Smile Digital Health Security Standards
Protocols for the Protection of Electronic Protected Health Information
V1.0 last reviewed March 27, 2024
Smile CDR Inc. (doing business as Smile Digital Health) Security Standards for the Protection of Electronic Protected Health Information in accordance with Title 45 of the Code of Federal Regulations, Part 164, Subpart C
Smile Digital Health currently holds HITRUST CSF, ISO 27001:2022 and SOC 2 certifications. These certifications provide assurance that the HIPAA-required policies and procedures are operating as expected and have been validated by a qualified third party. As part of its continuous improvement activities, Smile Digital Health is constantly monitoring and improving its processes and practices.
I. Administrative Safeguards
A covered entity or business associate must, in accordance with 45 CFR § 164.306:
1. Security management process.
Implement policies and procedures to prevent, detect, contain and correct security violations.
Smile Digital Health has implemented privacy and security policies to prevent, detect, contain and correct security violations. These procedures allow Smile Digital Health to manage the selection, development, implementation and maintenance of security measures, protect electronic protected health information and manage the conduct of the organization's workforce.
As a Business Associate, Smile Digital Health has implemented extensive processes and procedures to avoid, mitigate and contain security or privacy incidents. These procedures adhere to the ISO 27001:2022 standard and have obtained the HITRUST CSF v9.4 certification.
Smile Digital Health clients benefit from extensive support plan options that ensure that our Managed Services customers or licensees are able to meet their HIPAA requirements.
2. Risk analysis.
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity or business associate.
Smile Digital Health has implemented a risk management process to assess potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic protected health information that we manage. The risk assessment is conducted on an annual basis in order to help the organization identify potential security risks and determine the probability of occurrence and magnitude of risks.
Smile Digital Health works in partnership with its clients to assess and regularly review risks. At the organizational level, a stringent corporate risk management system is in place that assesses risks relating to our products, services and the company overall. These risk assessments are conducted at least every twelve months.
3. Risk management.
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 CFR § 164.306(a).
Smile Digital Health has appropriate security measures and safeguards in place to reduce risks and vulnerabilities to a reasonable and appropriate level and to protect the electronic protected health information (EPHI) of organizations whose data we manage. Executive leadership and management are involved in all risk management and mitigation decisions, and security processes are communicated regularly throughout the organization. The organization has also engaged additional third-party resources to assess risk management policies and processes and to assist in the corporate risk management strategy.
Smile Digital Health has implemented extensive security testing and review as part of the software development lifecycle of its products and as part of the change management activities of the services offered. These practices ensure that potential vulnerabilities are addressed early in the process.
As part of its operations, Smile Digital Health has vulnerability management practices for released products and services to ensure that any newly identified issues are addressed promptly and effectively. Furthermore, Smile Digital Health has a Responsible Disclosure Policy and welcomes external feedback from various stakeholders.
4. Sanction policy.
Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
Smile Digital Health has a sanction policy in place to help reinforce our security policies and procedures and deter noncompliance. The organization ensures staff understand security policies and procedures and the consequences of failing to comply, through new hire training and annual training refresher courses. Staff are also required to sign a confidentiality statement of adherence to security policies as a prerequisite to their employment.
As part of its disciplinary process, Smile Digital Health empowers its Human Resources and Compliance departments with the appropriate authority to deter and correct behaviors that may potentially lead to privacy or security incidents.
5. Information system activity review.
Implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.
Smile Digital Health reviews information system activity across all systems that store, process or transmit EPHI to determine whether any information is used or disclosed in an inappropriate manner. Systems are configured to automatically alert the appropriate individuals of malicious or suspicious activity, and alerts are analyzed. If system activity suggests a security incident has occurred, the alert is investigated further.
The company has assigned dedicated staff that regularly audit both internal and client activity in its infrastructure. These procedures are reviewed annually via an internal audit and as part of the organization’s SOC-2 attestation.
6. Assigned security responsibility.
Identify the security official who is responsible for the development and implementation of the policies and procedures.
