Data Management Policy

RosettaHealth’s Data Management Policy covers the physical management of data as it applies to backups and the process and procedures associated with the access and release of ePHI.

Data backup is an important part of the day-to-day operations of RosettaHealth. To protect the confidentiality, integrity, and availability of ePHI, both for RosettaHealth and RosettaHealth Customers, complete backups are done daily to assure that data remains available when it is needed and in case of a disaster. In addition, RosettaHealth has backup mechanisms in place for all critical business operations data.

RosettaHealth recognizes that special care must be taken when dealing with data that could potentially contain ePHI. Therefore specific policies and procedures have been defined concerning PHI Uses and Disclosure.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 01.v - Information Access Restriction

  • 06.c - Protection of Organizational Records

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(7)(ii)(A) - Data Backup Plan

  • 164.310(d)(2)(iii) - Accountability

  • 164.310(d)(2)(iv) - Data Backup and Storage

  • 164.502 - Uses and disclosures of protected health information: General rules.

  • 164.504 - Uses and disclosures: Organizational requirements.

  • 164.506 - Uses and disclosures to carry out treatment, payment, or health care operations.

  • 164.508 - Uses and disclosures for which an authorization is required.

  • 164.510 - Uses and disclosures requiring an opportunity for the individual to agree or to object.

  • 164.512 - Uses and disclosures for which an authorization or opportunity to agree or object is not required.

  • 164.514 - Other requirements relating to uses and disclosures of protected health information.

Control of Sensitive Information

Any disclosure, publication or sharing of information that is considered sensitive to company operations, but is not categorized as ePHI or ePII, must have written approval from one of the following roles: CEO, COO, or CTO.

Storage Policy and Procedures

  1. RosettaHealth Platform Production

    1. A snapshot of each EBS volume attached to a production environment EC2 instance is to be taken and stored encrypted as a recoverable backup nightly. Standard daily backups are retained for 15 days and allow for both individual and full instance restores.

    2. Backups of production systems and any associated data are to be performed by ClearDATA. ClearDATA provides managed backups for all machines in the RosettaHealth production AWS environment as EBS snapshots.

    3. Request for restoration from backup can be initiated by a RosettaHealth Admin via the ClearDATA portal by creating a ticket specifying the instance to restore and the date from which to restore.

    4. Periodic testing of backups is performed by requesting instantiation of a new EC2 instance based on the previous night's backups.

    5. All data stored in AWS S3 service is encrypted at rest and in transit.

    6. All transaction logging data is stored for a minimum of 7 years.

  2. RosettaHealth Business Information Management

    1. Information important to the business operations of RosettaHealth is stored and managed in one of the following systems (depending on context and use):

      1. DropBox for Business

      2. Google GSuite

      3. Atlassian BitBucket

      4. Slack

      5. 1Password

      6. FreshDesk

    2. Each Information management system provides backup, restore and versioning of information assets.

    3. Security audits/certifications of each system have been reviewed and found satisfactory for use.

    4. No ePHI is allowed in any of the RosettaHealth Business Information Management systems.

PHI Uses and Disclosures

  1. RosettaHealth recognizes it must implement policies and procedures to ensure that all uses and disclosures of PHI are made or denied in accordance with HIPAA law and regulations.

  2. RosettaHealth recognizes that for especially sensitive information, such as AIDS/HIV, alcohol and drug abuse prevention and treatment, and the like, patient consent to disclosure must be informed. That is, made with the patient’s or consumer’s knowledge of the risks and benefits of the disclosure.

  3. Any disclosed data must be the minimum necessary required to meet the request and apply specifically to the applicable patient or set of patients only. A limited data set appropriate to the request will be generated and the data elements required by the disclosure request must be documented as part of the request. As a BAA we operate as an intermediary and don't create or store a limited data set.

  4. De-identification of any data required for disclosure will be compliant to any applicable state or federal law and HIPAA Safe Harbor provision. De-identification of any data required for disclosure will be at the discretion of the Privacy Officer. A description of the de-identification to include what data elements are de-identified, how the de-identification was implemented, and who in RosettaHealth performed the de-identification will be included in the disclosure documentation. De-identified elements will include: name, date of birth, gender, address, social security, medical record numbers or other identifiers, telecom, and similar information for any patient relatives.

  5. RosettaHealth recognizes that any disclosure of confidential patient information carries with it the potential for an unauthorized redisclosure that breaches confidentiality.

  6. RosettaHealth incurs costs when releasing patient information (copying, postage, and so forth) and is permitted under HIPAA Regulations and under State law to charge a reasonable fee to offset those costs.

  7. RosettaHealth has the right to potentially access PHI contained within a HealthBus message as part of normal operations and system troubleshooting.

