Information Security and Privacy Policy

Chapter 1: Introduction

1.1 Purpose of the Policy

The primary objective of this Information Security and Privacy Policy is to establish comprehensive guidelines and practices for Ognomy to ensure the protection of Protected Health Information (PHI) as required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Privacy and Security Rules, as amended by the Health Information Technology for Economic and Clinical Health Act enacted as a part of the American Recovery and Reinvestment Act of 2009, together noted as “HIPAA” within this document. This policy underscores our commitment to maintaining the confidentiality, integrity, and availability of PHI, thereby upholding client trust and complying with legal and regulatory requirements.

1.2 Scope

This policy applies universally to all employees, contractors, interns, and affiliates of Ognomy (hereinafter referred to as 'personnel'). It encompasses all forms of PHI – electronic, written, or oral – that the company creates, receives, maintains, or transmits. This policy also covers all technological tools and platforms utilized by the company, with a specific focus on web-based applications hosted on Amazon Web Services (AWS).

1.3 Compliance with HIPAA

HIPAA sets the standard for sensitive patient data protection. As a company that handles PHI, we are obligated to comply with these regulations. This compliance is not only a legal necessity but also a cornerstone of our ethical commitment to safeguarding personal health information. Every member of our team plays a vital role in ensuring this compliance.

1.4 Training and Awareness

To fortify our commitment to HIPAA compliance, we mandate HIPAA training for all new hires. Furthermore, existing staff must undergo annual refresher courses. We also conduct regular updates and awareness campaigns to keep our team abreast of the latest developments in HIPAA regulations and data protection best practices.

1.5 Roles and Responsibilities

The responsibility for data protection is a shared one:

  • The Data Protection Officer (DPO) is tasked with overseeing our data protection strategy and its implementation.

  • All employees must adhere to the practices laid out in this policy and are encouraged to report any suspected or actual breaches or non-compliance to the DPO or their supervisor.

  • Specific responsibilities and protocols are detailed in subsequent chapters of this policy.

1.6 Policy Enforcement

Regular monitoring and auditing will be conducted to ensure compliance with this policy. Non-compliance will be met with appropriate disciplinary actions, which may include warnings, suspension, or even termination of employment or contracts, depending on the severity of the non-compliance.

1.7 Policy Review and Modification

This policy is a living document and will be reviewed and updated periodically to reflect changes in regulatory requirements, technological advancements, and company operations. We welcome feedback and suggestions from all personnel to enhance the effectiveness of this policy.

1.8 Acknowledgement of Understanding

All personnel are required to acknowledge that they have read, understood, and agreed to comply with this policy. Records of these acknowledgments will be maintained by Ognomy as part of our commitment to rigorous compliance and data protection.

Chapter 2: Compliance with HIPAA

2.1 Understanding HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. As a technology and services company handling Protected Health Information (PHI) for medical practices and organizations, it is crucial for Ognomy to adhere to HIPAA’s stringent requirements. HIPAA compliance at Ognomy is not just a legal obligation but a moral one, ensuring the privacy and security of patient information. This chapter outlines our approach to meeting HIPAA regulations, encompassing the Privacy Rule, Security Rule, and the Breach Notification Rule.

2.2 HIPAA Privacy Rule Compliance

The HIPAA Privacy Rule mandates the protection of all individually identifiable health information, whether electronic, paper, or oral. At Ognomy, we ensure that PHI is only used and disclosed for treatment, payment, and healthcare operations unless expressly authorized by the patient. We adopt a 'minimum necessary' standard for the use of PHI, ensuring that the least amount of information necessary for a task is used or disclosed. Furthermore, we provide patients with our Privacy Policy, clearly outlining how their information is used and their rights regarding their PHI. This notice is made available on our website and provided to patients during their first interaction with our services. Along with Ognomy’s Privacy Policy, Ognomy ensures that the HIPAA Notices of Privacy Practices of the healthcare organizations that use Ognomy’s services are provided to patients during their first interaction with our services.

