Security Policy
Created April 2023

This policy documents Ahava Nutrition, LLC’s (“Organization”) written policies and procedures to protect patient electronic protected health information (“e-PHI”) under the HIPAA Security Rule and in compliance with 45 CFR §§ 164.302–164.316. Definitions, unless otherwise noted, comport with 45 CFR § 164.304.
Security Policies—The Organization shall:
1) Ensure the confidentiality, integrity, and availability of all e-PHI that the Organization creates, receives, maintains, or transmits;
2) Protect against reasonably anticipated threats or hazards to the security or integrity of such information;
3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by law; and
4) Ensure compliance with these policies and procedures by its workforce.
Disclosure and Use of e-PHI—The Organization shall use and disclose e-PHI only as permitted by law or as authorized by a patient, as detailed in the Organization’s HIPAA Privacy Policy. The Organization shall obtain and document satisfactory assurances from business associates with which the Organization shares e-PHI that such business associates shall appropriately safeguard e-PHI in compliance with applicable law. Nevertheless, the Organization cannot guarantee that business associates and other medical practitioners, insurers, and third parties with which the Organization may share e-PHI, as permitted or required by law, are in compliance with HIPAA or other applicable laws.
Security Management Process—The Organization has completed a risk analysis and has implemented the security measures detailed in this document. As a solo-practitioner operation, the Organization’s sanction policy is limited to the Recordkeeping and Notification provisions below and to the periodic reviews of these security policies and procedures described in the Applicability, Review, and Revision provision. For the same reason, the Organization’s information system activity review is reasonably and appropriately limited to maintaining the security measures detailed in this document and to maintaining the Recordkeeping and Applicability, Review, and Revision provisions below.
Assigned Security Responsibility—The Organization’s solo practitioner shall serve as the security official responsible for the development and implementation of the policies and procedures in this document and required by law.

Workforce Security and Information Access Management—As a solo-practitioner operation whose workforce consists solely of the practitioner, authorization and/or supervision, workforce clearance procedures, termination procedures, isolating health care clearinghouse functions, access authorization, and access establishment and modification are neither reasonable nor appropriate to protect e-PHI.

Security Awareness and Training—The Organization’s solo practitioner shall maintain security awareness and training by staying current with industry practice and standards as reasonable and appropriate. The Organization shall maintain standard, up-to-date protection against malicious software, shall practice sound password management, and shall periodically apply security updates. As a solo-practitioner operation, log-in monitoring is neither reasonable nor appropriate, in consideration of the minimal risk of unauthorized access to workstations.
Security Incident Procedures—The Organization shall take reasonable and appropriate steps to prevent and mitigate security incidents. In the event of a breach of unsecured PHI, the Organization shall provide notice to the Secretary of Health and Human Services and to affected individuals as required by 45 CFR § 164.400 et seq. and Massachusetts General Law (MGL) ch. 93H § 3. The Organization shall notify without unreasonable delay each individual whose unsecured PHI has been, or is reasonably believed to have been, part of a breach, according to the notification specifications of 45 CFR § 164.404 and MGL ch. 93H § 3. The Organization shall notify the Secretary of Health and Human Services of such a breach according to the provisions of 45 CFR § 164.408. The Organization shall maintain records of suspected and known security incidents as required by law.
Contingency Plan—The Organization shall maintain measures to protect and restore data in the event of an emergency or disaster. This shall include maintaining backups of e-PHI for the purposes of data backup, disaster recovery, and emergency operations. The Organization shall periodically test and revise this plan. In an emergency affecting specific applications or data access, critical operations shall be maintained through communication with patients and their healthcare providers. The Organization’s security contingency plan may involve consultation with legal and information technology support to the extent that it is reasonable and appropriate.
Facility Access Controls—As a wholly telehealth operation, facility access controls are neither reasonable nor appropriate for the Organization, as the Organization does not maintain a facility.
Workstation Use and Security—The Organization shall maintain a single workstation or minimal set of workstations at which all functions are performed and at which e-PHI is accessed. The workstation(s) shall be maintained in private surroundings. As a solo-practitioner operation that does not maintain a facility, physical safeguards to restrict access to workstations shall primarily consist of the standard physical barriers preventing access to a building, together with password protection and other standard cybersecurity barriers.
Device and Media Controls—Hardware and electronic media shall be under the sole custody of the solo practitioner of the Organization. E-PHI and/or hardware or electronic media on which it is stored shall be disposed of when no longer in use and no longer required to be maintained by law, using reasonable and appropriate means including but not limited to using secure data erasure software. E-PHI shall be fully erased from electronic media before the media are made available for re-use. As a solo-practitioner operation, it is neither reasonable nor appropriate for the Organization to maintain a record of the movements of hardware and electronic media or the person responsible. Movement of equipment shall be minimal, and e-PHI shall be subject to secure data backup and storage.

