SANCTION POLICY

Publication date: March 5, 2025.

Purpose: To facilitate compliance with the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information (Privacy Standards), 45 CFR Parts 160 and 164, Administrative Requirements, the HIPAA Standards for the Protection of Electronic Protected Health Information (Security Standards), 45 CFR Parts 160, 162, and 164, the Health Information Technology for Economic and Clinical Health Act (HITECH), Subtitle D – Privacy, and 45 CFR Parts 160 and 164, Breach Notification for Unsecured Protected Health Information. To establish guidelines for sanctions for violations of the Company Privacy Policies (IP.PRI.001 through IP.PRI.013).

Policy: The Company applies sanctions for violations of confidentiality and information security consistently. This document describes the conditions under which sanctions are applied for violations of the terms of data retention, and for any violation related to the User's privacy and/or the information security of the User's Data.

This Sanction Policy regulates the methods of determining violations of Data security and/or information security in general. The Sanction Policy describes the categories of violations with examples and recommended actions, as well as procedures for failed tests.

  1. DEFINITIONS
    1. User is any person who installs the App to receive Services for the purpose of monitoring their health.
    2. Personal Data is any information that is in the public domain and allows the User to be identified directly or indirectly, for example first name, last name, phone number or IP address.
    3. Employee is any natural person or contractor who cooperates with the Company on the basis of an employment contract or other regulatory law.
    4. Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
    5. Data is a common name for Personal Data and Data concerning health.
    6. Doctor is a qualified specialist in the field of medicine, who is chosen by the User to receive Services for diagnosing his health or monitoring his condition.
    7. DeHealth company (hereinafter referred to as the "Company" or "DeHealth") is DEHEALTH TECHNOLOGIES, INC, registered at 1049 El Monte Avenue, Ste C #846, Mountain View, CA 94040, United States, EIN: 36-5099713, which provides Services to Users.
    8. DeHealth application (hereinafter referred to as the "App") is a service created so that the User can check the state of his health and monitor the change in his health.
    9. Third Party means a natural or legal person, government agency, institution or body, other than the User or Company.
    10. Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that sets rules about who can see and receive medical information.
  2. GENERAL PROVISIONS
    1. This Sanction Policy applies to all directors, officers, contractors, and offshore and onshore Employees of (1) the Company; (2) affiliates and entities that regularly provide management services to the Company; (3) any person or entity (and their respective Employees, officers and directors) performing duties for, providing services to, or acting on behalf of the Company; and (4) Doctors.
  3. LEVELS OF VIOLATIONS
    1. The Company determines the following levels of violations of the terms of Data processing by the Company's Employees:

      Level I violation: accidental, or due to lack of privacy/security education.
        Violations:
          1. Leaving a computer terminal unattended with available Data.
          2. Unauthorized access to Data concerning the User's health.
          3. Asking another Employee to access User Data.
          4. Transfer of password(s) for logging in to the software to other Employees.
        Sanction:
          1. Verbal warning and retraining in policy and procedure related to HIPAA. See General Expectations for Supervisors.
          2. Written warning and retraining in policy and procedure related to HIPAA.

      Level II violation: purposeful disregard for the Privacy Policy or other Company documents.
        Violations:
          1. Targeted access to Data concerning health without a legitimate reason for doing so.
          2. Using another Employee's access code.
          3. Access to and use of the Application, the Company's software or other computer systems that contain or process Data concerning health.
          4. Using Data concerning health for own purposes and/or transferring Data concerning health to any Third Party without proper permission.
          5. Disclosure of Data concerning health without obtaining proper identification and/or proper authorization to disclose Data concerning health.
          6. Recurrence of a Level I violation after appropriate training.
        Sanction:
          1. Final written warning and training, with a letter in the personnel file regarding the incident.
          2. Suspension of one to three days from work, application of disciplinary measures and additional training.

      Level III violation: malicious disregard of the Privacy Policy and other Company documents.
        Violations:
          1. Disclosure of Data concerning health for personal benefit or for benefit outside the organization.
          2. Disclosure of Data concerning health or any data with the intention of harming the User or the Company.
          3. Changing or destroying Data concerning health without receiving an instruction from the Company.
          4. Distribution of Data concerning health in public access.
          5. Repeat violation of Level II.
        Sanction:
          1. Fines imposed on the Employee and termination of employment.

  4. EXCEPTIONS
    1. Sanctions as described in this policy shall not be imposed against Employees or business associates for the following actions:
      1. Engaging in whistleblower activities.
      2. Submitting a complaint to the Secretary of the Department of Health and Human Services.
      3. Participating in an investigation.
      4. Registering opposition to a violation of this Sanction Policy.
  5. RESPONSIBILITY
    1. The Employee undertakes to notify the Company of any violations of the processing of Data concerning health within 2 hours from the moment of their occurrence.
    2. In the event of any violation of the processing of Data concerning health, the Employee undertakes to take all necessary actions to immediately stop the unlawful disclosure of Data concerning health.
    3. In the event of receiving a notification of a violation of the processing of Data concerning health by an Employee, the Company conducts a disciplinary investigation to determine the application of fines to such an Employee.
    4. In the case of receiving a notification of a violation of the processing of Data concerning health by an Employee, the Company takes action as soon as possible to stop the disclosure, and suspends the Employee until the circumstances of the disclosure are clarified.
    5. All reports of violations of the processing of Data concerning health, regardless of the level, will be treated with respect and confidentiality for both the Employee and the User to whom the Data concerning health relates.
    6. Violations of the confidentiality of processing Data concerning health will be recorded and stored in the Company's appropriate disclosure log.
  6. CHANGING THE SANCTION POLICY
    1. The Company has the right to change the provisions of the Sanction Policy in case of changes in the methods and ways of ensuring the security of Data.
    2. If changes are made to the Sanction Policy, the Company trains its Employees and adds new provisions to this Sanction Policy.