Smile Digital Health has a dedicated Chief Privacy and Security Officer (CPSO), responsible for the development and implementation of the organization's policies and procedures and for ensuring the organization complies with the Security Rule and all other privacy and security obligations required by law. The organization has also added staff members to the Privacy and Security team to provide support to the CPSO.
The CPSO’s authority and responsibility are documented in corporate policies and reviewed annually with senior management.
7. Workforce security.
Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.
Smile Digital Health has implemented policies and procedures to ensure all workforce members have appropriate access to EPHI and to prevent workforce members who do not have access from obtaining access. The organization provides only the minimum necessary access to EPHI that is required for an individual to perform their job. Staff that need access to EPHI to carry out their job duties are identified and the organization makes reasonable efforts to control all access by ensuring the appropriate authorization and supervision, workforce clearance and termination policies and procedures are in place.
The company has assigned dedicated staff that regularly audit both internal and client roles and their assigned access. These procedures are reviewed annually via an Internal Audit and as part of the organization’s SOC-2 attestation.
8. Authorization and/or supervision.
Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Checks and balances are in place to ensure all staff have appropriate access to EPHI. The organization has implemented authorization and supervision procedures to ensure proper permissions are assigned to system users that may need to access, use or disclose EPHI as a function of their job.
The company has assigned dedicated staff that regularly audit both internal and client roles, their assigned access and the manner by which they access PHI. Findings are shared regularly with the relevant covered entity.
These procedures are reviewed annually via an Internal Audit and as part of the organization’s SOC-2 attestation.
9. Workforce clearance procedure.
Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
Smile Digital Health has procedures in place to determine whether system users with authorized access to EPHI have received appropriate clearance. User access is reviewed and approved by executive leadership to ensure it is appropriate and required for the user's role.
The company has assigned dedicated staff that regularly audit both internal and client roles and their assigned access. These procedures are reviewed annually via an Internal Audit and as part of the organization’s SOC-2 attestation.
10. Termination procedures.
Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends.
Smile Digital Health has procedures in place to audit, review and remove access privileges when a staff member, contractor or other individual previously entitled to access information leaves the organization, whether voluntarily or involuntarily. Processes are also in place to change access levels when a staff member's job description changes in a way that requires more or less access to EPHI.
These procedures are reviewed annually via an Internal Audit and as part of the organization’s SOC-2 attestation.
11. Information access management.
Implement policies and procedures for authorizing access to electronic protected health information.
Smile Digital Health has implemented policies and procedures for authorizing access to EPHI to minimize the risks associated with inappropriate disclosure, alteration or destruction of our electronic information. The company complies with the HIPAA Privacy Rule minimum necessary requirements, which require us to evaluate our security practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. In addition, the organization has processes in place for determining which individuals or entities might need access to EPHI within their work environment.
12. Isolating health care clearinghouse functions.
If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
This is not applicable to Smile Digital Health, as it is not a health care clearinghouse. However, the organization has policies and procedures in place to protect any protected health information that it transmits, manages and stores from unauthorized access.
13. Access authorization.
Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process or other mechanism.
Smile Digital Health has policies and procedures in place for granting access to EPHI and ensuring the appropriate authorization is documented in accordance with the Privacy Rule. The organization identifies individuals who have authority to grant access privileges and has technical and authentication processes in place when granting access to workforce members, such as creating unique usernames and passwords.
14. Access establishment and modification.
Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review and modify a user's right of access to a workstation, transaction, program or process.
Smile Digital Health has implemented and manages the creation and modification of access privileges to workstations, transactions, programs and processes. Workforce members' access privileges are reviewed and monitored on a continuous basis, existing procedures are updated as necessary and any changes made are documented.
15. Security awareness and training.
Implement a security awareness and training program for all members of its workforce (including management).
Smile Digital Health has implemented a security awareness program to help mitigate internal security risks and vulnerabilities. Privacy and security awareness training is required for all new and existing workforce members, and refresher training is provided on an annual basis. In addition, periodic retraining is given whenever environmental or operational changes affect the security of EPHI, or as changes are made to privacy and security regulations and mandates.
16. Security reminders.
Periodic security updates.
