Fox and Geese has a Security Officer [164.308(a)(2)] and Privacy Officer
[164.308(a)(2)] appointed to assist in maintaining and enforcing safeguards
towards compliance. The responsibilities associated with these roles are
Applicable Standards from the HITRUST Common Security Framework
- 02.f - Disciplinary Process
- 06.d - Data Protection and Privacy of Covered Information
- 06.f - Prevention of Misuse of Information Assets
- 06.g - Compliance with Security Policies and Standards
Applicable Standards from the HIPAA Security Rule
- 164.308(a)(2) - Assigned Security Responsibility
- 164.308(a)(5)(i) - Security Awareness and Training
The Privacy Officer is responsible for assisting with compliance and security
training for workforce members, assuring the organization remains in compliance
with evolving compliance rules, and helping the Security Officer in his
- Provides annual training to all workforce members of established policies and
procedures as necessary and appropriate to carry out their job functions, and
documents the training provided.
- Assists in the administration and oversight of business associate agreements.
- Manage relationships with customers and partners as those relationships
affect security and compliance of PHI or PII.
- Assist Security Officer as needed.
The current Fox and Geese Privacy Officer is Peter Bray
Workforce Training Responsibilities
- The Privacy Officer facilitates the training of all workforce members as
- New workforce members within their first month of employment;
- Existing workforce members annually;
- Existing workforce members whose functions are affected by a material
change in the policies and procedures, within a month after the material
change becomes effective;
- Existing workforce members as needed due to changes in security and risk
posture of Fox and Geese.
- The Security Officer or designee maintains documentation of the training
session materials and attendees for a minimum of six years.
- The training session focuses on, but is not limited to, the following
subjects defined in Fox and Geese's security policies and procedures:
- HIPAA Privacy, Security, and Breach notification rules;
- HITRUST Common Security Framework;
- NIST Security Rules;
- Risk Management procedures and documentation;
- Auditing - Fox and Geese may monitor access and activities of all users;
- Workstations may only be used to perform assigned job responsibilities;
- Users may not download software onto Fox and Geese's workstations and/or
systems without prior approval from the Security Officer;
- Users are required to report malicious software to the Security Officer
- Users are required to report unauthorized attempts, uses of, and theft of
Fox and Geese's systems and/or workstations;
- Users are required to report unauthorized access to facilities
- Users are required to report noted log-in discrepancies (i.e. application
states user's last log-in was on a date user was on vacation);
- Users may not alter PHI or PII maintained in a database, unless
authorized to do so by a Fox and Geese Customer;
- Users are required to understand their role in Fox and Geese's
- Users may not share their user names nor passwords with anyone;
- Requirements for users to create and change passwords;
- Users must set all applications that contain or transmit PHI or PII to
automatically log off after 15 minutes of inactivity;
- Supervisors are required to report terminations of workforce members and
other outside users;
- Supervisors are required to report a change in a user's title, role,
department, and/or location;
- Procedures to backup PHI or PII;
- Procedures to move and record movement of hardware and electronic media
containing PHI or PII;
- Procedures to dispose of discs, CDs, hard drives, and other media
containing PHI or PII;
- Procedures to re-use electronic media containing PHI or PII;
- SSH key and sensitive document encryption procedures.
The Security Officer is responsible for facilitating the training and
supervision of all workforce members [164.308(a)(3)(ii)(A) and
164.308(a)(5)(ii)(A)], investigation and sanctioning of any workforce member
that is in violation of Fox and Geese security policies and non-compliance with
the security regulations [164.308(a)(1)(ii)(c)], and writing,
implementing, and maintaining all polices, procedures, and documentation related
to efforts toward security and compliance [164.316(a-b)].
The current Fox and Geese Security Officer is Peter Bray
The Security Officer, in collaboration with the Privacy Officer, is responsible
for facilitating the development, testing, implementation, training, and
oversight of all activities pertaining to Fox and Geese's efforts to be
compliant with the HIPAA Security Regulations, HITRUST CSF, and any other
security and compliance frameworks. The intent of the Security Officer
Responsibilities is to maintain the confidentiality, integrity, and availability
of PHI or PII. The Security Officer is appointed by and reports to the Board of
Directors and the CEO.
These organizational responsibilities include, but are not limited to the
- Oversees and enforces all activities necessary to maintain compliance and
verifies the activities are in alignment with the requirements.
- Helps to establish and maintain written policies and procedures to comply
with the Security rule and maintains them for six years from the date of
creation or date it was last in effect, whichever is later.
- Reviews and updates policies and procedures as necessary and appropriate to
maintain compliance and maintains changes made for six years from the date of
creation or date it was last in effect, whichever is later.
- Facilitates audits to validate compliance efforts throughout the
- Documents all activities and assessments completed to maintain compliance and
maintains documentation for six years from the date of creation or date it
was last in effect, whichever is later.
- Provides copies of the policies and procedures to management, customers, and
partners, and has them available to review by all other workforce members to
which they apply.
