14 changes: 10 additions & 4 deletions 3rd_party_policy.md
Expand Up @@ -27,10 +27,16 @@ BloomAPI makes every effort to assure all 3rd party organizations are compliant
4. A standard business associate agreement with Customers and Partners is defined and includes the required security controls in accordance with the organization's security policies. Additionally, responsibility is assigned in these agreements.
5. BloomAPI has Service Level Agreements (SLAs) with Subcontractors with an agreed service arrangement addressing liability, service definitions, security controls, and aspects of services management.
* BloomAPI utilizes monitoring tools to regularly evaluate Subcontractors against relevant SLAs.
6. Subcontractors that create, receive, maintain, or transmit PHI or Part 2 records for BloomAPI must enter into written agreements requiring restrictions, conditions, and safeguards at least as protective as those applicable to BloomAPI. These agreements must include breach reporting obligations, return or destruction obligations, and restrictions on redisclosure.
7. Third parties are unable to make changes to any BloomAPI infrastructure without explicit permission from BloomAPI. Additionally, no BloomAPI Customers or Partners have access outside of their own environment, meaning they cannot access, modify, or delete anything related to other 3rd parties.
8. Whenever outsourced development is utilized by BloomAPI, all changes to production systems will be approved and implemented by BloomAPI workforce members only. All outsourced development requires a formal contract with BloomAPI.
9. BloomAPI maintains and annually reviews a list all current Partners and Subcontractors.
10. BloomAPI assesses security requirements and compliance considerations with all Partners and Subcontracts.
9. BloomAPI maintains and annually reviews a list of all current Partners and Subcontractors.
10. BloomAPI assesses security requirements and compliance considerations with all Partners and Subcontractors.
11. Regular review is conducted as required by SLAs to assure security and compliance. These reviews include reports, audit trails, security events, operational issues, failures and disruptions, and identified issues are investigated and resolved in a reasonable and timely manner.
13. Any changes to Partner and Subcontractor services and systems are reviewed before implementation.
14. For all partners, BloomAPI reviews activity annually to assure partners are in line with SLAs in contracts with BloomAPI.
12. Any changes to Partner and Subcontractor services and systems are reviewed before implementation.
13. For all partners, BloomAPI reviews activity annually to assure partners are in line with SLAs in contracts with BloomAPI.
14. BloomAPI maintains an inventory of third-party services that may create, receive, maintain, or transmit PHI or Part 2 records, including the service purpose, type of data involved, agreement status, and review date.
15. New subprocessors must be reviewed for PHI and Part 2 exposure, agreement status, data categories, retention, breach notice commitments, and security controls before use with regulated Customer data.
16. Tools or subprocessors that are not authorized for PHI or Part 2 records may not receive PHI, Part 2 records, patient identifiers, message bodies, patient names, clinical content, or other regulated Customer data.

Current subprocessors and related service review status are maintained in [Subprocessors](subprocessors.md).
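Review bot: Items 9 and 14 now describe two separate records of third parties (an annually reviewed "list of all current Partners and Subcontractors" and a new "inventory of third-party services" with purpose, data type, agreement status and review date), and the closing sentence points to a third, `subprocessors.md`. State that these are one record, or say which is authoritative, so the annual review in item 9 and the review date in item 14 cannot drift apart. Item 15 should also name who performs the pre-use review (the Security Officer or Privacy Officer, as elsewhere in this change set) and where its result is recorded, otherwise "must be reviewed ... before use" has no owner.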
8 changes: 5 additions & 3 deletions README.md
@@ -1,13 +1,13 @@
# HIPAA Compliance Policies

Our policies have been written with modern, cloud-based technology vendors in mind. We looked far and wide for policy
examples that fit our company, and couldn't find any. So we wrote our own. Importantly, these policies have been through
three external audits--two HIPAA audits, and one HITRUST audit.
examples that fit our company, and couldn't find any. So we wrote our own. These policies are internally maintained and
reviewed at least annually by our Security Officer and Privacy Officer.

## Policy Index

* [Introduction](introduction.md)
* [HIPAA Inheritance for BloomText Customers](hipaa_inheritance.md)
* [BloomText Shared Responsibility Matrix](shared_responsibility_matrix.md)
* [Policy Management Policy](policy_management_policy.md)
* [Risk Management Policy](risk_management_policy.md)
* [Roles Policy](roles_policy.md)
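Review bot: The new sentence replaces a verifiable claim (three external audits) with an internal cadence ("reviewed at least annually by our Security Officer and Privacy Officer") that a reader cannot check from this page. Consider recording the date of the most recent review next to it, or pointing to the Policy Management Policy in the index below, which is where that cadence should be defined.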
Expand All @@ -18,6 +18,7 @@ three external audits--two HIPAA audits, and one HITRUST audit.
* [Facility Access Policy](facility_access_policy.md)
* [Incident Response Policy](incident_response_policy.md)
* [Breach Policy](breach_policy.md)
* [Part 2 SUD Records Policy](part_2_sud_records_policy.md)
* [Disaster Recover Policy](disaster_recovery_policy.md)
* [Disposable Media Policy](disposable_media_policy.md)
* [IDS Policy](ids_policy.md)
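Review bot: While this hunk touches the index, fix the adjacent entry "Disaster Recover Policy", which should read "Disaster Recovery Policy" to match the linked file `disaster_recovery_policy.md`.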
Expand All @@ -27,6 +28,7 @@ three external audits--two HIPAA audits, and one HITRUST audit.
* [Employees Policy](employees_policy.md)
* [Approved Tools Policy](approved_tools_policy.md)
* [3rd Party Policy](3rd_party_policy.md)
* [Subprocessors](subprocessors.md)
* [Key Definitions](key_definitions.md)
* [BloomAPI HIPAA Business Associate Agreement ("BAA")](bloomapi_hipaa_business_associate_agreement.md)
* [HIPAA Mappings to BloomAPI Controls](hipaa_mapping_to_bloomapi_controls.md)
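Review bot: `subprocessors.md` is described in the 3rd Party Policy change as a maintained list with review status, not a policy, yet it is listed under "Policy Index" with no distinction. A label such as "Subprocessors (inventory and review status)" would keep readers from treating a living list as policy text.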
6 changes: 5 additions & 1 deletion approved_tools_policy.md
@@ -1,3 +1,7 @@
# Approved Tools Policy

BloomAPI utilizes a suite of approved software tools for internal use by workforce members. These software tools are either self-hosted, with security managed by BloomAPI, or they are hosted by a Subcontractor with appropriate business associate agreements in place to preserve data integrity. Use of other tools requires approval from BloomAPI leadership.
BloomAPI utilizes a suite of approved software tools for internal use by workforce members. These software tools are either self-hosted, with security managed by BloomAPI, or they are hosted by a Subcontractor with appropriate business associate agreements and, where applicable, Part 2 or qualified service organization terms in place to preserve data integrity and confidentiality. Use of other tools requires approval from BloomAPI leadership.

Workforce members may not enter PHI, ePHI, Part 2 records, Customer credentials, incident details containing identifiers, or other regulated Customer data into unapproved tools, including generative AI tools, ticketing systems, messaging systems, analytics tools, debugging services, or file sharing services. Emergency use of an unapproved tool requires documented approval by the Security Officer or Privacy Officer and must be reviewed after the emergency.

Workforce members must access systems containing PHI, ePHI, or Part 2 records using a BloomAPI-managed browser (Google Workspace-managed Chrome signed in with a BloomAPI account), in which browser extensions are restricted by default to an administrator-approved allowlist. Installing or using browser extensions outside that allowlist on any profile used to access regulated Customer data is prohibited, and the same emergency-approval and post-review process described above applies to any exception.
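Review bot: The emergency exception in the second paragraph is ambiguous in scope: the preceding sentence prohibits entering PHI, ePHI or Part 2 records into unapproved tools, and "Emergency use of an unapproved tool" does not say whether the exception also lifts that data restriction or only permits the tool for non-regulated data. Say which it is, and say where the Security Officer's or Privacy Officer's approval and the post-emergency review are recorded and within what time the review must happen. The same gap applies to the browser-extension exception in the third paragraph, which reuses this process by reference.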
51 changes: 36 additions & 15 deletions auditing_policy.md
Expand Up @@ -26,12 +26,12 @@ This policy applies to all BloomAPI Add-on systems, that store, transmit, or pro

## Applicable Standards from the HIPAA Security Rule

* 45 CFR § 164.308(a)(1)(ii)(D) - Information System Activity Review
* 45 CFR § 164.308(a)(5)(ii)(B) & (C) - Protection from Malicious Software & Log-in Monitoring
* 45 CFR § 164.308(a)(2) - HIPAA Security Rule Periodic Evaluation
* 45 CFR § 164.312(b) - Audit Controls
* 45 CFR § 164.312(c)(2) - Mechanism to Authenticate ePHI
* 45 CFR § 164.312(e)(2)(i) - Integrity Controls
* 45 CFR § 164.308(a)(1)(ii)(D) - Information System Activity Review
* 45 CFR § 164.308(a)(5)(ii)(B) & (C) - Protection from Malicious Software & Log-in Monitoring
* 45 CFR § 164.308(a)(2) - HIPAA Security Rule Periodic Evaluation
* 45 CFR § 164.312(b) - Audit Controls
* 45 CFR § 164.312(c)(2) - Mechanism to Authenticate ePHI
* 45 CFR § 164.312(e)(2)(i) - Integrity Controls

# Auditing Policies

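Review bot: The six "45 CFR §" lines are removed and re-added with no visible textual change, so this hunk is a whitespace or character-encoding change only. Mention that in the commit message, or drop it from this change set, so reviewers do not have to diff the lines character by character to confirm nothing substantive moved.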
Expand All @@ -45,7 +45,7 @@ This policy applies to all BloomAPI Add-on systems, that store, transmit, or pro
* Application: Application level audit trails generally monitor and log all user activities, including data accessed and modified and specific actions.
* System: System level audit trails generally monitor and log user activities, applications accessed, and other system defined specific actions. BloomAPI utilizes file system monitoring from OSSEC to assure the integrity of file system data.
* Network: Network level audit trails generally monitor information on what is operating, penetrations, and vulnerabilities.
3. BloomAPI shall log all incoming and outgoing traffic to into and out of its environment. This includes all successful and failed attempts at data access and editing. Data associated with this data will include origin, destination, time, and other relevant details that are available to BloomAPI.
3. BloomAPI maintains logs from current audit and security event sources appropriate to the service. These logs may include HTTP/WAF traffic, system events, authentication and access events, monitoring alerts, error events, and incident investigation records depending on the system and configuration.
4. BloomAPI leverages process monitoring tools throughout its environment.
5. BloomAPI shall identify "trigger events" or criteria that raise awareness of questionable conditions of viewing of confidential information. The "events" may be applied to the entire BloomAPI Platform or may be specific to a Customer, partner, business associate, Platform Add-on or application (See Listing of Potential Trigger Events below).
6. BloomAPI's Security Officer and Privacy Officer are authorized to select and use auditing tools that are designed to detect network vulnerabilities and intrusions. Such tools are explicitly prohibited by others, including Customers and Partners, without the explicit authorization of the Security Officer. These tools may include, but are not limited to:
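Review bot: The new item 3 replaces a commitment ("shall log all incoming and outgoing traffic ... all successful and failed attempts at data access and editing") with a description of what logs "may include ... depending on the system and configuration". Since 45 CFR § 164.312(b) Audit Controls is listed as applicable above, the policy still needs a binding minimum; keep the descriptive list but precede it with what is always logged for systems that handle ePHI (at least access to and modification of ePHI, and authentication successes and failures), and leave "may include" for the optional sources.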
Expand Down Expand Up @@ -89,9 +89,31 @@ This policy applies to all BloomAPI Add-on systems, that store, transmit, or pro

## Audit Log Security Controls and Backup

4. Audit logs shall be protected from unauthorized access or modification, so the information they contain will be made available only if needed to evaluate a security incident or for routine audit activities as outlined in this policy.
5. All audit logs are encrypted in transit and at rest to control access to the content of the logs.
6. Audit logs shall be stored on a separate system to minimize the impact auditing may have on the privacy system and to prevent access to audit trails by those with system administrator privileges. This is done to apply the security principle of "separation of duties" to protect audit trails from hackers.
1. Audit logs shall be protected from unauthorized access or modification, so the information they contain will be made available only if needed to evaluate a security incident or for routine audit activities as outlined in this policy.
2. Audit logs are encrypted in transit and at rest where supported by the logging system and hosting environment.
3. Audit logs should be stored or protected in a manner that limits the ability of production system administrators to alter audit evidence without detection.

## Current Audit and Security Event Sources

BloomAPI currently uses the following sources for audit, monitoring, and security event review:

1. Google Cloud Armor HTTP and WAF logs for network and application-edge traffic visibility.
2. Server and machine logs for system activity, service behavior, and authentication events where available.
3. Customer account login and access events where available in application records.
4. Database records that track last activity for Customer accounts.
5. Grafana alerts for operational and security-relevant monitoring events.
6. Sentry alerts and error events for application diagnostics.
7. Incident tickets, investigation notes, and breach analysis records created during security or privacy investigations.

## Recommended Audit Log Gaps and TODOs

The following items must be verified before they are represented as completed audit controls:

1. Confirm whether GCP Cloud Audit Logs are enabled and retained for IAM, administrative, and configuration changes.
2. Confirm whether BloomAPI stores explicit login history or only last-activity records.
3. Confirm whether support or administrator access to Customer accounts is logged separately.
4. Confirm whether failed login and MFA events are logged and retained.
5. Confirm whether production deploy and change logs are retained for audit review.

## Workforce Training, Education, Awareness and Responsibilities

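Review bot: Items 2 and 3 of "Audit Log Security Controls and Backup" downgrade binding controls to conditional ones: "encrypted in transit and at rest" becomes "where supported by the logging system", and "shall be stored on a separate system" becomes "should be stored or protected in a manner that limits ...", while item 1 in the same list keeps "shall". Keep "shall" and name the specific sources that cannot currently meet it as documented exceptions, rather than an open-ended qualifier that any future system can fall under. The "Recommended Audit Log Gaps and TODOs" list also needs an owner and a target date per item, otherwise "must be verified before they are represented as completed" has no trigger; tracking these in the risk register with a reference here would keep the policy body free of task lists.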
Expand All @@ -110,11 +132,10 @@ This policy applies to all BloomAPI Add-on systems, that store, transmit, or pro

## Retention of Audit Data

1. Audit logs shall be maintained based on organizational needs. There is no standard or law addressing the retention of audit log/trail information. Retention of this information shall be based on:
A. Organizational history and experience.
B. Available storage space.
1. Reports summarizing audit activities shall be retained for a period of six years.
3. Log data is currently retained and readily accessible for a 1-month period. Beyond that, log data is available via cold backup.
1. Raw operational log retention depends on the logging source, system configuration, storage limits, and security needs. BloomAPI verifies each current log source before representing a final retention period as a completed control.
2. Reports summarizing audit activities shall be retained for a period of six years.
3. Security incident records, breach investigation documentation, risk assessments, access review evidence, and policy records are retained according to the applicable policy and legal/compliance requirements.
4. Raw operational logs are distinct from legal and compliance records. A six-year documentation requirement does not mean every raw machine or application log is retained for six years.

## Potential Trigger Events

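Review bot: The removed item 3 stated a concrete retention window ("readily accessible for a 1-month period", then cold backup); the new item 1 replaces it with a verification process and no figure, so the policy now gives an incident responder no idea what evidence window exists. State the minimum retention that can currently be guaranteed per source, even if it is short, and keep item 1's verification language for the final figure. The renumbering itself is correct (the old list had two "1." entries).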