Smile Digital Health provides security reminders to its workforce through formal retraining on current as well as new policies and procedures. In addition, security reminders are communicated to workforce members during weekly organization-wide team meetings, through internal communication tools, at monthly privacy and security meetings and in the organization's monthly newsletter.
17. Protection from malicious software.
Procedures for guarding against, detecting and reporting malicious software.
Smile Digital Health has put the proper security measures, processes and procedures in place to help protect our systems and the EPHI we manage from being damaged, destroyed or attacked by malicious software. Staff are trained that malicious software is frequently brought into an organization through email attachments and programs downloaded from the internet. The training provided by Smile Digital Health helps staff understand and recognize the dangers of a successful malicious software infection and the damaging impact it could have on our organization's information systems. Staff are also made aware of how to detect and report suspicious programs or activities.
18. Log-in monitoring.
Procedures for monitoring log-in attempts and reporting discrepancies.
Smile Digital Health ensures all staff are aware of inappropriate log-in attempts. Staff must attend privacy and security awareness training in which they are educated on appropriate log-on requirements and password management. Staff have been made aware that inappropriate or attempted log-ins can occur when someone enters multiple combinations of usernames and/or passwords in an attempt to gain access to our information systems.
To mitigate these risks, systems are monitored to detect successful and unsuccessful log-in attempts as part of the regular activity audits.
19. Password management.
Procedures for creating, changing and safeguarding passwords.
Smile Digital Health ensures all system users are trained on how to safeguard information and on the guidelines established for creating strong passwords. Staff have been made aware of the risks of sharing passwords with others and are encouraged to commit passwords to memory. In addition, staff are trained not to write passwords down or leave them in areas that are visible or accessible to others.
Additionally, wherever EPHI is accessed, staff must authenticate using multi-factor authentication.
20. Security incident procedures.
Implement policies and procedures to address security incidents.
Smile Digital Health has incident management policies and procedures in place which address how to identify privacy and security incidents and the appropriate steps that an individual should take to ensure the incident gets reported to the correct individuals. Incidents reported are documented, investigated and appropriate action steps are taken. The organization evaluates privacy and security incidents as a part of ongoing risk management.
21. Response and reporting.
Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
Smile Digital Health ensures all privacy and security incidents are properly addressed. The organization has incident management policies and procedures in place which address how to identify privacy and security incidents and the appropriate steps that an individual should take to ensure the incident gets reported to the correct individuals. Incidents reported are documented, investigated and appropriate action steps are taken. The organization reports all incidents to impacted clients/customers as outlined in their incident management process, as stipulated by contractual agreements and as required by HIPAA. The organization evaluates privacy and security incidents as a part of ongoing risk management.
22. Contingency plan.
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain electronic protected health information.
Smile Digital Health has established contingency plan strategies for responding to emergencies and how access to EPHI will be recovered should the organization experience an occurrence such as a fire, vandalism, system failure, natural disaster, power outage or any other disruption to critical business operations.
23. Data backup plan.
Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
Smile Digital Health has established and implemented a backup and restore policy and supporting procedures as an important safeguard to ensure that retrievable exact copies of EPHI are maintained. Procedures are checked and tested annually to ensure they are effective.
24. Disaster recovery plan.
Establish (and implement as needed) procedures to restore any loss of data.
Smile Digital Health has established and implemented a disaster recovery plan, accessible to individuals within the organization. The plan addresses what data will be recovered and restored in the event of a disaster emergency, as well as other services specific to the organization’s operating environment.
The supporting plans are tested annually or when significant changes in the infrastructure are implemented.
25. Emergency mode operation plan.
Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
In the event Smile Digital Health needs to operate in emergency mode due to a technical failure or power outage, the organization has procedures in place to protect the security of EPHI maintained on its systems and enable the continuation of critical business processes.
26. Testing and revision procedures.
Implement procedures for periodic testing and revision of contingency plans.
Smile Digital Health reviews its contingency plans on an annual basis and makes revisions at that time if necessary. In addition, the organization tests disaster recovery and emergency mode operations through annual exercises. The results of each exercise are reviewed and documented, and any issues identified are addressed.
27. Applications and data criticality analysis.
Assess the relative criticality of specific applications and data in support of other contingency plan components.