Access Control and Audit Controls—Access to electronic information systems maintaining e-PHI shall be restricted by means of user identification maintained by the Organization’s solo practitioner. In an emergency, information may be accessed by the practitioner through a substitute workstation and/or by accessing backed-up e-PHI. Automatic logoff, encryption, and decryption mechanisms shall be maintained as available through the Organization’s hardware and software. The Organization shall record and review as necessary any authorized or unauthorized access to information systems that contain or use e-PHI.
Integrity and Authentication—The Organization shall protect e-PHI from improper alteration or destruction by upholding the policies and procedures detailed in this document, including restricting physical access to hardware by unauthorized users, password-protecting hardware, maintaining adequate and up-to-date threat protection software, and encrypting and backing up e-PHI. In the event of any indication of unauthorized access, data loss, or data degradation, the Organization shall check against backed-up e-PHI and corroborate with patients and their healthcare providers, as necessary, to confirm that e-PHI has not been altered or destroyed, and to restore e-PHI if necessary.
Person or Entity Authentication—Internal access to e-PHI shall be restricted to the Organization’s solo practitioner. The identities of external persons and entities seeking access to e-PHI shall be verified by communication with patients and their representatives, and/or by communication with healthcare providers and business associates.
Transmission Security—The Organization shall strive to prevent unauthorized access to e-PHI being transmitted over an electronic communications network by using secure patient portals and other secure communications methods, as well as common-sense verification of identities and communication security measures. Improper modification of electronically transmitted e-PHI shall be prevented by communication with patients and health care providers to ensure veracity of information, as well as by the security measures described in this document. E-PHI shall be encrypted when reasonable and appropriate using the Organization’s software and other data services.
Business Associate Contracts—The Organization shall establish with business associates and subcontractors satisfactory contractual assurances that business associates and subcontractors shall appropriately safeguard e-PHI in compliance with applicable law, including the provisions of 45 CFR § 164.314. Such contracts shall include provisions that business associates and subcontractors shall report to the Organization any security incident of which they become aware, including breaches of unsecured PHI, that may affect the Organization or the Organization’s patients.
Recordkeeping—The Organization shall maintain e-PHI as long as it is in use and as long as required by law, after which it shall be disposed of according to the policies and procedures herein. The Organization shall maintain records of material actions, activities, and assessments related to security, including of any security incidents or losses of data. The Organization shall maintain this document and its versions, as well as records of security actions, activities, and assessments required by law, for six years from the date of creation or the date when it last was in effect, whichever is later. Documentation shall be available to the solo practitioner, who is solely responsible for implementing the policies and procedures herein.
Applicability, Review, and Revision—This document is not intended to be an exhaustive record of all security measures maintained by the Organization. These policies and procedures are periodically reviewed and updated by the Organization to ensure compliance with law, adequacy, and relevance, and in response to environmental or operational changes affecting the security of the Organization and e-PHI. The Organization reserves the right to change this policy at any time, as is permitted by law.