)(1) Written contract or other arrangementsPolicy Purpose:To document the policy and procedure for determining which contractual and business relationships are considered “Business Associates” as defined by HIPAA. In addition, this policy addresses tracking designated Business Associates and how to follow up on complaints about Business Associates.Policy Description:Business Associates

1. Entreprise Dentist.Business Inc. has many contractual and business relationships, and policies related to its contracts and business relationships. However, not all contractors or business partners are “Business Associates” as defined by HIPAA. This policy only applies to contractors or business partners that come within the definition of a “Business Associate.” Essentially, any person or organization that you hire to help you do something and for that contract to work, you must either directly share PHI or ePHI or give them access to PHI or ePHI would be considered a BA and would need a BA agreement signed by that entity.
2. Compliance Officers of Entreprise Dentist.Business Inc. shall review contracts to determine if the contract requires a Business Associate Agreement. If a Business Associate Agreement is required: contract managers must complete the Business Associate Agreement (BAA) and notify the Compliance Officers. This BAA requires the Business Associate to provide satisfactory assurance that the Business Associate shall appropriately safeguard the confidential information and report any security incidents. Entreprise Dentist.Business Inc. shall audit the Business Associate via electronic questionnaire. If decided by the Compliance Officers, Entreprise Dentist.Business Inc. shall conduct a security audit of the Business Associate’s HIPAA Policies and Procedures as a means of due diligence to ensure that the Business Associate is taking the necessary precautions under the HIPAA Security Rule to protect the data that is shared with them.

Business Associate Non-Compliance

1. If Entreprise Dentist.Business Inc. knows of a pattern of activity or practice of a Business Associate that constitutes a material breach or violation of an obligation under the contract or other arrangement, Entreprise Dentist.Business Inc. shall take reasonable steps to repair the breach or end the violation, as applicable. This includes working with, and providing consultation to, the Business Associate.
2. If such steps are unsuccessful, Entreprise Dentist.Business Inc. shall terminate the contract or arrangement, if feasible. If termination is not feasible, the problem shall be reported to the Office of Civil Rights (OCR) within 30 days of the incident.

Policy Responsibilities:

Compliance Officers of Entreprise Dentist.Business Inc. shall work together to ensure that all Business Associates are identified, tracked, and investigated when an allegation is made.

Procedures

Tracking and Identifying Entreprise Dentist.Business Inc. Business Associates

Entreprise Dentist.Business Inc. shall identify those business relationships that meet the definition of a Business Associate. Contract managers shall note that designation in the contract record and notify the Compliance Officer when a contractor is determined to be a Business Associate.

Response to Complaints about Business Associates

Entreprise Dentist.Business Inc.  workforce members who receive a report or complaint from any source about inappropriate safeguards to ePHI by Business Associates shall provide information regarding that report or complaint to the Compliance Officers. The Compliance Officers shall coordinate with the Business Associate’s contract administrator to document the alleged violation and determine if remediation is required in order for the Business Associate to attain/retain contract compliance.

Where contract compliance cannot be attained/retained, Entreprise Dentist.Business Inc. shall terminate the contract, if feasible. If termination is not feasible, the Compliance Officers shall report the problem to the Office of Civil Rights within 30 days of the incident.

Definitions

• Business Associate: On behalf of the covered entity, completes a function or activity involving the use or disclosure of protected health information (PHI), including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing; or, provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity or, to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 13.0: Monitoring and Effectiveness

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Monitoring and Effectiveness

Policy Number: Security 13.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021.

Synopsis of Policy: HIPAA Regulation: 164.308(a)(1) Perform a periodic technical and non-technical evaluation, requiring a process for Security management, risk analysis and risk management)

This policy establishes periodic evaluations of Entreprise Dentist.Business Inc. compliance with HIPAA policies and procedures. Security assessments shall be conducted periodically to confirm continued compliance with security standards and specifications. Assessments will determine if security controls are correctly implemented, and, as implemented, are effective in their application.

The policy also establishes procedures for Change Management of systems governed by the HIPAA Security Rule. The policy specifies the need for Change Control, Change Notification, Change Implementation, Change Closure and Evaluation.

The policy also specifies management and workforce responsibilities for implementation.

Full Policy Language: HIPAA Regulation:

• 164.308(a)(1) Perform a periodic technical and non-technical evaluation
• 164.308(a)(1) Security management process
• 164.308(a)(1) Risk analysis
• 164.308(a)(1) Risk managementPolicy Purpose:The intent of this policy is to establish periodic evaluations on whether Entreprise Dentist.Business Inc. is complying with the HIPAA policies and procedures to effectively provide confidentiality, integrity and availability of electronic protected health information (ePHI). Security assessments shall be conducted periodically to determine continued compliance with security standards and specifications. Assessments are conducted to:
  1. Determine if security controls are correctly implemented, and, as implemented, are effective in their application;
  2. Ensure that HIPAA security regulations, policies, and directives are met; and
  3. Implement security measures sufficient to reduce risks and vulnerabilities to areasonable and appropriate level.
• Policy Description:
• Risk Assessment & Management:
• Entreprise Dentist.Business Inc., along with the Security Officer, shall monitor the effectiveness of Entreprise Dentist.Business Inc. ability to secure ePHI. In order to accomplish this, a risk assessment shall be conducted when:
  1. New technology is implemented that either contains ePHI or is used to protect ePHI;
  2. New facilities that maintain or house ePHI are designed;
  3. Existing facilities that maintain or house ePHI are being remodeled or thedesign layout is being altered;
  4. New programs, functions, or departments are added that affect the security of Entreprise Dentist.Business Inc.;
  5. Security breaches are identified; and
  6. Changes in the mode or manner of service delivery are made.
• Security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level shall be documented and implemented.

Change Control

The primary goal of change management is to facilitate communications and coordinate all changes that may occur in the IT environment. These changes include, but are not limited to, the installation, update, or removal of network services and components, operating system upgrades, application or database servers and software.

Change Notification

1. For informational purposes, the Compliance Officers shall be notified of changes by email no less than 48 hours in advance.
2. Emergency Changes shall be communicated to the Compliance Officers as soon as is reasonable.
3. Any change that encounters difficulties that could adversely affect customers, patients, or clients shall be communicated to the Compliance Officers as soon as is reasonable.

Change Implementation

All non-emergency changes shall occur within the recognized downtime unless approved in advance by all affected parties or for inter-departmental changes as department procedures dictate.

Change Closure

The disposition of all changes shall be documented.

Evaluation

Entreprise Dentist.Business Inc. shall conduct an assessment of security controls at least annually to determine the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome. Technical and non-technical evaluations are to be conducted periodically to identify any new risks or to determine the effectiveness of the HIPAA Security Policies and Procedures. These evaluations include but are not limited to the following:

1. Random audit reviews of a facility’s physical environment security;
2. Random audit reviews of workstation security;
3. Periodic, unannounced tests of the physical, technical, and administrativecontrols;
4. Assessment of changes in the environment or business process that may affectthe HIPAA Security Policies and Procedures;
5. Assessment when new federal, state or local laws and regulations are passedthat may affect the HIPAA Security Policies and Procedures;
6. Assessment of the effectiveness of the HIPAA Security Policies and Procedureswhen security violations, breaches or other security incidents occur; and
7. Assessment of redundancy needed in the network or servers for ePHIavailability.

Policy Responsibilities:

Compliance Officers

HIPAA Compliance Officers:

1. Are responsible to coordinate with the Security Officers to conduct audits of covered component compliance with the HIPAA security rule;
2. Shall coordinate the production of procedures to implement this policy; and
3. Are responsible for providing tools and processes for assessing technical and nontechnical evaluations as part of Entreprise Dentist.Business Inc. ongoing compliance efforts.

If assessments recommend changes to the HIPAA Policies and Procedures, the Compliance Officers are responsible for reviewing these changes and presenting them to management. If needed, the Compliance Officers will update the workforce training materials.

Procedures

The Compliance Officers shall write procedures to ensure ongoing evaluation and assessments are completed to mitigate risks to ePHI.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 14.0: Security Awareness and Training

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Security Awareness and Training

Policy Number: Security 14.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021.

Synopsis of Policy: HIPAA Regulation: 164.308(a)(5) Security awareness and training; Security reminders Texas Med Rec Privacy Act: THSC §2.I.181.101 Training Required

This policy ensures that all members of Entreprise Dentist.Business Inc. workforce who can access Electronic Protected Health Information (ePHI) receive the necessary training in order to implement and maintain the HIPAA Security Policies and Procedures. The intent is also to prevent any violations of confidentiality, integrity or availability of ePHI. Since Security Awareness Training is key to eliminating Entreprise Dentist.Business Inc. exposure to both malicious threats and accidental errors and omissions, its components are specified in the policy, along with training frequency, record keeping, and ongoing reminders.

Compliance with Texas Medical Records Privacy Act security awareness and training requirements (as noted above) are also fulfilled in this policy.

Full Policy Language: HIPAA Regulation:

• 164.308(a)(5) Security awareness and training
• 164.308(a)(5) Security remindersPolicy Purpose:The intent of this policy is to ensure that all members of Entreprise Dentist.Business Inc. workforce that can access to electronic protected health information (ePHI) receives the necessary training in order to implement and maintain the HIPAA Security Policies and Procedures. Also, the intent of this policy is to prevent any violations of confidentiality, integrity or availability of ePHI.Policy Description:Security Awareness Training
  Security awareness training is key to eliminating Entreprise Dentist.Business Inc. exposure to both malicious threats and accidental errors or omissions.System & Application TrainingThis policy sets forth a minimum standard for system and application security awareness to reduce Entreprise Dentist.Business Inc. risk:
  1. Proper uses and disclosures of the ePHI stored in the application;
  2. How to properly log on and log off the application;
  3. Protocols for correcting user errors;
  4. Instructions for contacting a designated person or help desk when ePHI mayhave been altered or destroyed in error; and
  5. Reporting a potential security breach.
• HIPAA Security Training

1. All members of the workforce that are part of Entreprise Dentist.Business Inc. shall receive security training. The Compliance Officers will provide the training and materials.
   1. Worker Level Training: This training entails Security Policies and Procedures that directly affect workers.
   2. Managerial – Supervisory Training: This training entails all of the HIPAA Security Policies and Procedures and Management’s role in enforcement and supervision.
2. All new workforce members are required to attend the appropriate training within 60 days of entering the workforce.

3. Entreprise Dentist.Business Inc. is required to ensure that all of their workforce members receive training.

Tracking Security Training:

Entreprise Dentist.Business Inc.  training coordinator or designee shall enter their workforce members into The Guard to sign them up for the appropriate level of training.

HIPAA Security Reminders

1. The Compliance Officers shall develop and implement periodic security updates and issue reminders to Entreprise Dentist.Business Inc. workforce. These security reminders shall be provided using any media that is most effective for Entreprise Dentist.Business Inc. (e.g. email, posters, newsletters, intranet site, etc.).
2. At a minimum, these reminders shall be provided on a quarterly basis.

Policy Responsibilities:

Compliance Officers are responsible for ensuring that all workforce members in their operational areas are trained no later than 30 days after entering their workforce. In addition, the Compliance Officers will have oversight responsibility to audit reports from The Guard to ensure required workforce member attendance. If needed, the Compliance Officers may require workforce members to attend more training if security incidents warrant this remedial action.

Procedures

Entreprise Dentist.Business Inc. shall document written

procedures on how new workers are notified and sent to training.

Entreprise Dentist.Business Inc. shall submit its new and revised procedures and plans to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and will not deviate from Entreprise Dentist.Business Inc. standard.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.).

Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

• ePHI: Electronic/Protected health information means individually identifiable health information:

• Transmitted by electronic media;
• Maintained in electronic media; or
• Transmitted or maintained in any other form or medium.
• Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 15.0: Sanctions Policy

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Sanctions Policy

Policy Number: Security 15.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021.

Synopsis of Policy: HIPAA Regulation: 164.308(a)(1) Sanctions policy

This policy specifies enforcement, sanctions, penalties and disciplinary actions that may be applied against workforce members who fail to comply with all security policies and procedures. This policy ensures that information system workforce members know they can be held accountable for their actions.

The policy details all requirements of its fulfillment and penalties for non-compliance. It is of critical importance for all members of Entreprise Dentist.Business Inc. workforce to read this policy in full, and acknowledge having read it with signature.

Full Policy Language:

HIPAA Regulation:

• 164.308(a)(1) Sanctions policy

Policy Purpose:

The intent of this policy is to specify enforcement, sanctions, penalties, and disciplinary actions that may be applied against workforce members who fail to comply with the security policies and procedures. This policy ensures that workforce members know they can be held accountable for their actions.

Policy Description:

Sanctions

1. The definition of Entreprise Dentist.Business Inc. workforce is taken from the Privacy Rule. In Section 160.103, of the Privacy Rule, the term “workforce” is defined as, “Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.” The workforce shall guard against improper uses or disclosures of Entreprise Dentist.Business Inc. confidential client protected health information.
2. All members of Entreprise Dentist.Business Inc.  workforce are required to be aware of their responsibilities under Entreprise Dentist.Business Inc. HIPAA Security Rule policies.
3. All members of Entreprise Dentist.Business Inc. workforce are required to sign the HIPAA Confidentiality form indicating that they have been informed of the business practices in Entreprise Dentist.Business Inc. as they relate to security.
4. Managers and supervisors are responsible for ensuring that workforce members who have access to ePHI are informed of their responsibilities. Management is responsible for ensuring timely and appropriate training, that updates are communicated broadly, and that old/discontinued information is purged from common usage.
5. Members of Entreprise Dentist.Business Inc. workforce who violate Entreprise Dentist.Business Inc.  policies and procedures regarding the safeguarding of an individual’s confidential information are subject to disciplinary action by Entreprise Dentist.Business Inc.  up to and including immediate dismissal from employment or service. For violations of these polices, corrective action, including but not limited to contract cancellation or termination of services, shall be implemented by Entreprise Dentist.Business Inc.  for those members of the workforce who are not subject to Entreprise Dentist.Business Inc. discipline process.

1. Members of Entreprise Dentist.Business Inc. workforce who knowingly and willfully violate state or federal law for failure to safeguard ePHI are subject to criminal investigation and prosecution or civil monetary penalties.
2. If Entreprise Dentist.Business Inc. fails to enforce security safeguards, Entreprise Dentist.Business Inc. may be subject to administrative penalties by the Office of Civil Rights (OCR), including federal funding penalties.

Reporting violations

All workforce members shall notify the Compliance Officers when there is a reasonable belief that any security policies or procedures are being violated.

Retaliation prohibited

1. Neither Entreprise Dentist.Business Inc. as an entity nor

any member of Entreprise Dentist.Business Inc. workforce shall intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against any individual for:

1. Exercising any right established under Entreprise Dentist.Business Inc. policy;
2. Participating in any process established under Entreprise Dentist.Business Inc. policy including the filing of a complaint with the Entreprise Dentist.Business Inc. or with the Office of Civil Rights;
3. Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing relating to Entreprise Dentist.Business Inc. policy and procedures; and
4. Opposing any unlawful act or practice, provided that the individual or other person (including a member of the Entreprise Dentist.Business Inc. workforce) has a good faith belief that the act or practice being opposed is unlawful and the manner of such opposition is reasonable and does not involve a use or disclosure of an individual’s protected confidential information in violation of Entreprise Dentist.Business Inc. policy.

2. Those engaging in retaliation shall be subject to the sanctions under this policy.

Policy Responsibilities:

All workforce members are responsible for notifying the Compliance Officers when there is a belief that any security policies are being violated. In addition, suspected violations should be reported to the Security Officer.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:o Transmitted by electronic media;
  o Maintained in electronic media; or
  o Transmitted or maintained in any other form or medium.
• Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 16.0: Policies and Procedures

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Policies and Procedures

Policy Number: Security 16.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021.

Synopsis of Policy: HIPAA Regulation: 164.316. a Policies and procedures;.316.a.1 Documentation; 316.a.1.i Time limit; .316.a.1.ii Availability; .316.a.1.iii Updates

This policy formalizes the process by which Entreprise Dentist.Business Inc. HIPAA Security Rule policies and procedures are created, documented and implemented in accordance with regulations. It specifies the role of the various Compliance Officers in development, discussion and implementation of new policies and regular review of current policies.

It details documentation requirements surrounding policy administration.

Full Policy Language: HIPAA Regulation:

• 164.316. a Policies and procedures
• 164.316.a.1 Documentation
• 164.316.a.1.i Time limit
• 164.316.a.1.ii Availability
• 164.316.a.1.iiiUpdates Policy Purpose:The intent of this policy is to formalize the process by which Entreprise Dentist.Business Inc. HIPAA Security Rule policies and procedures are created, documented, and implemented in accordance with regulations.Policy Description:
  1. The Compliance Officers shall implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications or other requirements of the HIPAA Security Rule. The Compliance Officers shall work with workforce members to draft and revise policies and procedures.
  2. All policies and procedures implemented to comply with the HIPAA Security Rule shall be documented in writing (which may be in electronic form). All records of actions, activities, or assessments required by the Rule shall be documented. The documentation shall be detailed enough to communicate the security measures taken and to facilitate periodic evaluations.
  3. Documentation shall be retained for a minimum of 6 years from the time of its creation or the date when it last was in effect, whichever is later.
  4. All documentation shall be available to those persons responsible for implementing the procedures to which the documentation pertains.
  5. Documentation shall be reviewed at least annually, and updated as needed, in response to environmental or operational changes affecting the security of the electronic protected health information (ePHI).
• Policy Responsibilities:
• Compliance Officers
• The Compliance Officers shall be responsible for leading the development, implementation, and maintenance of the policies, procedures, and related documentation.
• Department Management
• Entreprise Dentist.Business Inc. shall submit all new and revised procedures to the Compliance Officers for approval and ongoing evaluation.

Procedures

In general the following process is used to develop and implement policies and procedures:

1. The Compliance Officers shall draft new or updated HIPAA information security policies;
2. The new information security policy shall be presented to the Head of Entreprise Dentist.Business Inc. for awareness, input, and endorsement;
3. The Compliance Officers shall give final approval for the new or updated policy; and
4. The Compliance Officers shall communicate the new or updated policy to the workforce including updating training and related materials as needed.

Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standard.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 17.0: Satellite Office and Home Office Policy

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Satellite Office and Home Office Policy

Policy Number: Security 17.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021.

Synopsis:

This policy is designed to help Entreprise Dentist.Business Inc. designate and protect Satellite and Home Offices that directly perform services for the Covered Entity or Business Associate.

Definitions:

Satellite Office: A Satellite Office is a non-descript location, with no signage to designate that it is part of, or performs services for, the main organization. This location is not used for storing PHI documented in physical or digital form. It is strictly used for providing treatment and then leaving. When leaving, there is no footprint, no computers, no charts, no trash: nothing that can be traced back to any of the PHI that was interacted with. If any of the above does not apply, then this site is considered a location and is subject to all the HIPAA requirements that the main office is subject to.

Home Office: A home office with no signage to designate that it is part of, or performs services for, the main organization. This location is not used for storing charts, for storing computers, and does not retain any documentation. It is strictly used for providing treatment and healthcare viewing of electronic records. There is no footprint, no data stored on computers, no charts, no trash: nothing that can be traced back to any of the PHI that was interacted with. Entreprise Dentist.Business Inc.

should not allow storage of PHI at the Home Office. Printed matter should be shredded immediately after use, and it should not be stored. Computers should be set up so PHI cannot download from the main site. No footprint can be left. If any of the above does not apply, then this site is considered a location and is subject to all the HIPAA requirements that the main office is subject to.

Requirements of Compliance for Satellite and Home Offices:

1. Devices used at Satellite and Home sites must be protected and encrypted and listed in the Device Audit as encrypted.
2. Site(s) must have a Physical Site Audit filled out and stored in The Guard.
3. All Entreprise Dentist.Business Inc. staff that work in theSatellite and Home offices must go through HIPAA training.
4. No footprint (evidence of PHI) will be allowed at either Satellite or HomeOffices.
5. If the above are not followed, the organization must defend their decisions to theDepartment of Health and Human Services (HHS) should a breach occur and these protocols are not followed.

Example of a Satellite Office:

A Doctor’s office in city A has a lot of patients in city B, so once a week they use a site in city B (i.e., an examination room in another doctor’s office, etc.) to see patients who live there so they do not have to travel as far. This site is not used for storing charts, for storing computers, or for leaving any documentation behind. It is strictly used for seeing the Doctor’s patients, and then leaving. When leaving, they leave behind no footprint, no computers, no charts, no trash, and nothing about or pertaining to any of the patients that were there that day.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Privacy 21.0: Breach Notification

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Breach Notification

Policy Number: Privacy 21.0

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021.

Synopsis of Policy: Breach Notification

This policy provides guidance for breach notification by Entreprise Dentist.Business Inc. when impermissive or unauthorized access, acquisition, use, and/or disclosure of Entreprise Dentist.Business Inc. patients’ Protected Health Information (PHI) occurs. Breach notification will be carried out in compliance with the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH), Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (Omnibus Rule), as well as any other federal or state notification law.

The full policy, of which this serves as executive summary, details and defines all aspects of inappropriate, wrongful, accidental, or willful breaches of protected health information (PHI). The complete policy also identifies required procedures to alert those who have been subject of a breach, and additional notification requirements (governmental agencies, law enforcement, etc.).

Any Entreprise Dentist.Business Inc. workforce member coming in contact with PHI in their regular duties must read the complete policy and attest to having read and understanding it.

Full Policy Language: Purpose:

To provide guidance for breach notification by covered entities when impermissive or unauthorized access, acquisition, use and/or disclosure of Entreprise Dentist.Business Inc. patient protected health information occurs. Breach notification will be carried out in compliance with the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH), Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (Omnibus Rule), as well as any other federal or state notification law.

The Federal Trade Commission (FTC) has published breach notification rules for vendors of personal health records as required by ARRA/HITECH. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule was effective September 24, 2009 with full compliance required by February 22, 2010.

Background:

The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. Title XIII of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH significantly impacted the Health Insurance Portability and Accountability (HIPAA) Privacy and Security Rules. While HIPAA did not require notification when patient protected health information (PHI) was inappropriately disclosed, covered entities may have chosen to include notification as part of the mitigation process. HITECH required notification of certain breaches of unsecured PHI to the following: individuals, Secretary of the Department of Health and Human Services (HHS), and the media. The effective implementation date for these provisions was September 23, 2009.

In January of 2013, the “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” (Omnibus Rule) modified the HITECH definition of a breach to eliminate the previous “harm” standard and was effective September 23, 2013. It states that an “acquisition, access, use, or disclosure in a manner not permitted is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment” of at least the following factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has beenmitigated.

Definitions:

Access: Means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

Agent: An agent of Entreprise Dentist.Business Inc. is determined in accordance with federal common law of agency. Entreprise Dentist.Business Inc. is liable for the acts of its agents. An agency relationship exists if Entreprise Dentist.Business Inc. has the right or authority of Entreprise Dentist.Business Inc. to control the agent’s conduct in the course of performing a service on behalf of Entreprise Dentist.Business Inc. (i.e. give interim instructions, direct the performance of the service).

Breach: Means the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI and is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has beenmitigated.

Breach excludes:

1. Any unintentional acquisition, access, or use of PHI by a workforce member orperson acting under the authority of a Covered Entity (CE) or Business Associate (BA) if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule;
2. Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized health care arrangement in which the CE participates, and the information received as a result of such disclosure is not further used or disclosed

in a manner not permitted under the Privacy Rule; and

3. A disclosure of PHI where a CE or BA has a good faith belief that an

unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Covered Entity: A health plan, health care clearinghouse, or a healthcare provider who transmits any health information in electronic form.