2.3 HIPAA Security Rule Compliance

The HIPAA Security Rule requires us to implement specific safeguards to protect Electronic Protected Health Information (ePHI). We conduct regular risk analyses, at least annually, to identify potential risks to ePHI and employ appropriate measures to mitigate these risks. Access to ePHI is strictly controlled, with measures like unique user identification, emergency access procedures, and two-factor authentication implemented. Additionally, we employ strong encryption methods to protect ePHI both in transit and at rest, further safeguarding it against unauthorized access.

2.4 Breach Notification Rule Compliance

In compliance with the HIPAA Breach Notification Rule, and in the event of a breach involving unsecured PHI, we promptly assess the situation to identify the breach's nature and extent. Affected individuals are notified without undue delay, and in no case later than 60 days after the discovery of the breach. If the breach involves more than 500 individuals, we also notify the Secretary of Health and Human Services and, if necessary, the media, in accordance with HIPAA guidelines.

2.5 Training and Compliance

To ensure all personnel are well-versed in HIPAA requirements, Ognomy conducts comprehensive training upon hire and annual refresher training. These training sessions cover the fundamentals of HIPAA, our specific policies and procedures, and any recent updates to the regulations. Compliance is continuously monitored, with periodic reviews and updates to our practices to ensure ongoing adherence to HIPAA standards.

2.6 Reporting Non-Compliance

We encourage a culture of transparency and responsibility, where any team member can report potential HIPAA violations without fear of retaliation. A designated Privacy Officer is responsible for managing these reports, conducting investigations, and ensuring effective resolution. This reporting mechanism ensures that any potential issues are addressed swiftly and effectively.

2.7 Audit and Assessment

Ognomy conducts annual internal audits to assess our compliance with HIPAA regulations. These audits are comprehensive, covering all aspects of HIPAA Privacy, Security, and Breach Notification Rules. Findings from these audits lead to the development of corrective action plans to address any identified deficiencies. These plans are implemented promptly to ensure continued compliance and protection of PHI.

2.8 Documentation and Record Keeping

Proper documentation is key to demonstrating our compliance with HIPAA. We maintain detailed records of all HIPAA compliance activities, including training records, policy updates, and audit reports. These documents are retained for a minimum of six years and are readily accessible for review by authorized personnel, ensuring transparency and accountability in our HIPAA compliance efforts.

2.9 Review and Update of HIPAA Compliance Practices

In recognition of the evolving nature of healthcare regulations and technologies, Ognomy regularly reviews and updates our HIPAA compliance practices. This ongoing process involves integrating feedback from employees, auditors, and regulatory updates. By staying current with changes in HIPAA regulations and industry best practices, we ensure that our policies and procedures are always aligned with the highest standards of patient data protection.

Chapter 3: Data Protection Measures

3.1 Encryption of Data

At Ognomy, we understand the critical importance of protecting data, especially PHI, from unauthorized access. To this end, robust encryption is a cornerstone of our data protection strategy. All PHI, whether at rest or in transit, is encrypted using industry-standard encryption algorithms and protocols that are at least as strong as AES-256. This ensures that even in the event of unauthorized access, the data remains unreadable and secure. We regularly review and update our encryption methods to keep pace with technological advancements and emerging threats.

3.2 Access Control Policies

Access to PHI is strictly regulated within our organization. We implement comprehensive access control to ensure that only authorized personnel have access to sensitive data. This includes employing the principle of least privilege, where users are granted only the access necessary to perform their job functions. Regular audits and reviews of user access rights are conducted to prevent any unnecessary access privileges. Additionally, we use robust authentication mechanisms, including multi-factor authentication, to verify the identity of users accessing our systems.

3.3 Audit Controls and Monitoring

Continuous monitoring and auditing are critical components of our data protection measures. Regular audits are conducted to assess the effectiveness of our data protection measures and identify areas for improvement. These audits are comprehensive, covering all aspects of data access, storage, and transmission.

3.4 Data Backup and Disaster Recovery

Understanding the importance of data availability, Ognomy has implemented rigorous data backup and disaster recovery systems. Regular backups of all PHI are conducted to ensure that, in the event of a system failure, data corruption, or other disasters, we can quickly restore the data with minimal disruption to our services. Our disaster recovery systems are tested periodically to ensure their effectiveness and updated as necessary to address new threats or vulnerabilities.