Smile Digital Health performs assessments and data criticality analysis on its software and data applications that store, maintain or transmit EPHI to help determine how important each is to its business needs.
Smile Digital Health works with the client to document data criticality in contracts and agreements.
28. Evaluation.
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.
Smile Digital Health conducts annual reviews and ongoing evaluations of the technical and non-technical aspects of its security program to ensure security standards and certifications are maintained and that reasonable and appropriate measures are in place to comply with the Security Rule. Subsequent periodic evaluations are performed in response to environmental or operational changes that affect the security of EPHI.
II. Business Associate Contracts & Other Arrangements
1. Business associate contracts and other arrangements.
A covered entity may permit a business associate to create, receive, maintain or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with 45 CFR § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
Smile Digital Health operates as a business associate and has agreements in place where applicable, for subcontractors who create, receive, maintain, or transmit EPHI on the organization's behalf. The organization ensures satisfactory assurance is obtained in accordance with 45 CFR § 164.314(a) and that information will be appropriately safeguarded.
2. A business associate may permit a business associate that is a subcontractor to create, receive, maintain or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with 45 CFR § 164.314(a), that the subcontractor will appropriately safeguard the information.
Smile Digital Health operates as a business associate and has agreements in place, where applicable, for subcontractors who create, receive, maintain or transmit EPHI on the organization's behalf. The organization ensures satisfactory assurance is obtained in accordance with 45 CFR § 164.314(a) and that information will be appropriately safeguarded.
3. Written contract or other arrangement.
Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of 45 CFR § 164.314(a).
Smile Digital Health operates as a business associate and has written agreements in place, where applicable, for subcontractors who create, receive, maintain or transmit electronic protected health information on the organization's behalf. The organization ensures satisfactory assurance is obtained in accordance with 45 CFR § 164.314(a) and that information will be appropriately safeguarded.
III. Physical Safeguards
A covered entity or business associate must, in accordance with 45 CFR § 164.306:
1. Facility access controls.
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Although the majority of Smile Digital Health's workforce is remote, the organization has implemented policies and procedures to limit physical access to its electronic information systems and the facility in which they are housed. The organization has policies and procedures in place to help control physical access such as locked doors, restricted building access, electronic control systems, security officers and video surveillance monitoring.
2. Contingency operations.
Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
Smile Digital Health has a largely remote workforce; however, the organization ensures physical security and appropriate access to EPHI are maintained during contingency operations where reasonable and as applicable to the nature of our business operations.
3. Facility security plan.
Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering and theft.
Smile Digital Health has facility security plan policies and procedures in place to ensure only authorized individuals have access to facilities and equipment that contain EPHI. Physical access controls allow individuals with legitimate business needs to obtain access to our on-site facility and deny access to individuals without a legitimate business need. Procedures are in place to prevent tampering and theft of EPHI and of related equipment that could contain EPHI. The organization determines which individuals may need access to facilities and equipment, including staff, visitors and other business partners, to prevent unauthorized physical access, tampering and theft. Policies and procedures are reviewed on an annual basis and updated if there are any significant changes.
4. Access control and validation procedures.
Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision.
Smile Digital Health has developed procedures to control and validate an individual's access to facilities based on their role or function. The majority of Smile Digital Health's workforce is remote, however, appropriate measures are in place to control access to software programs for testing and revision. Methods used for controlling and validating access to facilities include security guards, identification badges and entry devices such as key cards and key fobs. Visitor controls are in place requiring them to sign in, wear visitor badges and be escorted by authorized personnel. A list of individuals with physical access to our facility is maintained and regularly reviewed.
5. Maintenance records.
Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
Smile Digital Health has implemented procedures to document repairs and modifications to physical components of the facility. The organization maintains a list of authorized maintenance personnel and documents repairs and modifications where reasonable and appropriate.
6. Workstation use.
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
Smile Digital Health maintains policies and procedures that address appropriate business use of workstations. Staff are reminded that inappropriate use of computer workstations can expose the organization to risks such as malware, compromise of information systems and breaches of confidentiality. Regardless of where an individual's workstation is located, the organization applies the same safeguards and standards to all managed workstations that have the ability to access EPHI. Staff have also been trained to ensure their device is timed out and locked before walking away from their workstation. In addition, the organization performs daily antivirus software updates and scans.