Disclosure: Disclosure means the release, transfer, provision of, access to, or divulging in any manner of information outside the entity holding the information.

Individually Identifiable Health Information: That information that is a subset of health information, including demographic information collected from an individual, and is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Law Enforcement Official: Any officer or employee of an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law; or prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

Organization: For the purposes of this policy, the term “organization” shall mean the covered entity to which the policy and breach notification apply.

Protected Health Information (PHI): Protected health information means individually identifiable health information that is: transmitted by electronic media; maintained in electronic media; or transmitted or maintained in any other form or medium (see regulations for complete definition and exclusions).

Unsecured Protected Health Information: Protected health information (PHI) that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Pub. L.111-5 on the HHS website.

1. Electronic PHI has been encrypted as specified in the HIPAA Security rule by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The following encryption processes meet this

standard.

1. Valid encryption processes for data at rest (i.e. data that resides indatabases, file systems, and other structured storage systems) are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices; and
2. Valid encryption processes for data in motion (i.e. data that is moving through a network, including wireless transmission) are those that comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are Federal Information Processing Standards FIPS 140-2 validated.

2. The media on which the PHI is stored or recorded has been destroyed in the following ways:

1. Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction; and
2. Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publications 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

Workforce: Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such entity, whether or not they are paid by the covered entity or business associate.

Policy Statement/s:

1. Discovery of Breach: A breach of PHI shall be treated as “discovered” as of the first day on which an incident that may have resulted in a breach is known to Entreprise Dentist.Business Inc. or, by exercising reasonable diligence would have been known to Entreprise Dentist.Business Inc. (includes breaches by Entreprise Dentist.Business Inc. business associates). Entreprise Dentist.Business Inc. shall be deemed to have knowledge of a breach if such breach is known or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent (e.g. a business associate acting as an agent of the organization) of Entreprise Dentist.Business Inc. (see attachment for examples of breach of unsecured protected heath information). Following the discovery of a potential breach, Entreprise Dentist.Business Inc. shall begin an investigation (see organizational policies for security incident response and/or risk management incident response), conduct a risk assessment, and based on the results of the risk assessment, begin the process to notify each individual whose PHI has been, or is reasonably believed to by Entreprise Dentist.Business Inc. to have been accessed, acquired, used, or disclosed as a

result of the breach. Entreprise Dentist.Business Inc. shall also begin the process of determining what external notifications are required or should be made (e.g., Secretary of Department of Health & Human Services (HHS), media outlets, law enforcement officials, etc.).

1. Breach Investigation: Entreprise Dentist.Business Inc. shall name an individual to act as the investigator of the breach (e.g., privacy officer, security officer, risk manager, etc.). The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with others in Entreprise Dentist.Business Inc. as appropriate (e.g., administration, security incident response team, human resources, risk management, public relations, legal counsel, etc.) The investigator shall be the key facilitator for all breach notification processes to the appropriate entities (e.g., HHS, media, law enforcement officials, etc.). All documentation related to the breach investigation, including the risk assessment and notifications made, shall be retained for a minimum of six years.
2. Risk Assessment: For an acquisition, access, use or disclosure of PHI to constitute a breach, it must constitute a violation of the Privacy Rule. A use or disclosure of PHI that is incident to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper minimum necessary procedures would not be a violation of the Privacy Rule and would not qualify as a potential breach. An “acquisition, access, use, or disclosure in a manner not permitted is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment” of at least the following factors:
   1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
   2. The unauthorized person who used the protected health information or towhom the disclosure was made;
   3. Whethertheprotectedhealthinformationwasactuallyacquiredorviewed;and
   4. The extent to which the risk to the protected health information has beenmitigated.
3. Entreprise Dentist.Business Inc. shall document the risk assessment as part of the investigation in the incident report form noting the outcome of the risk assessment process. Entreprise Dentist.Business Inc. has the burden of proof for demonstrating that all notifications were made as required or that the use or disclosure did not constitute a breach. Based on the outcome of the risk assessment, Entreprise Dentist.Business Inc. will determine the need to move forward with breach notification. Entreprise Dentist.Business Inc. may make breach notifications without completing a risk assessment.

1. Timeliness of Notification: Upon determination that breach notification is required, the notice shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach by Entreprise Dentist.Business Inc. involved or the business associate involved that is acting as Entreprise Dentist.Business Inc. agent. It is the responsibility of Entreprise Dentist.Business Inc. to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of delay.
2. Delay of Notification Authorized for Law Enforcement Purposes: If a law enforcement official states to Entreprise Dentist.Business Inc. that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, Entreprise Entreprise Dentist.Business Inc. shall:
   1. If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting of the time period specified by the official; or
   2. If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.
3. Content of the Notice: The notice shall be written in plain language and must contain the following information:
   1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
   2. A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
   3. Any steps the individual should take to protect themselves from potential harm resulting from the breach;
   4. A brief description of what Entreprise Dentist.Business Inc. is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches; and
   5. Contact procedures for individuals to ask questions or learn additional information, which includes a toll-free telephone number, an e-mail address, Web site, or postal address.
4. Methods of Notification: The method of notification will depend on the individuals/entities to be notified. The following methods must be utilized accordingly:

1. Notice to Individual(s): Notice shall be provided promptly and in the following form:

1. Written notification by first-class mail to the individual at their last known address or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification shall be provided in one or more mailings as information is available. If Entreprise Dentist.Business Inc. knows that the individual is deceased and has the address of the next of kin or personal representative of the individual, written notification by first-class mail to the next of kin or personal representative shall be carried out. Limited examples (refer to preamble for more examples):
   1. Entreprise Dentist.Business Inc. may send one breach notice addressed to both a plan participant and the participant’s spouse or other dependents under the plan who are affected by a breach, if they all reside at a single address and all individuals to which the notice applies are clearly identified on the notice. When a plan participant (and/or spouse) is not the personal representative of a dependent under the plan, however, address a breach notice to the dependent himself or herself; and
   2. In the limited circumstance that an individual affirmatively chooses not to receive communications from a health care provider at any written addresses or email addresses and has agreed only to receive communications orally or by telephone, the provider may telephone the individual to request and have the individual pick up their written breach notice from the provider directly. In cases in which the individual does not agree or wish to travel to the provider to pick up the written breach notice, the health care provider should provide all of the information in the breach notice over the phone to the individual, document that it has done so, and the Department will exercise enforcement discretion in such cases with respect to the ‘‘written notice’’ requirement.
2. Substitute Notice: In the case where there is insufficient or out- of-date contact information (including a phone number, email address, etc.) that precludes direct written or electronic notification, a substitute form of notice reasonably calculated to reach the individual shall be provided. A substitute notice need not be provided in cases where there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative.

1. In a case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then the substitute notice may be provided by an alternative form of written notice, telephone, or other means.
2. In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then the substitute notice shall be in the form of either a conspicuous posting for a period of 90 days on the home page of the organization’s website, or a conspicuous notice in a major print or broadcast media in Entreprise Dentist.Business Inc. geographic areas where the individuals affected by the breach likely reside. The notice shall include a toll-free number that remains active or at least 90 days where an individual can learn whether his or her PHI may be included in the breach.

3. If Entreprise Dentist.Business Inc. determines that notification requires urgency because of possible imminent misuse of unsecured PHI, notification may be provided by telephone or other means, as appropriate in addition to the methods noted above.

1. Notice to Media: Notice shall be provided to prominent media outlets serving the state and regional area (of the breached patients) when the breach of unsecured PHI affects 500 or more of Entreprise Dentist.Business Inc. patients of a State or jurisdiction.
   1. The Notice shall be provided in the form of a press release.
   2. What constitutes a prominent media outlet differs depending upon the state or jurisdiction where Entreprise Dentist.Business Inc. affected patients reside. For a breach affecting more than 500 individuals across a particular state, a prominent media outlet may be a major, general interest newspaper with a daily circulation throughout the entire state. In contrast, a newspaper serving only one town and distributed on a monthly basis, or a daily newspaper of specialized interest (such as sports or politics) would not be viewed as a prominent media outlet. Where a breach affects more than 500 individuals in a limited jurisdiction, such as a city, then a prominent media outlet may be a major, general-interest newspaper with daily circulation throughout the city, even though the newspaper does not servethe whole State.
2. Notice to Secretary of HHS: Notice shall be provided to the Secretary ofHHS as follows below. The Secretary shall make available to the public on the HHS Internet website a list identifying covered entities involved in

all breaches in which the unsecured PHI of more than 500 patients is accessed, acquired, used, or disclosed.

1. For breaches involving 500 or more individuals, the organization shall notify the Secretary of HHS as instructed at www.hhs.gov at the same time notice is made to the individuals.
2. For breaches involving fewer than 500 individuals, the organization will maintain a log of the breaches. The breaches may be reported during the calendar year or no later than 60 days after the end of that calendar year in which the breaches were discovered (e.g., 2017 breaches must be submitted by 3/1/2018 – 60 days). Instructions for submitting the logged breaches are provided at www.hhs.gov.

9. Maintenance of Breach Information/Log: As described above and in addition to the reports created for each incident, Entreprise Dentist.Business Inc. shall maintain a process to record or log all breaches of unsecured PHI regardless of the number of patients affected. The following information should be collected/logged for each breach (see sample Breach Notification Log):

1. A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of patients affected, if known;
2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.);
3. A description of the action taken with regard to notification of patients, the media, and the Secretary regarding the breach;
4. The results of the risk assessment; and
5. Resolution steps taken to mitigate the breach and prevent futureoccurrences.

10.Business Associate Responsibilities: In 2013, the Omnibus Rule extended liability for compliance to the HIPAA Privacy and Security Rules to business associates and their subcontractors. With these modifications, business associates are now directly liable for impermissible uses and disclosures, provision of breach notification to the covered entity, completing breach risk assessments, breach documentation requirements, and civil and criminal penalties for violations. The business associate (BA) of Entreprise Dentist.Business Inc. that accesses, creates, maintains, retains, modifies, records, stores, transmits, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, notify Entreprise Dentist.Business Inc. of such breach (when the business associate is an agent of the organization, this notification must be provided within a shorter timeframe as specified in Entreprise Dentist.Business Inc. Business Associate Agreement policy). Such notice shall include the identification of each

individual whose unsecured protected health information has been, or is reasonably believed by the BA to have been, accessed, acquired, or disclosed during such breach. The BA shall provide Entreprise Dentist.Business Inc. with any other available information that the organization is required to include in notification to the individual at the time of the notification or promptly thereafter as information becomes available. Upon notification by the BA of discovery of a breach, Entreprise Dentist.Business Inc. will be responsible for notifying affected individuals, unless otherwise agreed upon by the BA to notify the affected individuals (note: It is the responsibility of the Covered Entity to document this notification).

1. Workforce Training: Entreprise Dentist.Business Inc. shall train all members of its workforce on the policies and procedures with respect to PHI as necessary and appropriate for the members to carry out their job responsibilities. Workforce members shall also be trained as to how to identify and promptly report breaches within Entreprise Dentist.Business Inc., as well as return or destroy PHI, as appropriate for the incident. Workforce members that assist in investigating, documenting, and resolving breaches are trained on how to complete these activities.
2. Complaints: Entreprise Dentist.Business Inc. must provide a process for individuals to make complaints concerning the organization’s patient privacy policies and procedures or its compliance with such policies and procedures. Individuals have the right to complain about Entreprise Dentist.Business Inc. breach notification processes.
3. Sanctions: Entreprise Dentist.Business Inc. shall have in place and apply appropriate sanctions against members of its workforce who fail to comply with privacy policies and procedures.
4. Retaliation/Waiver: Entreprise Dentist.Business Inc. may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any privacy right. Entreprise Dentist.Business Inc. may not require individuals to waive their privacy rights under as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

Applicable Federal/State Regulations:

• ▪  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (Omnibus Rule);
• ▪  ARRA Title XIII Section 13402 – Notification in the Case of Breach;
• ▪  FTC Breach Notification Rules – 16 CFR Part 318;
• ▪  45 CFR Parts 160 and 164 – HIPAA Privacy and Security Rules; and
• ▪  WI § 134.98 – Notice of Unauthorized Acquisition of Personal Information (Note:Not applicable to Covered Entities under HIPAA).

ATTACHMENTS

Note: Each of these events may not rise to the level of a “breach.” This can only be determined by completing the risk assessment analysis and making a determination of whether or not there was “harm” to the individual.

• ▪  Workforce members access the electronic health records of a celebrity who is treated within the facility and they are not involved in the patient’s care.
• ▪  Stolen or lost laptop containing unsecured protected health information.
• ▪  Papers containing protected health information found scattered along roadside after improper storage in truck by business associate responsible for disposal (shredding).
• ▪  Posting of patient’s HIV+ health status on Facebook by a laboratory tech who carried out the diagnostic study.
• ▪  Misdirected e-mail of listing of drug seeking patients to an external group list.
• ▪  Lost flash drive containing database of patients participating in a clinical study.
• ▪  EOB (Explanation of Benefits) sent to wrong guarantor.
• ▪  Provider accessing the health record of divorced spouse for information to be usedin a custody hearing.
• ▪  Workforce members accessing electronic health records for information onfriends or family members out of curiosity/without a business-related purpose.
• ▪  EMT takes a cell phone picture of patient following a MVA and transmits phototo friends.
• ▪  Misfiled patient information in another patient’s medical records which is broughtto the organization’s attention by the patient.
• ▪  Medical record copies in response to a payer’s request lost in mailing process andnever received.
• ▪  Misdirected fax of patient records to a local grocery store instead of therequesting provider’s fax.
• ▪  Briefcase containing patient medical record documents stolen from car.
• ▪  PDA with patient-identifying wound photos lost.
• ▪  Intentional and non-work related access by staff member of neighbor’sinformation.
• ▪  Medical record documents left in public access cafeteria.Penalties for Breach: Penalties for violations of HIPAA have been established under HITECH as indicated below. The penalties do not apply if the organization did not know (or by exercising reasonable diligence would not have known) of the violation or if the failure to comply was due to a reasonable cause and was corrected within thirty days.

Examples of Potential Breaches of Unsecured Protected Health Information

Breach Penalties

Penalties will be based on the organization’s culpability for the HIPAA violation. The Secretary of HHS will base its penalty determination on the nature and extent of both the violation and the harm caused by the violation. The Secretary still will have the discretion to impose corrective action without a penalty in cases where the person did not know (and by exercising reasonable diligence would not have known) that such person committed a violation.

The maximum penalty is $50,000 per violation, with a cap of $1,500,000 for all violations of an identical requirement or prohibition during a calendar year.

The minimum civil monetary penalties are tiered based upon the entity’s perceived culpability for the HIPAA violation, as follows:

Tier A

▪

Tier B

▪

Tier C

▪

Tier D

▪

– If the offender did not know

$100 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $25,000.

– Violation due to reasonable cause, not willful neglect

$1,000 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $100,000.

– Violation due to willful neglect, but was corrected.

$10,000 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $250,000.

– Violation due to willful neglect, but was NOT corrected.

$50,000 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $1,500,000.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Privacy 22.0: Organizational Code of Conduct

Entreprise Dentist.Business Inc. and its employees must, at all times, comply with all applicable laws and regulations. Entreprise Dentist.Business Inc. will not condone the activities of employees who achieve results through violation of the law or unethical business dealings. This includes any payments for illegal acts, indirect contributions, rebates, and bribery. Entreprise Dentist.Business Inc. does not permit any activity where public scrutiny or opinions would damage the reputation of Entreprise Dentist.Business Inc..

All business conduct should be well above the minimum standards required by law. Accordingly, employees must ensure that their actions cannot be interpreted, in any way, in contravention of the laws and regulations governing Entreprise Dentist.Business Inc. operations.

Employees uncertain about the application or interpretation of any legal requirements should refer the matter to their supervisor, who, if necessary, should seek appropriate legal advice.

Employees need to utilize the company provided systems in a correct and timely manner.

General Employee Conduct:

Entreprise Dentist.Business Inc. expects its employees will conduct themselves in a business-like manner. Drinking, gambling, fighting, swearing, and similar unprofessional activities are strictly prohibited while on the job.

Employees must not engage in sexual harassment, or conduct themselves in a way that could be construed as such. For example, by using inappropriate language, keeping or posting inappropriate materials in their work area, or accessing inappropriate materials on their Entreprise Dentist.Business Inc. computer.

Conflicts of Interest:

Entreprise Dentist.Business Inc. expects that employees will perform their duties conscientiously, honestly, and in accordance with the best interests of Entreprise Dentist.Business Inc. Employees must not use their positions, or the knowledge gained as a result of their positions, for private or personal advantage. Regardless of the circumstance(s), if employees sense that a course of action they have pursued, are presently pursuing, or are even contemplating pursuing may involve them in a conflict of interest with their employer, they should immediately communicate all those facts to their supervisor.

Outside Activities, Employment, and Directorships:

All employees share a serious responsibility for Entreprise Dentist.Business Inc. good public relations, especially at the community level. Their readiness to help with religious, charitable, educational, and civic activities brings credit to Entreprise Dentist.Business Inc. and is encouraged.

Employees must, however, avoid acquiring any business interest, or participating in any other activity outside Entreprise Dentist.Business Inc. that would, or would appear to:

• Create an excessive demand upon their time and attention, thus depriving Entreprise Dentist.Business Inc. of their best efforts on the job.
• Create a conflict of interest – an obligation, interest, or distraction – that may interfere with the independent exercise of judgment in Entreprise Dentist.Business Inc. best interest.

Relationships With Clients and Suppliers:

Employees should avoid investing in or acquiring a financial interest in any business organization that has a contractual relationship with Entreprise Dentist.Business Inc. Also, avoid entering into a contractual agreement with an entity that provides goods or services, or both, to Entreprise Dentist.Business Inc. if such investment or interest could influence or create the impression of influencing their decisions in the performance of their duties on behalf of Entreprise Dentist.Business Inc.

Gifts, Entertainment, and Favors:

Employees must not accept entertainment, gifts, or personal favors that could, in any way, influence (or appear to influence) business decisions in favor of any person or organization with whom or with which Entreprise Dentist.Business Inc.  has, or is likely to have, business dealings. Similarly, employees must not accept any other preferential treatment under these circumstances because their positions with Entreprise Dentist.Business Inc. might be inclined to, or be perceived to, place them under obligation to return the preferential treatment.

Kickbacks and Secret Commissions:

Regarding Entreprise Dentist.Business Inc. business activities: Employees may not receive payment or compensation of any kind, except as authorized under Entreprise Dentist.Business Inc. business and payroll policies. In particular, Entreprise Dentist.Business Inc. strictly prohibits the acceptance of kickbacks and secret commissions from suppliers or others. Any breach of this rule will result in immediate termination and prosecution to the fullest extent of the law.

Organization Funds and Other Assets:

Employees who have access to Entreprise Dentist.Business Inc. funds in any form must follow the prescribed procedures for recording, handling, and protecting money as detailed in Entreprise Dentist.Business Inc. policies and procedures or other explanatory materials. Entreprise Dentist.Business Inc. imposes strict standards to prevent fraud and dishonesty. If employees become aware of any evidence of fraud and dishonesty, they should immediately advise their supervisor or seek appropriate legal guidance so that Entreprise Dentist.Business Inc. can promptly investigate.

When an employee’s position requires spending Entreprise Dentist.Business Inc. funds or incurring any reimbursable personal expenses, that individual must use good judgment on Entreprise Dentist.Business Inc. behalf to ensure that the funds were used in a strictly professional capacity and benefited Entreprise Dentist.Business Inc..

Entreprise Dentist.Business Inc.  funds and all other assets of Entreprise Dentist.Business Inc. are purposed for Entreprise Dentist.Business Inc. only and not for personal benefit. This includes the personal use of organizational assets, such as computers.

Organization Records and Communications:

Accurate and reliable records of many kinds are necessary to meet Entreprise Dentist.Business Inc. legal and financial obligations and to manage the affairs of Entreprise Dentist.Business Inc. Entreprise Dentist.Business Inc.  books and records must reflect, in an accurate and timely manner, all business transactions. The employees responsible for accounting and recordkeeping must fully disclose and record all assets, liabilities (or both) while exercising diligence in enforcing these requirements.

Employees must not make or engage in any false record or communication of any kind, whether internal or external, including but not limited to:

• False expense, attendance, production, financial, or similar reports and statements
• False advertising, deceptive marketing practices, or other misleading representations Dealing With Outside People and Organizations:Employees must take care to separate their personal roles from their organizational positions when communicating on matters not involving Entreprise Dentist.Business Inc. business.
  Employees must not use organizational identification, stationery, supplies, and equipment for personal or political matters.When communicating publicly on matters that involve Entreprise Dentist.Business Inc. business, employees must not presume to speak for Entreprise Dentist.Business Inc.  on any topic. This is unless they are certain that the views they express are those of Entreprise Dentist.Business Inc. and it is Entreprise Dentist.Business Inc. desire that such views be publicly disseminated.When dealing with anyone outside Entreprise Dentist.Business Inc. including public officials, employees must take care not to compromise the integrity or damage the reputation of Entreprise Dentist.Business Inc.. This applies as well to any outside individual, business, or government body.Prompt Communications:In all matters relevant to customers, suppliers, government authorities, the public, and others in Entreprise Dentist.Business Inc., all employees must make every effort to achieve and accurately complete timely communications – responding promptly and courteously to all proper requests for information and to all complaints.Privacy and Confidentiality:
  When handling financial and personal information about customers or others with whom Entreprise Dentist.Business Inc. has dealings, observe the following principles:

• Collect, use, and retain only the personal information necessary for Entreprise Dentist.Business Inc. business dealings. Whenever possible, obtain any relevant information directly from the person concerned. Use only reputable and reliable sources to supplement this information.
• Retain information only for as long as necessary or as required by law. Protect the physical security of this information.
• Limit internal access and personal information to those with a legitimate business reason for seeking that information. Use only personal information for the purposes for which it was originally obtained. Obtain the consent of the person concerned before externally disclosing any personal information, unless legal process or contractual obligation provides otherwise.Attendance:
  This policy details how absences and tardiness are counted for the purposes of maintaining excellent customer service throughout the business day.

• Family and Medical Leave Act: Absences due to illnesses or injuries that qualify under the Family and Medical Leave Act (FMLA) will not be counted against an employee’s attendance record. Medical documentation within the guidelines of the FMLA may be required in these instances.

Absences and Tardiness:

• Prescheduled times away from work using accrued vacation, holiday, flex or PTO (where available) days are not considered occurrences for the purpose of this policy.
• An absence occurs when an employee misses more than three hours of work within a normal workday. An absence of multiple days due to the same illness, injury, or other incident will be counted as one occurrence for the purpose of this policy. A tardy arrival, early departure or other shift interruption is considered a one-half occurrence. On occasion and with prior approval of the supervisor, an employee who is tardy may adjust that day’s schedule to work an equivalent amount of time at the end of the shift, and a one-half occurrence will not be counted. Arrival and departure times will be determined by the time on the time recording system in each department. An employee is considered late if he or she reports to work more than five minutes after the scheduled starting time; an early departure is one in which the employee leaves before the lcheduled end of his or her shift. If an employee is scheduled to work overtime and either fails to report or reports after the scheduled start time, an occurrence will be charged as noted above.

HIPAA Policy 24.0: Social Media

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Social Media

Policy Number: HIPAA Policy 24.0

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021.

Synopsis of Policy: Policy 24.0 Social Media

This policy provides guidance for employee use of social media, which should be broadly understood for purposes of this policy to include blogs, wikis, micro-blogs, message boards, chat rooms, electronic newsletters, online forums, social networking sites, and other sites and services that permit users to share information with others in a contemporaneous manner.

Procedures:

The following principles apply to professional use of social media on behalf of Entreprise Dentist.Business Inc. as well as personal use of social media when referencing Entreprise Dentist.Business Inc.