3.5 Data Integrity Measures

Maintaining the integrity of PHI is paramount. We implement strict controls to ensure that data is not improperly altered or destroyed. This includes audit trails that record authorizations and every modification of protected health data, so that any change can be detected. Regular data integrity audits are conducted to ensure that the data we store and process remains accurate and unaltered.

3.6 Physical Security

Ognomy does not currently occupy physical space where PHI is housed or accessed. To ensure physical compliance, the security features of the Ognomy system ensure that wherever PHI is accessed, multi-factor access controls, encryption of data, and secure session management are in place.

3.7 Vendor and Third-Party Management

As we rely on vendors and third parties for various services, ensuring their compliance with our data protection standards is crucial. We conduct thorough due diligence before engaging with any vendor and regularly monitor their compliance with our data protection policies. Any vendor handling PHI must adhere to the same standards of data protection as Ognomy, as outlined in binding agreements and subject to regular audits, and must sign a HIPAA Business Associate Subcontractor Agreement with Ognomy so that vendors and third parties are held to our standards.

3.8 Policy Review and Modification

Our data protection measures are not static; they evolve as threats and technologies change. Therefore, we regularly review and update our data protection policies and procedures. This process involves analyzing the latest data protection trends, regulatory changes, and technological advancements. Employee feedback and insights from audits also play a crucial role in this ongoing process.

Chapter 4: Use of AWS in Data Handling and Security

4.1 AWS Compliance and Security Standards

Ognomy leverages Amazon Web Services (AWS) for hosting and managing our web-based applications, recognizing its robust security measures and compliance with various standards, including HIPAA. Ognomy has signed a Business Associate Agreement with AWS. AWS provides a secure and compliant infrastructure for handling PHI, but it is our responsibility to ensure that our use of AWS services adheres to the necessary compliance and security standards. We regularly review AWS updates and guidelines to ensure our practices align with their security and compliance frameworks.

4.2 Implementing AWS Security Features

To enhance data protection, we utilize several AWS security features. This includes the Amazon Virtual Private Cloud (VPC), which allows us to create a private network within the AWS cloud, ensuring that our data is isolated from other users. We also leverage AWS Identity and Access Management (IAM) to control who can access our AWS resources, enforcing strict access controls and role-based permissions. AWS Key Management Service (KMS) is used to manage and control the encryption keys used to encrypt our data, ensuring that only authorized personnel can access sensitive information.

4.3 Data Backup and Redundancy on AWS

Data backup and redundancy are critical for maintaining the availability and integrity of PHI. Ognomy employs both AWS and MongoDB’s robust data backup solutions to ensure that our data is regularly backed up and can be quickly restored in case of loss or corruption. 

4.4 Ensuring Secure Data Transfers to and from AWS

When transferring data to and from AWS and MongoDB Atlas servers, Ognomy ensures that all data is encrypted both in transit and at rest. For data in transit, we use secure protocols such as TLS (Transport Layer Security) to protect the data as it moves between systems. For data at rest within AWS and MongoDB, we use encryption mechanisms provided by AWS and MongoDB respectively, including encrypted storage options, to safeguard our data against unauthorized access.

4.5 Monitoring and Responding to AWS Security Alerts

Continuous monitoring is crucial in identifying and responding to potential security threats. We utilize AWS monitoring tools such as Amazon CloudWatch to keep track of system operations and activities within our AWS environment. These tools enable us to detect unusual activities or potential security threats in real-time, allowing for immediate investigation and response to mitigate risks.

4.6 Regular Audits and Compliance Checks

As part of our internal audits that are performed at least annually, Ognomy reviews our AWS environment to ensure compliance with our data protection policies and HIPAA regulations. These reviews assess the effectiveness of our security measures, identify potential vulnerabilities, and ensure that our use of AWS services remains compliant and secure. We also keep abreast of AWS’s own compliance certifications and audits, ensuring that the services we use continue to meet the highest standards of data protection and security.

4.7 Vendor and Partner Access in AWS

In cases where vendors or partners require access to our AWS environment, we enforce strict controls and oversight. IAM-based access control is utilized, following the principle of least privilege, and is monitored and audited regularly. All vendors and partners are subject to the same data protection and security policies as our internal teams, ensuring a consistent and secure approach to PHI management.