7. Workstation security.
Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
Smile Digital Health has implemented physical workstation security safeguards that address how workstations are protected from unauthorized users. The organization does not permit storing PHI on workstations. Appropriate measures are in place to restrict access to sensitive information at our physical location; for example, sensitive information is stored in a locked cage, monitored using in-office surveillance cameras and kept in a secure room that only authorized personnel can enter.
8. Device and media controls.
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility and the movement of these items within the facility.
Smile Digital Health ensures the proper handling of electronic media and has policies and procedures in place that govern the receipt and removal of hardware and electronic media that contain EPHI.
9. Disposal.
Implement policies and procedures to address the final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored.
Before disposing of any electronic media that contains EPHI, the organization ensures it is unusable, unreadable and/or inaccessible. Smile Digital Health has developed policies and procedures that address the disposal of EPHI and of the electronic media on which EPHI is stored.
10. Media reuse.
Implement procedures for removal of electronic protected health information from electronic media before the media are made available for reuse.
Smile Digital Health has implemented procedures for removal of EPHI from electronic media prior to reuse to prevent unauthorized access to information.
11. Accountability.
Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
Where applicable, if media containing EPHI is moved from one location to another, the organization has a process in place for maintaining a record of the movement and of the responsible person. All devices and assets carry an asset tag, which is essential for the tracking process.
12. Data backup and storage.
Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
Smile Digital Health has established and implemented a backup and restore policy and supporting procedures as an important safeguard and best practice so that retrievable exact copies of EPHI are maintained. Procedures are checked and tested quarterly to ensure they are effective.
IV. Technical Safeguards
A covered entity or business associate must, in accordance with 45 CFR § 164.306:
1. Access control.
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
Smile Digital Health has implemented access controls to provide system users with the appropriate rights and privileges to access and perform system functions. The organization has access controls in place that enable authorized users to access only the minimum necessary information needed to perform their job functions. Even staff responsible for monitoring and administering information systems containing EPHI, such as system administrators, have access to EPHI only as appropriate for their specific role and job function, as specified in 45 CFR § 164.308(a)(4) (Information Access Management).
2. Unique user identification.
Assign a unique name and/or number for identifying and tracking user identity.
Smile Digital Health assigns each of its users a unique user identifier, which allows the organization to track user activity and hold users accountable for functions performed on information systems that may contain EPHI. The organization does not reuse identifiers of terminated staff members.
3. Emergency access procedure.
Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
Smile Digital Health has the appropriate operational process in place for obtaining access to necessary EPHI during an emergency situation. Disaster recovery plans are in place to instruct staff on possible ways to gain access to EPHI if needed, in the event normal environmental systems, such as electrical power, have been severely damaged or rendered inoperative due to a natural or manmade disaster.
4. Automatic logoff.
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Smile Digital Health trains staff to log off the system they are working on whenever their workstation is unattended. As an additional safeguard, devices managed by the organization are configured with a password-protected screen saver that activates after a period of system inactivity, which helps prevent unauthorized individuals from accessing EPHI if workstations are left unattended.
For services that Smile Digital Health offers, user session time-outs are enforced to ensure that idle users are logged off.
5. Encryption and decryption.
Implement a mechanism to encrypt and decrypt electronic protected health information.
To help protect data from being accessed and viewed by unauthorized users, Smile Digital Health has implemented policies and procedures to ensure all data managed by the company, including EPHI, follows the proper encryption and decryption standards.
All EPHI processed and stored by Smile Digital Health is encrypted in transit and at rest.
6. Audit controls.
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
To help record and examine information system activity and determine if a security violation has occurred, Smile Digital Health has implemented audit controls for managed information systems that contain or use EPHI.
7. Integrity.
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
To help ensure data or information has not been altered or destroyed in an unauthorized or accidental manner, Smile Digital Health has implemented policies and procedures to help protect the integrity of the EPHI managed from improper alteration or destruction.