- Annually, and as necessary, reviews and updates documentation to respond to
environmental or operational changes affecting the security and risk posture
of PHI or PII stored, transmitted, or processed within Fox and Geese
- Develops and provides periodic security updates and reminder communications
for all workforce members.
- Implements procedures for the authorization and/or supervision of workforce
members who work with PHI or PII or in locations where it may be accessed.
- Maintains a program promoting workforce members to report non-compliance
with policies and procedures.
- Promptly, properly, and consistently investigates and addresses reported
violations and takes steps to prevent recurrence.
- Applies consistent and appropriate sanctions against workforce members who
fail to comply with the security policies and procedures of Fox and Geese
- Mitigates, to the extent practicable, any harmful effect known to Fox and
Geese of a use or disclosure of PHI or PII in violation of Fox and Geese's
policies and procedures, even if effect is the result of actions of Fox
and Geese business associates, customers, and/or partners.
- Reports security efforts and incidents to administration immediately upon
discovery. Responsibilities in the case of a known PHI or PII breach are
documented in the Fox and Geese Breach Policy.
- The Security Officer facilitates the communication of security updates and
reminders to all workforce members to which it pertains. Examples of
security updates and reminders include, but are not limited to:
- Latest malicious software or virus alerts;
- Fox and Geese's requirement to report unauthorized attempts to access PHI
- Changes in creating or changing passwords;
- Additional security-focused training is provided to all workforce members
by the Security Officer. This training includes, but is not limited to:
- Data backup plans;
- System auditing procedures;
- Redundancy procedures;
- Contingency plans;
- Virus protection;
- Patch management;
- Media Disposal and/or Re-use;
- Documentation requirements.
- The Security Officer works with the COO to ensure that any security
objectives have appropriate consideration during the budgeting process.
- In general, security and compliance are core to Fox and Geese's technology
and service offerings; in most cases this means security-related
objectives cannot be split out to separate budget line items.
- For cases that can be split out into discrete items, such as licenses
for commercial tooling, the Security Officer follows Fox and Geese's
standard corporate budgeting process.
- At the beginning of every fiscal year, the COO contacts the Security
Officer to plan for the upcoming year's expenses.
- The Security Officer works with the COO to forecast spending needs based
on the previous year's level, along with changes for the upcoming year
such as additional staff hires.
- During the year, if an unforeseen security-related expense arises that
was not in the budget forecast, the Security Officer works with the COO
to reallocate any resources as necessary to cover this expense.
Supervision of Workforce Responsibilities
Although the Security Officer is responsible for implementing and overseeing all
activities related to maintaining compliance, it is the responsibility of all
workforce members (i.e. team leaders, supervisors, managers, directors,
co-workers, etc.) to supervise all workforce members and any other user of Fox
and Geese's systems, applications, servers, workstations, etc. that contain PHI
- Monitor workstations and applications for unauthorized use, tampering, and
theft and report non-compliance according to the Security Incident Response
- Assist the Security and Privacy Officers to ensure appropriate role-based
access is provided to all users.
- Take all reasonable steps to hire, retain, and promote workforce members and
provide access to users who comply with the Security regulations and Fox and
Geese's security policies and procedures.
Sanctions of Workforce Responsibilities
All workforce members report non-compliance of Fox and Geese's policies and
procedures to the Security Officer or other individual as assigned by the
Security Officer. Individuals that report violations in good faith may not be
subjected to intimidation, threats, coercion, discrimination against, or any
other retaliatory action as a consequence.
- The Security Officer promptly facilitates a thorough investigation of all
reported violations of Fox and Geese's security policies and procedures. The
Security Officer may request assistance from others.
- Complete an audit trail/log to identify and verify the violation and
sequence of events.
- Interview any individual that may be aware of or involved in the incident.
- All individuals are required to cooperate with the investigation process
and provide factual information to those conducting the investigation.
- Provide individuals suspected of non-compliance of the Security rule and/or
Fox and Geese's policies and procedures the opportunity to explain their
- The investigator thoroughly documents the investigation as the
investigation occurs. This documentation must include a list of all
employees involved in the violation.
- Violation of any security policy or procedure by workforce members may result
in corrective disciplinary action, up to and including termination of
employment. Violation of this policy and procedures by others, including
business associates, customers, and partners may result in termination of the
relationship and/or associated privileges. Violation may also result in civil
and criminal penalties as determined by federal and state laws and
- A violation resulting in a breach of confidentiality (i.e. release of PHI
to an unauthorized individual), change of the integrity of any PHI or PII,
or inability to access any PHI or PII by other users, requires immediate
termination of the workforce member from Fox and Geese.
- The Security Officer facilitates taking appropriate steps to prevent
recurrence of the violation (when possible and feasible).
- In the case of an insider threat, the Security Officer and Privacy Officer
are to set up a team to investigate and mitigate the risk of insider
malicious activity. Fox and Geese workforce members are encouraged to come
forward with information about insider threats, and can do so anonymously.
- The Security Officer maintains all documentation of the investigation,
sanctions provided, and actions taken to prevent reoccurrence for a minimum
of six years after the conclusion of the investigation.