4.8 Review and Enhancement of AWS Security Practices

Our security practices related to AWS are not static; they evolve as technologies and threats change. We are committed to continuously reviewing and enhancing our AWS security practices, taking into account new AWS features, emerging security threats, and industry best practices. This ongoing process ensures that our use of AWS remains at the forefront of data security and compliance.

Chapter 5: Web-Based Application Security

5.1 Application Security Best Practices

At Ognomy, we recognize that the security of our web-based applications is crucial in protecting PHI and ensuring compliance with HIPAA. Our development and IT teams adhere to industry best practices for application security. This includes following the OWASP (Open Web Application Security Project) Top Ten as a baseline for identifying and mitigating common web application vulnerabilities. Regular security reviews and updates of our applications are conducted to address emerging threats and ensure ongoing protection of PHI.

5.2 Secure Coding Practices

Secure coding is a cornerstone of our application development process. Our developers are trained in secure coding techniques, focusing on preventing common vulnerabilities such as SQL injection, cross-site scripting, and cross-site request forgery. Code reviews are employed to identify and rectify security flaws during the development lifecycle. We also implement version control and change management practices to maintain the integrity of our application codebase.

5.3 Data Input Validation and Sanitization

To prevent malicious data inputs that could compromise our web applications, we implement rigorous data input validation and sanitization processes. All inputs are validated against expected formats and sanitized to remove potentially harmful data before processing. These measures are essential in preventing injection attacks and ensuring the integrity of the data processed by our applications.

5.4 Secure Session Management

We understand the importance of secure session management in protecting user interactions with our web-based applications. Sessions are managed securely with unique session identifiers, and session data is encrypted. We implement timeouts for sessions to reduce the risk of unauthorized access in case of user inactivity. Additionally, robust authentication mechanisms, including multi-factor authentication, are employed to verify the identity of users accessing our applications.

5.5 Application Layer Security

Application layer security is a critical focus area for us. We employ firewalls and intrusion detection systems to monitor and protect our web applications from attacks. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption is used to protect data in transit between the user’s browser and our applications. Regular security assessments, including penetration testing, are conducted to identify and address vulnerabilities.

5.6 Regular Security Assessments and Audits

Our web-based applications undergo regular security assessments and audits to identify potential vulnerabilities and ensure compliance with data protection policies. These assessments include both automated scans and manual testing by security experts. Any identified vulnerabilities are promptly addressed, and mitigation strategies are implemented to strengthen the security of our applications.

5.7 Incident Response Plan for Web Applications

In the event of a security incident affecting our web applications, we will quickly identify, contain, and mitigate any security breaches. Affected parties and relevant authorities will be notified in accordance with HIPAA requirements and our own data breach response policies.

5.8 Continuous Improvement and Review

The landscape of web application security is constantly evolving. Therefore, we are committed to the continuous improvement of our application security practices. This involves regularly reviewing and updating our security measures to align with new technologies, emerging threats, and best practices in application security. Employee feedback and insights from security assessments are integral to this process of continuous improvement.

Chapter 6: Data Breach Response Protocol

6.1 Identification and Assessment of a Data Breach

At Ognomy, recognizing and promptly responding to data breaches is a critical aspect of our data protection strategy. Once a potential breach is reported, a designated response team assembled by the Privacy Officer swiftly assesses the situation to determine the extent and impact of the breach, identifying the type of data involved and the individuals potentially affected.

6.2 Containment and Eradication

Upon identification of a data breach, our primary goal is to contain and eradicate the source of the breach. This may involve isolating affected systems, revoking or changing access credentials, or taking other immediate actions to prevent further unauthorized access to PHI. Our Data Protection Officer and IT team work diligently to identify and eliminate the root cause of the breach, whether it is a technical flaw, a process failure, or a human error, to prevent recurrence.

