25. Reseller Security Policy
When entering into an agreement to resell Luma Health products, the reseller will ensure that its customer follows these Information Security guidelines:
- Customer will develop and maintain a set of Policies, Procedures and Standards relating to Information Security and Data Privacy meeting the requirements of HIPAA as a minimum.
- Customer will develop and maintain a workforce training program, delivered at least annually, which at minimum covers the customer's Standards, Policies and Procedures, the HIPAA Security and Privacy Rules, and Information Security best practices.
- Customer will implement strong physical and technical safeguards designed to keep covered information secure:
- Technical Safeguards will include, but are not limited to: restricting access to covered information to authorized personnel only; requiring unique user identifiers and strong authentication methods such as multi-factor authentication; monitoring systems for unusual activity; using strong encryption for data both at rest and in transit; and implementing automatic logoff of inactive sessions.
- Physical Safeguards will include, but are not limited to: restricting who can access customer facilities; restricting who has physical access to workstations and electronic media; and procedures for securely disposing of electronic devices and media containing covered information when they are no longer required.
- Customer will perform a risk assessment on at least an annual basis, which shall include, but not be limited to: reviewing records to track access to covered information and detect security incidents; evaluating the effectiveness of the security measures in place; and evaluating potential risks to covered information.
- Customer will develop Standards, Policies and Procedures which outline what actions are to be taken, and by whom, in the event of a data breach.
- Customer will develop Standards, Policies and Procedures for fully investigating any suspected HIPAA violation, including investigation procedures and corrective action plans.