1. Employees should be aware that is never acceptable to post to social websites any information regarding patients, their condition, their treatment plan, and that sanctions up to and including termination will occur.
2. Employees need to know and adhere to the [Company’s Code of Conduct, Employee Handbook, and other Entreprise Dentist.Business Inc. policies] when using social media in reference to Entreprise Dentist.Business Inc..
3. Employees should be aware of the effect their actions may have on their images, as well as Entreprise Dentist.Business Inc. image. The information that employees post or publish may be public information for a long time.
4. Employees should be aware that Entreprise Dentist.Business Inc. may observe content and information made available by employees through social media. Employees should use their best judgment in posting material that is neither inappropriate nor harmful to Entreprise Dentist.Business Inc., its employees, or its customers.
5. Although this is not an exclusive list, some specific examples of prohibited social media conduct include posting commentary, content, or images that are defamatory, pornographic, proprietary, harassing, libelous, or that can create a hostile work environment.
6. Employees are not to publish, post, or release any information that is considered confidential or private. If there are questions about what is considered confidential, employees should check with the Human Resources Department and/or their supervisor.
7. Social media networks, blogs and other types of online content can generate press, media attention, or legal questions. Employees should refer these inquiries to authorized Entreprise Dentist.Business Inc. spokespersons.
8. If employees find that they encounter a situation while using social media that threatens to become antagonistic, employees should disengage from the dialogue in a polite manner and seek the advice of a supervisor.
9. Employees should get appropriate permission before they refer to or post images of current (or former) employees, members, vendors, and suppliers. Additionally, employees should get appropriate permission to use a third party’s copyrights, copyrighted material, trademarks, service marks, or other intellectual property.

1. Social media use shouldn’t interfere with employee’s responsibilities at Entreprise Dentist.Business Inc. Entreprise Dentist.Business Inc. computer systems are to be used for business purposes only. When using Entreprise Dentist.Business Inc. computer systems, use of social media for business purposes is allowed (ex: Facebook, Twitter, Entreprise Dentist.Business Inc. blogs, and LinkedIn). However, personal use of social media networks, or personal blogging of online content is discouraged and could result in disciplinary action.
2. Subject to applicable law, after-hours online activity that violates Entreprise Dentist.Business Inc. Code of Conduct or any other company policy may subject an employee to disciplinary action or termination.
3. If employees publish content after-hours that involves work or subjects associated with Entreprise Dentist.Business Inc., a disclaimer should be used, such as this: “The postings on this site are my own and may not represent Entreprise Dentist.Business Inc. positions, strategies, or opinions.”
4. It is highly recommended that employees keep Entreprise Dentist.Business Inc. – related social media accounts separate from personal accounts, if practical.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

ENTREPRISE DENTIST.BUSINESS INC.’S WEB SITE AND SUBSITES PRIVACY POLICY

Entreprise Dentist.Business Inc. respects your privacy. In this regard, Entreprise Dentist.Business Inc. has prepared this Web site privacy policy (the “Privacy policy”) to communicate to its users how Entreprise Dentist.Business Inc. collects, uses and discloses personal information collected about them on the Web site. This privacy Policy applies to www.dentist.business and its authorized sub-sites that expressly adopt, display or link back to this privacy policy.

Collection and use of personal information

We may collect personal information such as your name, address, personal e-mail address and telephone and fax numbers that you voluntarily provide to us when you request information about our services, submit questions, register for services, or when you submit your resume in relation to a career opportunity. The aforementioned personal information provided by you may then be used to communicate with you in connection with your various inquiries or to consider you for employment purposes.

We may also collect information in connection with your visit to our Web site through the use of cookies. Such information will be used to analyze trends, to administer the site, to track visitors’ movements around the site and to gather demographic information about our visitor base as a whole. The use of cookies merely identifies you as a number, that is, your name, address or any other information that directly identifies you will not be collected. Additional details regarding the use of various technologies are provided below.

Disclosure of personal information

We may disclose the personal information collected through this Web site with our affiliates for internal business purposes.

We may also share information provided by you with service providers that we retain to perform services on our behalf. These service providers are contractually limited from using or disclosing the information except as is necessary to perform the services or to comply with legal requirements. Furthermore, we may disclose information about you where we are required or permitted by law to do so.

Links to websites not belonging to Entreprise Dentist.Business Inc.

This Web site may contain links to third party Web sites that are not affiliated with Entreprise Dentist.Business Inc. Entreprise Dentist.Business Inc. does not in any way endorse or make any representations about such third party Web sites. The links are simply made available for your convenience. As such, Entreprise Dentist.Business Inc. is not responsible for the privacy practices or content of such third party Web sites. If you choose to access those links, we encourage you to review their respective privacy policies before submitting any of your personal information.

Our security measures to protect your personal information

To protect the personally identifiable information you transmit through your use of this Web site, we maintain reasonable physical, technical and administrative safeguards to help protect against the unauthorized access, use and disclosure of the information.

Access and correction

By sending us an email via go@dentist.business, you may request information about the existence of the personal information voluntarily provided by you through our Website, and request access to such information in order to have it deleted, updated or corrected, subject to certain legal restrictions.

Use of technology: cookies & logs

As previously mentioned, Entreprise Dentist.Business Inc. may use cookies to collect information about its visitors. Cookies are identifiers that are transferred to your computer’s hard drive through your Web browser to enable our systems to recognize your browser. You may choose to disable cookies on your computer by modifying your Web browser.

Entreprise Dentist.Business Inc. may also use logs to collect information about its visitors. Entreprise Dentist.Business Inc. may review server logs for security purposes, for example, to detect intrusions into our network. Server log data, which contains visitors’ IP addresses, could in instances of criminal malfeasance be used to trace and identify individuals. In such instances, raw data logs would be shared with appropriate investigative bodies authorized to investigate such breaches of security. Like cookies, logs do not cross reference the information automatically collected with any type of personal information that is voluntarily offered by you on or through this Web site.

Consent

By using this Web site and sub-sites, you consent to the collection, use and disclosure of your personal information by us in the manner described in this Privacy policy. Entreprise Dentist.Business Inc. reserves the right to make changes to this Privacy policy from time to time without notice.

Privacy questions and access

For additional information about our online privacy practices, please contact:

Entreprise Dentist.Business Inc., 500, Place d’Armes, Suite 1800, Montréal, QC, H2Y 2W2

User Agreement

Welcome to Dentist.Business. We’re glad you’re here, and we hope you enjoy everything we have to offer.

Please read these User Agreement carefully because it’S a binding agreement between You and Entreprise Dentist.Business Inc., (“We”).

This User Agreement govern your use of the www.dentist.business or any other sites that link to this User Agreement. In this User Agreement, the word “Sites” refers to each of these websites and the services offered on those Sites. You automatically agree to this User Agreement and to our Privacy Policies simply by using or logging into the Sites.

Please note that we offer many services. Your use of Entreprise Dentist.Business Inc. applications or services are provided by Entreprise Dentist.Business Inc.’s pursuant to a separate manually or digitally-executed agreement. Those additional terms become part of your agreement with us, if you use the services or log into the Sites.

Your Accounts

You may be required to create an account and specify a password in order to use certain services or features on the Sites. To create an account, you must be at least 18 years old and you must provide truthful and accurate information about yourself. Don’t try to impersonate anyone else when you create your account. If your information changes at any time, please update your account to reflect those changes.

In some cases, an account may be assigned to you by an administrator, such as your employer. If you are using or logging into an account assigned to you by an administrator, additional terms may apply to your use of the Sites. Moreover, your administrator may be able to access or disable your account without our involvement.

You may not share your account with anyone else. Please keep your password confidential, and try not to use it on other websites. If you believe that your account has been compromised at any time, please notify your system administrator.

Modifications and Termination

We reserve the right to modify our Sites at any time, with or without notice to you. For example, we may add or remove functionality or features, and we may suspend or stop a particular feature altogether. We also reserve the right to charge a fee for any of our features at any time. If you don’t like any changes, you can stop using our Sites at any time.

Content You Post

We may provide opportunities for you to post text, photographs, videos, or other content (collectively, “Content”) on the Sites. You can only post Content if you own all the rights to that Content, or if another rights holder has given you permission.

Please note that we will not disclose or reproduce any ePHI or  and we respect PIPEDA and HIPPA requirements. Our Privacy Policies are top priority for us and we  collect use and disclose personal information only for those purposes necessary to administer registration and membership; establish and maintain communications with members, registrants, contacts; facilitate registrations for sessions and respond to inquiries. “Business information” means business name, business address, business telephone number, name(s) of owner(s), officer(s) and director(s), job titles, business registration numbers (GST, RST, source deductions), financial status. Although business information is not subject to PIPEDA, confidentiality of business information will be treated with the same security measures by Entreprise Dentist.Business Inc. staff and as is required for individual personal information under PIPEDA.

You agree to indemnify, release, and hold us harmless from any all liability, claims, actions, loss, harm, damage, injury, cost or expense arising out of any Content you post.

Keep in mind that if you send us any information, ideas, suggestions, or other communications to us, those communications will not be confidential. Moreover, unless we tell you otherwise, we reserve the right to reproduce, use, disclose, and distribute such communications without any obligation to you. This close is not related to the respect of any personal and business information.

Content Posted by Others

We are not responsible for, and do not endorse, Content posted by any other person. Accordingly, we may not be held liable, directly or indirectly, for any loss or damage caused to you in connection with any Content posted by another member.

Your Use of the Sites

Please do not use the Sites in a way that violates any laws, infringes on anyone’s rights, is offensive, or interferes with the Sites or any features on the Sites (including any technological measures we employ to enforce this Agreement).

It should be common sense, so we won’t bore you with a list of things you shouldn’t do. But if we (in our sole discretion) determine that you have acted inappropriately, we reserve the right to take down Content, terminate your account, prohibit you from using the Sites, and take appropriate legal actions.

Using our Site does not give you ownership of any intellectual property rights to the content you access. You may not use content from our Sites unless you obtain permission from us or its owner, or unless you are otherwise permitted by law.

When you use a Site or send communications to us through a Site, you are communicating with us electronically. You consent to receive electronically any communications related to your use of a Site. We may communicate with you by email or by posting notices on the Site. You agree that all agreements, notices, disclosures and other communications that are provided to you electronically satisfy any legal requirement that such communications be in writing. All notices from us intended for receipt by you shall be deemed delivered and effective when sent to the email address you provide to us. Please note that by submitting Content, creating a user account or otherwise providing us with your email address, postal address or phone number, you are agreeing that we or our agents may contact you at that address or number in a manner consistent with our Privacy Policies.

Intellectual Property

If you believe any Content on the Services infringes your copyrights, you may request that remove the Content from the Services (or disable access to that Content) by contacting us via go@dentist.business

Social Networks

The Service may include features that operate in conjunction with certain third party social networking websites that you visit such as Facebook, Instagram, YouTube, Vimeo, and Twitter (“Social Network Features”). While your use of the Social Network Features is governed by these Terms, your access and use of third party social networking sites and the services provided through the Services is governed by the terms of service and other agreements posted on these sites. You are responsible for ensuring that your use of those sites complies with any applicable terms of service or other agreements.

Our Warranties and Disclaimers

We provide our Services using a commercially reasonable level of care and promise to do our best to make sure you enjoy the Services. But there are certain things that we don’t promise about our Services.

OTHER THAN AS EXPRESSLY SET OUT IN THIS USER AGREEMENT, NEITHER ENTREPRISE DENTIST.BUSINESS INC.’S NOR ITS AGENTS OR SERVICE PROVIDERS (THE “SERVICES ENTITIES”) MAKE ANY SPECIFIC PROMISES ABOUT THE SITES. FOR EXAMPLE, WE DON’T MAKE ANY COMMITMENTS ABOUT THE CONTENT WITHIN THE SITES, THE SPECIFIC FUNCTION OF THE SITES, OR THEIR RELIABILITY, AVAILABILITY, OR ABILITY TO MEET YOUR NEEDS. WE PROVIDE THE SITES “AS IS”.

SOME JURISDICTIONS PROVIDE FOR CERTAIN WARRANTIES, LIKE THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. TO THE EXTENT PERMITTED BY LAW, WE EXCLUDE ALL WARRANTIES

Liability for our Services

EXCEPT WHERE PROHIBITED, THE SERVICES ENTITIES SHALL NOT BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES ARISING FROM YOUR USE OF THE SITES OR ANY THIRD PARTY’S USE OF THE SITES. THESE EXCLUSIONS INCLUDE, WITHOUT LIMITATION, DAMAGES FOR LOST PROFITS, LOST DATA, COMPUTER FAILURE, OR THE VIOLATION OF YOUR RIGHTS BY ANY THIRD PARTY, EVEN IF THE SERVICES ENTITIES HAVE BEEN ADVISED OF THE POSSIBILITY THEREOF AND REGARDLESS OF THE LEGAL OR EQUITABLE THEORY UPON WHICH THE CLAIM IS BASED.

Additional Details

We may modify this User Agreement at any time so be sure to check back regularly. By continuing to use or log in to a Site after this User Agreement have changed, you indicate your agreement to the revised User Agreement. If you do not agree to the changes, you should stop using or logging in to the Sites.

The Sites may contain links to third-party websites. That doesn’t mean that we control or endorse those websites, or any goods or services sold on those websites. Similarly, the Sites may contain ads from third-parties. We do not control or endorse any products being advertised.

If you do not comply with this User Agreement, and we don’t take action right away, this doesn’t mean we’re OK with what you did, or we are giving up any rights that we may have (such as taking action in the future).

This User Agreement is governed by and construed in accordance with the laws of Quebec, without regard to its conflict of laws rules. You expressly agree that the exclusive jurisdiction for any claim or dispute under this User Agreement and or your use of the Services resides in the courts located in Montreal, Quebec, and you further expressly agree to submit to the personal jurisdiction of such courts for the purpose of litigating any such claim or action. If it turns out that a particular provision in this User Agreement is not enforceable, that will not affect any other provision.

This User Agreement was last updated on January 25th, 2018.

Entreprise Dentist.Business Inc. is a Canadian company with focus in IT, R&D, Outsourcing and Consulting. With client-centric approach to help grow your business along with a proven track record of successfully delivered projects. Entreprise Dentist.Business Inc.’s collaboration with its R&D centers supplies 24/7 service and support in project delivery and outsourcing, quality IT solutions that facilitate and add value to Entreprise Dentist.Business Inc.’s clients. Entreprise Dentist.Business Inc. offers a full spectrum custom software services, including web and mobile application development. Our R&D center and trusted partners accumulate more than 1500 world-class IT specialists working on each of our projects. Entreprise Dentist.Business Inc. owns the following applications: homecareit.ca, dentist.business, ehealthmatrix.ca

This privacy policy has been developed to comply with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). The purpose of this policy is to establish requirements for proper handling of Protected Health Information (PHI) through the adoption of an Information Privacy and Security Management Process for Entreprise Dentist.Business Inc. and to comply with any other applicable information security regulations and protect the overall security of the organization. The process includes analysis and management of risks, implementation of secure systems and applications, the use of security incident procedures to learn from prior issues, information system usage audits and activity reviews, regular security evaluations and regulation compliance assessments, training for all staff using electronic information systems, and documentation of compliance activities.

PIPEDA sets out rules for the collection, use and disclosure of personal information in the course of commercial activity as defined in the Act.

The Ten Principles of PIPEDA Summarized

The ten Principles of PIPEDA in the foundation of this Privacy Policy are as following:

Accountability: organizations are accountable for the personal information they collect, use, retain and disclose in the course of their commercial activities, including, but not limited to, the appointment of a Chief Privacy Officer;

Identifying Purposes: organizations are to explain the purposes for which the information is being used at the time of collection and can only be used for those purposes;

Consent: organizations must obtain an Individual’s express or implied consent when they collect, use, or disclose the individual’s personal information;

Limiting Collection: the collection of personal information must be limited to only the amount and type that is reasonably necessary for the identified purposes;

Limiting Use, Disclosure and Retention: personal information must be used for only the identified purposes, and must not be disclosed to third parties unless the Individual consents to the alternative use or disclosure;

Accuracy: organizations are required to keep personal information in active files accurate and up-to-date;

Safeguards: organizations are to use physical, organizational, and technological safeguards to protect personal information from unauthorized access or disclosure.

Openness: organizations must inform their clients and train their employees about their privacy policies and procedures;

Individual Access: an individual has a right to access personal information held by an organization and to challenge its accuracy if need be; and

Provide Recourse: organizations are to inform clients and employees of how to bring a request for access, or complaint, to the Chief Privacy Officer, and respond promptly to a request or complaint by the individual.

This Privacy Policy applies to Entreprise Dentist.Business Inc. employees and contracted partners. As well, Entreprise Dentist.Business Inc. ensures that all third party service providers sign Confidentiality Agreements prior to any transfer of any personal information in the course of any project or consulting services.

Definitions

“Personal information” information about an identifiable individual and can include name, mailing address, phone number, email address. Entreprise Dentist.Business Inc. collects uses and discloses personal information only for those purposes necessary to administer registration and membership; establish and maintain communications with members, registrants, contacts; facilitate registrations for sessions and respond to inquiries.

“Business information” means business name, business address, business telephone number, name(s) of owner(s), officer(s) and director(s), job titles, business registration numbers (GST, RST, source deductions), financial status. Although business information is not subject to PIPEDA, confidentiality of business information will be treated with the same security measures by Entreprise Dentist.Business Inc. staff and as is required for individual personal information under PIPEDA.

“Individual” means the client’s owner(s) or patient’s and/or any person associated with a client.

“Application” means the application form or related forms completed by the individual(s) to request an appointment through the Entreprise Dentist.Business Inc. application.

“Database” means the list of names, addresses and telephone numbers of clients and individuals held by Entreprise Dentist.Business Inc. in the forms of, but not limited to, computer files, paper files, and files on computer hard-drives.

“File” means the information collected in the course of processing an application, as well as information collected/updated to maintain /service the account.

“Express consent” means the individual signs the application, or other forms containing personal information, authorizing Entreprise Dentist.Business Inc. to collect, use, and disclose the individual’s personal information for the purposes set out in the application and/or forms.

“Implied Consent” means the organization may assume that the individual consents to the information being used, retained and disclosed for the original purposes, unless notified by the individual.

“Third Party” means a person or company that provides services to Entreprise Dentist.Business Inc. in support of the programs, benefits, and other services offered by Entreprise Dentist.Business Inc., such as persons with whom the individual or client does business, but does not include any Government office, health services office or department to whom Entreprise Dentist.Business Inc. reports in the delivery of such services.

Overall Policy Statement including purpose

Organization is committed to safe guarding the personal information entrusted by members, subscribers, registrants, contacts, board members, and person providing services. (Description of individual varies.) The statement outlines the policies and practices to be followed to protect personal information based on the requirements in PIPEDA, the Personal Information Protection and Electronics Documents Act.

Collection, Use and Disclosure

Collection, use and disclosure of confidential information occurs with the knowledge and consent of the individual except, where collection, use and disclosure is permitted by law without consent. The organization will ask for consent to collect, use or disclose an individual’s personal information, except in specific circumstances where release of the information without consent is required by law. The information must be used for the purpose for which the information was collected. If the organization is going to use it for another purpose then consent must be obtained. Included can be a statement as to whether the organization is implying consent or is asking for express consent and indicate how consent is managed. The organization will not disclose information to Third Parties. A member may withdraw consent to the collection, use and disclosure of personal information at any time with the understanding that this action may hamper or prevent the provision of service by the organization.

Consent

An individual’s express, written consent will be obtained before or at the time of collecting personal information. The purposes for the collection, use or disclosure of the personal information will be provided to the individual at the time of seeking his or her consent. Once consent is obtained from the individual to use his or her information for those purposes, Entreprise Dentist.Business Inc. has the individual’s implied consent to collect or receive any supplementary information that is necessary to fulfil the same purposes. Express consent will also be obtained if, or when, a new use is identified.

Limiting collection

Personal information collected will be limited to the purposes set out in this Privacy Policy.

Security and Safeguards

The Organization makes every reasonable effort to prevent any loss, misuse, disclosure or modification of personal information as well as any unauthorized access to personal information. Such practices such as locked cabinets, computer password, firewalls, encryption, and internal organizational tools such as restricted access, shredding and permanent deletion of electronic records. The organization may process payments through a site such as PayPal. Billing and credit card information are stored not on the Organizations’ server but on a secure PayPal server that sits behind an electronic firewall and are not connected to the internet.

All inactive files or personal information no longer required are shredded prior to disposal to prevent inadvertent disclosure to unauthorized persons.

Technological Safeguards

Personal information contained in Entreprise Dentist.Business Inc. computers and electronic data storage are password protected in accordance with Entreprise Dentist.Business Inc.’s Internal Security Policy. Access to any of Entreprise Dentist.Business Inc. computers also is password protected. Entreprise Dentist.Business Inc.’s Internet router or server has firewall protection sufficient to protect personal and confidential business information against virus attacks and “sniffer” software arising from Internet activity. Personal information is not transferred to any third parties by e-mail or other electronic form.

Access and Amend Personal Information

Individuals have a right to access and amend their personal information as kept by the organization and may make a request for access through an email to the named contact person.

Limiting Use, Disclosure and Retention

Use of Personal Information

Personal information will be used for only those purposes to which the individual has consented with the following exceptions, as permitted under PIPEDA:

Entreprise Dentist.Business Inc. will use personal information without the individual’s consent, where:

• the organization has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
• an emergency exists that threatens an individual’s life, health or security;
• the information is publicly available;
• the use is clearly in the individual’s interest, and consent is not available in a timely way;
• knowledge and consent would compromise the availability or accuracy of the information, and
• collection is required to investigate a breach of an agreement.

Disclosure and Transfer of Personal Information

Personal information will be disclosed to only those Entreprise Dentist.Business Inc. employees, members and third parties that need to know the information for the purposes of their work or providing of professional services.

Personal information will be disclosed to third parties with the individual’s knowledge and consent.

PIPEDA permits disclosure of personal information to third parties, without an individual’s knowledge and consent, to:

• a lawyer representing Entreprise Dentist.Business Inc.;
• collect a debt owed to Entreprise Dentist.Business Inc. by the individual, client or third party;
• comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction;
• a law enforcement agency in the process of a civil or criminal investigation; a government agency or department requesting the information; or,
• as required by law.

PIPEDA permits Entreprise Dentist.Business Inc. to transfer personal information to a third party, without the individual’s knowledge or consent, if the transfer is simply for processing purposes and the third party only uses the information for the purposes for which it was transferred. Entreprise Dentist.Business Inc. will ensure that the third party protects the information and uses it only for the purposes for which it was transferred.

Retention of Personal Information

Personal information will be retained in client files as long as the file is active and for such periods of time as may be prescribed by applicable laws and regulations.

Accuracy

Entreprise Dentist.Business Inc. endeavours to ensure that any personal information provided by the individual in his or her active file(s) is accurate, current and complete as is necessary to fulfill the purposes for which the information has been collected, used, retained and disclosed. Individuals are requested to notify Entreprise Dentist.Business Inc. of any change in personal or business information. Information contained in inactive files is not updated.

Openness

Entreprise Dentist.Business Inc. will endeavour to make its privacy policies and procedures known to the individual via this Privacy Policy.

Complaints/Recourse

If an individual has a concern about Entreprise Dentist.Business Inc.’s personal information handling practises, a complaint, in writing, may be directed to the Entreprise Dentist.Business Inc.’s Information Security Officer.

Upon verification of the individual’s identity, Entreprise Dentist.Business Inc.’s Information Security Officer will act promptly to investigate the complaint and provide a written report of the investigation’s findings to the individual.