6.3 Notification Procedures

In line with HIPAA’s Breach Notification Rule, Ognomy ensures affected individuals are notified without undue delay, and in no case later than 60 days after the discovery of the breach. If the breach involves more than 500 individuals, we notify the Secretary of Health and Human Services as well as relevant media outlets as required by HIPAA. Our notification includes details about the breach, the type of data involved, the steps we have taken in response, and guidance for individuals to protect themselves from potential harm.

6.4 Investigation and Analysis

Post-breach, a thorough investigation is conducted to understand how the breach occurred and why. This involves analyzing the breach's causes, the effectiveness of our response, and any shortcomings in our current security measures. The investigation helps in developing an understanding of the breach's context and contributing factors, providing critical insights for improving our security posture.

6.5 Documentation and Reporting

All data breaches, regardless of their size, are meticulously documented. This documentation includes details of the breach, the response actions taken, the investigation findings, and the outcomes. These records are crucial for regulatory compliance, internal audits, and future reference to improve our data protection measures.

6.6 Post-Breach Recovery and Restoration

After a breach, our focus shifts to recovery and restoration of affected systems and data. This includes restoring data from backups if necessary, and ensuring that all systems are secure and functioning normally before resuming regular operations. We also evaluate and implement additional security measures as needed to fortify our defenses against future breaches.

6.7 Review and Revision of Breach Response Procedures

Following a data breach, we conduct a comprehensive review of our response procedures. This review aims to identify any areas for improvement in how we detect, respond to, and recover from data breaches. We revise our response protocols and procedures based on these findings to ensure they remain effective and align with best practices and regulatory requirements.

6.8 Continuous Improvement in Breach Response

Data breach response is an area of continual learning and improvement. Ognomy is committed to staying abreast of the latest trends and best practices in breach response and incorporating these insights into our protocols. We regularly evaluate our breach response strategy to ensure it is robust, effective, and capable of protecting our clients' sensitive information in a rapidly evolving digital landscape.

Chapter 7: Data Confidentiality Agreements

7.1 Importance of Confidentiality Agreements

At Ognomy, we recognize that data confidentiality is foundational to our operations and the trust our clients place in us. To reinforce this commitment, all employees, contractors, and third-party vendors that access PHI are required to sign HIPAA Confidentiality Agreements or a HIPAA Business Associate Agreement. These agreements are legally binding documents that outline the responsibilities and expectations regarding the handling of PHI and other sensitive information.

7.2 Components of the Confidentiality Agreement

Each Confidentiality Agreement encompasses several key components:

  • Protection of PHI: The agreement stipulates the necessity of protecting PHI, outlining specific measures that must be taken to safeguard this information.

  • Use and Disclosure Restrictions: It clearly defines the acceptable use and disclosure of PHI, emphasizing adherence to HIPAA regulations and company policies.

  • Reporting Obligations: Individuals are required to immediately report any suspected or actual breaches of confidentiality or security incidents.

  • Duration of Confidentiality: The agreement specifies that confidentiality obligations continue even after the termination of employment or contract with Ognomy.

7.3 Training on Confidentiality Agreements

HIPAA training that is completed at least annually covers the details within these Confidentiality Agreements to ensure understanding and compliance.

7.4 Regular Updates and Reaffirmation

The landscape of data protection and privacy laws is continually evolving. To ensure that our Confidentiality Agreements remain relevant and effective, they are reviewed and updated regularly. Additionally, employees and contractors are required to reaffirm their understanding and commitment to these agreements annually, or whenever significant updates are made.

7.5 Penalties for Breach of Confidentiality

Ognomy maintains a strict stance on breaches of confidentiality. Any violation of the Confidentiality Agreement is subject to severe consequences, which may include disciplinary action, termination of employment or contract, and legal action, depending on the severity of the breach. These penalties are clearly outlined in the agreement to ensure that all parties are aware of the ramifications of non-compliance.

7.6 Vendor and Third-Party Confidentiality Agreements

Our commitment to confidentiality extends to our partnerships and collaborations. All vendors and third-party service providers who have access to PHI or other sensitive data are also required to sign Confidentiality Agreements. These agreements are tailored to the specific nature of their engagement with Ognomy but maintain the same level of rigor and commitment to data protection as our internal agreements.