8. Mechanism to authenticate electronic protected health information.
Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
The organization conducts a risk analysis to help identify the risks to the integrity of EPHI and confirm that EPHI has not been altered or destroyed. Once risks to the integrity of data have been identified, security measures that can reduce those risks are discussed and implemented.
9. Person or entity authentication.
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Smile Digital Health has authentication procedures in place to verify an individual is who they claim to be before allowing access to EPHI. All system users are required to provide proof of identity by using a unique password or PIN. If the authentication credentials entered into an information system match those stored in that system, the user is authenticated. Once properly authenticated, the user is granted the authorized access privileges required to perform their job functions.
10. Transmission security.
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
Smile Digital Health has implemented technical security measures to comply with security rule standards and help guard against unauthorized access to EPHI in the event EPHI is inadvertently transmitted over an electronic network. All EPHI transmitted is encrypted in transit.
11. Integrity controls.
Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
Smile Digital Health has security measures in place to ensure EPHI is not improperly modified during transmission and to ensure that the data sent is the same as the data received. Databases are encrypted and any EPHI transmitted is in encrypted format. The organization communicates to staff, customers and clients the security measures required to protect the integrity of their data during transmission.
12. Encryption.
Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
To help protect data from being accessed and viewed by unauthorized users, Smile Digital Health has implemented policies and procedures to ensure all data managed by the company, including EPHI, follows the proper encryption standards.
V. Organizational Requirements
1. Business associate contracts or other arrangements.
The contract or other arrangement required by 45 CFR § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.
Smile Digital Health has contractual arrangements in place with customers and clients whose EPHI it manages, on whose behalf it performs functions or activities, or to whom it provides specified services that involve the use or disclosure of protected health information.
2. Business associate contracts.
The contract must provide that the business associate will:
(A) In accordance with 45 CFR § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section
Smile Digital Health ensures that any subcontractor that creates, receives, maintains, or transmits EPHI on its behalf is in compliance with the applicable requirements of the privacy and security rules in accordance with 45 CFR § 164.308(b)(2).
(B) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by 45 CFR § 164.410.
Smile Digital Health ensures that any security incident of which the organization becomes aware, including breaches of unsecured protected health information, is investigated as outlined in the organization's incident management process and reported to the impacted covered entity as stipulated in contractual agreements.
3. Business associate contracts with subcontractors.
The requirements apply to the contract or other arrangement between a business associate and a subcontractor required by 45 CFR § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.
Smile Digital Health ensures that any subcontractor that creates, receives, maintains, or transmits electronic protected health information on its behalf is in compliance with the applicable requirements of the privacy and security rules in accordance with 45 CFR § 164.308(b)(2), as required by 45 CFR § 164.308(b)(4).
VI. Policies, Procedures and Documentation Requirements
A covered entity or business associate must, in accordance with § 164.306:
1. Policies and procedures.
Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in 45 CFR § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
Smile Digital Health has implemented reasonable and appropriate policies and procedures required by the Security Rule. Policies and procedures are modified as necessary to meet the changing needs of the organization; changes made are documented and implemented in accordance with the Security Rule standards as specified in 45 CFR § 164.306(b)(2)(i), (ii), (iii), and (iv).
2. Documentation.
Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form and, if an action, activity or assessment is required to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
Smile Digital Health has implemented and maintains policies and procedures to comply with documentation standard 45 CFR § 164.316(b)(1). If an action, activity or assessment is required to be documented, a written record of the action, activity, or assessment is maintained by the organization.
3. Time limit.
Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
Smile Digital Health complies with the minimum 6-year retention period for required documentation under the Security Rule. Any documentation retained by the company longer than 6 years will be based on state law, obligations stipulated in written contractual agreements, or other business-related reasons.
4. Availability.
Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
Where applicable, the organization will make documentation available in printed manuals and/or on Intranet/company websites.
5. Updates.
Review documentation periodically and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
Smile Digital Health manages its documentation to ensure it reflects the current status of its security plans and procedures. The organization reviews all relevant documentation on an annual basis and makes updates as needed in response to environmental or operational changes that could impact the security of EPHI.