Furthermore, the necessary steps to correct the offending information handling practise and/or revise Entreprise Dentist.Business Inc.’s privacy policies and procedures will be taken. In case Entreprise Dentist.Business Inc.’s Information Security Officer determines that the individual’s complaint is not well founded, the individual will be notified in writing.

If the individual is dissatisfied with the finding and corresponding action taken by Entreprise Dentist.Business Inc.’s Information Security Officer, the individual may bring a complaint to the Federal Privacy Commissioner at the address below:

The Privacy Commissioner of Canada

https://www.priv.gc.ca

Questions/Access Request/Complaint

Any questions regarding this or any other privacy policy of Entreprise Dentist.Business Inc. may be directed to the Information Security Officer. Requests for access to information, or to make a complaint, are to be made in writing and sent to Entreprise Dentist.Business Inc. at the address below:

Information Security Officer: Email address: go@dentist.business

Date Created: January 25th, 2019

HIPAA Privacy and Security Policy and Procedures

Security 1.0: Assigned Security Responsibility

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Assigned Security Responsibility.

Policy Number: Security 1.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy:

HIPAA Regulation:164.308(a)(2) Assigned security responsibility At all times Entreprise Dentist.Business Inc. shall have one

individual identified and assigned to HIPAA security responsibility.

The HIPAA Security Officer is responsible for the oversight of Security Rule implementation by department and has the ultimate responsibility for ensuring HIPAA Security Rule policies are implemented and followed. Responsibilities include:

1. Ensure that the necessary and appropriate HIPAA related policies are developed

and implemented to safeguard the integrity, confidentiality, and availability of Electronic Protected Health Information (ePHI) within Entreprise Dentist.Business Inc..

1. Ensure that the necessary infrastructure of personnel, procedures and systems are in place:
   1. To develop and implement the necessary HIPAA related policies.
   2. To monitor, audit and review compliance with all HIPAA related policies.
   3. To provide a mechanism for reporting incidents and HIPAA security
2. violations.
3. Act as a spokesperson and single point of contact for Entreprise Dentist.Business Inc. in all issues relating to HIPAA security.

1. The job title and duties shall be documented further within the Full Policy found below.

Full Policy Language:

HIPAA Regulation: 164.308(a)(2) Assigned security responsibility

Policy Purpose: At all times Entreprise Dentist.Business Inc. shall have one individual identified and assigned to HIPAA security responsibility.

Policy Description:

The HIPAA Security Officer is responsible for the oversight of the Security Rule and its implementation. They also have the ultimate authority and responsibility for ensuring HIPAA Security Rule policies are implemented and followed.

Responsibilities include:

1. Ensuring that the necessary and appropriate HIPAA related policies are developed and implemented to safeguard the integrity, confidentiality, and availability of electronic protected health information (ePHI) within Entreprise Dentist.Business Inc.
2. Ensuring that the necessary infrastructure of personnel, procedures, and systems are in place:

1. To develop and implement the necessary HIPAA policies;
2. To monitor, audit and review compliance with all HIPAA policies; and
3. To provide a mechanism for reporting incidents and HIPAA security violations.

1. Act as a spokesperson and single point of contact for Entreprise Dentist.Business Inc. in all issues relating to HIPAA security.
2. The job title and duties shall be documented within the Security Officer’s Job Description.

Policy Responsibilities:

The above HIPAA Security Officer responsibilities are assigned to the Olena Pomazanova, President, Privacy/Security Officer for Entreprise Dentist.Business Inc. Entreprise Dentist.Business Inc. current Security Officer is identified as Olena Pomazanova, President, Privacy/Security Officer who is the person that is responsible as the Security Officer.

The HIPAA Security Officer shall carry out the assigned responsibilities in coordination with their Job Description.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
  • ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 2.0: User Access Management

Company Name: Entreprise Dentist.Business Inc..

Policy Name: User Access Management.

Policy Number: Security 2.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.308(a)(3)

This policy establishes rules for authorizing access to the computing network, applications, workstations, and to areas where Electronic Protected Health Information (ePHI) is accessible.

Workforce members that need access to ePHI will need authorization when working with ePHI or when working in locations where it resides.

Workforce security includes ensuring that only workforce members who require access to ePHI for work related activities shall be granted access. When work activities no longer require access, authorization shall be terminated.

In addition, this policy provides guidelines on how user access is routinely reviewed and updated.

Aspects of this policy specifically concern:

Management and Access Control;

Rules for Minimum Necessary Access;

How we Grant Access to ePHI;

How we Screen Workforce members Prior to Access;

Why we maintain Signed Security Acknowledgements;

What Security Awareness is required Prior to getting Access; Procedures for Granting Access in an Emergency; Modifications to the Workforce members Access;

Ongoing Compliance for Access;

And Termination of Access

Full Policy Language:

HIPAA Regulation:

• 164.308(a)(3) Workforce security
• 164.308(a)(3) Authorization and/or supervision
• 164.308(a)(3) Workforce clearance procedure
• 164.308(a)(3) Termination procedures
• 164.308(a)(4) Information access management
• 164.308(a)(4) Access authorization
• 164.308(a)(4) Access establishment and modification
• 164.312(a)(1) Access control
• 164.312(c)(1) Integrity
• 164.312(a)(1) Emergency access procedurePolicy Purpose:The intent of this policy is to establish rules for authorizing access to the computing network, applications, workstations, and to areas where ePHI is accessible. Workforce members that require access to ePHI will need authorization when working with ePHI or when working in locations where it resides. Workforce security includes ensuring that only workforce members who require access to ePHI for work related activities shall be granted access. When work activities no longer require access, authorization shall be terminated. In addition, this policy provides guidelines on how user access is routinely reviewed and updated.Policy Description:Management and Access ControlOnly the workforce member’s supervisor or manager can grant access to Entreprise Dentist.Business Inc. ePHI information systems.Access to the information system or application may be revoked or suspended, consistent with Entreprise Dentist.Business Inc. policies and practices, if there is evidence that an individual is misusing information or resources. Any individual whose access is revoked or suspended may be subject to disciplinary action or other appropriate corrective measures.Minimum Necessary Access Entreprise Dentist.Business Inc. shall ensure that only workforce members who require access to Electronic Protected Health Information (ePHI) are granted access. Each supervisor or manager is responsible for ensuring that the access to ePHI granted to each of his or her subordinates is the minimum necessary access required for each subordinate’s job role and responsibilities. If the user no longer requires access, it is the supervisor or manager’s responsibility to complete the necessary process to terminate access.

Granting Access to ePHI

Screen Workforce Members Prior to Access

The manager or supervisor shall ensure that information access is granted only after first verifying that the access of a workforce member to ePHI is appropriate.

Sign Security Acknowledgement

Prior to being issued a User ID or log on account to access any ePHI, each workforce member shall sign Entreprise Dentist.Business Inc. Confidentiality Agreement or an Acknowledgement of Information Security Responsibility before access is granted to the network or any application that contains ePHI, and thereafter shall comply with all Entreprise Dentist.Business Inc. security policies and procedures.

Security Awareness Prior to Getting Access

Before access is granted in any of the various systems or applications that contain ePHI, workforce members shall be trained to a minimum standard including:

1. Proper uses and disclosures of the ePHI stored is systems or application(s)
2. How to properly log on and log off the systems or application(s)
3. Protocols for correcting user errors
4. Instructions on contacting a designated person or help desk when ePHI may have been altered or destroyed in error
5. Reporting a potential or actual security breach

Management Approval

Entreprise Dentist.Business Inc. shall implement the following policies:

1. User IDs or log on accounts can only be assigned with management approval.
2. Managers are responsible for requesting the appropriate level of computer access for staff to perform their job function.
3. All requests regarding User IDs or computer system access for workforce members are to be communicated to the appropriate individuals by email, for tracking purposes for Entreprise Dentist.Business Inc.. All requests shall be made in writing (which may be in an electronic format).
4. System administrators are required to process only those requests that have been authorized by managers.
5. Request is to be retained by the system administrator for a minimum of 1 year.

Granting Access in an Emergency

Emergency User Access

Management has the authority to grant emergency access for workforce members who have not completed the normal HIPAA access requirements if:

1. The facility declares an emergency or is responding to a natural disaster that makes the management of client information security secondary to immediate personnel safety activities.
2. Management determines that granting immediate access is in the best interest of the client.

If management grants emergency access, she/he shall review the impact of emergency access and document the event within 24 hours of it being granted.

After the emergency event is over, the user access shall be removed or the workforce member shall complete the normal requirements for being granted access.

Granting Emergency Access to an Existing User Access Account

In some circumstances it may be necessary for management to grant emergency access to a user’s account without the user’s knowledge or permission. Management may grant this emergency access in these situations:

1. The workforce member terminates or resigns and management requires access to the person’s data;
2. The workforce member is out for a prolonged period;
3. The workforce member has not been in attendance and therefore is assume to have resigned; or
4. Manager/supervisor needs immediate access to data on a workforce member’s computer in order to provide client treatment.

Termination of Access

The department manager or his/her designated representative is responsible for terminating a workforce member’s access to ePHI in these circumstances:

1. If management has evidence or reason to believe that the individual is using information systems or resources in a manner inconsistent with the Security Rule policies.
2. If the workforce member or management has evidence or reason to believe the user’s password has been compromised.
3. If the employee resigns, is terminated, is suspended, retires, or is away on unapproved leave.
4. If the employee’s job description changes and system access is no longer justified by the new job description.

If the workforce member is on an approved leave of absence and the user’s system access will not be required for more than three weeks, management shall suspend the user’s account until the workforce member returns from their leave of absence.

Modifications to the Workforce members Access

If a workforce member transfers to another program or changes role(s) within the same program within Entreprise Dentist.Business Inc.:

1. The workforce member’s new supervisor or manager is responsible for evaluating the member’s current access and for requesting new access to ePHI commensurate with the workforce member’s new role and responsibilities.

If a workforce member transfers to another program or department outside of Entreprise Dentist.Business Inc.:

1. The workforce member’s access to ePHI within his or her current unit shall be terminated as of the date of transfer.
2. The workforce member’s new supervisor or manager is responsible for requesting access to ePHI commensurate with the workforce member’s new role and responsibilities.

Ongoing Compliance for Access

In order to ensure that workforce members only have access to ePHI when it is required for their job function, the following actions shall be implemented by Entreprise Dentist.Business Inc.:

1. Every new User ID or log on account that has not been used after 30 consecutive calendar days since creation shall be investigated to determine if the workforce member still requires access to the ePHI.
2. At least every six months, IT teams are required to send supervisors/managers (or appropriate designees):
   1. A list of all workforce members for all applications.
   2. A list of workforce members and their access rights for all shared folders that contain ePHI, and
   3. A list of all Virtual Private Network (VPN) workforce members.
3. The supervisors/managers shall then notify their IT teams of any workforce members that no longer require access.

Policy Responsibilities:

Security Officer or Designee Responsibilities:

1. Work with System Administrator to arrange an email to Security Officer with the names of workforce members who are terminating or transferring out of Entreprise Dentist.Business Inc., along with the individual’s supervisor’s name and the effective date.
2. Work with HR or their designee to arrange a process to immediately email and telephone IT and Facilities Management if a workforce member is being released from probation or terminated with cause. The HR division shall provide the workforce member’s name, supervisor’s name and effective date, so that access can be discontinued when the personnel action is effective.

Entreprise Dentist.Business Inc. IT Team(s) Responsibilities: Account Management

1. Immediately, upon written notification, the worker’s access to ePHI shall be removed.
2. A report shall be created that identifies new User IDs or log on accounts not accessed within 30 days of creation.
3. A report shall be provided every six months to the manager/supervisor or designee documenting workers with access to ePHI, and requesting verification that access is still required to fulfill the worker’s job functions.

Managers and Supervisors Responsibilities:

1. Each manager/supervisor is responsible for ensuring that the access to ePHI granted to each of his or her subordinates is the minimum necessary access required for each such subordinate’s job role and responsibilities.
2. If the user no longer requires access, it is the manager/supervisor’s responsibility to complete the necessary paperwork as soon as possible to terminate access.
3. The manager/supervisor shall validate new User IDs or log on accounts that are not accessed within 30 days of creation. If access is no longer required, the User ID shall be deleted.
4. Semi-annual user and folder access reports and the VPN access reports prepared by the IT team shall be reviewed and verified to determine if the workforce members still require access to the ePHI.
5. The manager/supervisor shall ensure members of the workforce have signed the IT security agreement and are properly trained before approving access to ePHI.

User Responsibility:

Each user shall read and attest to Entreprise Dentist.Business Inc. IT Security Policies, sign Entreprise Dentist.Business Inc. HIPAA Confidentiality Agreement, attend HIPAA Security training, and report all security incidents.

Procedures

Entreprise Dentist.Business Inc. shall document written procedures for granting user access, the authorization of access to ePHI, and the termination of user access. These procedures shall include, as a minimum, all of the policy requirements above.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or Entreprise Dentist.Business Inc. who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.
• Workforce: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 3.0: Authentication & Password Management

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Authentication & Password Management

Policy Number: Security 3.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.312(d); 164.308(a)(5); 164.312(a)(1)

Passwords are an important aspect of computer security and are the front line of protection for user accounts. A compromised password may result in a security breach of Entreprise Dentist.Business Inc. network. All Entreprise Dentist.Business Inc.

workforce members are responsible for taking the appropriate steps, as outlined in the full policy, to select and secure their passwords.

This policy reinforces the use and importance of effective passwords, also known as strong passwords. This policy will also require workforce members to change their passwords on a regular basis.

Information systems used to access ePHI shall uniquely identify and authenticate workforce members.

The policy specifies:

Standards of Authentication – Verification

The rules for maintaining Unique User ID and Password Management The guidelines for appropriate User ID and Passwords

Full Policy Language: HIPAA Regulation:

• 164.312(d) Mechanism to authenticate electronic protected health information
• 164.312(d) Person or entity authentication
• 164.308(a)(5) Password management
• 164.312(a)(1) Unique user identificationPolicy Purpose:Passwords are an important aspect of computer security and are the front line of protection of user accounts. A compromised password may result in a security breach of Entreprise Dentist.Business Inc. network. All Entreprise Dentist.Business Inc.
  workforce members are responsible for taking the appropriate steps to select and securetheir passwords. The purpose of this policy is to reinforce the use of effective passwords, also known as strong passwords, and require workforce members to change their passwords on a regular basis.Policy Description:Information systems used to access ePHI shall uniquely identify and authenticate workforce members.Authentication – VerificationIndustry standard protocols will be used on all routers and switches used in the Wide Area Network (WAN) and the local area networks (LANs). Authentication types can include:

1. Unique user ID and passwords
2. Biometric identification system
3. Telephone callback
4. Token system that uses a physical device for user identification
5. Two forms of authentication for wireless remote access
6. Information systems used to access ePHI shall identify and authenticate connections to specific devices involved in system communications (digital certificate, for example)

The password file on the authenticating server shall be adequately protected and not stored unencrypted.

Unique User ID and Password Management

1. All Entreprise Dentist.Business Inc. workforce members are assigned a unique user ID to access the network. All workforce members are responsible for creating and maintaining the confidentiality of the password associated with their unique user ID. Managers/supervisors are required to ensure that their staff understands the user responsibilities for securely managing confidential passwords.
2. Upon receipt of a user ID, the person assigned to said ID is required to change the password provided by the administrator to a password that only he or she (the user) knows. Effective passwords shall be created in order to secure access to electronic protected health information (ePHI).
3. Workforce members who suspect that their password has become known by another person shall change their password immediately. No user shall give his or her password to another person.
4. Workforce members are required to change their network user ID passwords every six months; when the technology is capable. Each application access password shall be changed every six months. Where technology is capable, network and application systems shall be configured to enforce automatic expiration of passwords every six months.
5. All privileged system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) shall be changed at least each fiscal quarter. All passwords are to be treated as sensitive, confidential Entreprise Dentist.Business Inc. information.

3.3 User ID & Password Guidelines

Where possible, implement unique user IDs that are different from the e-mail address; [ORGANIZATION] is encouraged not to use standard naming conventions for user IDs and should avoid using the same email user name as the system user ID.

1. Password length:
   1. 8-character passwords are the absolute minimum;
   2. 10-12 characters or longer is recommended; and
   3. Passwords up to 64 characters should be allowed.
2. Requiring mixed case, numbers, or special characters is recommended
3. Requiring users to periodically change their passwords is recommended:
   1. Every 6 months or a year preferably.
   2. Passwords are required to change if there is a suspicion that a password has been compromised.
4. Password selection software should not allow “obvious” passwords:

1. Common words, words related to the user, repeated letters,

numeric sequences, etc. (e.g, “password123”, “johnsmith”, or “abcabcabc”).

1. Login software should include features to prevent brute force attacks, such as:
   1. Delays between login attempts; and
   2. Lock account after a number of failed attempts.
2. Password protection requirements for users:
   1. Never reveal a password over the phone to anyone;
   2. Never reveal a password in an email message;
   3. Never reveal a password to your supervisor;
   4. Never talk about a password in front of others;
   5. Never hint at the format of a password (e.g., “my family name”);
   6. Never reveal a password on questionnaires or security forms;
   7. Never share a password with family members;
   8. Never reveal a password to co-workers;
   9. Never write down your password; instead, memorize it;
   10. Never keep a list of user IDs and passwords in your office; and
   11. Never misrepresent yourself by using another person’s user ID and password.

Policy Responsibilities:

Managers and Supervisors Responsibility

Managers/supervisors are responsible to reinforce secure password use in their offices with emphasis on ‘no password sharing’.

IT Team(s) Responsibilities for Network User ID Creation

1. System administrators shall provide the password for a new unique user ID to only the user to whom the new ID is assigned.
2. Workforce members may at times request that their password be reset. System administrators shall verify the identity of the user requesting a password reset or verify that the person making the request is authorized to request a password reset for another user. When technically possible, a new or reset password shall be set to expire on its attempted use at log on so that the user is required to change the provided password to one only they know.

All Workforce members accessing ePHI

Any workforce member who suspects that their password has become known by another person shall change their password immediately.

Procedures

Managers and Supervisors Responsibility

Managers/supervisors are responsible to reinforce secure password use in their offices with emphasis on ‘no password sharing’. If access to another worker’s account is required, managers/supervisors shall follow the emergency access section of Entreprise Dentist.Business Inc. HIPAA User Access Management policy.

IT Team(s) Responsibilities for Network User ID Creation

1. System administrators shall provide the password for a new unique user ID to only the user whom the new ID is assigned.
2. Workforce members may at times request that their password be reset. System administrators shall verify the identity of the user requesting a password reset or verify that the person making the request is authorized to request a password reset for another user. When technically possible, a new or reset password shall be set to expire on its initial use at log on so that the user is required to change the provided password to one only they know.

All Workforce Members Accessing ePHI

Any workforce member who suspects that their password has become known by another person shall change their password immediately.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
• Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 4.0: Facility Access Controls

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Facility Access Controls.

Policy Number: Security 4.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.310(a)(1) Facility security plan; Facility access controls; Access control and validation procedures; Maintenance records; Contingency operations

This policy establishes protocols for securing facilities that contain Electronic Protected Health Information (ePHI).

Entreprise Dentist.Business Inc. shall reasonably safeguard ePHI from any intentional or unintentional use or disclosure. Entreprise Dentist.Business Inc. shall protect its facilities where ePHI can be accessed.

When designing a new building and remodeling existing sites, facility managers and/or designees shall work with the Compliance Officers to ensure the facility plan components below are compliant with the HIPAA Regulations.

Entreprise Dentist.Business Inc. shall safeguard its facilities and the equipment therein from unauthorized physical access, tampering and theft. Entreprise Dentist.Business Inc. Compliance Officers shall annually audit facilities to ensure that ePHI safeguards are continuously being maintained.

The policy

• • • • • • • • • •

details implementation specification for: Visitor Access Control:

(IF YOU HAVE) Security Access Cards: (IF YOU HAVE) Keypads/Cipher Locks: Metal/Hard Keys:

Network Closet(s):

Server Room(s):

Alarm System(s):

Doors:

Contingency Operations – Emergency Access to Facilities Maintenance Records Policy – For all sites that access ePHI.

Full Policy Language: HIPAA Regulation:

• 164.310(a)(1) Facility security plan
• 164.310(a)(1) Facility access controls
• 164.310(a)(1) Access control and validation procedures
• 164.310(a)(1) Maintenance records
• 164.310(a)(1) Contingency operationsPolicy Purpose:The intent of this policy is to establish protocols for securing facilities that contain ePHI.Policy Description:General
  Entreprise Dentist.Business Inc. shall reasonably safeguard electronic protected health information (ePHI) from any intentional or unintentional use or disclosure. Entreprise Dentist.Business Inc. shall protect its facilities where ePHI can be accessed.New or Remodeled Facility in Entreprise Dentist.Business Inc. When designing a new building and remodeling existing sites, facility managers and/or designees shall work with the Compliance Officers to ensure the facility plan components below are compliant with the HIPAA Regulations.Facility Security Plan
  Entreprise Dentist.Business Inc. shall safeguard the facilities of Entreprise Dentist.Business Inc. and the equipment therein from unauthorized physical access, tampering, and theft. Entreprise Dentist.Business Inc. Compliance Officers shall annually audit Entreprise Dentist.Business Inc. facilities to ensure ePHI safeguards are continuously being maintained.Facility security guidelines for the workforce:
  1. Do not share access cards to enter the facility;
  2. Do not allow other persons to enter the facility by “piggy backing” (enteringthe facility by walking behind an authorized person, through a door withoutusing a card in the reader);
  3. Do not share hard key access to enter the facility; and
  4. Do not share alarm codes or keypad codes to enter the facility.

One or more of the following shall be implemented for all sites that access ePHI:

1. Visitor Access Control: In facilities where ePHI is available, all visitors shall be

escorted and monitored. Each facility shall implement procedures that govern visitor access controls. These procedures may vary depending on the facilities structure, the type of visitors, and where the ePHI is accessible.

1. Metal/Hard Keys: Facilities that use metal/hard keys shall change affected or appropriate key locks when keys are lost or a workforce member leaves without returning the key. In addition, the facility shall have:
   1. Clearances based on programmatic need, special mandated security requirements and workforce member security; and
   2. A mechanism to track which workforce members are provided access
2. Network Closet(s): Every network closet shall be locked whenever the room is unoccupied or not in use. Entreprise Dentist.Business Inc. shall document who has access to the network closets and periodically change the locking mechanism to these closets.
3. Server Room(s): Every server room shall be locked whenever the room is unoccupied or not in use. Entreprise Dentist.Business Inc. shall document who has access to each server room and periodically change the locking mechanism to server rooms.
4. Alarm Systems: All buildings that have ePHI shall have some form of alarm system that is activated during non-business hours. Alarm system codes may only be provided to workforce members that require this information in order to leave and enter a building. These alarm codes shall be changed at least every six months.
5. Doors: All external facility doors and doors to areas where ePHI is housed shall remain completely shut at all times. It is each workforce member’s responsibility to make sure the door that is being entered or exited is completely shut before leaving the vicinity. Sometimes the doors do not completely close by themselves. If a door’s closing or locking mechanism is not working, it is every worker’s responsibility to notify the facility manager or designee for that facility.

Contingency Operations – Emergency Access to Facilities

Each facility shall have emergency access procedures in place that allow facility access to appropriate persons to access data. This includes a primary contact person and back-up person for when facility access is necessary after business hours by persons who do not currently have access to the facility.

Maintenance Records Policy

Repairs or modifications to the physical building for each facility where ePHI can be accessed shall be logged and tracked. These repairs are tracked centrally by General

Services – Facility Management. The log shall include events that are related to security (for example, repairs or modifications of hardware, walls, doors, and locks).

