Information Security Policy
Last updated February 10, 2025

1. Purpose
The purpose of this Information Security Policy is to establish measures to protect the confidentiality, integrity, and availability of sensitive patient and business data at BeyondRehab. This policy ensures compliance with industry standards, regulatory requirements (such as HIPAA), and contractual obligations with partners. BeyondRehab implements reasonable security measures to mitigate risks but acknowledges that absolute security cannot be guaranteed against unforeseen cyberattacks or third-party failures.

2. Scope
This policy applies to all BeyondRehab personnel and third-party vendors who handle or access sensitive information, including electronic protected health information (ePHI), personally identifiable information (PII), and business data.

3. Responsibilities
- Owner/Management: Ensures compliance with security policies and provides necessary resources within reasonable capacity.
- Personnel: Follow security protocols, report security incidents, and protect sensitive information.
- Third-Party Vendors: Must adhere to contractual security requirements but remain responsible for their own compliance.

4. General Disclaimer
BeyondRehab takes reasonable steps to implement security measures and mitigate risks; however, it cannot be held responsible for security incidents, breaches, or failures beyond its direct control. This includes but is not limited to third-party vendor security issues, unforeseen cyberattacks, user negligence, and software vulnerabilities. The provisions in this policy reflect BeyondRehab's commitment to reasonable security practices but do not serve as a guarantee against all possible threats.

5. Data Protection and Access Control
- Access to ePHI and PII is granted on a need-to-know basis.
- Multi-factor authentication (MFA) is required for access to critical systems where feasible.
- All patient data must be encrypted in transit and at rest.
- Remote work environments should implement reasonable security measures, such as secure internet connections and endpoint security solutions, as appropriate.
- Users are responsible for safeguarding their access credentials and ensuring secure usage to prevent unauthorized access incidents.

6. Network and System Security
- All virtual systems handling ePHI must be protected by cloud security measures, including firewalls and antivirus software.
- Regular security patches and updates must be applied to all virtual platforms and cloud-based applications.
- While BeyondRehab takes reasonable precautions, security vulnerabilities in third-party software or cloud services remain outside its direct control.

7. Virtual Security Measures
- Secure cloud storage solutions must be used to store all patient and business data.
- Remote desktop and collaboration tools must have end-to-end encryption.
- Access to sensitive data must be logged and monitored where feasible.

8. Security Awareness and Training
- Security awareness guidelines will be provided upon engagement with BeyondRehab.
- Users must exercise caution against cybersecurity threats such as phishing.
- BeyondRehab will provide general security best practices but is not responsible for individual compliance failures.

9. Incident Response and Reporting
- All security incidents, including suspected breaches, must be reported to the designated administrator.
- BeyondRehab will take reasonable steps to investigate incidents and engage external professionals if necessary.

10. Vendor and Third-Party Security
- Vendors handling sensitive data must sign a Business Associate Agreement (BAA) and comply with HIPAA requirements.
- BeyondRehab will conduct reasonable due diligence before engaging third-party vendors.

11. Compliance and Auditing
- BeyondRehab will take reasonable steps to ensure security compliance but does not guarantee adherence at all times.
- BeyondRehab will comply with HIPAA, state, and federal regulations to the best of its ability within reasonable resources.

12. Policy Review and Updates
- This policy will be reviewed and updated as necessary, but BeyondRehab cannot guarantee protection against all security threats.
- Changes to security policies will be communicated as needed.

Approval and Acknowledgment
Through this policy, BeyondRehab commits to implementing reasonable security measures to protect patient and business data. All personnel must acknowledge this policy as a condition of their engagement.
For any questions regarding this policy, contact us at info@beyondrehab.health.