  8. It is the responsibility of RosettaHealth Customers to manage any disclosure requests for patient PHI from patients.

  9. RosettaHealth will only respond to requests for disclosure of messages (and any potential PHI they may contain) from parties that we have a BAA agreement with or upon receipt of legal notice for disclosure.

  10. Procedures for the release of PHI

    1. The following priorities and time frames shall apply to requests for disclosures of PHI:

      1. Emergency requests involving immediate emergency care of patient: immediate processing.

      2. Priority requests pertaining to current care of patient: within one workday.

      3. Subpoenas and depositions: as required.

      4. All other requests: within five (5) workdays.

    2. Information required:

      1. Receipt of a HIPAA-Authorization-for-Use-or-Disclosure-of-Health-Information.pdf document.

      2. Notarized ID Proofing document notarized-identity-verification.pdf as per Person and Identity Verification Table below.

    3. Disclosure Monitoring and Logging – RosettaHealth Privacy Officer will maintain a log to track the step-by-step process towards completion of each request for the release of PHI. The log shall contain the following information:

      1. Date received the request.

      2. Identifying information requested.

      3. Name and status of person making request.

      4. Information released.

      5. Date released.

  11. Prohibition of Redisclosure -- Unless a law or regulation requires a more specific prohibition on redisclosure (usually for AIDS/HIV, alcohol and drug abuse, and other particularly sensitive medical information), each disclosure outside the facility shall contain the following notice: Any potential medical information pertaining to the HealthBus message is confidential and legally privileged. The recipient must abide by all applicable regulations and laws regarding any further disclosure of the information.

  12. Retention of Disclosure Requests -- The designated Privacy Officer, or other responsible party, will retain the original request and the authorization for release of information.

  13. Disclosure Quality Control -- The Privacy Official shall conduct a routine audit of the release of information at least yearly, paying particular attention to the following:

    1. Validity of authorizations.

    2. Appropriateness of information abstracted in response to the request.

    3. Retention of authorization, request, and transmitting cover letter.

    4. Procedures for telephone, electronic, and in-person requests.

    5. Compliance with designated priorities and time frames.

    6. Proper processing of fees.

    7. Maintenance of confidentiality.

  14. Annual Policy Review -- The Security and Privacy Official, or other responsible party, shall review this policy at least annually.

  15. Capacity to Authorize -- RosettaHealth requires a written, signed, current, valid authorization to release medical information as follows:

Person and Identity Verification Table

For each person to identify, the verification required depends on how the request is made: In-Person Encounter, Telephone Encounter, or Request in Writing (Fax, e-mail, mail, support-ticket, hand-delivered).

  1. Attorney

    1. In-Person Encounter: Presents with business card and photo identification (i.e. driver's license or organization ID badge).

    2. Telephone Encounter: It would be difficult to verify identity and authority by phone. Verification in person or in writing may be required.

    3. Request in Writing: Supplies business card, photo identification (i.e. driver's license or org ID badge), letterhead. Confirmation call is required.

  2. State or Federal Official

    1. In-Person Encounter: Presents an agency I.D. badge; presents with a written statement of legal authority; presents with a written statement of appointment on appropriate government letterhead; presents with warrant, court order, or legal process issued by a grand jury, or a judicial or administrative tribunal; presents with a contract for services or purchase order; official states release is necessary to prevent or lessen the threat to the health/safety of a person/public.

    2. Telephone Encounter: Official states release is necessary to prevent or lessen the threat to the health/safety of a person/public.

    3. Request in Writing: Written statement of legal authority; written statement of appointment on appropriate government letterhead; warrant, court order, or other legal process issued by a grand jury or a judicial or administrative tribunal.

  3. Federal Department of Health and Human Services

    1. In-Person Encounter: Presents an agency I.D. badge; presents with a written statement of legal authority; presents with a written statement of appointment on appropriate government letterhead; presents with warrant, court order, or legal process issued by a grand jury, or a judicial or administrative tribunal; presents with a contract for services or purchase order; official states release is necessary to prevent or lessen the threat to the health/safety of a person/public.

    2. Telephone Encounter: Official states release is necessary to prevent or lessen the threat to the health/safety of a person/public.

    3. Request in Writing: Written statement of legal authority; written statement of appointment on appropriate government letterhead; warrant, court order, or other legal process issued by a grand jury or a judicial or administrative tribunal.

  4. RosettaHealth Customer

    1. In-Person Encounter: Recognize requestor/organization.

    2. Telephone Encounter: Recognize requestor or organization.

    3. Request in Writing: Recognize requestor/organization.

  5. Individual

    1. In-Person Encounter: N/A

    2. Telephone Encounter: N/A

    3. Request in Writing: Must provide a notarized proof of identity (confirmation call is required). Depending on the nature of the request, other information (e.g. Date of Birth) may be required as well.