Policy Responsibilities:

Manager/supervisor Requirements:

1. Take appropriate corrective action against any person who knowingly violates the facility plan;
2. Authorize clearances that are appropriate to the duties of each workforce member;
3. Notify the security administrator or designee within one business day when a user no longer requires access to the facility; and
4. Verify that each worker surrenders her/his card or key upon leaving employment.

Worker Requirements:

1. Display their access/security card to demonstrate their authorization to access restricted areas;
2. Immediately report lost or stolen (key/ID) cards, or metal keys or keypad- cipher lock combinations; and
3. Surrender access card or key upon leaving employment.

Facility Manager/Security Officer or Designee Requirements:

1. Request and track maintenance repairs;
2. Establish and maintain a mechanism for accessing the facility in anemergency;
3. Track who has access to the facility;
4. Change metal locks when a key is lost or unaccounted for;
5. Change combination keypads/cipher locks every three months;
6. Change the alarm code every six months;
7. Disable access cards not used for 90 days or more; and
8. Complete access card audits every 6 months to verify user access.

Security Officer responsibilities:

1. Work with General Services and Entreprise Dentist.Business Inc. to ensure facilities comply with the HIPAA Security Rule for facility access controls;and
2. Conduct annual audits of Entreprise Dentist.Business Inc. facilities to ensure the facility is secured and the requirements of this policy are being enforced.

Procedures

Entreprise Dentist.Business Inc. shall document written procedures for their facility security plan. Procedures shall be written to address the unique requirements of each facility. An essential part of compliance is to document and implement processes to ensure the safeguards in the facility security plan are being maintained.

Entreprise Dentist.Business Inc. shall submit new and revised procedures and plans to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standard.

6.0 Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 5.0: Workstation Access Controls

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Workstation Access Controls

Policy Number: Security 5.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulations: 164.310(a)(1) Access control and validation procedures; (b) Workstation use; (c) Workstation security; 164.312(a)(1) Automatic log off

This policy establishes rules for securing workstations that access ePHI (electronic protected health information). Since ePHI is portable, this policy requires workforce members to protect ePHI in all locations, including, but not limited to, homes or client sites.

Entreprise Dentist.Business Inc. shall ensure that observable confidential information is adequately shielded from unauthorized disclosure and unauthorized access on computer screens. Each of Entreprise Dentist.Business Inc. workstations shall make every effort to ensure that confidential information on computer screens is not visible to unauthorized persons.

The policy details implementation of this policy for:

• Workforce members who work in other facilities
• Workforce members who work from home or other non-office sites
• Password protection of their personal computers
• Security for all other forms of portable ePHI such as locking up CD ROM Disks,floppy disks, USB drives, PDAs, and laptops
• Automatic, time-based user session-lock when a computer or workstation is left idle
• Accessing ePHI outside Entreprise Dentist.Business Inc. Wide Area Network, e.g., by VPN

Full Policy Language: HIPAA Regulation:

• 164.310(a)(1) Access control and validation procedures
• 164.310(b) Workstation use
• 164.310(c) Workstation security
• 164.312(a)(1) Automatic log offPolicy Purpose:The intent of this policy is to establish rules for securing workstations that access ePHI. Since ePHI is portable, this policy requires workforce members to protect ePHI in all locations, including, but not limited to, homes or client sites.Policy Description:Workstation Use: Security

1. Entreprise Dentist.Business Inc. members shall ensure that observable confidential information is adequately shielded from unauthorized disclosure and unauthorized access on computer screens. Each Entreprise Dentist.Business Inc. workplace shall make every effort to ensure that confidential information on computer screens is not visible to unauthorized persons.
2. Workforce members who work in other facilities that are not part of Entreprise Dentist.Business Inc. shall be aware of their surroundings to ensure no one can incidentally view ePHI and no ePHI is left unattended.
3. Workforce members who work from home or other non-office sites shall take the necessary steps to protect ePHI from other persons who may have access to their home or other non-office site. This includes password protection of their personal computers, and security for all other forms of portable ePHI such as locking up CD ROM Disks, floppy disks, USB drives, PDAs, and laptops.
4. User session-lock shall be implemented when the computer is left idle. It shall be automatic after a specific time based on location and function. The session shall be locked to disable access to the PC until the user enters their unique password with login information.
5. When technology is capable, while accessing ePHI outside the Entreprise Dentist.Business Inc. Wide Area Network (for example: extranet, VPN) automatic log off shall occur after a maximum of 15 minutes of inactivity. Automatic log off is a system-enabled enforcement of session termination after a period of inactivity and blocks further access until the workforce member reestablishes the connection using the identification and authentication process.

Policy Responsibilities:

Manager/supervisor requirements:

1. Take appropriate corrective action against any person who knowingly violates the security of workstation use;
2. Ensure that workers set their computer to automatically lock when the computer is not in use; and
3. Ensure that all confidential information is not viewable by unauthorized persons at workstations in offices under their management.

Worker Requirements:

1. Session lock the computer when left unattended;
2. Ensure their computer is set to automatically lock when the computer is not in use;
3. Ensure that all confidential information is not viewable by unauthorized persons;and
4. When working from home or other non-office work sites, protect ePHI from unauthorized access or viewing.

IT Support:

1. When installing new workstations, set the session lock timer to lock the computer when left unattended; and
2. When installing new systems or applications, set the automatic log off timer to terminate the session when the computer is left unattended.

Procedures

Procedures for protecting workstations include:

1. Use of polarized screens or other computer security screen overlay devices that shield confidential information;
2. Placement of computers out of the visual range of persons other than the authorized user;
3. Clearing confidential information from the screen when it is not actively in use;
4. Setting an automatic session lock option on all computer workstations;
5. Shutting down or locking workstation sessions when left unattended; and
6. When the technology is capable, setting the applications to automatically log off after a specific time of inactivity.

Entreprise Dentist.Business Inc. shall develop and implement procedures. Entreprise Dentist.Business Inc. shall submit all new and revised procedures to the Office of HIPAA for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standard.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 6.0: Device and Media Controls

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Device and Media Controls

Policy Number: Security 6.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.310(d)(1) Device and media controls; Disposal; Media reuse; Accountability; Data backup and storage

This policy is to ensure that Electronic Protected Health Information (ePHI) stored or transported on storage devices is appropriately controlled and managed. Examples include thumb drives, external hard-drives and removable media.

This policy details Device and Media Controls and outlines responsibility for their accountability.

The policy details implementation specification(s) for:

• Portable Media Use & Security
• Disposal
• Media Reuse
• Sending a Computer Server or Hard-Drive out for Repair
• Moving Computer Server Equipment with ePHI
• Device and media acquisitionThe policy specifies the various responsibilities of:
• Manager/supervisor
• IT
• Workforce for Device and Media controls

Full Policy Language: HIPAA Regulation:

• 164.310(d)(1) Device and media controls
• 164.310(d)(1) Disposal
• 164.310(d)(1) Media reuse
• 164.310(d)(1) Accountability
• 164.310(d)(1) Data backup and storagePolicy Purpose:The intent of this policy is to ensure that ePHI stored or transported on storage devices and removable media is appropriately controlled and managed.Policy Description:Device and Media Controls/Accountability

1. Entreprise Dentist.Business Inc. shall protect allhardware and electronic media that contains electronic protected health information (ePHI). This includes personal computers, PDAs, laptops, storage systems, backup tapes, CD ROM disks, and removable disks.
2. Every area of Entreprise Dentist.Business Inc. is responsible for developing procedures that govern the receipt and removal of hardware and electronic media that contain(s) ePHI into and out of a facility. Procedures shall include maintaining a record of movements of hardware and electronic media and any persons responsible.

Portable Media Use – Security

1. In addition to protecting Entreprise Dentist.Business Inc. workstations and facilities, workforce members shall protect ePHI when working from all other locations. This includes locations such as home, other offices, or when working in the field.
2. In order to limit the amount of portable ePHI, workforce members shall not save any ePHI on floppy disks, CD ROM Disks and other portable items.
3. Methods for protecting portable media with ePHI include:

1. All workforce members shall receive permission from their supervisor before

removing ePHI from their facility. Approvals shall include the type of permission and the time period for authorization. The time period shall be a maximum of one year.

1. Workforce members who work in the field shall not leave ePHI unlocked or visible in their vehicles. They will also not leave any ePHI in client facilities/homes.
2. If ePHI is lost, workforce members are responsible for promptly contacting their supervisor, the Security Officer or designated Compliance Officers responsible for HIPAA Compliance within one business day upon awareness that ePHI has been lost.

Disposal

1. Before electronic media that contains ePHI can be disposed, the following actions shall be taken on computers used in the workplace, at home, or at remote sites:

1. Hard drives shall be either wiped clean or destroyed. Hard drive cleaning shallmeet the Department of Defense (DOD) standards, which states, “The method of destruction shall preclude recognition or reconstruction of the classified information or material.” In addition, the hard drive shall be tested to ensure the information cannot be retrieved.
2. Backup tapes shall be destroyed or returned to the owner and their return documented. Destruction shall include a method to ensure there is no ability to reconstruct the data.
3. Other media, such as memory sticks, USB flash drives or micro drives, CD- ROMs and floppy disks, shall be physically destroyed (broken into pieces) before disposing of the item.

Media Reuse

1. All ePHI shall be removed from hard drives when the equipment is transferred to a worker who does not require access to the ePHI, or when the equipment is transferred to a new worker with different ePHI access needs. Hard drives shall be wiped clean before transfer.
2. Cleaning shall meet the Department of Defense (DOD) standards, which states,“The method of destruction shall preclude recognition or reconstruction of the classified information or material.” In addition, the hard drive shall be tested to ensure the information cannot be retrieved.

Sending a Computer Server Hard Drive to Repair

When the technology is capable, an exact copy of the ePHI shall be created and the ePHI removed from the server hard drive before sending the device out for repair.

Moving Computer Server Equipment with ePHI

Before moving server equipment that contains ePHI, a retrievable exact copy needs to be created.

Device and Media Acquisition

Entreprise Dentist.Business Inc. shall include security requirements and/or security specifications in information system acquisition contracts based on an assessment of risk (applications, servers, copiers, etc.).

Policy Responsibilities:

Manager/Supervisor Responsibilities:

1. Ensure that only workforce members who require the need to remove ePHI from their facilities are granted permission to do so.

IT Responsibilities

1. Ensure all hard drives are wiped clean before disposal or reuse
2. Test hard drives to ensure they are clean
3. Before moving hardware or sending hard drives for repair that contains ePHI,create a retrievable copy of that data
4. Maintain an inventory and a record of movements or transfers of hardware andelectronic media such as workstations, servers, or backup tapes

Workforce Responsibilities:

1. Individual workforce members or their units shall track Laptops, PDAs, CD ROM Disks, and floppy disks, and all other portable media that contain ePHI.
2. To limit the amount of portable ePHI, workforce members shall not save any quantity of ePHI onto floppy disks, CD ROMs and other portable items when it is not necessary.

3. Workforce members shall remove and destroy all ePHI before disposing of the media.

Procedures

Entreprise Dentist.Business Inc. shall document written procedures to track, dispose, and reuse media devices used for ePHI. Entreprise Dentist.Business Inc. shall submit all new and revised procedures to the Security Officer for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standard.

Definitions

• Covered Entity: A health plan or a health care provider that stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate: Any entity that uses or discloses protected health information(PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization which, on behalf of a covered entity,

• performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected Health Information is any individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 7.0: Audit Controls

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Audit Controls

Policy Number: Security 7.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy:

The intent of this policy is to provide the authority for workforce members representing the Entreprise Dentist.Business Inc. IT organizations to conduct a security audit on any computing resource of the Entreprise Dentist.Business Inc..

Activity reviews provide indications that implemented safeguards are working, or that safeguards are insufficient. Audits may be conducted to:

1. Ensure integrity, confidentiality, and availability of information and resources
2. Investigate possible security incidents to ensure conformance to Entreprise Dentist.Business Inc. IT and security policies
3. Monitor user or system activity where appropriate
4. Verify that software patching is being maintained at the appropriate security level
5. Verify virus protection is being maintained at current levels

Full Policy Language: HIPAA Regulation:

• Log-in monitoring
• Information system activity review
• Audit controls Policy Purpose:The intent of this policy is to provide the authority for workforce members representing the Entreprise Dentist.Business Inc. IT organizations to conduct a security audit on any computing resource of the Entreprise Dentist.Business Inc.. Activity reviews provide indications that implemented safeguards are working, or that safeguards are insufficient. Audits may be conducted to:
  1. Ensure integrity, confidentiality, and availability of information and resources;
  2. Investigate possible security incidents to ensure conformance to Entreprise Dentist.Business Inc. IT and security policies;
  3. Monitor user or system activity where appropriate;
  4. Verify that software patching is being maintained at the appropriate securitylevel; and
  5. Verify virus protection is being maintained at current levels
• Policy Description: Log-in Monitoring

1. Entreprise Dentist.Business Inc. has the right to monitor system access and activity of all workforce members.
2. To ensure that access to servers, workstations, and other computer systems containing ePHI is appropriately secured; the following login monitoring measures shall be implemented:
   1. A mechanism to log and document four or more failed log-in attempts in arow shall be implemented on each network system containing ePHI when thetechnology is capable.
   2. Login activity reports and logs shall be reviewed biweekly at a minimum toidentify any patterns of suspicious activity.
   3. All failed login attempts of a suspicious nature, such as continuous attempts, shall be reported immediately to the Security Officer or the designee for each Entreprise Dentist.Business Inc.

1. To the extent that technology allows, any user ID that has more than four- repeated failed login attempts in a row shall be disabled for a minimum of 30 minutes.

Information System Activity Review – Audit Controls

To ensure that activity for all computer systems accessing ePHI is appropriately monitored and reviewed, these requirements shall be met:

1. Where technology allows, the audit record shall capture sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events.
2. Each fiscal quarter, at a minimum, every application and system administrator or designee shall review audit logs, activity reports, or other mechanisms to document and manage system activity.
3. Indications of improper use shall be reported to management for investigation and follow up.
4. Audit logs of access to networks and applications with ePHI shall be archived.
5. Audit information and audit tools shall be protected from unauthorized access,modification, and deletion.

Policy Responsibilities:

System administrators, Security Officers are responsible to implement and monitor audit controls for all systems that contain ePHI.

Procedures:

Entreprise Dentist.Business Inc. shall submit all new and revised procedures to the Office of HIPAA for approval and ongoing evaluation. The Security Officer shall create audit control checklists and logs to assist with, and standardize, the audit function. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with the Entreprise Dentist.Business Inc. HIPAA policies and not deviate from the Entreprise Dentist.Business Inc. standard.

Definitions:

• Covered Entity: A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.
• ePHI: Electronic/Protected health information means individually identifiable health information:

• Transmitted by electronic media;

• Maintained in electronic media; or
• Transmitted or maintained in any other form or medium.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 8.0: Incident Response & Reporting

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Incident Response & Reporting

Policy Number: Security 8.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.308(a)(6) Security incident procedures; Response and reporting

This policy formalizes the response to security incidents and the reporting of them.

It includes identification and response to suspected and known security incidents, their mitigation and the documentation of incidents and their outcomes.

It is imperative that a formal reporting and response policy be followed when responding to security incidents. Therefore, Entreprise Dentist.Business Inc. shall employ tools and techniques to monitor events, detect attacks and provide identification of unauthorized use of the systems that contain Electronic Protected Health Information (ePHI).

The policy details the type of incidents that shall be reported, and who is responsible for notifying whom. It also details the appropriate Response, Tracking and Resolution; and it outlines who is responsible for determining if a report shall be forwarded to the Department of Health and Human Services (HHS).

All HIPAA security related incidents and their outcomes shall be logged and documented by the Compliance Officers. The Compliance Officers shall document and log incidents and outcomes.

The policy specifies that all workforce members are responsible for promptly reporting any security-related incidents to the IT help desk, the Privacy Officer or their manager.

Full Policy Language: HIPAA Regulation:

• 164.308(a)(6) Security incident procedures
• 164.308(a)(6) Response and reportingPolicy Purpose:The purpose of this policy is to formalize the response to, and reporting of, security incidents. This includes identification and response to suspected or known security incidents, the mitigation of the harmful effects of known or suspected security incidents, and the documentation of security incidents and their outcomes. It is imperative that this formal reporting and response policy be followed when responding to security incidents.Policy Description: Entreprise Dentist.Business Inc. shall employ tools and techniques (The Guard and its Process) to monitor events, detect attacks, and provide identification of unauthorized use of the systems that contain ePHI.Reporting

1. All security incidents, threats, or violations that affect or may affect the confidentiality, integrity or availability of electronic protected health information (ePHI) shall be reported and responded to promptly.
2. Incidents that shall be reported include, but are not limited to:
   1. Virus, worm, or other malicious code attacks;
   2. Network or system intrusions;
   3. Persistent intrusion attempts from a particular entity;
   4. Unauthorized access to ePHI, an ePHI based system, or an ePHI based network;
   5. ePHI data loss due to disaster, failure, error, theft;
   6. Loss of any electronic media that contains ePHI;
   7. Loss of the integrity of ePHI; and
   8. Unauthorized person found in Entreprise Dentist.Business Inc. facility.
3. Entreprise Dentist.Business Inc. Compliance Officers shall be notified immediately of any suspected or real security incident. If it is unclear as to whether a situation is a security incident, the Compliance Officers shall be contacted to evaluate the situation.

Response and Resolution

The Compliance Officers shall track the incident. The Compliance Officers shall determine if a report of the incident shall be forwarded to the HHS. Compliance Officers are the only employees that can resolve an incident. The Compliance Officers shall evaluate the report to determine if an investigation of the incident is necessary. The Compliance Officers shall determine if Entreprise Dentist.Business Inc. Counsel, law enforcement, Human Resources, or Entreprise Dentist.Business Inc. Communication and Media Office is to be contacted regarding the incident.

Logging

1. All HIPAA security-related incidents and their outcomes shall be logged and documented by the Compliance Officers. The Compliance Officers shall document and log incidents and outcomes.
2. All incident(s) will be reviewed and investigated and if the breached PHI has been compromised (unauthorized individuals have received and viewed the PHI) the breach will be reported to HHS. Entreprise Dentist.Business Inc. and its Compliance Officers will record all the incidents and retain these incident reports for six years.
3. Entreprise Dentist.Business Inc. shall train personnel in their incident response roles and responsibilities and provide refresher training as needed. Entreprise Dentist.Business Inc. shall test the incident response capability at least annually using tests and exercises to determine the effectiveness.

Policy Responsibilities:

Report violations of this policy to Entreprise Dentist.Business Inc. Compliance Officers.

Workforce members

Workforce members are responsible for promptly reporting any security-related incidents to the Security Officer.

IT Help Desk

The Security Officer documents all security incidents.

Compliance Officers

The Compliance Officer that is responsible to determine if the incident requires further investigation is Pomazanova Olena. Entreprise Dentist.Business Inc. Security and Privacy Officer, shall determine if corrective actions should be

implemented. The Compliance Officers are responsible for documenting the investigations and any corrective actions. The Compliance Officers are responsible for maintaining all documentation on security breaches for six years.

Procedures

Entreprise Dentist.Business Inc. shall submit all new and revised procedures to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standard.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 9.0: Transmission Security

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Transmission Security

Policy Number: Security 9.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.312(e)(1) Transmission security; Integrity controls; Encryption and decryption; Encryption

This policy creates the rules which guard against unauthorized access to, or modification of, Electronic Protected Health Information (ePHI) that is being transmitted over an electronic communications network (“data in motion”). It commits resources to assure that when ePHI is transmitted from one point to another, it shall be protected in a manner commensurate with the associated risk.

The policy details standards of encryption, and under which circumstance it is required and when it is optional.

It specifies control requirements of:

• Modem use;
• WAN access;
• Wireless devices;
• Perimeter security; and
• Firewall and details management and workforce responsibilities to execute thepolicy.

Full Policy Language: HIPAA Regulation:

• 164.312(e)(1) Transmission security
• 164.312(e)(1) Integrity controls
• 164.312(a)(1) Encryption and decryption
• 164.312(a)(1) EncryptionPolicy Purpose:The intent of this policy is to guard against unauthorized access to, or modification of, ePHI that is being transmitted over an electronic communications networks. When ePHI is transmitted from one point to another, it shall be protected in an encrypted manner.Policy Description:Encryption:Proven, standard algorithms shall be used as the basis for encryption technologies. The use of proprietary encryption algorithms is not allowed for any purpose unless authorized by the HIPAA Security Officer.Encryption Required:
  1. No ePHI shall be sent outside Entreprise Dentist.Business Inc. domain unless it is encrypted. This includes all email and email attachments sent over a public internet connection.
  2. When accessing a secure network an encryption communication method, such as a VPN, shall be used.
• Encryption Optional:
  1. When using a point-to-point communication protocol to transmit ePHI, no encryption is required.
  2. Dial-up connections directly into secure networks are considered to be secure connections for ePHI and no encryption is required.
• If still using Modems:
  1. Modems shall never be left connected to personal computers in auto-answer mode.
  2. Dialing directly into or out of a desktop computer that is simultaneously connected to a local area network (LAN) or another internal communication network is prohibited.

3. Dial-up access to WAN-connected personal computers at the office is prohibited.

ePHI Transmissions Using Wireless LANs and Devices within Entreprise Dentist.Business Inc. domain:

1. A) The transmission of ePHI over a wireless network within Entreprise Dentist.Business Inc. domain is permitted if both of the following conditions are met:

1. The local wireless network is utilizing an authentication mechanism to ensure that wireless devices connecting to the wireless network are authorized; and
2. The local wireless network is utilizing an encryption mechanism for all transmissions over the aforementioned wireless network and uses two types of authentication.

1. B) If transmitting ePHI over a wireless network that is not utilizing an authentication and encryption mechanism, the ePHI shall be encrypted before transmission.

Perimeter Security

1. Any external connection to Entreprise Dentist.Business Inc. Wide Area Network (WAN) shall come through the perimeter security’s Firewall.
2. If determined safe by the Security Officer, outbound services shall be initiatedfor internal addresses to external addresses.
3. Inbound services shall be negotiated on a case-by-case basis with the SecurityOfficer.
4. All workforce members connecting to the WAN shall sign Entreprise Dentist.Business Inc. IT Confidentiality Agreement before connectivity is established.

Firewall Controls to Transmit ePHI Into and Out of Entreprise Dentist.Business Inc.

1. Networks containing systems and applications with ePHI shall implement perimeter security and access control with a firewall.
2. Firewalls shall be configured to support the following minimum requirements:
   1. Limit network access to only authorized workforce members and entities;
   2. Limit network access to only legitimate or established connections (Anestablished connection is return – traffic in response to an applicationrequest submitted from within the secure network.); and
   3. Consoleandothermanagementportsshallbeappropriatelysecuredordisabled.

3. The configuration of firewalls used to protect networks containing ePHI-based systems and applications shall be submitted to the Security Officer for review and approval.

Policy Responsibilities:

All workforce members that transmit ePHI outside Entreprise Dentist.Business Inc. WAN are responsible for ensuring the information is safeguarded by using encryption when using the public internet or a wireless device.

Procedures

Each area of Entreprise Dentist.Business Inc. shall submit all new and revised procedures to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standard.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 10.0: Protection from Malicious Software

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Protection from Malicious Software

Policy Number: Security 10.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.308(a)(5) Protection from malicious software

This policy establishes protections to safeguard against, detect and report malicious software, including but not limited to viruses, worms and trojans. This policy mandates that Entreprise Dentist.Business Inc. shall ensure all computers owned, leased and/or operated by the covered components install and maintain anti-virus software. Additionally, all workstations shall be configured to activate and update anti- virus software automatically each time the computer is turned on or the user logs on the network.