7.7 Monitoring Compliance with Confidentiality Agreements

To ensure ongoing compliance, Ognomy actively monitors adherence to the Confidentiality Agreements. This includes regular reviews of access logs and investigations of any suspicious activities. Compliance monitoring helps us to identify potential risks and address them proactively.

7.8 Reporting and Addressing Violations

Employees are encouraged to report any suspected violations, with the assurance that their reports will be handled with the utmost confidentiality and professionalism. All reports are thoroughly investigated, and appropriate actions are taken to address and rectify any violations.

7.9 Continuous Improvement of Confidentiality Practices

In our pursuit of excellence in data protection, Ognomy is committed to continuously improving our confidentiality practices. We regularly seek feedback from our employees and partners, review industry best practices, and adapt our approaches to enhance the effectiveness of our Confidentiality Agreements and the overall confidentiality culture within our organization.

Chapter 8: Vulnerability Management Policy

8.1 Purpose

The purpose of this Vulnerability Management Policy is to define the requirements for identifying, assessing, and mitigating vulnerabilities within Ognomy's information systems and networks. This policy aims to protect the confidentiality, integrity, and availability of our information assets by ensuring vulnerabilities are managed effectively.

8.2 Scope

This policy applies to all employees, contractors, and third-party vendors who manage or use Ognomy's information systems, including hardware, software, and network components.

8.3 Roles and Responsibilities

The IT Security Team along with the Data Protection Officer (DPO) is responsible for the overall management and execution of the vulnerability management program, including scanning, assessment, and mitigation activities. System owners must ensure that vulnerabilities within their systems are addressed in a timely manner. All employees and contractors are responsible for adhering to the vulnerability management policy and reporting any suspected vulnerabilities to the IT Security Team or the DPO.

8.4 Vulnerability Identification

Patch management involves monitoring vendor announcements and security bulletins to identify new vulnerabilities and ensure timely application of patches. Periodic penetration testing will be performed to identify vulnerabilities that may not be detected by automated tools.

8.5 Vulnerability Mitigation

Remediation plans will be developed and implemented to address identified vulnerabilities. This may include applying patches, reconfiguring systems, or implementing additional security controls. The effectiveness of remediation efforts will be verified through follow-up scans and tests.

8.6 Reporting and Documentation

All identified vulnerabilities and remediation efforts must be reported to the IT Security Team or DPO. Key metrics related to vulnerability management, including the number of vulnerabilities identified, the time taken to remediate them, and the overall risk posture of the organization, will be tracked and reported.

8.7 Continuous Improvement of Vulnerability Management

The vulnerability management policy and procedures will be regularly reviewed and updated to ensure they remain effective and aligned with industry best practices and regulatory requirements. Regular training and awareness programs will be provided to employees and contractors on vulnerability management practices and their roles in the process.

Chapter 9: Policy Review and Update

9.1 Commitment to Regular Policy Review

At Ognomy, we understand that the landscape of data protection and technology is continually evolving. To ensure our Information Security and Privacy Policy remains effective and relevant, we are committed to regularly reviewing and updating it. This ongoing process is crucial for maintaining compliance with current laws and regulations, adapting to new cybersecurity threats, and incorporating technological advancements.

9.2 Involving Key Stakeholders in the Review Process

The review process involves key stakeholders from various departments within our organization, including IT, legal, human resources, and operations. This collaborative approach ensures that diverse perspectives and expertise are considered, leading to a more comprehensive and effective policy. Additionally, we engage with external experts, such as legal advisors and cybersecurity professionals, to provide insights and recommendations.

9.3 Assessing Emerging Threats and Technologies

A significant aspect of our policy review involves assessing new threats and technological developments that could impact our data protection strategies. We stay informed about the latest cybersecurity trends, threat intelligence reports, and technological innovations. This information is critical in identifying potential areas for policy enhancement.

9.4 Incorporating Regulatory Changes and Best Practices

Our policy updates also reflect changes in data protection regulations, HIPAA guidelines, and industry best practices. We monitor regulatory developments and adjust our policy to ensure continued compliance. Adopting best practices from industry standards and frameworks helps in strengthening our data protection measures.

