Information System Activity Review Policy
The Company audits the software and systems used to process Data concerning health for compliance with all applicable laws, regulations, Company policies and procedures, including all HIPAA provisions.
The Company cooperates with the owners of software and systems to promptly respond to any security incidents in the processing of Data, including verification of compliance with HIPAA regulations.
Reason for the Policy: To ensure that source systems are identified, appropriately categorized, monitored and reviewed for compliance with institutional policies and procedures and Federal HIPAA regulations related to system activity controls, and to discourage, prevent and detect security violations.
- DEFINITION
- User is any person who installs the App to receive Services for the purpose of monitoring their health.
- Personal Data is any information that is in the public domain, allowing you to directly or indirectly identify the User. For example, first name, last name, phone number, IP address.
- Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
- Data is a common name for Personal Data and Data concerning health.
- DeHealth company (hereinafter referred to as the "Company" or "DeHealth") is a DEHEALTH TECHNOLOGIES, INC, registered at 1049 El Monte Avenue, Ste C #846, Mountain View, CA 94040, United States, EIN: 36-5099713, which provides Services to Users.
- DeHealth application (hereinafter referred to as the "App") is a service created so that the User can check the state of their health and monitor changes in it.
- Software is a system or software that is used to process and/or store User Data on the basis of regulatory documents signed between the Company and the owner of such software.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that sets rules about who can see and receive medical information.
- POLICY SECTION
- The Company uses several approaches to identify Software and creates and maintains a tracking database for identified Software:
- The Company shall use communications as a proactive method to request that members of secured components self-identify source systems to be included in the Software inventory database;
- Using its own Software inventory database, the Company annually sends notices to Software Owners requesting confirmation or updating of required Software information.
- Using the Software database, the Company shall identify system records that are incomplete, out of date, or outside of Company and HIPAA standards and contact Software owners to ensure that information is updated or Data handling practices are revised.
- The Company implements a procedure for performing an annual random check of the Software to verify the data accuracy of the selected Software.
- The Company has developed an incident response plan (Incident Response Plan) in accordance with NIST SP 800-61, which includes the creation of incident response teams (CIRT), restriction of access to compromised systems, rapid notification of relevant persons and analysis of root causes (Root Cause Analysis).
- AUDIT
- The Company cooperates with the owners of the Software and conducts an audit of the operation of the Software and the security configuration of the Data processing every 6 months, in conjunction with any regular audits or response to security incidents. The frequency and scope of required checks may vary depending on each Software's activity and data criticality profile.
- RESPOND TO SECURITY INCIDENTS
- The Company is developing criteria for use in Software database reporting aimed at identifying Software that deviates from HIPAA requirements. The Company works with Software owners to ensure compliance with Company policies and HIPAA. In particular, the Company will review the procedures for reviewing system logs for all Software.
- ACTIVITY REVIEW SCOPE
- The Company will promptly respond to any security incidents affecting the processed Data and will take further action to ensure compliance with its policies and HIPAA standards, and shall require a prompt response from the owners of the Software, including the provision of reports by the owners of the Company's Software.
- SYSTEM ACTIVITY REVIEW
- The process of verifying the activity of the Software includes checking the system activity logs. This process may include reviewing the following types of system activity information, as either a full review or a selective review of the Software:
- Review of Security Incident Response reports.
- Logs of system user privilege grants and changes.
- User-level Software access logs, if available.
- User-level Software activity logs, if available.
- User-level transaction log reports, if available.
- Exception reports.
CONTACTS
Contact information

| SUBJECT | CONTACT |
| --- | --- |
| HIPAA Privacy | Legal Counsel |
| HIPAA Security | Legal Counsel |