The policy also details the necessary steps in the event that a virus, worm or other malicious code has infected or been identified on a server or workstation. It specifies workforce members’ responsibilities to maintain cyber-hygiene standards; and the IT manager’s responsibilities to support this policy.

Full Policy Language:

HIPAA Regulation:

164.308(a)(5) Protection from malicious software

Policy Purpose:

The intent of this policy is to establish procedures for protections to guard against, detect, and report malicious software. Malicious software includes, but is not limited to, viruses, worms, trojans, ransomware attacks.

Policy Description:

Entreprise Dentist.Business Inc. shall ensure all computers (owned, leased, and/or operated by Entreprise Dentist.Business Inc.) are installed with and maintain anti-virus software. All workstations shall be configured to activate and update anti-virus software automatically each time the computer is turned on or the user logs onto the network.

In the event that a virus, worm, or other malicious code has infected or been identified on a server or workstation, that equipment shall be disconnected from the network until it has been appropriately cleaned.

Policy Responsibilities:

Workforce Responsibilities:

1. Workforce members who utilize laptops to log on to the network shall work with their IT support to ensure all updates are received.
2. Workforce members are not to disable automatic virus scanning features.
3. All non- Entreprise Dentist.Business Inc. computers that directly access the WAN shall have anti-virus software and remain current with updates.
4. All downloaded files shall be virus-checked prior to use.
5. All storage media (i.e. disks) shall be treated as if they contain viruses.Workforce members are permitted to use removable storage disks provided thatall disks are virus checked prior to use.
6. If a virus is detected, workforce members are instructed to immediately contact their Security Officer.
7. For the purposes of protecting data and preventing the spread of viruses,workers shall:
   • Attend HIPAA security training
   • Maintain back-up copies of data files

IT Responsibility:

1. Set up laptop computers so they automatically load virus updates when they are connected to Entreprise Dentist.Business Inc. network.

Procedures

To ensure that all Entreprise Dentist.Business Inc. workforce members are made aware of the threats and vulnerabilities due to malicious code and software such as viruses and worms and are effectively trained to identify and prevent these types of attacks, the following procedures shall be established and implemented:

1. The workforce shall be trained to identify and protect data, when possible, against malicious code and software.
2. Security reminders shall be given to the workforce to inform them of any of new virus, worm, or other type of malicious code that may threaten ePHI.

Entreprise Dentist.Business Inc. shall submit all new and revised procedures to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standards.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 11.0: Contingency Plan, Disaster Recovery

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Contingency Plan, Disaster Recovery

Policy Number: Security 11.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Synopsis of Policy: HIPAA Regulation: 164.308(a)(7) Contingency plan, Data backup plan, Disaster recovery plan, Emergency mode operation plan, Testing and revision procedures, Applications and data criticality analysis; 164.310(a)(1) Contingency operations

This policy sets forth rules for continuing business without the normal resources of Entreprise Dentist.Business Inc. These include the required procedures for an emergency, disaster or other occurrence (i.e., fire, vandalism, system failure and natural disaster) when any system that contains ePHI is affected, including:

• Applications and data criticality analysis
• Data backup
• Disaster Recovery Plan
• Emergency mode operation plan The policy details specific requirements for each of these critical functions, and the responsibility for the creation, evaluation, testing and updating of the various contingency plans described therein.

Full Policy Language: HIPAA Regulation:

• 164.308(a)(7) Contingency plan
• 164.308(a)(7) Data backup plan
• 164.308(a)(7) Disaster recovery plan
• 164.308(a)(7) Emergency mode operation plan
• 164.308(a)(7) Testing and revision procedures
• 164.308(a)(7) Applications and data criticality analysis
• 164.310(a)(1) Contingency operationsPolicy Purpose:The purpose of this policy is to establish rules for continuing business without the normal resources of Entreprise Dentist.Business Inc. Policy Description:

1. Entreprise Dentist.Business Inc. shall develop procedures for implementation in the event of an emergency, disaster or other occurrence (i.e., fire, vandalism, system failure and natural disaster) when any system that contains ePHI is affected, including:
   1. Applications and data criticality analysis;
   2. Data backup;
   3. Disaster Recovery Plan; and
   4. Emergency mode operation plan.
2. Each of the following plans shall be evaluated and updated at least annually as business needs and technology requirements change.

Applications and Data Criticality Analysis

1. Entreprise Dentist.Business Inc. shall assess the relativecriticality of specific applications and data within Entreprise Dentist.Business Inc. for purposes of developing its Data Backup Plan, its Disaster Recovery Plan and its Emergency Mode Operation Plan.
2. Entreprise Dentist.Business Inc. shall identify critical business functions, define impact scenarios, and determine resources needed to recover from each impact.
3. The assessment of data and application criticality shall be conducted periodically and at least annually to ensure that appropriate procedures are in place for data and applications at each level of risk.

Data Backup Plan

1. All ePHI shall be stored on network servers in order for it to be automatically backed up by the system.
2. ePHI shall not be saved on the local drives of personal computers.
3. ePHI stored on portable media (e.g. thumb drives, external hard drive, CD ROMDisks) shall be saved to the network to ensure backup of ePHI data.
4. Entreprise Dentist.Business Inc. shall conduct daily backups of user-level and system-level information and store the backup information in a secure location. A weekly backup shall be stored offsite.
5. Entreprise Dentist.Business Inc. shall establish and implement a Data Backup Plan pursuant to which it would create and maintainretrievable exact copies of all ePHI.
6. The Data Backup Plan shall apply to all files that may contain ePHI.
7. The Data Backup Plan shall require that all media used for backing up ePHI bestored in a physically secure environment, such as a secure, off-site storage facility. Or, if backup media remains on site, in a physically secure location, different from the location of the computer systems it usually backs up.
8. If a non – Entreprise Dentist.Business Inc. off-site storage facility or backup service is used, a written contract shall be used to ensure that the contractor shall safeguard the ePHI in an appropriate manner.
9. Data backup procedures outlined in the Data Backup Plan shall be tested on, at least, an annual basis to ensure that exact copies of ePHI can be retrieved and made available.

10. Entreprise Dentist.Business Inc. shall submit its new and revised Data Backup Plan to the Compliance Officers for approval.

Disaster Recovery Plan

1. To ensure that Entreprise Dentist.Business Inc. can recover from the loss of data due to an emergency or disaster such as fire, vandalism, terrorism, system failure, or natural disaster affecting systems containing ePHI. Entreprise Dentist.Business Inc. shall establish and implement a Disaster Recover Plan pursuant to which it can restore or recover any loss of ePHI and the systems needed to make that ePHI available in a timely manner. The Disaster Recovery Plan for Entreprise Dentist.Business Inc. shall be incorporated into Entreprise Dentist.Business Inc. Disaster Recovery Plan.
2. The Disaster Recovery Plan shall include procedures to restore ePHI from data backups in the case of a disaster causing data loss.
3. The Disaster Recovery Plan shall include procedures to log system outages, failures, and data loss to critical systems. Also, procedures will be implemented to train the appropriate personnel in regards to the disaster recovery plan.
4. The Disaster Recovery Plan shall be documented and easily available to the necessary personnel at all time(s), who shall be trained to implement the Disaster Recovery Plan.

5. The disaster recovery procedures outlined in the Disaster Recovery Plan shall be tested on a periodic basis to ensure that ePHI and the systems needed to make ePHI available can be restored or recovered.
6. Entreprise Dentist.Business Inc. shall submit its

new and revised Disaster Recovery Plan to the Compliance Officers for approval.

Disaster and Emergency Mode for Small Practices (Larger Organizations like Clinics and Hospitals should use the Full Disaster Recovery Plan)

1. Real Estate/Office Suite: Who to call, Phone Number
2. Computers: Who to call, Phone Number
3. Networking of Computers: Who to call, Phone Number
4. Restoration of Data to Server or Connection to the Internet: Who to call, Phone

Number

5. EHR Support: Who to call, Phone Number
6. Add anything else needed to continue business

Emergency Mode Operation Plan

1. Entreprise Dentist.Business Inc. shall establish and implement (as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode. Emergency mode operation involves critical business processes that shall occur to protect the security of electronic protected health information during and immediately after a crisis situation.
2. Emergency mode operation procedures outlined in the Disaster Plan shall be tested on a periodic basis to ensure that critical business processes can continue in a satisfactory manner while operating in emergency mode.
3. Entreprise Dentist.Business Inc. shall submit its new and revised Emergency Mode Operation Plan to the Compliance Officers for approval.

Policy Responsibilities:

The Compliance/Security Officer shall oversee the creation, evaluation, testing, and updating of the various contingency plans described herein.

Entreprise Dentist.Business Inc. shall submit its new and/or revised procedures and plans to the Security Officer for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standards.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 12.0: Business Associates

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Business Associates

Policy Number: Security 12.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021.

Synopsis of Policy: HIPAA Regulation: 164.308(b)(1) Business associate contracts and other arrangements, Written contract or other arrangements

This policy defines procedures for determining which contractual and business relationships are considered “Business Associates” as defined by HIPAA. In addition, this policy addresses requirements for tracking designated Business Associates (BAs) and how to follow up on complaints about the BAs.

Full Policy Language: HIPAA Regulation:

• 164.308(b)(1) Business associate contracts and other arrangements
• 164.308(b)(1) Written contract or other arrangements Policy Purpose:To document the policy and procedure for determining which contractual and business relationships are considered “Business Associates” as defined by HIPAA. In addition, this policy addresses tracking designated Business Associates and how to follow up on complaints about Business Associates.Policy Description:Business Associates

1. Entreprise Dentist.Business Inc. has many contractual and business relationships, and policies related to its contracts and business relationships. However, not all contractors or business partners are “Business Associates” as defined by HIPAA. This policy only applies to contractors or business partners that come within the definition of a “Business Associate.” Essentially, any person or organization that you hire to help you do something and for that contract to work, you must either directly share PHI or ePHI or give them access to PHI or ePHI would be considered a BA and would need a BA agreement signed by that entity.
2. Compliance Officers of Entreprise Dentist.Business Inc. shall review contracts to determine if the contract requires a Business Associate Agreement. If a Business Associate Agreement is required: contract managers must complete the Business Associate Agreement (BAA) and notify the Compliance Officers. This BAA requires the Business Associate to provide satisfactory assurance that the Business Associate shall appropriately safeguard the confidential information and report any security incidents. Entreprise Dentist.Business Inc. shall audit the Business Associate via electronic questionnaire. If decided by the Compliance Officers, Entreprise Dentist.Business Inc. shall conduct a security audit of the Business Associate’s HIPAA Policies and Procedures as a means of due diligence to ensure that the Business Associate is taking the necessary precautions under the HIPAA Security Rule to protect the data that is shared with them.

Business Associate Non-Compliance

1. If Entreprise Dentist.Business Inc. knows of a pattern of activity or practice of a Business Associate that constitutes a material breach or violation of an obligation under the contract or other arrangement, Entreprise Dentist.Business Inc. shall take reasonable steps to repair the breach or end the violation, as applicable. This includes working with, and providing consultation to, the Business Associate.
2. If such steps are unsuccessful, Entreprise Dentist.Business Inc. shall terminate the contract or arrangement, if feasible. If termination is not feasible, the problem shall be reported to the Office of Civil Rights (OCR) within 30 days of the incident.

Policy Responsibilities:

Compliance Officers of Entreprise Dentist.Business Inc. shall work together to ensure that all Business Associates are identified, tracked, and investigated when an allegation is made.

Procedures

Tracking and Identifying Entreprise Dentist.Business Inc. Business Associates

Entreprise Dentist.Business Inc. shall identify those business relationships that meet the definition of a Business Associate. Contract managers shall note that designation in the contract record and notify the Compliance Officer when a contractor is determined to be a Business Associate.

Response to Complaints about Business Associates

Entreprise Dentist.Business Inc.  workforce members who receive a report or complaint from any source about inappropriate safeguards to ePHI by Business Associates shall provide information regarding that report or complaint to the Compliance Officers. The Compliance Officers shall coordinate with the Business Associate’s contract administrator to document the alleged violation and determine if remediation is required in order for the Business Associate to attain/retain contract compliance.

Where contract compliance cannot be attained/retained, Entreprise Dentist.Business Inc. shall terminate the contract, if feasible. If termination is not feasible, the Compliance Officers shall report the problem to the Office of Civil Rights within 30 days of the incident.

Definitions

• Business Associate: On behalf of the covered entity, completes a function or activity involving the use or disclosure of protected health information (PHI), including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing; or, provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity or, to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 13.0: Monitoring and Effectiveness

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Monitoring and Effectiveness

Policy Number: Security 13.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021.

Synopsis of Policy: HIPAA Regulation: 164.308(a)(1) Perform a periodic technical and non-technical evaluation, requiring a process for Security management, risk analysis and risk management)

This policy establishes periodic evaluations of Entreprise Dentist.Business Inc. compliance with HIPAA policies and procedures. Security assessments shall be conducted periodically to confirm continued compliance with security standards and specifications. Assessments will determine if security controls are correctly implemented, and, as implemented, are effective in their application.

The policy also establishes procedures for Change Management of systems governed by the HIPAA Security Rule. The policy specifies the need for Change Control, Change Notification, Change Implementation, Change Closure and Evaluation.

The policy also specifies management and workforce responsibilities for implementation.

Full Policy Language: HIPAA Regulation:

• 164.308(a)(1) Perform a periodic technical and non-technical evaluation
• 164.308(a)(1) Security management process
• 164.308(a)(1) Risk analysis
• 164.308(a)(1) Risk managementPolicy Purpose:The intent of this policy is to establish periodic evaluations on whether Entreprise Dentist.Business Inc. is complying with the HIPAA policies and procedures to effectively provide confidentiality, integrity and availability of electronic protected health information (ePHI). Security assessments shall be conducted periodically to determine continued compliance with security standards and specifications. Assessments are conducted to:
  1. Determine if security controls are correctly implemented, and, as implemented, are effective in their application;
  2. Ensure that HIPAA security regulations, policies, and directives are met; and
  3. Implement security measures sufficient to reduce risks and vulnerabilities to areasonable and appropriate level.
• Policy Description:
• Risk Assessment & Management:
• Entreprise Dentist.Business Inc., along with the Security Officer, shall monitor the effectiveness of Entreprise Dentist.Business Inc. ability to secure ePHI. In order to accomplish this, a risk assessment shall be conducted when:
  1. New technology is implemented that either contains ePHI or is used to protect ePHI;
  2. New facilities that maintain or house ePHI are designed;
  3. Existing facilities that maintain or house ePHI are being remodeled or thedesign layout is being altered;
  4. New programs, functions, or departments are added that affect the security of Entreprise Dentist.Business Inc.;
  5. Security breaches are identified; and
  6. Changes in the mode or manner of service delivery are made.
• Security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level shall be documented and implemented.

Change Control

The primary goal of change management is to facilitate communications and coordinate all changes that may occur in the IT environment. These changes include, but are not limited to, the installation, update, or removal of network services and components, operating system upgrades, application or database servers and software.

Change Notification

1. For informational purposes, the Compliance Officers shall be notified of changes by email no less than 48 hours in advance.
2. Emergency Changes shall be communicated to the Compliance Officers as soon as is reasonable.
3. Any change that encounters difficulties that could adversely affect customers, patients, or clients shall be communicated to the Compliance Officers as soon as is reasonable.

Change Implementation

All non-emergency changes shall occur within the recognized downtime unless approved in advance by all affected parties or for inter-departmental changes as department procedures dictate.

Change Closure

The disposition of all changes shall be documented.

Evaluation

Entreprise Dentist.Business Inc. shall conduct an assessment of security controls at least annually to determine the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome. Technical and non-technical evaluations are to be conducted periodically to identify any new risks or to determine the effectiveness of the HIPAA Security Policies and Procedures. These evaluations include but are not limited to the following:

1. Random audit reviews of a facility’s physical environment security;
2. Random audit reviews of workstation security;
3. Periodic, unannounced tests of the physical, technical, and administrative controls;
4. Assessment of changes in the environment or business process that may affect the HIPAA Security Policies and Procedures;
5. Assessment when new federal, state or local laws and regulations are passed that may affect the HIPAA Security Policies and Procedures;
6. Assessment of the effectiveness of the HIPAA Security Policies and Procedures when security violations, breaches or other security incidents occur; and
7. Assessment of redundancy needed in the network or servers for ePHI availability.

Policy Responsibilities:

Compliance Officers

HIPAA Compliance Officers:

1. Are responsible to coordinate with the Security Officers to conduct audits of covered component compliance with the HIPAA security rule;
2. Shall coordinate the production of procedures to implement this policy; and
3. Are responsible for providing tools and processes for assessing technical and nontechnical evaluations as part of Entreprise Dentist.Business Inc. ongoing compliance efforts.

If assessments recommend changes to the HIPAA Policies and Procedures, the Compliance Officers are responsible for reviewing these changes and presenting them to management. If needed, the Compliance Officers will update the workforce training materials.

Procedures

The Compliance Officers shall write procedures to ensure ongoing evaluation and assessments are completed to mitigate risks to ePHI.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 14.0: Security Awareness and Training

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Security Awareness and Training

Policy Number: Security 14.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021.

Synopsis of Policy: HIPAA Regulation: 164.308(a)(5) Security awareness and training; Security reminders Texas Med Rec Privacy Act: THSC §2.I.181.101 Training Required

This policy ensures that all members of Entreprise Dentist.Business Inc. workforce who can access Electronic Protected Health Information (ePHI) receive the necessary training in order to implement and maintain the HIPAA Security Policies and Procedures. The intent is also to prevent any violations of confidentiality, integrity or availability of ePHI. Since Security Awareness Training is key to eliminating Entreprise Dentist.Business Inc. exposure to both malicious threats and accidental errors and omissions, its components are specified in the policy, along with training frequency, record keeping, and ongoing reminders.

Compliance with Texas Medical Records Privacy Act security awareness and training requirements (as noted above) are also fulfilled in this policy.

Full Policy Language: HIPAA Regulation:

• 164.308(a)(5) Security awareness and training
• 164.308(a)(5) Security remindersPolicy Purpose:The intent of this policy is to ensure that all members of Entreprise Dentist.Business Inc. workforce that can access to electronic protected health information (ePHI) receives the necessary training in order to implement and maintain the HIPAA Security Policies and Procedures. Also, the intent of this policy is to prevent any violations of confidentiality, integrity or availability of ePHI.Policy Description:Security Awareness Training
  Security awareness training is key to eliminating Entreprise Dentist.Business Inc. exposure to both malicious threats and accidental errors or omissions.System & Application TrainingThis policy sets forth a minimum standard for system and application security awareness to reduce Entreprise Dentist.Business Inc. risk:
  1. Proper uses and disclosures of the ePHI stored in the application;
  2. How to properly log on and log off the application;
  3. Protocols for correcting user errors;
  4. Instructions for contacting a designated person or help desk when ePHI mayhave been altered or destroyed in error; and
  5. Reporting a potential security breach.
• HIPAA Security Training

1. All members of the workforce that are part of Entreprise Dentist.Business Inc. shall receive security training. The Compliance Officers will provide the training and materials.
   1. Worker Level Training: This training entails Security Policies and Procedures that directly affect workers.
   2. Managerial – Supervisory Training: This training entails all of the HIPAA Security Policies and Procedures and Management’s role in enforcement and supervision.
2. All new workforce members are required to attend the appropriate training within 60 days of entering the workforce.

3. Entreprise Dentist.Business Inc. is required to ensure that all of their workforce members receive training.

Tracking Security Training:

Entreprise Dentist.Business Inc. training coordinator or designee shall enter their workforce members into The Guard to sign them up for the appropriate level of training.

HIPAA Security Reminders

1. The Compliance Officers shall develop and implement periodic security updates and issue reminders to Entreprise Dentist.Business Inc. workforce. These security reminders shall be provided using any media that is most effective for Entreprise Dentist.Business Inc. (e.g. email, posters, newsletters, intranet site, etc.).
2. At a minimum, these reminders shall be provided on a quarterly basis.

Policy Responsibilities:

Compliance Officers are responsible for ensuring that all workforce members in their operational areas are trained no later than 30 days after entering their workforce. In addition, the Compliance Officers will have oversight responsibility to audit reports from The Guard to ensure required workforce member attendance. If needed, the Compliance Officers may require workforce members to attend more training if security incidents warrant this remedial action.

Procedures

Entreprise Dentist.Business Inc. shall document written

procedures on how new workers are notified and sent to training.

Entreprise Dentist.Business Inc. shall submit its new and revised procedures and plans to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and will not deviate from Entreprise Dentist.Business Inc. standard.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.).

Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

• ePHI: Electronic/Protected health information means individually identifiable health information:

• Transmitted by electronic media;
• Maintained in electronic media; or
• Transmitted or maintained in any other form or medium.
• Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 15.0: Sanctions Policy

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Sanctions Policy

Policy Number: Security 15.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021.

Synopsis of Policy: HIPAA Regulation: 164.308(a)(1) Sanctions policy

This policy specifies enforcement, sanctions, penalties and disciplinary actions that may be applied against workforce members who fail to comply with all security policies and procedures. This policy ensures that information system workforce members know they can be held accountable for their actions.

The policy details all requirements of its fulfillment and penalties for non-compliance. It is of critical importance for all members of Entreprise Dentist.Business Inc. workforce to read this policy in full, and acknowledge having read it with signature.

Full Policy Language:

HIPAA Regulation:

• 164.308(a)(1) Sanctions policy

Policy Purpose:

The intent of this policy is to specify enforcement, sanctions, penalties, and disciplinary actions that may be applied against workforce members who fail to comply with the security policies and procedures. This policy ensures that workforce members know they can be held accountable for their actions.

Policy Description:

Sanctions

1. The definition of Entreprise Dentist.Business Inc. workforce is taken from the Privacy Rule. In Section 160.103, of the Privacy Rule, the term “workforce” is defined as, “Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.” The workforce shall guard against improper uses or disclosures of Entreprise Dentist.Business Inc. confidential client protected health information.
2. All members of Entreprise Dentist.Business Inc. workforce are required to be aware of their responsibilities under Entreprise Dentist.Business Inc. HIPAA Security Rule policies.
3. All members of Entreprise Dentist.Business Inc. workforce are required to sign the HIPAA Confidentiality form indicating that they have been informed of the business practices in Entreprise Dentist.Business Inc. as they relate to security.
4. Managers and supervisors are responsible for ensuring that workforce members who have access to ePHI are informed of their responsibilities. Management is responsible for ensuring timely and appropriate training, that updates are communicated broadly, and that old/discontinued information is purged from common usage.
5. Members of Entreprise Dentist.Business Inc. workforce who violate Entreprise Dentist.Business Inc.  policies and procedures regarding the safeguarding of an individual’s confidential information are subject to disciplinary action by Entreprise Dentist.Business Inc.  up to and including immediate dismissal from employment or service. For violations of these polices, corrective action, including but not limited to contract cancellation or termination of services, shall be implemented by Entreprise Dentist.Business Inc.  for those members of the workforce who are not subject to Entreprise Dentist.Business Inc. discipline process.

1. Members of Entreprise Dentist.Business Inc. workforce who knowingly and willfully violate state or federal law for failure to safeguard ePHI are subject to criminal investigation and prosecution or civil monetary penalties.
2. If Entreprise Dentist.Business Inc. fails to enforce security safeguards, Entreprise Dentist.Business Inc. may be subject to administrative penalties by the Office of Civil Rights (OCR), including federal funding penalties.

Reporting violations

All workforce members shall notify the Compliance Officers when there is a reasonable belief that any security policies or procedures are being violated.

