risk_management_policy.md

File metadata and controls

38 lines (29 loc) · 4.01 KB

Risk Management Policy

This policy establishes the scope, objectives, and procedures of BloomAPI's information security risk management process. The risk management process is intended to support and protect the organization and its ability to fulfill its mission.

Applicable Standards from the HITRUST Common Security Framework

  • 03.a - Risk Management Program Development
  • 03.b - Performing Risk Assessments
  • 03.c - Risk Mitigation

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(1)(ii)(A) - HIPAA Security Rule Risk Analysis
  • 164.308(a)(1)(ii)(B) - HIPAA Security Rule Risk Management
  • 164.308(a)(8) - HIPAA Security Rule Evaluation

Risk Management Policies

  1. It is the policy of BloomAPI to conduct thorough and timely risk assessments of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) (and other confidential and proprietary electronic information) it stores, transmits, and/or processes for its Customers, and to develop strategies to efficiently and effectively mitigate the risks identified in the assessment process as an integral part of BloomAPI's information security program.
  2. Risk analysis and risk management are recognized as important components of BloomAPI's corporate compliance program and information security program in accordance with the Risk Analysis and Risk Management implementation specifications within the Security Management standard and the evaluation standards set forth in the HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(i), and 164.308(a)(8).
    1. Risk assessments are done throughout product life cycles:
      1. Before the integration of new system technologies and before changes are made to BloomAPI physical safeguards; and
        • These changes do not include routine updates to existing systems, deployments of new systems created based on previously configured systems, deployments of new Customers, or new code developed for operations and management of the BloomAPI Platform.
      2. While making changes to BloomAPI physical equipment and facilities that introduce new, untested configurations.
    2. BloomAPI performs periodic technical and non-technical assessments of the Security Rule requirements, as well as assessments in response to environmental or operational changes affecting the security of ePHI.
  3. BloomAPI implements security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:
    1. Ensure the confidentiality, integrity, and availability of all ePHI BloomAPI receives, maintains, processes, and/or transmits for its Customers;
    2. Protect against any reasonably anticipated threats or hazards to the security or integrity of Customer ePHI;
    3. Protect against any reasonably anticipated uses or disclosures of Customer ePHI that are not permitted or required; and
    4. Ensure compliance by all workforce members.
  4. Any risk remaining (residual risk) after other risk controls have been applied requires sign-off by senior management and BloomAPI's Security Officer.
  5. All BloomAPI workforce members are expected to fully cooperate with all persons charged with doing risk management work, including contractors and audit personnel. Any workforce member who violates this policy will be subject to disciplinary action based on the severity of the violation according to BloomAPI's policies, as outlined in the BloomAPI Policy Management Policy.
  6. The implementation, execution, and maintenance of the information security risk analysis and risk management process are the responsibility of BloomAPI's Security Officer (or other designated employee) and the identified Risk Management Team.
  7. All risk management efforts, including decisions on which controls to put in place and which not to put in place, are documented, and the documentation is maintained for six years.

Process Documentation

Maintain documentation of all risk assessment, risk management, and risk mitigation efforts for a minimum of six years.