9.5 Feedback Mechanism for Continuous Improvement

Feedback from employees, clients, and partners is an invaluable part of our policy review process. We encourage open communication and provide channels for stakeholders to offer suggestions and feedback on our data protection practices. This feedback is carefully considered during policy revisions to ensure that our policy addresses the needs and concerns of all parties involved.

9.6 Documenting and Communicating Policy Changes

Any changes made to the policy are thoroughly documented, with clear explanations of the revisions and their implications. We ensure that these changes are communicated effectively to all employees and relevant stakeholders. This communication includes not just the dissemination of the updated policy but also training sessions, if necessary, to ensure everyone understands the new requirements and procedures.

9.7 Training on Updated Policies

Following significant policy updates, we conduct training sessions for all staff to ensure they are aware of the changes and understand their roles and responsibilities in line with the new policy. These training sessions are mandatory and tailored to different departments and roles within the organization.

9.8 Record Keeping and Historical Policy Archive

We maintain records of all policy versions, including the dates of changes and the reasons behind them. This historical archive serves as a reference to track the evolution of our data protection strategies and provides insights for future policy developments.

9.9 Scheduled Review and Update Cycle

Our Information Security and Privacy Policy is scheduled for review at least annually. However, reviews may occur more frequently if significant regulatory changes, technological advancements, or emerging threats necessitate an earlier assessment. This scheduled cycle ensures that our policy does not become outdated and continues to align with our commitment to robust data protection.

Chapter 10: Policy Acknowledgement

10.1 Acknowledgement of Policy Understanding

At Ognomy, it is vital that all employees, contractors, and affiliated parties clearly understand and acknowledge their role in protecting sensitive information, particularly PHI. To formalize this understanding, we require all relevant parties to acknowledge that they have read, understood, and agree to abide by the Information Security and Privacy Policy. This acknowledgement is a critical part of our compliance process and is mandatory for continued association with our company.

10.2 Procedure for Acknowledgement

The process of policy acknowledgement is integrated into our onboarding process for new employees and contractors. Additionally, when significant updates are made to the policy, all existing personnel are required to review and re-acknowledge their understanding and commitment to the updated policy. This acknowledgement is typically facilitated through a digital signature process, ensuring a verifiable and efficient method of recording this commitment.

10.3 Reinforcement of Policy Importance

During the acknowledgement process, we emphasize the importance of this policy in safeguarding PHI and maintaining the integrity and reputation of our company. This reinforcement is part of our broader effort to cultivate a culture of security and compliance within the organization.

10.4 Record Keeping of Acknowledgements

Records of all acknowledgements are meticulously maintained by our Human Resources and Compliance departments. These records serve as evidence of our due diligence in ensuring that all personnel are informed and compliant with our data protection policies. They are also essential for audit purposes and in demonstrating our commitment to regulatory compliance.

10.5 Consequences of Non-Acknowledgement

Failure to acknowledge the Information Security and Privacy Policy may result in restricted access to sensitive information and systems. For employees and contractors, this acknowledgement is a condition of their employment or engagement. Non-compliance with this requirement is taken seriously and may lead to disciplinary actions, up to and including termination of employment or contract.

10.6 Regular Reminders and Awareness Campaigns

In addition to formal acknowledgements, we regularly remind employees and contractors of the policy and their obligations. These initiatives are designed to keep data protection at the forefront of everyone's mind and reinforce the importance of adhering to our policies.

10.7 Integration with Other Compliance Efforts

The acknowledgement of the Information Security and Privacy Policy is part of a broader compliance and ethics program at Ognomy. This integration ensures that data protection is not seen in isolation but as an integral part of our overall commitment to ethical business practices and compliance with all relevant laws and regulations.

10.8 Continuous Improvement of Acknowledgement Process

We continually evaluate and improve the process of policy acknowledgement. This includes exploring more effective ways to communicate the policy, enhancing the ease of the acknowledgement process, and ensuring that the process effectively conveys the importance of each individual's role in data protection.

10.9 Reinforcement Through Leadership

Leadership at Ognomy plays a crucial role in reinforcing the importance of policy acknowledgement. By setting an example and regularly discussing the importance of data protection, our leaders foster an environment where compliance and ethical behavior are valued and prioritized.