Retaliation prohibited

1. Neither Entreprise Dentist.Business Inc. as an entity nor

any member of Entreprise Dentist.Business Inc. workforce shall intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against any individual for:

1. Exercising any right established under Entreprise Dentist.Business Inc. policy;
2. Participating in any process established under Entreprise Dentist.Business Inc. policy including the filing of a complaint with the Entreprise Dentist.Business Inc. or with the Office of Civil Rights;
3. Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing relating to Entreprise Dentist.Business Inc. policy and procedures; and
4. Opposing any unlawful act or practice, provided that the individual or other person (including a member of the Entreprise Dentist.Business Inc. workforce) has a good faith belief that the act or practice being opposed is unlawful and the manner of such opposition is reasonable and does not involve a use or disclosure of an individual’s protected confidential information in violation of Entreprise Dentist.Business Inc. policy.

2. Those engaging in retaliation shall be subject to the sanctions under this policy.

Policy Responsibilities:

All workforce members are responsible for notifying the Compliance Officers when there is a belief that any security policies are being violated. In addition, suspected violations should be reported to the Security Officer.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:o Transmitted by electronic media;
  o Maintained in electronic media; or
  o Transmitted or maintained in any other form or medium.
• Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 16.0: Policies and Procedures

Company Name: Entreprise Dentist.Business Inc..

Policy Name: Policies and Procedures

Policy Number: Security 16.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021.

Synopsis of Policy: HIPAA Regulation: 164.316. a Policies and procedures;.316.a.1 Documentation; 316.a.1.i Time limit; .316.a.1.ii Availability; .316.a.1.iii Updates

This policy formalizes the process by which Entreprise Dentist.Business Inc. HIPAA Security Rule policies and procedures are created, documented and implemented in accordance with regulations. It specifies the role of the various Compliance Officers in development, discussion and implementation of new policies and regular review of current policies.

It details documentation requirements surrounding policy administration.

Full Policy Language: HIPAA Regulation:

• 164.316. a Policies and procedures
• 164.316.a.1 Documentation
• 164.316.a.1.i Time limit
• 164.316.a.1.ii Availability
• 164.316.a.1.iiiUpdates Policy Purpose:The intent of this policy is to formalize the process by which Entreprise Dentist.Business Inc. HIPAA Security Rule policies and procedures are created, documented, and implemented in accordance with regulations.Policy Description:
  1. The Compliance Officers shall implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications or other requirements of the HIPAA Security Rule. The Compliance Officers shall work with workforce members to draft and revise policies and procedures.
  2. All policies and procedures implemented to comply with the HIPAA Security Rule shall be documented in writing (which may be in electronic form). All records of actions, activities, or assessments required by the Rule shall be documented. The documentation shall be detailed enough to communicate the security measures taken and to facilitate periodic evaluations.
  3. Documentation shall be retained for a minimum of 6 years from the time of its creation or the date when it last was in effect, whichever is later.
  4. All documentation shall be available to those persons responsible for implementing the procedures to which the documentation pertains.
  5. Documentation shall be reviewed at least annually, and updated as needed, in response to environmental or operational changes affecting the security of the electronic protected health information (ePHI).
• Policy Responsibilities:
• Compliance Officers
• The Compliance Officers shall be responsible for leading the development, implementation, and maintenance of the policies, procedures, and related documentation.
• Department Management
• Entreprise Dentist.Business Inc. shall submit all new and revised procedures to the Compliance Officers for approval and ongoing evaluation.

Procedures

In general the following process is used to develop and implement policies and procedures:

1. The Compliance Officers shall draft new or updated HIPAA information security policies;
2. The new information security policy shall be presented to the Head of Entreprise Dentist.Business Inc. for awareness, input, and endorsement;
3. The Compliance Officers shall give final approval for the new or updated policy; and
4. The Compliance Officers shall communicate the new or updated policy to the workforce including updating training and related materials as needed.

Any procedures developed by Entreprise Dentist.Business Inc. shall be consistent with Entreprise Dentist.Business Inc. HIPAA policies and not deviate from Entreprise Dentist.Business Inc. standard.

Definitions

• Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate Definition: any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
• ePHI: Electronic/Protected health information means individually identifiable health information:
  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.
  • Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Security 17.0: Satellite Office and Home Office Policy

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Satellite Office and Home Office Policy

Policy Number: Security 17.0.

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021.

Synopsis:

This policy is designed to help Entreprise Dentist.Business Inc. designate and protect Satellite and Home Offices that directly perform services for the Covered Entity or Business Associate.

Definitions:

Satellite Office: A Satellite Office is a non-descript location, with no signage to designate that it is part of, or performs services for, the main organization. This location is not used for storing PHI documented in physical or digital form. It is strictly used for providing treatment and then leaving. When leaving, there is no footprint, no computers, no charts, no trash: nothing that can be traced back to any of the PHI that was interacted with. If any of the above does not apply, then this site is considered a location and is subject to all the HIPAA requirements that the main office is subject to.

Home Office: A home office with no signage to designate that it is part of, or performs services for, the main organization. This location is not used for storing charts, for storing computers, and does not retain any documentation. It is strictly used for providing treatment and healthcare viewing of electronic records. There is no footprint, no data stored on computers, no charts, no trash: nothing that can be traced back to any of the PHI that was interacted with. Entreprise Dentist.Business Inc.

should not allow storage of PHI at the Home Office. Printed matter should be shredded immediately after use, and it should not be stored. Computers should be set up so PHI cannot download from the main site. No footprint can be left. If any of the above does not apply, then this site is considered a location and is subject to all the HIPAA requirements that the main office is subject to.

Requirements of Compliance for Satellite and Home Offices:

1. Devices used at Satellite and Home sites must be protected and encrypted and listed in the Device Audit as encrypted.
2. Site(s) must have a Physical Site Audit filled out and stored in The Guard.
3. All Entreprise Dentist.Business Inc. staff that work in theSatellite and Home offices must go through HIPAA training.
4. No footprint (evidence of PHI) will be allowed at either Satellite or HomeOffices.
5. If the above are not followed, the organization must defend their decisions to theDepartment of Health and Human Services (HHS) should a breach occur and these protocols are not followed.

Example of a Satellite Office:

A Doctor’s office in city A has a lot of patients in city B, so once a week they use a site in city B (i.e., an examination room in another doctor’s office, etc.) to see patients who live there so they do not have to travel as far. This site is not used for storing charts, for storing computers, or for leaving any documentation behind. It is strictly used for seeing the Doctor’s patients, and then leaving. When leaving, they leave behind no footprint, no computers, no charts, no trash, and nothing about or pertaining to any of the patients that were there that day.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Privacy 21.0: Breach Notification

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Breach Notification

Policy Number: Privacy 21.0

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021.

Synopsis of Policy: Breach Notification

This policy provides guidance for breach notification by Entreprise Dentist.Business Inc. when impermissive or unauthorized access, acquisition, use, and/or disclosure of Entreprise Dentist.Business Inc. patients’ Protected Health Information (PHI) occurs. Breach notification will be carried out in compliance with the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH), Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (Omnibus Rule), as well as any other federal or state notification law.

The full policy, of which this serves as executive summary, details and defines all aspects of inappropriate, wrongful, accidental, or willful breaches of protected health information (PHI). The complete policy also identifies required procedures to alert those who have been subject of a breach, and additional notification requirements (governmental agencies, law enforcement, etc.).

Any Entreprise Dentist.Business Inc. workforce member coming in contact with PHI in their regular duties must read the complete policy and attest to having read and understanding it.

Full Policy Language: Purpose:

To provide guidance for breach notification by covered entities when impermissive or unauthorized access, acquisition, use and/or disclosure of Entreprise Dentist.Business Inc. patient protected health information occurs. Breach notification will be carried out in compliance with the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH), Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (Omnibus Rule), as well as any other federal or state notification law.

The Federal Trade Commission (FTC) has published breach notification rules for vendors of personal health records as required by ARRA/HITECH. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule was effective September 24, 2009 with full compliance required by February 22, 2010.

Background:

The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. Title XIII of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH significantly impacted the Health Insurance Portability and Accountability (HIPAA) Privacy and Security Rules. While HIPAA did not require notification when patient protected health information (PHI) was inappropriately disclosed, covered entities may have chosen to include notification as part of the mitigation process. HITECH required notification of certain breaches of unsecured PHI to the following: individuals, Secretary of the Department of Health and Human Services (HHS), and the media. The effective implementation date for these provisions was September 23, 2009.

In January of 2013, the “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” (Omnibus Rule) modified the HITECH definition of a breach to eliminate the previous “harm” standard and was effective September 23, 2013. It states that an “acquisition, access, use, or disclosure in a manner not permitted is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment” of at least the following factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has beenmitigated.

Definitions:

Access: Means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

Agent: An agent of Entreprise Dentist.Business Inc. is determined in accordance with federal common law of agency. Entreprise Dentist.Business Inc. is liable for the acts of its agents. An agency relationship exists if Entreprise Dentist.Business Inc. has the right or authority of Entreprise Dentist.Business Inc. to control the agent’s conduct in the course of performing a service on behalf of Entreprise Dentist.Business Inc. (i.e. give interim instructions, direct the performance of the service).

Breach: Means the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI and is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has beenmitigated.

Breach excludes:

1. Any unintentional acquisition, access, or use of PHI by a workforce member orperson acting under the authority of a Covered Entity (CE) or Business Associate (BA) if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule;
2. Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized health care arrangement in which the CE participates, and the information received as a result of such disclosure is not further used or disclosed

in a manner not permitted under the Privacy Rule; and

3. A disclosure of PHI where a CE or BA has a good faith belief that an

unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Covered Entity: A health plan, health care clearinghouse, or a healthcare provider who transmits any health information in electronic form.

Disclosure: Disclosure means the release, transfer, provision of, access to, or divulging in any manner of information outside the entity holding the information.

Individually Identifiable Health Information: That information that is a subset of health information, including demographic information collected from an individual, and is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Law Enforcement Official: Any officer or employee of an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law; or prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

Organization: For the purposes of this policy, the term “organization” shall mean the covered entity to which the policy and breach notification apply.

Protected Health Information (PHI): Protected health information means individually identifiable health information that is: transmitted by electronic media; maintained in electronic media; or transmitted or maintained in any other form or medium (see regulations for complete definition and exclusions).

Unsecured Protected Health Information: Protected health information (PHI) that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Pub. L.111-5 on the HHS website.

1. Electronic PHI has been encrypted as specified in the HIPAA Security rule by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The following encryption processes meet this

standard.

1. Valid encryption processes for data at rest (i.e. data that resides indatabases, file systems, and other structured storage systems) are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices; and
2. Valid encryption processes for data in motion (i.e. data that is moving through a network, including wireless transmission) are those that comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are Federal Information Processing Standards FIPS 140-2 validated.

2. The media on which the PHI is stored or recorded has been destroyed in the following ways:

1. Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction; and
2. Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publications 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

Workforce: Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such entity, whether or not they are paid by the covered entity or business associate.

Policy Statement/s:

1. Discovery of Breach: A breach of PHI shall be treated as “discovered” as of the first day on which an incident that may have resulted in a breach is known to Entreprise Dentist.Business Inc. or, by exercising reasonable diligence would have been known to Entreprise Dentist.Business Inc. (includes breaches by Entreprise Dentist.Business Inc. business associates). Entreprise Dentist.Business Inc. shall be deemed to have knowledge of a breach if such breach is known or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent (e.g. a business associate acting as an agent of the organization) of Entreprise Dentist.Business Inc. (see attachment for examples of breach of unsecured protected heath information). Following the discovery of a potential breach, Entreprise Dentist.Business Inc. shall begin an investigation (see organizational policies for security incident response and/or risk management incident response), conduct a risk assessment, and based on the results of the risk assessment, begin the process to notify each individual whose PHI has been, or is reasonably believed to by Entreprise Dentist.Business Inc. to have been accessed, acquired, used, or disclosed as a

result of the breach. Entreprise Dentist.Business Inc. shall also begin the process of determining what external notifications are required or should be made (e.g., Secretary of Department of Health & Human Services (HHS), media outlets, law enforcement officials, etc.).

1. Breach Investigation: Entreprise Dentist.Business Inc. shall name an individual to act as the investigator of the breach (e.g., privacy officer, security officer, risk manager, etc.). The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with others in Entreprise Dentist.Business Inc. as appropriate (e.g., administration, security incident response team, human resources, risk management, public relations, legal counsel, etc.) The investigator shall be the key facilitator for all breach notification processes to the appropriate entities (e.g., HHS, media, law enforcement officials, etc.). All documentation related to the breach investigation, including the risk assessment and notifications made, shall be retained for a minimum of six years.
2. Risk Assessment: For an acquisition, access, use or disclosure of PHI to constitute a breach, it must constitute a violation of the Privacy Rule. A use or disclosure of PHI that is incident to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper minimum necessary procedures would not be a violation of the Privacy Rule and would not qualify as a potential breach. An “acquisition, access, use, or disclosure in a manner not permitted is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment” of at least the following factors:
   1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
   2. The unauthorized person who used the protected health information or towhom the disclosure was made;
   3. Whethertheprotectedhealthinformationwasactuallyacquiredorviewed;and
   4. The extent to which the risk to the protected health information has beenmitigated.
3. Entreprise Dentist.Business Inc. shall document the risk assessment as part of the investigation in the incident report form noting the outcome of the risk assessment process. Entreprise Dentist.Business Inc. has the burden of proof for demonstrating that all notifications were made as required or that the use or disclosure did not constitute a breach. Based on the outcome of the risk assessment, Entreprise Dentist.Business Inc. will determine the need to move forward with breach notification. Entreprise Dentist.Business Inc. may make breach notifications without completing a risk assessment.

1. Timeliness of Notification: Upon determination that breach notification is required, the notice shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach by Entreprise Dentist.Business Inc. involved or the business associate involved that is acting as Entreprise Dentist.Business Inc. agent. It is the responsibility of Entreprise Dentist.Business Inc. to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of delay.
2. Delay of Notification Authorized for Law Enforcement Purposes: If a law enforcement official states to Entreprise Dentist.Business Inc. that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, Entreprise Dentist.Business Inc. shall:
   1. If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting of the time period specified by the official; or
   2. If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.
3. Content of the Notice: The notice shall be written in plain language and must contain the following information:
   1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
   2. A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
   3. Any steps the individual should take to protect themselves from potential harm resulting from the breach;
   4. A brief description of what Entreprise Dentist.Business Inc. is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches; and
   5. Contact procedures for individuals to ask questions or learn additional information, which includes a toll-free telephone number, an e-mail address, Web site, or postal address.
4. Methods of Notification: The method of notification will depend on the individuals/entities to be notified. The following methods must be utilized accordingly:

1. Notice to Individual(s): Notice shall be provided promptly and in the following form:

1. Written notification by first-class mail to the individual at their last known address or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification shall be provided in one or more mailings as information is available. If Entreprise Dentist.Business Inc. knows that the individual is deceased and has the address of the next of kin or personal representative of the individual, written notification by first-class mail to the next of kin or personal representative shall be carried out. Limited examples (refer to preamble for more examples):
   1. Entreprise Dentist.Business Inc. may send one breach notice addressed to both a plan participant and the participant’s spouse or other dependents under the plan who are affected by a breach, if they all reside at a single address and all individuals to which the notice applies are clearly identified on the notice. When a plan participant (and/or spouse) is not the personal representative of a dependent under the plan, however, address a breach notice to the dependent himself or herself; and
   2. In the limited circumstance that an individual affirmatively chooses not to receive communications from a health care provider at any written addresses or email addresses and has agreed only to receive communications orally or by telephone, the provider may telephone the individual to request and have the individual pick up their written breach notice from the provider directly. In cases in which the individual does not agree or wish to travel to the provider to pick up the written breach notice, the health care provider should provide all of the information in the breach notice over the phone to the individual, document that it has done so, and the Department will exercise enforcement discretion in such cases with respect to the ‘‘written notice’’ requirement.
2. Substitute Notice: In the case where there is insufficient or out- of-date contact information (including a phone number, email address, etc.) that precludes direct written or electronic notification, a substitute form of notice reasonably calculated to reach the individual shall be provided. A substitute notice need not be provided in cases where there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative.

1. In a case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then the substitute notice may be provided by an alternative form of written notice, telephone, or other means.
2. In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then the substitute notice shall be in the form of either a conspicuous posting for a period of 90 days on the home page of the organization’s website, or a conspicuous notice in a major print or broadcast media in Entreprise Dentist.Business Inc. geographic areas where the individuals affected by the breach likely reside. The notice shall include a toll-free number that remains active or at least 90 days where an individual can learn whether his or her PHI may be included in the breach.

3. If Entreprise Dentist.Business Inc. determines that notification requires urgency because of possible imminent misuse of unsecured PHI, notification may be provided by telephone or other means, as appropriate in addition to the methods noted above.

1. Notice to Media: Notice shall be provided to prominent media outlets serving the state and regional area (of the breached patients) when the breach of unsecured PHI affects 500 or more of Entreprise Dentist.Business Inc. patients of a State or jurisdiction.
   1. The Notice shall be provided in the form of a press release.
   2. What constitutes a prominent media outlet differs depending upon the state or jurisdiction where Entreprise Dentist.Business Inc. affected patients reside. For a breach affecting more than 500 individuals across a particular state, a prominent media outlet may be a major, general interest newspaper with a daily circulation throughout the entire state. In contrast, a newspaper serving only one town and distributed on a monthly basis, or a daily newspaper of specialized interest (such as sports or politics) would not be viewed as a prominent media outlet. Where a breach affects more than 500 individuals in a limited jurisdiction, such as a city, then a prominent media outlet may be a major, general-interest newspaper with daily circulation throughout the city, even though the newspaper does not servethe whole State.
2. Notice to Secretary of HHS: Notice shall be provided to the Secretary ofHHS as follows below. The Secretary shall make available to the public on the HHS Internet website a list identifying covered entities involved in

all breaches in which the unsecured PHI of more than 500 patients is accessed, acquired, used, or disclosed.

1. For breaches involving 500 or more individuals, the organization shall notify the Secretary of HHS as instructed at www.hhs.gov at the same time notice is made to the individuals.
2. For breaches involving fewer than 500 individuals, the organization will maintain a log of the breaches. The breaches may be reported during the calendar year or no later than 60 days after the end of that calendar year in which the breaches were discovered (e.g., 2017 breaches must be submitted by 3/1/2018 – 60 days). Instructions for submitting the logged breaches are provided at www.hhs.gov.

9. Maintenance of Breach Information/Log: As described above and in addition to the reports created for each incident, Entreprise Dentist.Business Inc. shall maintain a process to record or log all breaches of unsecured PHI regardless of the number of patients affected. The following information should be collected/logged for each breach (see sample Breach Notification Log):

1. A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of patients affected, if known;
2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.);
3. A description of the action taken with regard to notification of patients, the media, and the Secretary regarding the breach;
4. The results of the risk assessment; and
5. Resolution steps taken to mitigate the breach and prevent futureoccurrences.

10.Business Associate Responsibilities: In 2013, the Omnibus Rule extended liability for compliance to the HIPAA Privacy and Security Rules to business associates and their subcontractors. With these modifications, business associates are now directly liable for impermissible uses and disclosures, provision of breach notification to the covered entity, completing breach risk assessments, breach documentation requirements, and civil and criminal penalties for violations. The business associate (BA) of Entreprise Dentist.Business Inc. that accesses, creates, maintains, retains, modifies, records, stores, transmits, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, notify Entreprise Dentist.Business Inc. of such breach (when the business associate is an agent of the organization, this notification must be provided within a shorter timeframe as specified in Entreprise Dentist.Business Inc. Business Associate Agreement policy). Such notice shall include the identification of each

individual whose unsecured protected health information has been, or is reasonably believed by the BA to have been, accessed, acquired, or disclosed during such breach. The BA shall provide Entreprise Dentist.Business Inc. with any other available information that the organization is required to include in notification to the individual at the time of the notification or promptly thereafter as information becomes available. Upon notification by the BA of discovery of a breach, Entreprise Dentist.Business Inc. will be responsible for notifying affected individuals, unless otherwise agreed upon by the BA to notify the affected individuals (note: It is the responsibility of the Covered Entity to document this notification).

1. Workforce Training: Entreprise Dentist.Business Inc. shall train all members of its workforce on the policies and procedures with respect to PHI as necessary and appropriate for the members to carry out their job responsibilities. Workforce members shall also be trained as to how to identify and promptly report breaches within Entreprise Dentist.Business Inc., as well as return or destroy PHI, as appropriate for the incident. Workforce members that assist in investigating, documenting, and resolving breaches are trained on how to complete these activities.
2. Complaints: Entreprise Dentist.Business Inc. must provide a process for individuals to make complaints concerning the organization’s patient privacy policies and procedures or its compliance with such policies and procedures. Individuals have the right to complain about Entreprise Dentist.Business Inc. breach notification processes.
3. Sanctions: Entreprise Dentist.Business Inc. shall have in place and apply appropriate sanctions against members of its workforce who fail to comply with privacy policies and procedures.
4. Retaliation/Waiver: Entreprise Dentist.Business Inc. may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any privacy right. Entreprise Dentist.Business Inc. may not require individuals to waive their privacy rights under as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

Applicable Federal/State Regulations:

• ▪  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (Omnibus Rule);
• ▪  ARRA Title XIII Section 13402 – Notification in the Case of Breach;
• ▪  FTC Breach Notification Rules – 16 CFR Part 318;
• ▪  45 CFR Parts 160 and 164 – HIPAA Privacy and Security Rules; and
• ▪  WI § 134.98 – Notice of Unauthorized Acquisition of Personal Information (Note:Not applicable to Covered Entities under HIPAA).

ATTACHMENTS

Note: Each of these events may not rise to the level of a “breach.” This can only be determined by completing the risk assessment analysis and making a determination of whether or not there was “harm” to the individual.

• ▪  Workforce members access the electronic health records of a celebrity who is treated within the facility and they are not involved in the patient’s care.
• ▪  Stolen or lost laptop containing unsecured protected health information.
• ▪  Papers containing protected health information found scattered along roadside after improper storage in truck by business associate responsible for disposal (shredding).
• ▪  Posting of patient’s HIV+ health status on Facebook by a laboratory tech who carried out the diagnostic study.
• ▪  Misdirected e-mail of listing of drug seeking patients to an external group list.
• ▪  Lost flash drive containing database of patients participating in a clinical study.
• ▪  EOB (Explanation of Benefits) sent to wrong guarantor.
• ▪  Provider accessing the health record of divorced spouse for information to be usedin a custody hearing.
• ▪  Workforce members accessing electronic health records for information onfriends or family members out of curiosity/without a business-related purpose.
• ▪  EMT takes a cell phone picture of patient following a MVA and transmits phototo friends.
• ▪  Misfiled patient information in another patient’s medical records which is broughtto the organization’s attention by the patient.
• ▪  Medical record copies in response to a payer’s request lost in mailing process andnever received.
• ▪  Misdirected fax of patient records to a local grocery store instead of therequesting provider’s fax.
• ▪  Briefcase containing patient medical record documents stolen from car.
• ▪  PDA with patient-identifying wound photos lost.
• ▪  Intentional and non-work related access by staff member of neighbor’sinformation.
• ▪  Medical record documents left in public access cafeteria.Penalties for Breach: Penalties for violations of HIPAA have been established under HITECH as indicated below. The penalties do not apply if the organization did not know (or by exercising reasonable diligence would not have known) of the violation or if the failure to comply was due to a reasonable cause and was corrected within thirty days.

Examples of Potential Breaches of Unsecured Protected Health Information

Breach Penalties

Penalties will be based on the organization’s culpability for the HIPAA violation. The Secretary of HHS will base its penalty determination on the nature and extent of both the violation and the harm caused by the violation. The Secretary still will have the discretion to impose corrective action without a penalty in cases where the person did not know (and by exercising reasonable diligence would not have known) that such person committed a violation.

