3. Policy Management Policy

Luma implements policies and procedures to maintain compliance and integrity of data. The Security Officer and Privacy Officer are responsible for maintaining policies and procedures and assuring all Luma workforce members, business associates, customers, and partners are adherent to all applicable policies. Previous versions of policies are retained to assure ease of finding policies at specific historic dates in time.

3.1 Applicable Standards

3.1.1 Applicable Standards from the HITRUST Common Security Framework

  • 12.c - Developing and Implementing Continuity Plans Including Information Security

3.1.2 Applicable Standards from the HIPAA Security Rule

  • 164.316(a) - Policies and Procedures
  • 164.316(b)(1)(i) - Documentation

3.2 Maintenance of Policies

  1. All policies are stored and up to date to maintain Luma compliance with HIPAA, HITRUST, NIST, and other relevant standards. Updates and version control are done similar to source code control.
  2. Policy update requests can be made by any workforce member at any time. Furthermore, all policies are reviewed annually by both the Security and Privacy Officer to assure they are accurate and up-to-date.
  3. Luma employees may request changes to policies using the following process:
    1. The Luma employee initiates a policy change request by creating an Issue in ClickUp. The change request may optionally include a GitHub pull request from a separate branch or repository containing the desired changes.
    2. The Security Officer or the Privacy Officer is assigned to review the policy change request.
    3. Once the review is completed, the Security Officer or Privacy Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
    4. If the review is approved, the Security Officer or Privacy Officer then marks the Issue as Done, adding any pertinent notes required.
  4. If the policy change requires technical modifications to production systems, those changes are carried out by authorized personnel using Luma’s change management process (§9.4).
  5. All policies are made accessible to all Luma workforce members.
    • Changes are communicated to all Luma team members through Slack or during regular company meetings.
  6. All policies, and associated documentation, are retained for 6 years from the date of its creation or the date when it last was in effect, whichever is later
    • Version history of all Luma policies is done via GitHub.
  7. The policies and information security policies are reviewed and audited annually, or after significant changes occur to Luma’s organizational environment. Issues that come up as part of this process are reviewed by Luma management to assure all risks and potential gaps are mitigated and/or fully addressed. The process for reviewing policies is outlined below:
    1. The Security Officer initiates the policy review by creating a ticket in ClickUp.
    2. The Security Officer or the Privacy Officer is assigned to review the current Luma policies.
    3. If changes are made, the above process is used. All changes are documented in the Issue.
    4. Once the review is completed, the Security Officer or Privacy Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
    5. If the review is approved, the Security Officer or Privacy Officer then marks the Issue as Done, adding any pertinent notes required.
    6. Policy review is monitored on a quarterly basis using ClickUp reporting to assess compliance with above policy.
  8. Luma utilizes the Audit Program Protocol from OCR (part of HHS) to track compliance on an annual basis. In order to track and measure adherence on an annual basis, Luma uses the following process to track audits, both full and interim:
    1. The Security Officer initiates the audit activity by creating an Issue in ClickUp.
    2. The Security Officer or the Privacy Officer is assigned to own and manage the activity.
    3. Once the activity is completed, the Security Officer approves or rejects the Issue.
    4. If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
    5. Compliance with annual compliance assessments, utilizing the Audit Program Protocol from OCR as a framework, is monitored on a quarterly basis using ClickUp reporting to assess compliance with above policy.

Additional documentation related to maintenance of policies is outlined in §5.3.1.