25. Reseller Security Policy

When entering into an agreement to resell Luma Health products, reseller will ensure that their customer follows these Information Security guidelines:

• Customer will develop and maintain a set of Policies, Procedures and Standards relating to Information Security and Data Privacy meeting the requirements of HIPAA as a minimum.
• Customer will develop and maintain a workforce training program which at minimum covers customers Standards, Policies and Procedures, HIPAA Security and Privacy Rules and Information Security best practices on at least an annual basis.
• Customer will implement strong physical and technical safeguards designed to keep covered information secure:
  • Technical Safeguards will include but not be limited to; restricting access to covered information to authorized personnel only; requiring unique and strong authentication methods such as multi-factor authentication; monitoring systems for unusual activity; using strong encryption for data both at rest and in transit; implementing an auto-logout function
  • Physical Safeguards will include but are not limited to; Restrictions on who can access custom facilities, restricting who has physical access to workstations and electronic media; procedures for securely disposing of electronic devices and media containing covered information when they are no longer required.
• Customer will perform a risk assessment on at least an annual basis which shall include but not be limited to; reviewing records to track access to covered information and detect security incidents; evaluate the effectiveness of security measures in place; evaluate potential risks to covered information.
• Customer will develop Standards, Policies and Procedures which outline what actions are to be taken and by whom in the event of a data breach.
• Customer will develop Standards, Policies and Procedures to fully investigate any HIPAA violation including investigation and corrective action plans.