The maximum penalty is $50,000 per violation, with a cap of $1,500,000 for all violations of an identical requirement or prohibition during a calendar year.

The minimum civil monetary penalties are tiered based upon the entity’s perceived culpability for the HIPAA violation, as follows:

Tier A

▪

Tier B

▪

Tier C

▪

Tier D

▪

– If the offender did not know

$100 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $25,000.

– Violation due to reasonable cause, not willful neglect

$1,000 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $100,000.

– Violation due to willful neglect, but was corrected.

$10,000 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $250,000.

– Violation due to willful neglect, but was NOT corrected.

$50,000 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $1,500,000.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

Privacy 22.0: Organizational Code of Conduct

Entreprise Dentist.Business Inc. and its employees must, at all times, comply with all applicable laws and regulations. Entreprise Dentist.Business Inc. will not condone the activities of employees who achieve results through violation of the law or unethical business dealings. This includes any payments for illegal acts, indirect contributions, rebates, and bribery. Entreprise Dentist.Business Inc. does not permit any activity where public scrutiny or opinions would damage the reputation of Entreprise Dentist.Business Inc..

All business conduct should be well above the minimum standards required by law. Accordingly, employees must ensure that their actions cannot be interpreted, in any way, in contravention of the laws and regulations governing Entreprise Dentist.Business Inc. operations.

Employees uncertain about the application or interpretation of any legal requirements should refer the matter to their supervisor, who, if necessary, should seek appropriate legal advice.

Employees need to utilize the company provided systems in a correct and timely manner.

General Employee Conduct:

Entreprise Dentist.Business Inc. expects its employees will conduct themselves in a business-like manner. Drinking, gambling, fighting, swearing, and similar unprofessional activities are strictly prohibited while on the job.

Employees must not engage in sexual harassment, or conduct themselves in a way that could be construed as such. For example, by using inappropriate language, keeping or posting inappropriate materials in their work area, or accessing inappropriate materials on their Entreprise Dentist.Business Inc. computer.

Conflicts of Interest:

Entreprise Dentist.Business Inc. expects that employees will perform their duties conscientiously, honestly, and in accordance with the best interests of Entreprise Dentist.Business Inc.. Employees must not use their positions, or the knowledge gained as a result of their positions, for private or personal advantage. Regardless of the circumstance(s), if employees sense that a course of action they have pursued, are presently pursuing, or are even contemplating pursuing may involve them in a conflict of interest with their employer, they should immediately communicate all those facts to their supervisor.

Outside Activities, Employment, and Directorships:

All employees share a serious responsibility for Entreprise Dentist.Business Inc. good public relations, especially at the community level. Their readiness to help with religious, charitable, educational, and civic activities brings credit to Entreprise Dentist.Business Inc.  and is encouraged.

Employees must, however, avoid acquiring any business interest, or participating in any other activity outside Entreprise Dentist.Business Inc. that would, or would appear to:

• Create an excessive demand upon their time and attention, thus depriving Entreprise Dentist.Business Inc. of their best efforts on the job.
• Create a conflict of interest – an obligation, interest, or distraction – that may interfere with the independent exercise of judgment in Entreprise Dentist.Business Inc. best interest.

Relationships With Clients and Suppliers:

Employees should avoid investing in or acquiring a financial interest in any business organization that has a contractual relationship with Entreprise Dentist.Business Inc. Also, avoid entering into a contractual agreement with an entity that provides goods or services, or both, to Entreprise Dentist.Business Inc. if such investment or interest could influence or create the impression of influencing their decisions in the performance of their duties on behalf of Entreprise Dentist.Business Inc.

Gifts, Entertainment, and Favors:

Employees must not accept entertainment, gifts, or personal favors that could, in any way, influence (or appear to influence) business decisions in favor of any person or organization with whom or with which Entreprise Dentist.Business Inc. has, or is likely to have, business dealings. Similarly, employees must not accept any other preferential treatment under these circumstances because their positions with Entreprise Dentist.Business Inc. might be inclined to, or be perceived to, place them under obligation to return the preferential treatment.

Kickbacks and Secret Commissions:

Regarding Entreprise Dentist.Business Inc. business activities: Employees may not receive payment or compensation of any kind, except as authorized under Entreprise Dentist.Business Inc. business and payroll policies. In particular, Entreprise Dentist.Business Inc. strictly prohibits the acceptance of kickbacks and secret commissions from suppliers or others. Any breach of this rule will result in immediate termination and prosecution to the fullest extent of the law.

Organization Funds and Other Assets:

Employees who have access to Entreprise Dentist.Business Inc. funds in any form must follow the prescribed procedures for recording, handling, and protecting money as detailed in Entreprise Dentist.Business Inc. policies and procedures or other explanatory materials. Entreprise Dentist.Business Inc. imposes strict standards to prevent fraud and dishonesty. If employees become aware of any evidence of fraud and dishonesty, they should immediately advise their supervisor or seek appropriate legal guidance so that Entreprise Dentist.Business Inc. can promptly investigate.

When an employee’s position requires spending Entreprise Dentist.Business Inc. funds or incurring any reimbursable personal expenses, that individual must use good judgment on Entreprise Dentist.Business Inc. behalf to ensure that the funds were used in a strictly professional capacity and benefited Entreprise Dentist.Business Inc..

Entreprise Dentist.Business Inc.  funds and all other assets of Entreprise Dentist.Business Inc. are purposed for Entreprise Dentist.Business Inc. only and not for personal benefit. This includes the personal use of organizational assets, such as computers.

Organization Records and Communications:

Accurate and reliable records of many kinds are necessary to meet Entreprise Dentist.Business Inc. legal and financial obligations and to manage the affairs of Entreprise Dentist.Business Inc. Entreprise Dentist.Business Inc.  books and records must reflect, in an accurate and timely manner, all business transactions. The employees responsible for accounting and recordkeeping must fully disclose and record all assets, liabilities (or both) while exercising diligence in enforcing these requirements.

Employees must not make or engage in any false record or communication of any kind, whether internal or external, including but not limited to:

• False expense, attendance, production, financial, or similar reports and statements
• False advertising, deceptive marketing practices, or other misleading representationsDealing With Outside People and Organizations:Employees must take care to separate their personal roles from their organizational positions when communicating on matters not involving Entreprise Dentist.Business Inc. business.
  Employees must not use organizational identification, stationery, supplies, and equipment for personal or political matters.When communicating publicly on matters that involve Entreprise Dentist.Business Inc. business, employees must not presume to speak for Entreprise Dentist.Business Inc.  on any topic. This is unless they are certain that the views they express are those ofEntreprise Dentist.Business Inc. and it is Entreprise Dentist.Business Inc. desire that such views be publicly disseminated.When dealing with anyone outside Entreprise Dentist.Business Inc. including public officials, employees must take care not to compromise the integrity or damage the reputation of Entreprise Dentist.Business Inc.. This applies as well to any outside individual, business, or government body.Prompt Communications:In all matters relevant to customers, suppliers, government authorities, the public, and others in Entreprise Dentist.Business Inc., all employees must make every effort to achieve and accurately complete timely communications – responding promptly and courteously to all proper requests for information and to all complaints.Privacy and Confidentiality:
  When handling financial and personal information about customers or others with whom Entreprise Dentist.Business Inc. has dealings, observe the following principles:

• Collect, use, and retain only the personal information necessary for Entreprise Dentist.Business Inc. business dealings. Whenever possible, obtain any relevant information directly from the person concerned. Use only reputable and reliable sources to supplement this information.
• Retain information only for as long as necessary or as required by law. Protect the physical security of this information.
• Limit internal access and personal information to those with a legitimate business reason for seeking that information. Use only personal information for the purposes for which it was originally obtained. Obtain the consent of the person concerned before externally disclosing any personal information, unless legal process or contractual obligation provides otherwise.Attendance:
  This policy details how absences and tardiness are counted for the purposes of maintaining excellent customer service throughout the business day.

• Family and Medical Leave Act: Absences due to illnesses or injuries that qualify under the Family and Medical Leave Act (FMLA) will not be counted against an employee’s attendance record. Medical documentation within the guidelines of the FMLA may be required in these instances.

Absences and Tardiness:

• Prescheduled times away from work using accrued vacation, holiday, flex or PTO (where available) days are not considered occurrences for the purpose of this policy.
• An absence occurs when an employee misses more than three hours of work within a normal workday. An absence of multiple days due to the same illness, injury, or other incident will be counted as one occurrence for the purpose of this policy. A tardy arrival, early departure or other shift interruption is considered a one-half occurrence. On occasion and with prior approval of the supervisor, an employee who is tardy may adjust that day’s schedule to work an equivalent amount of time at the end of the shift, and a one-half occurrence will not be counted. Arrival and departure times will be determined by the time on the time recording system in each department. An employee is considered late if he or she reports to work more than five minutes after the scheduled starting time; an early departure is one in which the employee leaves before the lcheduled end of his or her shift. If an employee is scheduled to work overtime and either fails to report or reports after the scheduled start time, an occurrence will be charged as noted above.

HIPAA Policy 24.0: Social Media

Company Name: Entreprise Dentist.Business Inc.

Policy Name: Social Media

Policy Number: HIPAA Policy 24.0

Effective Date: January 25th, 2019.

Review Date: January 25th, 2021.

Responsible for Review: Olena Pomazanova.

Review Date: January 25th, 2021

Synopsis of Policy: Policy 24.0 Social Media

This policy provides guidance for employee use of social media, which should be broadly understood for purposes of this policy to include blogs, wikis, micro-blogs, message boards, chat rooms, electronic newsletters, online forums, social networking sites, and other sites and services that permit users to share information with others in a contemporaneous manner.

Procedures:

The following principles apply to professional use of social media on behalf of Entreprise Dentist.Business Inc. as well as personal use of social media when referencing Entreprise Dentist.Business Inc.

1. Employees should be aware that is never acceptable to post to social websites any information regarding patients, their condition, their treatment plan, and that sanctions up to and including termination will occur.
2. Employees need to know and adhere to the [Company’s Code of Conduct, Employee Handbook, and other Entreprise Dentist.Business Inc. policies] when using social media in reference to Entreprise Dentist.Business Inc..
3. Employees should be aware of the effect their actions may have on their images, as well as Entreprise Dentist.Business Inc. image. The information that employees post or publish may be public information for a long time.
4. Employees should be aware that Entreprise Dentist.Business Inc. may observe content and information made available by employees through social media. Employees should use their best judgment in posting material that is neither inappropriate nor harmful to Entreprise Cype Inc. Entreprise Dentist.Business Inc., its employees, or its customers.
5. Although this is not an exclusive list, some specific examples of prohibited social media conduct include posting commentary, content, or images that are defamatory, pornographic, proprietary, harassing, libelous, or that can create a hostile work environment.
6. Employees are not to publish, post, or release any information that is considered confidential or private. If there are questions about what is considered confidential, employees should check with the Human Resources Department and/or their supervisor.
7. Social media networks, blogs and other types of online content can generate press, media attention, or legal questions. Employees should refer these inquiries to authorized Entreprise Dentist.Business Inc. spokespersons.
8. If employees find that they encounter a situation while using social media that threatens to become antagonistic, employees should disengage from the dialogue in a polite manner and seek the advice of a supervisor.
9. Employees should get appropriate permission before they refer to or post images of current (or former) employees, members, vendors, and suppliers. Additionally, employees should get appropriate permission to use a third party’s copyrights, copyrighted material, trademarks, service marks, or other intellectual property.

1. Social media use shouldn’t interfere with employee’s responsibilities at Entreprise Dentist.Business Inc. Entreprise Dentist.Business Inc. computer systems are to be used for business purposes only. When using Entreprise Dentist.Business Inc. computer systems, use of social media for business purposes is allowed (ex: Facebook, Twitter, Entreprise Dentist.Business Inc. blogs, and LinkedIn). However, personal use of social media networks, or personal blogging of online content is discouraged and could result in disciplinary action.
2. Subject to applicable law, after-hours online activity that violates Entreprise Dentist.Business Inc. Code of Conduct or any other company policy may subject an employee to disciplinary action or termination.
3. If employees publish content after-hours that involves work or subjects associated with Entreprise Dentist.Business Inc., a disclaimer should be used, such as this: “The postings on this site are my own and may not represent Entreprise Dentist.Business Inc. positions, strategies, or opinions.”
4. It is highly recommended that employees keep Entreprise Dentist.Business Inc. – related social media accounts separate from personal accounts, if practical.

AUTHORIZED BY: Olena Pomazanova, President, Privacy/Security Officer

ENTREPRISE DENTIST.BUSINESS INC.’S WEB SITE AND SUBSITES PRIVACY POLICY

Entreprise Dentist.Business Inc. respects your privacy. In this regard, Entreprise Dentist.Business Inc. has prepared this Web site privacy policy (the “Privacy policy”) to communicate to its users how Entreprise Dentist.Business Inc. collects, uses and discloses personal information collected about them on the Web site. This privacy Policy applies to www.dentist.business and its authorized sub-sites that expressly adopt, display or link back to this privacy policy.

Collection and use of personal information

We may collect personal information such as your name, address, personal e-mail address and telephone and fax numbers that you voluntarily provide to us when you request information about our services, submit questions, register for services, or when you submit your resume in relation to a career opportunity. The aforementioned personal information provided by you may then be used to communicate with you in connection with your various inquiries or to consider you for employment purposes.

We may also collect information in connection with your visit to our Web site through the use of cookies. Such information will be used to analyze trends, to administer the site, to track visitors’ movements around the site and to gather demographic information about our visitor base as a whole. The use of cookies merely identifies you as a number, that is, your name, address or any other information that directly identifies you will not be collected. Additional details regarding the use of various technologies are provided below.

Disclosure of personal information

We may disclose the personal information collected through this Web site with our affiliates for internal business purposes.

We may also share information provided by you with service providers that we retain to perform services on our behalf. These service providers are contractually limited from using or disclosing the information except as is necessary to perform the services or to comply with legal requirements. Furthermore, we may disclose information about you where we are required or permitted by law to do so.

Links to websites not belonging to Entreprise Dentist.Business Inc.

This Web site may contain links to third party Web sites that are not affiliated with Entreprise Dentist.Business Inc. Entreprise Dentist.Business Inc. does not in any way endorse or make any representations about such third party Web sites. The links are simply made available for your convenience. As such, Entreprise Dentist.Business Inc. is not responsible for the privacy practices or content of such third party Web sites. If you choose to access those links, we encourage you to review their respective privacy policies before submitting any of your personal information.

Our security measures to protect your personal information

To protect the personally identifiable information you transmit through your use of this Web site, we maintain reasonable physical, technical and administrative safeguards to help protect against the unauthorized access, use and disclosure of the information.

Access and correction

By sending us an email via go@dentist.business, you may request information about the existence of the personal information voluntarily provided by you through our Website, and request access to such information in order to have it deleted, updated or corrected, subject to certain legal restrictions.

Use of technology: cookies & logs

As previously mentioned, Entreprise Dentist.Business Inc. may use cookies to collect information about its visitors. Cookies are identifiers that are transferred to your computer’s hard drive through your Web browser to enable our systems to recognize your browser. You may choose to disable cookies on your computer by modifying your Web browser.

Entreprise Dentist.Business Inc. may also use logs to collect information about its visitors. Entreprise Dentist.Business Inc. may review server logs for security purposes, for example, to detect intrusions into our network. Server log data, which contains visitors’ IP addresses, could in instances of criminal malfeasance be used to trace and identify individuals. In such instances, raw data logs would be shared with appropriate investigative bodies authorized to investigate such breaches of security. Like cookies, logs do not cross reference the information automatically collected with any type of personal information that is voluntarily offered by you on or through this Web site.

Consent

By using this Web site and sub-sites, you consent to the collection, use and disclosure of your personal information by us in the manner described in this Privacy policy. Entreprise Dentist.Business Inc. reserves the right to make changes to this Privacy policy from time to time without notice.

Privacy questions and access

For additional information about our online privacy practices, please contact:

Entreprise Dentist.Business Inc., 500, Place d’Armes, Suite 1800, Montréal, QC, H2Y 2W2

User Agreement

Welcome to Dentist.Business. We’re glad you’re here, and we hope you enjoy everything we have to offer.

Please read these User Agreement carefully because it’s a binding agreement between You and Entreprise Dentist.Business Inc., (“We”).

This User Agreement govern your use of the www.dentist.business or any other sites that link to this User Agreement. In this User Agreement, the word “Sites” refers to each of these websites and the services offered on those Sites. You automatically agree to this User Agreement and to our Privacy Policies simply by using or logging into the Sites.

Please note that we offer many services. Your use of Entreprise Dentist.Business Inc.’s applications or services are provided by Entreprise Dentist.Business Inc.’s pursuant to a separate manually or digitally-executed agreement. Those additional terms become part of your agreement with us, if you use the services or log into the Sites.

Your Accounts

You may be required to create an account and specify a password in order to use certain services or features on the Sites. To create an account, you must be at least 18 years old and you must provide truthful and accurate information about yourself. Don’t try to impersonate anyone else when you create your account. If your information changes at any time, please update your account to reflect those changes.

In some cases, an account may be assigned to you by an administrator, such as your employer. If you are using or logging into an account assigned to you by an administrator, additional terms may apply to your use of the Sites. Moreover, your administrator may be able to access or disable your account without our involvement.

You may not share your account with anyone else. Please keep your password confidential, and try not to use it on other websites. If you believe that your account has been compromised at any time, please notify your system administrator.

Modifications and Termination

We reserve the right to modify our Sites at any time, with or without notice to you. For example, we may add or remove functionality or features, and we may suspend or stop a particular feature altogether. We also reserve the right to charge a fee for any of our features at any time. If you don’t like any changes, you can stop using our Sites at any time.

Content You Post

We may provide opportunities for you to post text, photographs, videos, or other content (collectively, “Content”) on the Sites. You can only post Content if you own all the rights to that Content, or if another rights holder has given you permission.

Please note that we will not disclose or reproduce any ePHI or  and we respect PIPEDA and HIPPA requirements. Our Privacy Policies are top priority for us and we  collect use and disclose personal information only for those purposes necessary to administer registration and membership; establish and maintain communications with members, registrants, contacts; facilitate registrations for sessions and respond to inquiries. “Business information” means business name, business address, business telephone number, name(s) of owner(s), officer(s) and director(s), job titles, business registration numbers (GST, RST, source deductions), financial status. Although business information is not subject to PIPEDA, confidentiality of business information will be treated with the same security measures by Entreprise Dentist.Business Inc. staff and as is required for individual personal information under PIPEDA.

You agree to indemnify, release, and hold us harmless from any all liability, claims, actions, loss, harm, damage, injury, cost or expense arising out of any Content you post.

Keep in mind that if you send us any information, ideas, suggestions, or other communications to us, those communications will not be confidential. Moreover, unless we tell you otherwise, we reserve the right to reproduce, use, disclose, and distribute such communications without any obligation to you. This close is not related to the respect of any personal and business information.

Content Posted by Others

We are not responsible for, and do not endorse, Content posted by any other person. Accordingly, we may not be held liable, directly or indirectly, for any loss or damage caused to you in connection with any Content posted by another member.

Your Use of the Sites

Please do not use the Sites in a way that violates any laws, infringes on anyone’s rights, is offensive, or interferes with the Sites or any features on the Sites (including any technological measures we employ to enforce this Agreement).

It should be common sense, so we won’t bore you with a list of things you shouldn’t do. But if we (in our sole discretion) determine that you have acted inappropriately, we reserve the right to take down Content, terminate your account, prohibit you from using the Sites, and take appropriate legal actions.

Using our Site does not give you ownership of any intellectual property rights to the content you access. You may not use content from our Sites unless you obtain permission from us or its owner, or unless you are otherwise permitted by law.

When you use a Site or send communications to us through a Site, you are communicating with us electronically. You consent to receive electronically any communications related to your use of a Site. We may communicate with you by email or by posting notices on the Site. You agree that all agreements, notices, disclosures and other communications that are provided to you electronically satisfy any legal requirement that such communications be in writing. All notices from us intended for receipt by you shall be deemed delivered and effective when sent to the email address you provide to us. Please note that by submitting Content, creating a user account or otherwise providing us with your email address, postal address or phone number, you are agreeing that we or our agents may contact you at that address or number in a manner consistent with our Privacy Policies.

Intellectual Property

If you believe any Content on the Services infringes your copyrights, you may request that remove the Content from the Services (or disable access to that Content) by contacting us via go@dentist.business

Social Networks

The Service may include features that operate in conjunction with certain third party social networking websites that you visit such as Facebook, Instagram, YouTube, Vimeo, and Twitter (“Social Network Features”). While your use of the Social Network Features is governed by these Terms, your access and use of third party social networking sites and the services provided through the Services is governed by the terms of service and other agreements posted on these sites. You are responsible for ensuring that your use of those sites complies with any applicable terms of service or other agreements.

Our Warranties and Disclaimers

We provide our Services using a commercially reasonable level of care and promise to do our best to make sure you enjoy the Services. But there are certain things that we don’t promise about our Services.

OTHER THAN AS EXPRESSLY SET OUT IN THIS USER AGREEMENT, NEITHER ENTREPRISE DENTIST.BUSINESS INC.’S NOR ITS AGENTS OR SERVICE PROVIDERS (THE “SERVICES ENTITIES”) MAKE ANY SPECIFIC PROMISES ABOUT THE SITES. FOR EXAMPLE, WE DON’T MAKE ANY COMMITMENTS ABOUT THE CONTENT WITHIN THE SITES, THE SPECIFIC FUNCTION OF THE SITES, OR THEIR RELIABILITY, AVAILABILITY, OR ABILITY TO MEET YOUR NEEDS. WE PROVIDE THE SITES “AS IS”.

SOME JURISDICTIONS PROVIDE FOR CERTAIN WARRANTIES, LIKE THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. TO THE EXTENT PERMITTED BY LAW, WE EXCLUDE ALL WARRANTIES

Liability for our Services

EXCEPT WHERE PROHIBITED, THE SERVICES ENTITIES SHALL NOT BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES ARISING FROM YOUR USE OF THE SITES OR ANY THIRD PARTY’S USE OF THE SITES. THESE EXCLUSIONS INCLUDE, WITHOUT LIMITATION, DAMAGES FOR LOST PROFITS, LOST DATA, COMPUTER FAILURE, OR THE VIOLATION OF YOUR RIGHTS BY ANY THIRD PARTY, EVEN IF THE SERVICES ENTITIES HAVE BEEN ADVISED OF THE POSSIBILITY THEREOF AND REGARDLESS OF THE LEGAL OR EQUITABLE THEORY UPON WHICH THE CLAIM IS BASED.

Additional Details

We may modify this User Agreement at any time so be sure to check back regularly. By continuing to use or log in to a Site after this User Agreement have changed, you indicate your agreement to the revised User Agreement. If you do not agree to the changes, you should stop using or logging in to the Sites.

The Sites may contain links to third-party websites. That doesn’t mean that we control or endorse those websites, or any goods or services sold on those websites. Similarly, the Sites may contain ads from third-parties. We do not control or endorse any products being advertised.

If you do not comply with this User Agreement, and we don’t take action right away, this doesn’t mean we’re OK with what you did, or we are giving up any rights that we may have (such as taking action in the future).

This User Agreement is governed by and construed in accordance with the laws of Quebec, without regard to its conflict of laws rules. You expressly agree that the exclusive jurisdiction for any claim or dispute under this User Agreement and or your use of the Services resides in the courts located in Montreal, Quebec, and you further expressly agree to submit to the personal jurisdiction of such courts for the purpose of litigating any such claim or action. If it turns out that a particular provision in this User Agreement is not enforceable, that will not affect any other provision.

This User Agreement was last updated on January 25th, 2019.