AccuCode AI Security Practices and Policies

Welcome to the AccuCode AI Security Practices and Policies homepage. As a company processing sensitive healthcare data, we prioritize the security and privacy of the information entrusted to us. This page serves as a central hub for our comprehensive security policies and practices.

Key Areas of Focus

  1. Basic Policies: Foundational policies, including Acceptable Use, Privacy, and Artificial Intelligence Policies, guide our employees in their daily activities.

  2. Access Control and User Policies: Strict access control measures and user policies ensure that only authorized personnel can access sensitive data.

  3. Data Protection and Privacy: We have implemented data breach response policies, encryption key protection measures, and stringent workstation security practices to protect sensitive information.

  4. Network and Communication Security: Our network infrastructure is fortified with advanced security measures, including malware protection, server security policies, and secure communication protocols.

  5. Operational Security and Compliance: We maintain a strong focus on operational security and regulatory compliance, covering server audits, risk assessments, and adherence to industry standards.

  6. Incident Response and Continuity: Well-defined incident response plans and disaster recovery procedures are in place to ensure the resilience of our operations.

  7. Security Logging and Monitoring: Robust logging and monitoring practices are employed to detect and respond to potential security threats promptly.

Employee Responsibility

Every AccuCode AI employee plays a crucial role in upholding our security practices and policies. Regular training and awareness programs ensure that our team members are well-versed in security best practices.

For more detailed information on specific security policies, please refer to the index provided on this page. If you have any questions or concerns regarding our security practices, please contact our InfoSec team at security@accucodeai.com.

Subsections of AccuCode AI Security Practices and Policies

Chapter 1

Basic Policies

AccuCode AI Inc. is committed to protecting the privacy and security of the sensitive healthcare data we process. To ensure responsible and ethical practices across our organization, we have established the following key policies:

All employees, contractors, and third parties with access to AccuCode AI systems and data are required to review, understand, and abide by these policies. Failure to comply may result in disciplinary action. If you have any questions, please contact the InfoSec team at security@accucodeai.com.

Subsections of Basic Policies

Acceptable Use Policy

Version 1.0.3 | Last Updated 2024-04-01 | APPROVED

1. Overview

AccuCode AI is dedicated to safeguarding its employees, partners, and the company from illegal or harmful actions, whether intentional or unintentional. This policy applies to all internet/intranet/extranet-related systems, which include but are not limited to:

  • Computer equipment
  • Mobile devices
  • Software
  • Operating systems
  • Storage media
  • Network accounts providing electronic mail, internet browsing, and FTP

These systems are the property of AccuCode AI and are intended to be used for business purposes that serve the interests of the company, our clients, and customers during normal operations.

Effective security requires the participation and support of every employee and affiliate who interacts with information and/or information systems. It is the responsibility of each computer user to understand and adhere to these guidelines in their daily activities.

2. Purpose

The purpose of this policy is to outline the acceptable use of computer equipment and other electronic devices at AccuCode AI. These rules are in place to protect the employee and AccuCode AI. Inappropriate use exposes AccuCode AI to cyber risks including virus attacks, ransomware, compromise of network systems and services, data breaches, and legal issues.

3. Scope

This policy applies to the use of information, electronic and computing devices, and network resources to conduct business or interact with internal networks and business systems, whether owned or leased by AccuCode AI, the employee, or a third party. All employees, contractors, consultants, temporary, and other workers at AccuCode AI and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with AccuCode AI policies and standards, and local laws and regulations.

This policy applies to employees, contractors, consultants, temporaries, and other workers at AccuCode AI, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by AccuCode AI.

4. Policy

4.1 General Use and Ownership

  1. AccuCode AI proprietary information stored on electronic and computing devices, whether owned or leased by AccuCode AI, the employee, or a third party, remains the sole property of AccuCode AI. You must ensure through legal or technical means that proprietary information is protected in accordance with the Data Protection Standard.

  2. You have a responsibility to promptly report the theft, loss, or unauthorized disclosure of AccuCode AI proprietary information.

  3. You may access, use, or share AccuCode AI proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties.

  4. Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should consult their supervisor or manager.

  5. For security and network maintenance purposes, authorized individuals within AccuCode AI may monitor equipment, systems, and network traffic at any time, per Infosec’s Audit Policy.

  6. AccuCode AI reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

4.2 Security and Proprietary Information

  1. All mobile and computing devices that connect to the internal network must comply with the Minimum Access Policy.

  2. System level and user level passwords must comply with the Password Policy. Providing access to another individual, whether deliberately or by failing to secure your own credentials, is prohibited.

  3. All computing devices must be secured with a password-protected lock screen with the automatic activation feature set to 10 minutes or less. You must lock the screen or log off when the device is unattended.

  4. Postings by employees from an AccuCode AI email address to newsgroups or other online platforms should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of AccuCode AI, unless the posting is made in the course of business duties.

  5. Employees must use extreme caution when opening email attachments received from unknown senders, which may contain malware.

4.3 Unacceptable Use

The following activities are prohibited. Employees may be exempted from these restrictions during their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

Under no circumstances is an employee of AccuCode AI authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing AccuCode AI-owned resources.

4.3.1 System and Network Activities

The following activities are strictly prohibited, subject only to the job-role exemptions noted above:

  1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by AccuCode AI.

  2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which AccuCode AI or the end user does not have an active license.

  3. Accessing data, a server, or an account for any purpose other than conducting AccuCode AI business, even if you have authorized access, is prohibited.

  4. Exporting software, technical information, encryption software, or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.

  5. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, ransomware, etc.).

  6. Revealing your account password/passphrase to others or allowing use of your account by others. This includes family and other household members when work is being done at home.

  7. Using a computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.

  8. Making fraudulent offers of products, items, or services originating from any AccuCode AI account.

  9. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.

  10. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless such access is within the scope of the employee’s regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, brute-forcing accounts, and forged routing information for malicious purposes.

  11. Port scanning or security scanning is expressly prohibited unless the Infosec Team has been notified in advance.

  12. Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.

  13. Circumventing user authentication or security of any host, network, or account.

  14. Introducing honeypots, honeynets, or similar technology on the AccuCode AI network.

  15. Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack).

  16. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet/Intranet/Extranet.

  17. Providing information about, or lists of, AccuCode AI employees to parties outside AccuCode AI.

4.3.2 Email and Communication Activities

  1. Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).

  2. Any form of harassment via email, telephone, text, or paging, whether through language, frequency, or size of messages.

  3. Unauthorized use, or forging, of email header information.

  4. Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies.

  5. Creating or forwarding “chain letters”, “Ponzi”, or other “pyramid” schemes of any type.

  6. Sending unsolicited email from within AccuCode AI’s networks, or from the networks of other Internet/Intranet/Extranet service providers, on behalf of, or to advertise, any service hosted by AccuCode AI or connected via AccuCode AI’s network.

  7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

4.3.3 Blogging and Social Media

  1. Blogging or posting to social media platforms by employees, whether using AccuCode AI’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Policy. Limited and occasional use of AccuCode AI’s systems to engage in blogging or other online posting is acceptable, provided that it is done in a professional and responsible manner, does not otherwise violate AccuCode AI’s policy, is not detrimental to AccuCode AI’s best interests, and does not interfere with an employee’s regular work duties. Blogging or other online posting from AccuCode AI’s systems is also subject to monitoring.

  2. AccuCode AI’s Confidential Information policy also applies to blogging. As such, Employees are prohibited from revealing any AccuCode AI confidential or proprietary information, trade secrets, or any other material covered by AccuCode AI’s Confidential Information policy when engaged in blogging.

  3. Employees shall not engage in any blogging that may harm or tarnish the image, reputation, and/or goodwill of AccuCode AI and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory, or harassing comments when blogging or otherwise engaging in any conduct prohibited by AccuCode AI’s Non-Discrimination and Anti-Harassment policy.

  4. Employees may also not attribute personal statements, opinions, or beliefs to AccuCode AI when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of AccuCode AI. Employees assume any and all risk associated with blogging.

  5. Apart from following all laws pertaining to the handling and disclosure of copyrighted or export-controlled materials, AccuCode AI’s trademarks, logos, and any other AccuCode AI intellectual property may also not be used in connection with any blogging or social media activity.

5. Policy Compliance

5.1 Compliance Measurement

The Infosec Team will verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the Infosec Team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Artificial Intelligence Policy

Version 1.0.4 | Last Updated 2023-11-06 | APPROVED

1. Introduction

AccuCode AI Inc. is committed to the responsible and ethical development and use of artificial intelligence (AI) in our products and services. As a company focused on using AI to automate and streamline healthcare billing and clinical abstraction processes, we recognize the importance of establishing clear guidelines and principles for the use of AI within our organization.

This Artificial Intelligence Policy outlines AccuCode AI’s requirements and standards for the adoption, development, and deployment of AI systems. It applies to all AccuCode AI employees, contractors, and third-party partners involved in AI-related activities.

2. Guiding Principles

  1. Compliance: AccuCode AI will comply with all applicable laws, regulations, and industry standards related to the use of AI in the healthcare sector.

  2. Ethics: AI systems developed and used by AccuCode AI will adhere to ethical principles, ensuring fairness, transparency, and the avoidance of bias.

  3. Privacy and Security: AccuCode AI will prioritize the protection of sensitive healthcare information and personal data when using AI. We will obtain Business Associate Agreements (BAAs) from any AI inference providers and host models privately whenever possible.

  4. De-identification: AccuCode AI will use de-identified information for AI development and training to protect patient privacy.

  5. Transparency: AccuCode AI will maintain transparency about the use of AI in our products and services, providing clear information to clients and stakeholders.

  6. Human Oversight: AI systems will be subject to human oversight and control, with qualified professionals monitoring and validating AI outputs.

3. AI Development and Deployment

  1. Embedded AI Tools: When using embedded AI tools in existing software, AccuCode AI employees should exercise caution and ensure that the tools align with our guiding principles and do not introduce undue risks.

  2. Model Hosting: AI models should be hosted privately whenever feasible to maintain control over data and ensure security.

  3. Data Quality: AccuCode AI will ensure that the data used for AI training and development is accurate, relevant, and representative of the intended use cases.

  4. Testing and Validation: AI systems will undergo rigorous testing and validation processes to assess their performance, fairness, and potential biases before deployment.

  5. Monitoring and Maintenance: Deployed AI systems will be continuously monitored and maintained to ensure their ongoing effectiveness, reliability, and adherence to ethical standards.

4. Prohibited Uses

AccuCode AI prohibits the use of AI systems for the following high-risk purposes:

  1. Diagnosing or treating medical conditions without human oversight and validation.
  2. Making decisions that directly impact patient care or treatment plans without human review.
  3. Analyzing or processing sensitive personal information without explicit consent and necessary safeguards.
  4. Engaging in any activities that violate privacy laws, such as HIPAA, or other applicable regulations.

5. Employee Responsibilities

  1. AccuCode AI employees involved in AI development and use must adhere to this policy and the guiding principles outlined herein.
  2. Employees should report any concerns or potential violations of this policy to their supervisor or the designated AI ethics officer.
  3. Employees must complete required training on AI ethics, privacy, and security before engaging in AI-related activities.

6. Third-Party Partnerships

  1. AccuCode AI will conduct due diligence on third-party AI providers and partners to ensure their practices align with our AI policy and guiding principles.
  2. Third-party agreements will include provisions related to data privacy, security, and ethical AI use.
  3. AccuCode AI will obtain BAAs from AI inference providers before engaging in any data sharing or processing activities.

7. Policy Enforcement and Review

  1. This AI policy will be enforced by the designated AI ethics officer and the AccuCode AI leadership team.
  2. Violations of this policy may result in disciplinary action, up to and including termination of employment or contract.
  3. This policy will be reviewed and updated annually, or as needed, to ensure its relevance and effectiveness in light of evolving AI technologies and regulations.

By establishing and adhering to this Artificial Intelligence Policy, AccuCode AI aims to harness the power of AI responsibly and ethically to improve healthcare processes while prioritizing patient privacy, data security, and the highest standards of professional conduct.

Employee Internet Use Monitoring and Filtering Policy

Version 1.0.4 | Last Updated 2024-02-22 | APPROVED

1. Purpose

The purpose of this policy is to define standards for monitoring and filtering employee internet use at AccuCode AI Inc. These measures are designed to ensure employees use the internet in a safe and responsible manner that protects sensitive healthcare data, and enables monitoring and investigation of employee web activity if needed for security incidents.

2. Scope

This policy applies to all employees, contractors, vendors and agents using an AccuCode AI-owned or personally owned computer or device connected to the company network. It covers all user-initiated web traffic and communications between AccuCode AI’s network and the internet, including web browsing, instant messaging, file transfers and sharing. Server-to-server traffic such as SMTP, backups, automated data transfers and database communications is excluded.

3. Policy

3.1 Internet Activity Monitoring

The IT department shall monitor all internet activity from devices connected to the corporate network. The monitoring system must log the source IP address, date, time, protocol, and destination site/server for all traffic. Where feasible, it should also log the User ID associated with the activity. Internet activity logs must be retained for at least 180 days.

3.2 Internet Activity Reports

General trend and activity reports will be provided to employees upon request to IT. The Computer Security Incident Response Team (CSIRT) shall have access to all reports and logs as needed for security incident investigations. Specific reports identifying users, sites, teams or devices will only be provided to HR upon written request.

3.3 Web Content Filtering

The IT department shall block access to websites and protocols deemed inappropriate for AccuCode AI’s corporate environment, including but not limited to:

  • Adult/sexually explicit content
  • Advertisements & pop-ups
  • Chat and instant messaging
  • Gambling
  • Hacking
  • Illegal drugs
  • Intimate apparel and swimwear
  • Peer-to-peer file sharing
  • Personals and dating
  • Social networking
  • SPAM, phishing and fraud
  • Spyware
  • Tasteless and offensive content
  • Violence, intolerance and hate speech
  • Web-based email

3.4 Filtering Rule Changes

IT shall periodically review and recommend changes to the web filtering rules. HR will review the recommendations and decide on any changes, which will be documented in this policy.

3.5 Filtering Exceptions

Employees may request an exception to unblock a miscategorized site by submitting an IT help desk ticket. For blocked sites that are categorized correctly, employees must submit an exception request to HR. Approved exceptions will be submitted to IT in writing. IT will unblock approved sites for that user only and maintain a log of exceptions.
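The decision logic that sections 3.3 and 3.5 describe, written out as an added example rather than AccuCode AI’s own tooling: a request is allowed when its category is not on the blocked list; a blocked category is allowed only for a user who holds an HR-approved exception for that domain, and every use of an exception is written to an exception log. The category tag strings, the domain-to-category data, the user names and the approver names are constructed for illustration and do not come from the policy; a production filter would use its vendor’s taxonomy and feed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Tags for the categories blocked in section 3.3. The tag strings themselves
# are an assumption; vendor filters each use their own taxonomy.
BLOCKED_CATEGORIES = frozenset({
    "adult", "ads", "chat-im", "gambling", "hacking", "drugs", "intimate-apparel",
    "p2p", "dating", "social-networking", "spam-phishing-fraud", "spyware",
    "offensive", "violence-hate", "webmail",
})

# Constructed categorization data standing in for a vendor feed.
CATEGORY_DB = {
    "mail.example.com": "webmail",
    "social.example.net": "social-networking",
    "ehr.example-hospital.org": "healthcare",
    "cdn.example.org": "infrastructure",
}


@dataclass(frozen=True)
class HRException:
    """An HR-approved unblock, scoped to one user and one domain (section 3.5)."""
    user: str
    domain: str
    approved_by: str
    expires: Optional[datetime] = None  # None means no expiry; otherwise a UTC datetime


@dataclass
class WebFilter:
    category_db: dict
    exceptions: list
    exception_log: list = field(default_factory=list)

    def categorize(self, host: str) -> str:
        """Walk from the full host up through its parent domains; unknown hosts are 'uncategorized'."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):          # never falls through to the bare TLD
            category = self.category_db.get(".".join(labels[i:]))
            if category:
                return category
        return "uncategorized"

    def _exception_for(self, user: str, host: str, now: datetime) -> Optional[HRException]:
        host = host.lower()
        for exc in self.exceptions:
            if exc.user != user:
                continue                          # exceptions never carry over to other users
            if host != exc.domain and not host.endswith("." + exc.domain):
                continue                          # covers the approved domain and its subdomains
            if exc.expires is not None and now >= exc.expires:
                continue                          # a lapsed approval falls back to the block
            return exc
        return None

    def decide(self, user: str, host: str, now: datetime) -> tuple[str, str]:
        """Return (action, reason) for one request; action is 'allow' or 'block'."""
        category = self.categorize(host)
        if category not in BLOCKED_CATEGORIES:
            return "allow", f"category '{category}' is not blocked"
        exc = self._exception_for(user, host, now)
        if exc is None:
            return "block", f"category '{category}' is blocked; request an exception via HR"
        # Section 3.5: every use of an exception is recorded in IT's exception log.
        self.exception_log.append({
            "time": now.isoformat(), "user": user, "host": host,
            "category": category, "approved_by": exc.approved_by,
        })
        return "allow", f"HR exception approved by {exc.approved_by}"


NOW = datetime(2024, 4, 1, 9, 0, tzinfo=timezone.utc)


def demo_filter() -> WebFilter:
    """Filter loaded with the constructed feed and two sample exceptions (one already lapsed)."""
    exceptions = [
        HRException("alice", "mail.example.com", "hr-director", NOW + timedelta(days=30)),
        HRException("bob", "social.example.net", "hr-director", NOW - timedelta(days=1)),
    ]
    return WebFilter(CATEGORY_DB, exceptions)


if __name__ == "__main__":
    f = demo_filter()
    for user, host in [("alice", "mail.example.com"), ("carol", "mail.example.com"),
                       ("bob", "social.example.net"), ("carol", "ehr.example-hospital.org")]:
        print(user, host, *f.decide(user, host, NOW))
    print(f.exception_log)
```

The two checks worth noticing are that an exception is matched on the user before anything else, so a colleague reaching the same site is still blocked, and that an expired approval is treated as absent rather than silently honoured; both are the failure modes a filter audit usually finds.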

4. Policy Compliance

4.1 Compliance Measurement

The InfoSec team will verify compliance with this policy through methods such as periodic walkthroughs, video monitoring, tool reports, audits and feedback.

4.2 Exceptions

Any policy exceptions must be approved in advance by the InfoSec team.

4.3 Non-Compliance

Violating this policy may result in disciplinary action up to and including termination of employment.

Privacy Policy

Version 1.0.3 | Last Updated 2024-02-27 | APPROVED

1. Introduction

a. Purpose of the Privacy Policy: At AccuCode AI, we are committed to protecting the privacy and security of the personal and sensitive information we process in the course of providing our AI-powered healthcare document processing services. This Privacy Policy outlines how we collect, use, disclose, and safeguard the data entrusted to us by our clients, which include hospitals, clinics, and other healthcare providers. By clearly communicating our privacy practices, we aim to foster transparency and trust with our clients and their patients.

b. AccuCode AI’s Commitment to Protecting Privacy: AccuCode AI recognizes the importance of maintaining the confidentiality and security of the healthcare data we process. We are dedicated to upholding the highest standards of privacy and complying with all applicable laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA) in the United States and other relevant data protection regulations worldwide. Our commitment to privacy is integral to our mission of revolutionizing healthcare document processing while respecting the rights and privacy of individuals.

2. Information We Collect

a. Types of personal information collected: AccuCode AI collects various types of personal information from the healthcare documents we process, including but not limited to:

  • Patient names, addresses, and contact information
  • Patient demographic information such as age, gender, and date of birth
  • Medical record numbers and patient ID numbers
  • Diagnosis, treatment, and procedure information from patient charts and records
  • Health insurance policy numbers and coverage details
  • Other protected health information (PHI) necessary to provide our data abstraction, medical coding or billing services

b. How the information is collected: The personal information processed by AccuCode AI is collected from healthcare provider organizations such as hospitals and clinics that are our customers. These providers securely transfer patient medical records, charts and other documents containing personal information to AccuCode AI. AccuCode AI does not collect personal information directly from patients.

c. Purpose for collecting the information: AccuCode AI collects and processes this personal information for the purpose of:

  • Providing our AI-powered document abstraction, medical coding and billing services to healthcare provider customers
  • Automating and streamlining the insurance claims and verifications process on behalf of our providers
  • Improving the efficiency and accuracy of medical billing and claims submission

Personal information is used only for the business purposes for which it was collected and not for other reasons.

The personal information collected is necessary for AccuCode AI to analyze medical documentation, determine appropriate insurance codes, and submit claims on behalf of healthcare providers. AccuCode AI is committed to responsibly using AI technologies to process PHI, protect individual privacy rights, and maintain the confidentiality and security of all personal data handled.

3. How We Use the Information

We use the personal and health information we collect in the following ways:

a. To provide our AI healthcare automation services: We process patient charts, medical records, and other documents provided by hospitals and clinics in order to automate and streamline insurance billing and clinical abstraction using our artificial intelligence systems. This includes extracting relevant data from the documents, analyzing it, and generating insurance claims and bills.

b. To improve our services: We use the information to continuously monitor, test, and enhance the performance, accuracy, and capabilities of our AI insurance billing platform. This allows us to optimize our algorithms, fix any issues, and develop new features that better serve the needs of our healthcare provider clients and their patients.

c. For research and development of our AI systems: The de-identified health information we process helps to train and improve our machine learning models and natural language processing capabilities. Our data science and engineering teams analyze the data to identify patterns, correlations and opportunities to make our AI smarter and expand its knowledge. We never share or allow access to our proprietary AI models outside of AccuCode AI. Furthermore, we ensure that no real patient personally identifiable information (PII) is ever incorporated into the models during training; only de-identified data is used for R&D purposes.

d. Aggregation of de-identified data for analytics: We may compile and analyze aggregated, de-identified data across our platform to uncover trends, insights and benchmarks related to insurance billing, revenue cycle management, and the healthcare industry. This statistical data cannot be used to identify any individual patient. We may share these de-identified learnings with clients, partners, or publicly.
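Section 3.c above and the De-identification principle of the Artificial Intelligence Policy both rest on the data being de-identified before it reaches a training pipeline. As an added example, not AccuCode AI’s own code, the function below applies the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)) to one extracted chart record: direct identifiers are dropped, dates directly related to the individual are reduced to the year, ages over 89 collapse into a single “90+” bucket, ZIP codes are cut to three digits (or “000” for the low-population prefixes), and identifier-shaped strings are scrubbed from free-text notes. The field names, the sample record and the patient details are constructed for illustration; the restricted ZIP prefixes are an illustrative subset of the HHS list and must be refreshed from current census data before use. Safe Harbor also requires that the covered entity have no actual knowledge that the remaining data could identify the individual, which no script can assert for you, and regex scrubbing of clinical narrative is a floor, not a guarantee.

```python
import re
from datetime import date

# Hypothetical field names for an extracted chart record; not AccuCode AI's schema.
DIRECT_IDENTIFIERS = frozenset({
    "name", "address", "phone", "email", "ssn", "mrn", "patient_id",
    "insurance_policy_number", "account_number", "ip_address",
})

# Safe Harbor keeps only the first three ZIP digits, and even those become "000"
# where the three-digit area holds 20,000 or fewer people. Illustrative subset of
# the HHS list (2000 census); refresh from current data before relying on it.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790",
    "821", "823", "830", "831", "878", "879", "884", "890", "893",
})

ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

# Identifier shapes that leak into free-text clinical notes, in the order applied.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\bMRN[:# ]*\d+\b", re.IGNORECASE), "[MRN]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix, or '000' when the prefix is restricted or malformed."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_date(value: str) -> str:
    """Reduce an ISO date to its year; anything unparseable is dropped entirely."""
    m = ISO_DATE.match(value or "")
    return m.group(1) if m else ""


def age_bucket(dob: str, as_of: date) -> str:
    """Age in whole years, except that everyone over 89 collapses into '90+'."""
    m = ISO_DATE.match(dob or "")
    if not m:
        return ""
    y, mo, d = (int(g) for g in m.groups())
    years = as_of.year - y - ((as_of.month, as_of.day) < (mo, d))
    return "90+" if years > 89 else str(years)


def scrub_free_text(text: str) -> str:
    """Replace identifier-shaped substrings in narrative text with placeholders."""
    for pattern, placeholder in FREE_TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of `record`; the input is not mutated."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                               # removed outright
        if key == "dob":
            out["age"] = age_bucket(value, as_of)  # birth date becomes an age bucket
        elif key.endswith("_date"):
            out[key] = generalize_date(value)      # admission, discharge, etc. keep the year only
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


# Constructed sample chart record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "00123456",
    "dob": "1931-05-14",
    "zip": "03601",
    "admit_date": "2024-03-02",
    "discharge_date": "2024-03-05",
    "diagnosis_codes": ["I10", "E11.9"],
    "note": "Pt called from 555-123-4567 re: follow-up on 2024-03-05. MRN 00123456.",
}
AS_OF = date(2024, 4, 1)

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, AS_OF))
```

Run against the sample record, the output keeps the diagnosis codes, the year of each encounter date, a “90+” age and a “000” ZIP prefix, and the note reads “Pt called from [PHONE] re: follow-up on [DATE]. [MRN].”; the name, MRN and birth date are gone.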

4. Information Sharing and Disclosure

At AccuCode AI, we are committed to protecting the privacy and confidentiality of the personal information entrusted to us. We do not sell any personal information to third parties under any circumstances.

We only share personal information in the following limited situations:

a. Healthcare Providers (Our Clients): We share relevant personal information with the healthcare providers who are our clients and from whom we receive patient charts and other documents for processing. This sharing is necessary to provide our AI-powered abstraction, coding & billing automation services and is carried out in compliance with applicable laws and regulations, such as HIPAA.

b. Service Providers Under Contract: We may engage trusted third-party service providers to assist us in delivering our services effectively. These service providers undergo a thorough vetting process to ensure they meet our stringent security and privacy standards, including compliance with HIPAA regulations. We require all service providers to sign a formal Business Associate Agreement (BAA) that legally obligates them to safeguard the personal information we share with them according to HIPAA laws and regulations.

Our service providers are only permitted to use the information for the specific purposes outlined in our contracts and are prohibited from using it for their own purposes or from disclosing it to others. They must implement appropriate technical, physical, and administrative safeguards to protect the confidentiality, integrity, and availability of the personal information they process on our behalf.

c. As Required by Law: In certain circumstances, we may be compelled to disclose personal information to comply with legal obligations, such as in response to a valid court order, subpoena, or government request. We will only disclose the minimum amount of information necessary to fulfill the legal requirement and will take steps to ensure the confidentiality of the data shared.

d. De-Identified or Aggregated Data: We may share de-identified or aggregated data that cannot be used to identify specific individuals with third parties for research, analysis, or other purposes. This data is stripped of all personally identifiable elements and is used in a manner that does not compromise the privacy of our business clients or their patients.

5. Data Security

a. Security Measures: AccuCode AI is committed to protecting the confidentiality, integrity, and availability of the personal information we process. We employ a comprehensive, defense-in-depth security program that includes:

  • Firewalls and intrusion detection systems to monitor and block unauthorized access attempts

  • Endpoint Detection and Response (EDR) software to detect, investigate and respond to advanced threats

  • Formal vulnerability and patch management program to identify, prioritize and remediate vulnerabilities

  • IP whitelisting and required access through Virtual Private Networks (VPNs) to reduce attack surface

  • Regular vulnerability scanning and penetration testing to identify and address security weaknesses

  • Timely installation of software patches and updates to remediate known vulnerabilities

  • Client-specific data segmentation and encryption to ensure that each client’s data is isolated and protected from unauthorized access

  • Data sovereignty measures to ensure that all data is stored and processed within the United States, in compliance with applicable laws and regulations

  • Comprehensive access logging and monitoring to track and audit all access to sensitive data, enabling detection and response to any unauthorized access attempts

  • Strict adherence to the principle of least privilege through Role-Based Access Control (RBAC), ensuring that users are granted only the minimum permissions necessary to perform their job functions

b. Data Encryption: All personal information is encrypted in transit and at rest using cryptography provided by FIPS 140-3 validated modules. We use Transport Layer Security (TLS 1.3) for data in transit and AES-256 for data at rest.

Each client’s data is segregated and encrypted with a unique client-specific key, which is rotated periodically. Encryption keys are generated using a hardware-based random number generator and stored in a secure, SOC 2 compliant key management system with strict access controls and auditing.

Our encryption practices fully comply with FIPS 140-3, HIPAA and HITRUST requirements for protecting sensitive healthcare information.

c. Backup Security and Ransomware Prevention: All client data backups are encrypted with the same strong, client-specific encryption used for data at rest. Backups are retained for 180 days and securely destroyed thereafter.

To protect against ransomware, we employ:

  • Regular backups isolated from the main network and inaccessible to unauthorized users

  • Immutable backups that cannot be altered or deleted once written

  • Strict access controls and network segmentation to contain potential attacks

  • Continuous monitoring for suspicious activity and prompt incident response

  • Disaster Recovery and Business Continuity plans to ensure data availability and integrity

d. Access Controls & Employee Training: Access to personal data is strictly limited based on least privilege principles and controlled through secure multi-factor authentication.

All employees undergo mandatory annual training on HIPAA compliance, proper handling of personal information, identifying and reporting security incidents, secure development practices, and phishing awareness. Employees must pass assessments to demonstrate understanding and retention of training content.

Employees are bound by confidentiality agreements, and any violation of our privacy and security policies results in disciplinary action up to termination.

e. Third-Party Risk Management: AccuCode AI conducts thorough due diligence and ongoing monitoring of all third-party service providers and partners with access to personal data. All vendors must adhere to strict contractual requirements for data protection.

f. Incident Response and Breach Notification: In the event of a data breach, AccuCode AI will execute our Incident Response Plan to contain the incident, assess the impact, and restore the integrity of our systems. We will notify affected clients and relevant authorities in accordance with the Arkansas Personal Information Protection Act (Ark. Code § 4-110-101 et seq.).

6. Data Retention

a. Personal Information: AccuCode AI will retain personal information only for as long as necessary to fulfill the purposes for which it was collected and to provide the services requested by our clients. Once the personal information is no longer needed for these purposes, we will securely delete or anonymize the data in accordance with our data destruction policies and applicable laws and regulations.

b. De-Identified Information: In order to improve our services and advance our research and development efforts, AccuCode AI may retain de-identified information derived from the processed healthcare documents for a longer period. This de-identified information will have all personally identifiable elements removed, so that it cannot reasonably be associated with any specific individual. The retention of de-identified information will be in compliance with applicable laws and regulations, and will be used solely for the purposes of enhancing our AI algorithms, conducting research, and improving our service offerings.

7. Your Privacy Rights

At AccuCode AI, we respect privacy rights and are committed to providing you with the necessary tools to manage your personal information. As a business client, you have the following rights:

a. Right to access your personal information: You have the right to request access to the personal information we hold about you. Upon request, we will provide you with a copy of your personal information in a structured, commonly used, and machine-readable format.

b. Right to request corrections: If you believe that the personal information we hold about you is inaccurate, incomplete, or outdated, you have the right to request corrections. We will take reasonable steps to verify the accuracy of the information and make the necessary updates.

c. Right to request deletion: You have the right to request the deletion of your personal information from our systems. We will comply with your request unless we have a legal obligation to retain the information or if it is necessary for the establishment, exercise, or defense of legal claims.

d. How to submit a privacy request: To submit a privacy request, please follow these steps:

  1. Email privacy@accucodeai.com with the subject line “Privacy Request.”
  2. In the body of the email, clearly state the nature of your request (access, correction, or deletion) and provide the necessary details to help us process your request.
  3. Our privacy team will acknowledge receipt of your request within 5 business days and provide you with an estimated timeline for resolution.
  4. We may require additional information to verify your identity before processing your request to ensure the security of your personal information.

Please note that in some cases, we may not be able to fully comply with your request due to legal obligations. In such instances, we will provide you with a detailed explanation and work with you to find an appropriate solution.

8. Policy Updates

a. Privacy Policy Updates: AccuCode AI reserves the right to update or modify this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements. We encourage you to review this Privacy Policy regularly to stay informed about how we collect, use, and protect your information.

b. Privacy Policy Update Notice: In the event of any significant changes to this Privacy Policy, AccuCode AI will provide notice to our clients through email, prominent notice on our website, or other appropriate communication channels. It is your responsibility to review the updated Privacy Policy and ensure your continued agreement with its terms.

9. Contact Us

a. Contact Information: If you have any questions, concerns, or requests regarding this Privacy Policy or AccuCode AI’s privacy practices, please contact our Privacy Officer at:

  AccuCode AI, Inc.
  815 Technology Dr
  Unit 241124
  Little Rock, AR 72223

  (501) 442-4421
  privacy@accucodeai.com

We are committed to addressing your privacy concerns and will strive to respond to your inquiry in a timely manner.

Chapter 1

Data Protection and Privacy

The Information Security policies contained in this chapter establish the security standards and guidelines for AccuCode AI Inc. These policies are designed to safeguard the confidentiality, integrity, and availability of sensitive healthcare data processed by AccuCode AI in compliance with relevant regulations and best practices.

All employees, contractors, and third parties with access to AccuCode AI systems and data are required to adhere to these policies. Failure to comply may result in disciplinary action, up to and including termination of employment or contract.

Key policies include:

  • Acceptable Encryption Policy
  • Data Breach Response Policy
  • Database Credentials Policy
  • End User Encryption Key Protection Policy
  • HIPAA Workstation Security Policy
  • Removable Media Policy

For questions or to report security incidents, contact the InfoSec team at security@accucodeai.com.

Subsections of Data Protection and Privacy

Acceptable Encryption Policy

Version 1.0.2 | Last Updated 2023-11-29 | APPROVED

1. Overview

The purpose of this policy is to provide guidance on the acceptable use of encryption technologies within AccuCode AI, Inc. to ensure the protection of sensitive data, compliance with Federal regulations, and adherence to industry best practices.

2. Purpose

The purpose of this policy is to limit the use of encryption to algorithms that have undergone substantial public review and have been proven to work effectively.

3. Scope

This policy applies to all employees of AccuCode AI, Inc.

4. Policy

4.1 Algorithm Requirements

  • 4.1.1 Ciphers in use must meet or exceed the set defined as “AES-compatible” or “partially AES-compatible” in the IETF/IRTF Cipher Catalog, or the set approved for use under the United States National Institute of Standards and Technology (NIST) publication FIPS 140-3 (or any superseding document in force at the date of implementation). Symmetric encryption must use the Advanced Encryption Standard (AES) with a 256-bit key (AES-256).

  • 4.1.2 Algorithms in use must meet the standards defined for use in NIST publication FIPS 140-3 or any superseding document, according to the date of implementation. The use of the RSA and Elliptic Curve Cryptography (ECC) algorithms is strongly recommended for asymmetric encryption.

  • 4.1.3 Signature Algorithms:

    • ECDSA: P-256 with SHA-256
    • RSA: 2048 bits minimum (must use a secure signature padding scheme such as RSASSA-PSS, as specified in PKCS#1 v2.2)
    • LDWM: SHA-256

4.2 Hash Function Requirements

AccuCode AI, Inc. adheres to the NIST Policy on Hash Functions.

4.3 Key Agreement and Authentication

  • 4.3.1 Key exchanges must use one of the following cryptographic protocols: Diffie-Hellman, IKE, or Elliptic curve Diffie-Hellman (ECDH).

  • 4.3.2 End points must be authenticated prior to the exchange or derivation of session keys.

  • 4.3.3 Public keys used to establish trust must be authenticated prior to use. Examples of authentication include transmission via cryptographically signed message or manual verification of the public key hash.

  • 4.3.4 All servers used for authentication (for example, RADIUS or TACACS) must have installed a valid certificate signed by a known trusted provider.

  • 4.3.5 All servers and applications using SSL or TLS must have the certificates signed by a known, trusted provider.

4.4 Key Generation

  • 4.4.1 Cryptographic keys must be generated using hardware-based random number generators (RNGs) and stored securely in key vaults to prevent loss, theft, or compromise.

  • 4.4.2 Key generation must be seeded from an industry-standard random bit generator approved under FIPS 140-3: a deterministic random bit generator (DRBG) from NIST SP 800-90A, seeded from an entropy source that meets NIST SP 800-90B.

  • 4.4.3 Key rotation must be performed regularly, with the frequency determined by the sensitivity of the data and the criticality of the system.
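The algorithm, key-size, TLS and key-generation requirements in 4.1 through 4.4 above, as an added Go example (editorial illustration, not AccuCode AI code): a TLS 1.3-only configuration that prefers P-256, a policy check on public keys (RSA of at least 2048 bits, ECDSA on P-256), RSA-PSS and ECDSA P-256 signing over SHA-256, and key generation from the operating system CSPRNG via crypto/rand. Function names are the example's own and the sample message is constructed. One caveat a practitioner should know: Go does not allow the TLS 1.3 cipher-suite list to be restricted, so the AES-256 requirement of 4.1.1 cannot be enforced by this configuration alone; it has to be handled on the peer or recorded as an exception under 5.2.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/tls"
	"errors"
	"fmt"
)

// PolicyTLSConfig negotiates TLS 1.3 only and prefers P-256 for ECDHE (4.1.3,
// 4.3.1). Go fixes the TLS 1.3 suite list itself (all AEAD, AES-256-GCM
// included) and verifies peer certificates against trusted roots by default (4.3.5).
func PolicyTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS13,
		CurvePreferences: []tls.CurveID{tls.CurveP256},
	}
}

// CheckPublicKeyPolicy accepts RSA keys of at least 2048 bits and ECDSA keys
// on P-256, the signature key types permitted by 4.1.3.
func CheckPublicKeyPolicy(pub crypto.PublicKey) error {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		if k.N.BitLen() < 2048 {
			return fmt.Errorf("RSA key is %d bits; policy minimum is 2048", k.N.BitLen())
		}
	case *ecdsa.PublicKey:
		if name := k.Curve.Params().Name; name != "P-256" {
			return fmt.Errorf("ECDSA curve %s is not permitted; policy requires P-256", name)
		}
	default:
		return errors.New("unsupported public key type")
	}
	return nil
}

// Key generation draws from crypto/rand, the operating system CSPRNG (4.4);
// math/rand must never be used for key material.
func NewRSAKey(bits int) (*rsa.PrivateKey, error)          { return rsa.GenerateKey(rand.Reader, bits) }
func NewECDSAKey(c elliptic.Curve) (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(c, rand.Reader) }

// NewSymmetricKey returns a fresh 256-bit AES key (4.1.1).
func NewSymmetricKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// pssOpts pins the PSS salt length to the hash length, the interoperable choice.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

// SignRSAPSS signs SHA-256(msg) with RSASSA-PSS, the padding 4.1.3 requires.
// The key is checked against policy before it is used.
func SignRSAPSS(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	if err := CheckPublicKeyPolicy(&priv.PublicKey); err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
}

// VerifyRSAPSS reports whether sig is a valid RSA-PSS signature over msg.
func VerifyRSAPSS(pub *rsa.PublicKey, msg, sig []byte) bool {
	if CheckPublicKeyPolicy(pub) != nil {
		return false
	}
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts) == nil
}

// SignECDSAP256 and VerifyECDSAP256 use DER-encoded ECDSA over SHA-256.
func SignECDSAP256(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	if err := CheckPublicKeyPolicy(&priv.PublicKey); err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func VerifyECDSAP256(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	if CheckPublicKeyPolicy(pub) != nil {
		return false
	}
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	msg := []byte("constructed sample message") // constructed, not client data
	key, _ := NewRSAKey(2048)
	sig, _ := SignRSAPSS(key, msg)
	fmt.Println("RSA-PSS verifies:", VerifyRSAPSS(&key.PublicKey, msg, sig))
}
```

Signing helpers call CheckPublicKeyPolicy before touching the key, so a 1024-bit RSA key or a P-384 ECDSA key is refused rather than silently used; that is the check an InfoSec tool report under 5.1 would surface.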

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6. Related Standards and References

  • National Institute of Standards and Technology (NIST) publication FIPS 140-3
  • NIST Policy on Hash Functions

Data Breach Response Policy

Version 1.0.1 | Last Updated 2023-12-12 | APPROVED

1. Introduction

AccuCode AI Inc. is committed to protecting the privacy and security of the personal and sensitive information it collects, processes, and stores. This Data Breach Response Policy establishes the goals and procedures for responding to data breaches involving protected health information (PHI) and personally identifiable information (PII).

2. Scope

This Policy applies to all employees, contractors, and third-party partners of AccuCode AI who have access to PHI or PII in the course of their duties.

3. Definitions

  • Data Breach: An unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PII maintained by the Company.
  • Personally Identifiable Information (PII): An individual’s first name, or first initial and his or her last name, in combination with any one or more of the following data elements when either the name or the data element is not encrypted or redacted:
    • Social Security number;
    • Driver’s license number or state identification card number;
    • Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
    • Medical information (any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional);
    • Biometric data (data generated by automatic measurements of an individual’s biological characteristics) and any other unique biological characteristics of an individual if used to uniquely authenticate the individual’s identity for access to a system or account.

4. Roles and Responsibilities

  • Information Security Officer (ISO): Responsible for overseeing the implementation of this Policy and ensuring compliance with applicable laws and regulations.
  • Incident Response Team (IRT): Responsible for investigating and responding to data breaches, as directed by the ISO. The IRT shall include representatives from Legal, IT, Human Resources, and other departments as necessary.
  • All Employees: Responsible for immediately reporting any suspected data breaches to the ISO or IRT.

5. Incident Response Procedures

  1. Identification: Any employee who becomes aware of a potential data breach must immediately notify the ISO or IRT.
  2. Investigation: The IRT will promptly investigate the reported incident to determine whether a data breach has occurred and the scope of the breach.
  3. Containment: If a data breach is confirmed, the IRT will take immediate steps to contain the breach and prevent further unauthorized access or disclosure.
  4. Notification: The ISO will notify affected individuals, clients, and regulatory authorities as required by applicable laws and regulations.
    • Notification to affected Arkansas residents shall be made in the most expedient time and manner possible and without unreasonable delay, subject to any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.
    • Notification is not required if after a reasonable investigation the Company determines there is no reasonable likelihood of harm to consumers.
    • If the affected class of persons to be notified exceeds 1,000, the Company must disclose the breach to the Attorney General at the same time it notifies the affected class, or 45 days after it determines there is a reasonable likelihood of harm to individuals, whichever is first.
  5. Remediation: The IRT will work with IT and other departments to identify and address any vulnerabilities that contributed to the breach.
  6. Documentation: The ISO will document the incident, including the response actions taken and any remediation measures implemented. The Company must retain a copy of the determination of the breach and any supporting documentation for five years from the date the breach was determined.

6. Training and Awareness

All employees will receive regular training on data privacy and security best practices, as well as their responsibilities under this Policy. The ISO will ensure that the Policy is widely communicated and easily accessible to all personnel.

7. Policy Review and Update

This Policy will be reviewed and updated annually, or more frequently as needed, to ensure it remains effective and compliant with applicable laws and regulations.

8. Enforcement

Violations of this Policy may result in disciplinary action, up to and including termination of employment or contract. AccuCode AI, Inc. reserves the right to report violations to appropriate law enforcement authorities.

By implementing this Data Breach Response Policy, AccuCode AI Inc. demonstrates its commitment to protecting the privacy and security of the sensitive information entrusted to it, and to responding promptly and effectively to any data breaches that may occur in compliance with Arkansas law.

Database Credentials Policy

Version 1.0.1 | Last Updated 2023-11-01 | APPROVED

Purpose

This policy establishes the requirements for securely storing and managing database credentials used by applications and systems to access AccuCode AI’s production databases containing sensitive healthcare information, including Protected Health Information (PHI). Proper credential management is critical to prevent unauthorized access to databases that could lead to data breaches.

Scope

This policy applies to all employees, contractors, and third-parties responsible for developing and maintaining applications and systems that connect to AccuCode AI’s production databases. It covers all databases used to store sensitive data, including but not limited to patient records, billing information, and analytics data.

Policy Statements

  1. Credential Storage

    • Database credentials must never be hard-coded or stored in clear text in application source code, configuration files, or repositories.
    • Credentials must be stored securely using a password manager, secrets management system, or secure configuration management tool approved by the Security team.
    • Access to stored credentials must be strictly limited to authorized personnel on a need-to-know basis.
  2. Credential Usage

    • Applications must only retrieve database credentials immediately prior to use and not store them in memory longer than necessary.
    • Memory containing credentials must be cleared immediately after use.
    • Credentials must never be logged, exposed in error messages, or transmitted over the network in an unencrypted format.
  3. Credential Uniqueness

    • Each application, service or script must use its own unique database credentials. Sharing of credentials between applications is prohibited.
    • Database accounts must be created with the minimum privileges required for the application to function.
  4. Credential Rotation

    • Database credentials must be rotated at least every 90 days, or more frequently for critical systems.
    • Credentials must also be rotated immediately in the event of a suspected compromise or personnel changes.
  5. Encryption Requirements

    • Stored credentials must be encrypted using strong, industry-standard encryption algorithms (e.g. AES-256).
    • Encryption keys must be managed securely and access limited to authorized personnel.
    • Client-specific encryption keys must be used in the database to provide an additional layer of security. These keys should be stored in a secure key vault.
  6. Logging and Monitoring

    • All access to databases must be logged and monitored for suspicious activity.
    • Failed login attempts must be logged and investigated.
    • Anomalous usage patterns (e.g. increased volume, off-hour access) must trigger alerts.
  7. Third-Party Access

    • Third-party access to production databases is prohibited unless explicitly approved by the Security team.
    • Third-parties must adhere to all provisions of this policy when granted access.
    • Third-party accounts must be disabled immediately upon termination of the contract or services.
  8. PHI Protection

    • Any PHI stored in databases must be isolated and encrypted at rest.
    • Databases containing PHI must not be directly exposed to the internet. Network segmentation must be used as a defense in depth strategy.
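As an added example for policy statements 1 and 2 (editorial illustration, not AccuCode AI's own tooling), the Go program below scans configuration text for hard-coded database credentials and redacts connection strings before they reach a log line or an error message. The regular expressions, function names and the SampleConfig fragment are constructed for illustration; the envReference allowlist assumes that a value injected at run time from the environment comes from the approved secrets manager, which is how such systems normally deliver credentials.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one embedded database credential located by ScanForCredentials.
type Finding struct {
	File string
	Line int
	Kind string
}

// dsnWithPassword matches URL-style connection strings that carry a password,
// e.g. postgres://app:S3cret@db.internal:5432/phi
var dsnWithPassword = regexp.MustCompile(`(?i)\b(?:postgres(?:ql)?|mysql|mssql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:[^\s@]+@`)

// passwordAssignment matches key=value or key: value settings of password-like
// keys whose value is a literal rather than a reference.
var passwordAssignment = regexp.MustCompile(`(?i)\b(?:db_?pass(?:word)?|password|passwd|pwd)\s*[=:]\s*["']?[^\s"'$]+`)

// envReference recognises values pulled from the environment at run time
// (assumed here to be injected by the approved secrets manager); such lines pass.
var envReference = regexp.MustCompile(`\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|\bos\.Getenv\(`)

// ScanForCredentials walks the text line by line and reports hard-coded
// credentials (policy statement 1). It is a pre-commit style check, not a
// replacement for a full secret scanner.
func ScanForCredentials(file, content string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(content, "\n") {
		if envReference.MatchString(line) {
			continue
		}
		switch {
		case dsnWithPassword.MatchString(line):
			findings = append(findings, Finding{file, i + 1, "connection string with embedded password"})
		case passwordAssignment.MatchString(line):
			findings = append(findings, Finding{file, i + 1, "password literal in configuration"})
		}
	}
	return findings
}

// kvPassword covers libpq-style "host=... password=... dbname=..." strings.
var kvPassword = regexp.MustCompile(`(?i)\b(password|passwd|pwd)=\S+`)

// RedactDSN returns a form of the connection string that is safe to log or to
// put in an error message (policy statement 2): the password becomes "xxxxx"
// whichever DSN syntax is in use. net/url's Redacted handles the URL form.
func RedactDSN(dsn string) string {
	if u, err := url.Parse(dsn); err == nil && u.Scheme != "" && u.User != nil {
		return u.Redacted()
	}
	return kvPassword.ReplaceAllString(dsn, "${1}=xxxxx")
}

// Wipe overwrites a credential buffer once it is no longer needed. Go's
// garbage collector may still hold copies, so this shortens, rather than
// removes, the window in which the secret sits in memory.
func Wipe(secret []byte) {
	for i := range secret {
		secret[i] = 0
	}
}

// SampleConfig is a constructed configuration fragment used to exercise the
// scanner; it is not a real AccuCode AI file.
const SampleConfig = `# constructed sample configuration
DATABASE_URL=postgres://app:S3cret@db.internal:5432/phi
db_password = "hunter2"
DB_PASSWORD=${DB_PASSWORD}
password = os.Getenv("DB_PASSWORD")
host=db.internal user=app dbname=phi
`

func main() {
	for _, f := range ScanForCredentials("config.env", SampleConfig) {
		fmt.Printf("%s:%d: %s\n", f.File, f.Line, f.Kind)
	}
	fmt.Println(RedactDSN("postgres://app:S3cret@db.internal:5432/phi?sslmode=require"))
	fmt.Println(RedactDSN("host=db.internal user=app password=S3cret dbname=phi"))
}
```

Run against SampleConfig the scanner flags lines 2 and 3 and passes the two lines that read the password from the environment; RedactDSN is what an application should call on any DSN it is about to log, including inside database driver error handlers, which often echo the full connection string.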

Enforcement

The InfoSec team will verify compliance with this policy through periodic audits and ongoing monitoring of database access logs. Employees found to have violated this policy may face disciplinary action up to and including termination. Violations by contractors or vendors may result in contract termination. Applications not adhering to this policy will not be approved for production use.

Exceptions

Any exceptions to this policy must be approved in advance by submitting a written request to the InfoSec team detailing the business justification, scope and duration of the exception. Exceptions will be granted on a case-by-case basis.

Review Cadence

This policy will be reviewed and updated annually or more frequently as needed to respond to changes in regulations, technology, and business practices.

End User Encryption Key Protection Policy

Version 1.0.0 | Last Updated 2023-11-21 | APPROVED

1. Overview

Encryption key management, if done improperly, can lead to the compromise and disclosure of the private keys used to secure sensitive data, and hence of the data itself. While users may understand that it is important to encrypt certain documents and electronic communications, they may not be familiar with the minimum standards for protecting encryption keys.

2. Purpose

This policy outlines the requirements for protecting encryption keys that are under the control of end users at AccuCode AI Inc. These requirements are designed to prevent unauthorized disclosure and subsequent fraudulent use. The protection methods outlined will include operational and technical controls, such as key backup procedures, encryption under a separate key, and use of tamper-resistant hardware.

3. Scope

This policy applies to any encryption keys used for business purposes and to protect data owned by AccuCode AI Inc. The public keys contained in digital certificates are specifically exempted from this policy.

4. Policy

All encryption keys covered by this policy must be protected to prevent their unauthorized disclosure and subsequent fraudulent use.

4.1 Secret Key Encryption Keys

Keys used for secret key encryption, also called symmetric cryptography, must be protected as they are distributed to all parties that will use them. During distribution, the symmetric encryption keys must be encrypted using a stronger algorithm with a key of the longest key length for that algorithm authorized in AccuCode AI’s Acceptable Encryption Policy.

Symmetric encryption keys, when at rest, must be protected with security measures at least as stringent as the measures used for distribution of that key.
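One way to meet the distribution requirement in 4.1, as an added example that is not AccuCode AI code: the symmetric data key is wrapped under a 256-bit key-encryption key (KEK) with AES-256-GCM, and the recipient's identity is bound as associated data so a blob wrapped for one party cannot be replayed to another. Function names and the recipient labels are the example's own assumptions. The code refuses anything but a 32-byte KEK, which is how it enforces the rule that the wrapping key be at least as strong as the key being distributed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG; a failing entropy source is
// fatal, never something to fall back from.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newKEKAEAD builds AES-256-GCM from the key-encryption key. Only a 256-bit
// KEK is accepted, so the wrapping key is never weaker than the key it protects.
func newKEKAEAD(kek []byte) (cipher.AEAD, error) {
	if len(kek) != 32 {
		return nil, fmt.Errorf("KEK must be 32 bytes (AES-256), got %d", len(kek))
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey encrypts dataKey under the KEK for distribution. The recipient
// identifier is bound as GCM associated data. Output is nonce || ciphertext || tag.
func WrapKey(kek, dataKey []byte, recipient string) ([]byte, error) {
	aead, err := newKEKAEAD(kek)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize()) // fresh nonce for every wrap
	return aead.Seal(nonce, nonce, dataKey, []byte(recipient)), nil
}

// UnwrapKey reverses WrapKey. Any change to the blob, or a recipient
// mismatch, fails authentication and no key material is returned.
func UnwrapKey(kek, wrapped []byte, recipient string) ([]byte, error) {
	aead, err := newKEKAEAD(kek)
	if err != nil {
		return nil, err
	}
	if len(wrapped) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("wrapped key is too short to be valid")
	}
	nonce, ct := wrapped[:aead.NonceSize()], wrapped[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recipient))
}

func main() {
	kek := randomBytes(32)     // constructed demo KEK; in production this lives in the key vault
	dataKey := randomBytes(32) // constructed demo data key
	blob, _ := WrapKey(kek, dataKey, "workstation-17")
	_, err := UnwrapKey(kek, blob, "workstation-18")
	fmt.Println("unwrap for the wrong recipient fails:", err != nil)
}
```

The same construction serves the at-rest requirement that follows 4.1: a key stored wrapped under a vault-held KEK is protected by exactly the mechanism used for its distribution, which is what "at least as stringent" asks for.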

4.2 Public Key Encryption Keys

Public key cryptography, or asymmetric cryptography, uses public-private key pairs. The public key is included in the digital certificate issued to the end user. The private key should only be available to the end user to whom the corresponding digital certificate is issued.

4.2.1 AccuCode AI’s Public Key Infrastructure (PKI) Keys

The public-private key pairs used by AccuCode AI’s public key infrastructure (PKI) are generated and managed using Microsoft Azure. The private key associated with any encryption certificate must be escrowed as described in the Certificate Practice Statement Policy.

4.2.2 Other Public Key Encryption Keys

If the keys are generated in software, the end user is required to create at least one backup of these keys and store any backup copies securely using a password manager protected by 2FA. The user is also required to create an escrow copy of any private keys used for encrypting data and deliver the escrow copy to the InfoSec team for secure storage in Azure Key Vault.

All backups, including escrow copies, shall be protected with a password or passphrase that is compliant with the Password Policy. InfoSec representatives will store and protect the escrowed keys as described in the Certificate Practice Statement Policy.

4.3 Hardware Token Storage

Hardware tokens storing encryption keys, such as YubiKeys, will be treated as sensitive company equipment when outside company offices. Hardware tokens will not be stored or left connected to any end user’s computer when not in use. For end users traveling with hardware tokens, they will not be stored or carried in the same container or bag as any computer.

4.4 Passwords and Passphrases

All passwords or passphrases used to protect encryption keys must meet complexity and length requirements described in AccuCode AI’s Password Policy.

4.5 Loss and Theft

The loss, theft, or potential unauthorized disclosure of any encryption key covered by this policy must be reported immediately to the InfoSec Team. InfoSec personnel will direct the end user in any actions that will be required regarding revocation of certificates or public-private key pairs.

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

HIPAA Workstation Security Policy

Version 1.0.4 | Last Updated 2023-10-16 | APPROVED

1. Purpose

The purpose of this policy is to provide guidance for workstation security for AccuCode AI Inc. workstations in order to ensure the security of information on the workstation and information the workstation may have access to. Additionally, the policy provides guidance to ensure the requirements of the HIPAA Security Rule “Workstation Security” standard, 45 CFR § 164.310(c), are met.

2. Scope

This policy applies to all employees, contractors, workforce members, vendors and agents with an AccuCode AI Inc.-owned or personal workstation connected to the AccuCode AI Inc. network.

3. Policy

Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information, including protected health information (PHI) and that access to sensitive information is restricted to authorized users.

3.1 Workforce Members

Workforce members using workstations shall consider the sensitivity of the information, including protected health information (PHI) that may be accessed and minimize the possibility of unauthorized access.

3.2 Physical and Technical Safeguards

AccuCode AI Inc. will implement physical and technical safeguards for all workstations that access electronic protected health information to restrict access to authorized users.

3.3 Appropriate Measures

Appropriate measures include:

  1. Restricting physical access to workstations to only authorized personnel.
  2. Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access.
  3. Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected. The password must comply with AccuCode AI Inc. Password Policy.
  4. Complying with all applicable password policies and procedures. See Password Construction Guidelines for more details.
  5. Ensuring workstations are used for authorized business purposes only.
  6. Never installing unauthorized software on workstations.
  7. Storing all sensitive information, including protected health information (PHI) on network servers.
  8. Keeping food and drink away from workstations in order to avoid accidental spills.
  9. Securing laptops that contain sensitive information by using cable locks or locking laptops up in drawers or cabinets.
  10. Installing privacy screen filters or using other physical barriers to reduce the exposure of on-screen data.
  11. Ensuring workstations are left on but logged off in order to facilitate after-hours updates.
  12. Exiting running applications and closing open documents.
  13. Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup).
  14. If wireless network access is used, ensure access is secure by following the AccuCode AI Inc. Wireless Communication policy.

3.4 Remote Employees

Remote employees must adhere to the following additional measures:

  1. Ensure the workstation is used in a private, secure location to prevent unauthorized access to sensitive information.
  2. Use company-provided virtual private network (VPN) to securely access the AccuCode AI Inc. network and resources.
  3. Avoid using public Wi-Fi networks. If necessary, use the company-provided VPN to ensure secure connection.
  4. Ensure the workstation’s operating system, antivirus software, and other security software are up to date.
  5. Report any security incidents or suspected breaches immediately to the InfoSec team.

4. Policy Compliance

4.1 Compliance Measurement

The InfoSec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

4.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

4.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Removable Media Policy

Version 1.0.0 | Last Updated 2024-01-29 | APPROVED

1. Overview

Removable media is a well-known source of malware infections and has been directly tied to the loss of sensitive information in many organizations. AccuCode AI Inc. processes sensitive healthcare documents such as patient charts from hospitals and clinics, making it crucial to minimize the risk of data loss or exposure and reduce the risk of acquiring malware infections on company computers.

2. Purpose

The purpose of this policy is to minimize the risk of loss or exposure of sensitive information maintained by AccuCode AI Inc. and to reduce the risk of acquiring malware infections on computers operated by the company.

3. Scope

This policy covers all computers and servers operating in AccuCode AI Inc.

4. Policy

  1. AccuCode AI Inc. staff may only use removable media in their work computers when strictly necessary for performing their assigned duties.
  2. The use of removable media is discouraged, and staff should seek alternative methods for data transfer and storage whenever possible.
  3. Removable media may not be connected to or used in computers that are not owned or leased by AccuCode AI Inc. without explicit permission from the InfoSec team.
  4. Sensitive information should be stored on removable media only when required in the performance of assigned duties or when providing information required by other state or federal agencies.
  5. When sensitive information is stored on removable media, it must be encrypted in accordance with the AccuCode AI Inc. Acceptable Encryption Policy.
  6. Exceptions to this policy may be requested on a case-by-case basis through the AccuCode AI Inc. exception procedures.

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Incident Response and Continuity

If you have any questions about this policy, please contact the InfoSec team at security@accucodeai.com.

Subsections of Incident Response and Continuity

Business Continuity

AccuCode AI Inc. is committed to maintaining the availability and integrity of its systems, data, and services. This Disaster Recovery (DR) Plan Policy outlines the strategies, procedures, and responsibilities necessary to effectively respond to and recover from a disruptive event or disaster that impacts our IT infrastructure and business operations.

The purpose of this policy is to minimize the impact of a disaster on our ability to serve customers and protect the company’s assets and reputation. It provides a framework for restoring critical systems and resuming normal operations in a timely manner.

All employees are expected to familiarize themselves with this policy and their individual roles and responsibilities in the event of a disaster. The InfoSec team will maintain, test, and update this DR plan on a regular basis.

If you have any questions about this policy, please contact the InfoSec team at security@accucodeai.com.

Subsections of Business Continuity

Disaster Recovery Plan Policy

Version 1.0.3 | Last Updated 2024-01-31 | APPROVED

1. Overview

AccuCode AI Inc. recognizes the importance of having a robust Disaster Recovery Plan (DRP) to ensure business continuity and minimize the impact of any disaster or major outage on our operations. This policy outlines the requirements for developing, implementing, and maintaining a comprehensive DRP.

2. Purpose

The purpose of this policy is to establish a baseline for creating and maintaining a DRP that describes the process to recover IT systems, applications, and data from any type of disaster causing a major outage. The DRP aims to minimize the impact of disasters on our business operations and protect the confidentiality, integrity, and availability of our clients’ data.

3. Scope

This policy applies to all IT management staff responsible for developing, testing, and updating the DRP. The policy focuses on the requirement to have a DRP and does not provide specific requirements for the content of the plan or its subplans.

4. Policy

4.1 Contingency Plans

The following contingency plans must be created as part of the DRP:

  • Computer Emergency Response Plan: Outlines who to contact, when, and how, as well as the immediate actions to be taken in the event of certain occurrences.
  • Succession Plan: Describes the flow of responsibility when normal staff is unavailable to perform their duties.
  • Data Study: Details the data stored on the systems, its criticality, and its confidentiality.
  • Criticality of Service List: Lists all the services provided and their order of importance, explaining the order of recovery in both short-term and long-term timeframes.
  • Data Backup and Restoration Plan: Details which data is backed up, the media to which it is saved, where that media is stored, and how often the backup is done. It should also describe how that data can be recovered.
  • Equipment Replacement Plan: Describes what equipment is required to begin providing services, lists the order in which it is necessary, and notes where to purchase the equipment.
  • Mass Media Management: Identifies who is in charge of giving information to the mass media and provides guidelines on what data is appropriate to be provided.

4.2 Backup Security and Ransomware Prevention

All client data backups must be encrypted with the same strong, client-specific encryption used for data at rest. Backups should be retained for 180 days and securely destroyed thereafter. To protect against ransomware, AccuCode AI Inc. employs:

  • Regular backups isolated from the main network and inaccessible to unauthorized users
  • Immutable backups that cannot be altered or deleted once written
  • Strict access controls and network segmentation to contain potential attacks
  • Continuous monitoring for suspicious activity and prompt incident response
  • Disaster Recovery and Business Continuity plans to ensure data availability and integrity

4.3 Testing and Updating the DRP

After creating the plans, it is important to practice them to the extent possible. Management should set aside time to test the implementation of the DRP. Table-top exercises should be conducted at least annually so that problems that would cause the plan to fail are discovered and corrected in a low-stakes setting. The DRP should be reviewed and updated at least annually.

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Incident Response

The Incident Response (IR) plan outlines AccuCode AI’s process for preparing for, detecting, responding to, and recovering from information security incidents. The goal is to minimize impact to the business and protect the confidentiality, integrity and availability of data and systems.

The key components of the IR plan, the Computer Emergency Response Plan and the Incident Response Plan Policy, are described in the subsections below.

All employees are required to immediately report suspected security incidents to the InfoSec team at security@accucodeai.com. The IR plan will be tested annually and updated as needed.

Subsections of Incident Response

Computer Emergency Response Plan

Version 1.0.0 | Last Updated 2024-03-29 | APPROVED

Purpose

The purpose of this Computer Emergency Response Plan is to outline the procedures and actions to be taken in the event of a computer emergency or security incident at AccuCode AI Inc. This plan is designed to minimize the impact of such incidents on the company’s operations, protect sensitive healthcare data, and ensure the timely restoration of critical systems and services.

Scope

This plan applies to all employees, contractors, and third-party vendors who have access to AccuCode AI Inc.’s computer systems, networks, and data.

Incident Reporting

In the event of a computer emergency or security incident, the following steps should be taken:

  1. Immediately notify the InfoSec team by emailing security@accucodeai.com or calling the Engineering team lead.

  2. Provide a detailed description of the incident, including the date and time it occurred, the systems and data affected, and any actions taken so far.

  3. Do not attempt to investigate or resolve the incident on your own, as this may compromise the integrity of the investigation and recovery efforts.

Incident Response Team

The Incident Response Team (IRT) is responsible for managing and coordinating the response to computer emergencies and security incidents. The team consists of the following members:

  • Chief Technology Officer (CTO)
  • InfoSec Team Lead
  • Legal Counsel

Incident Response Procedures

Upon receiving a report of a computer emergency or security incident, the IRT will:

  1. Assess the severity and scope of the incident.
  2. Contain the incident to prevent further damage or unauthorized access.
  3. Investigate the incident to determine its cause and identify any compromised systems or data.
  4. Develop and implement a recovery plan to restore affected systems and data.
  5. Document the incident, including a timeline of events, actions taken, and lessons learned.
  6. Notify relevant stakeholders, including management, legal counsel, and affected clients, as appropriate.

Incident Severity Levels

Incidents will be classified according to the following severity levels:

  • Level 1 (Critical): Incidents that pose an immediate threat to the confidentiality, integrity, or availability of sensitive healthcare data or critical systems.
  • Level 2 (High): Incidents that have the potential to cause significant damage or disruption to operations, but do not pose an immediate threat to sensitive data or critical systems.
  • Level 3 (Medium): Incidents that have a limited impact on operations and do not pose a threat to sensitive data or critical systems.
  • Level 4 (Low): Incidents that have minimal impact on operations and do not pose a threat to sensitive data or critical systems.

Incident Communication

During an incident, the IRT will provide regular updates to management and affected stakeholders via email, phone, or in-person meetings, as appropriate. The frequency and method of communication will depend on the severity of the incident and the needs of the stakeholders.

Post-Incident Review

After an incident has been resolved, the IRT will conduct a post-incident review to:

  1. Evaluate the effectiveness of the incident response procedures.
  2. Identify areas for improvement in the incident response plan and related policies and procedures.
  3. Develop and implement any necessary changes to prevent similar incidents from occurring in the future.

Plan Maintenance

This Computer Emergency Response Plan will be reviewed and updated annually, or more frequently as needed, to ensure that it remains current and effective. All employees, contractors, and third-party vendors will be trained on the plan and their roles and responsibilities in the event of an incident.

Incident Response Plan Policy

Version 1.0.3 | Last Updated 2023-10-16 | APPROVED

1. Overview

The Incident Response Plan Policy provides a framework for the InfoSec team and business units at AccuCode AI Inc. to collaborate effectively in managing and responding to security incidents. This policy ensures that when a security vulnerability is identified or exploited, the organization can swiftly mitigate and remediate the issue. The Incident Response Plan (IRP) defines the product description, contact information, escalation paths, expected service level agreements (SLA), severity and impact classification, and mitigation/remediation timelines.

2. Purpose

The purpose of this policy is to establish the requirement for all business units supported by the InfoSec team to develop and maintain an Incident Response Plan. This ensures that the security incident management team has all the necessary information to formulate a successful response when a specific security incident occurs.

3. Scope

This policy applies to all established and defined business units or entities within AccuCode AI Inc.

4. Policy

The development, implementation, and execution of an Incident Response Plan (IRP) are the primary responsibility of the specific business unit for which the IRP is being developed, in cooperation with the InfoSec team. Business units are expected to properly facilitate the IRP for services or products they are accountable for. The business unit security coordinator or champion is further expected to work with the InfoSec team in the development and maintenance of the Incident Response Plan.

4.1 Service or Product Description

The product description in an IRP must clearly define the service or application being deployed. Data flow descriptions, logical diagrams and architecture documentation should be included, as they are highly useful to responders during an incident.

4.2 Contact Information

The IRP must include contact information for dedicated team members to be available during non-business hours should an incident occur and escalation be required. This may be a 24/7 requirement depending on the defined business value of the service or product, coupled with the impact on customers. The IRP document must include all phone numbers and email addresses for the dedicated team member(s).

4.3 Triage

The IRP must define triage steps to be coordinated with the security incident management team in a cooperative manner with the intended goal of swift security vulnerability mitigation. This step typically includes validating the reported vulnerability or compromise.

4.4 Identified Mitigations and Testing

The IRP must include a defined process for identifying and testing mitigations prior to deployment. These details should include both short-term mitigations and the remediation process.

4.5 Mitigation and Remediation Timelines

The IRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact to consumers, brand, and company. These response guidelines should be carefully mapped to the level of severity determined for the reported vulnerability.

5. Policy Compliance

5.1 Compliance Measurement

Each business unit must be able to demonstrate they have a written IRP in place, and that it is under version control and available via the web. The policy should be reviewed annually.

5.2 Exceptions

Any exception to this policy must be approved by the InfoSec team in advance and have a written record.

5.3 Non-Compliance

Any business unit found to have violated this policy (no IRP developed prior to service or product deployment) may be subject to delays in service or product release until such a time as the IRP is developed and approved. Responsible parties may be subject to disciplinary action, up to and including termination of employment, should a security incident occur in the absence of an IRP.

Network and Communication Security

Network and communication security policies define requirements to protect the confidentiality, integrity and availability of AccuCode AI's networks and systems. The key areas covered are described in the subsections below.

Questions about these policies can be directed to the InfoSec team at security@accucodeai.com.

Subsections of Network and Communication Security

Email and Messaging

This section contains AccuCode AI’s policies related to email and messaging systems. All employees and contractors must adhere to these policies to ensure the security and proper use of company email and messaging.

The key policies are described in the subsections below.

Questions or concerns? Contact the InfoSec Team at security@accucodeai.com.

Subsections of Email and Messaging

Automatically Forwarded Email Policy

Version 1.0.4 | Last Updated 2024-02-22 | APPROVED

1. Overview

This policy outlines the guidelines and restrictions regarding automatically forwarding emails from AccuCode AI Inc. email accounts to external email addresses. The purpose is to prevent unauthorized or inadvertent disclosure of sensitive company information.

2. Purpose

The purpose of this policy is to ensure the protection of sensitive information processed by AccuCode AI Inc., including protected health information (PHI) from hospitals and clinics, and to prevent unauthorized disclosure of such information through automatically forwarded emails.

3. Scope

This policy applies to all employees, contractors, vendors, and agents operating on behalf of AccuCode AI Inc. It covers the automatic forwarding of emails from company email accounts to external email addresses.

4. Policy

  1. Employees are prohibited from setting up automatic email forwarding from their AccuCode AI Inc. email accounts to any external email address without prior approval from their manager and the Information Security (InfoSec) team.

  2. Sensitive information, as defined in the AccuCode AI Inc. Data Classification and Protection Policy, must not be forwarded via email to any external party unless it is critical to business operations and the email is encrypted in accordance with the AccuCode AI Inc. Acceptable Encryption Policy.

  3. Employees must exercise extreme caution when sending any email from an AccuCode AI Inc. email account to an external recipient, ensuring that no sensitive information is inadvertently disclosed.

  4. The InfoSec team reserves the right to monitor and audit email forwarding settings and to revoke any unauthorized email forwarding configurations.

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance with this policy through various methods, including but not limited to:

  • Periodic reviews of email forwarding configurations
  • Monitoring of email traffic
  • Internal and external audits
  • Feedback to the policy owner

5.2 Exceptions

Any exception to this policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6. Definitions and Terms

  • Email: Electronic mail, a method of exchanging messages between people using electronic devices.
  • SMTP: Simple Mail Transfer Protocol, a communication protocol for electronic mail transmission.
  • Forwarded Email: An email message that is automatically sent from one email account to another.
  • Sensitive Information: Information that is protected against unwarranted disclosure and includes PHI, financial information, and proprietary data.
  • Unauthorized Disclosure: The intentional or unintentional revelation of sensitive information to individuals who are not authorized to receive such information.

Email Policy

Version 1.0.2 | Last Updated 2023-12-18 | APPROVED

1. Overview

Email is often the primary communication and awareness method in an organization. At the same time, misuse of email poses legal, privacy and security risks, so users must understand the appropriate use of electronic communications. This is especially critical for AccuCode AI Inc., which processes sensitive healthcare documents and patient information.

2. Purpose

The purpose of this email policy is to ensure the proper use of AccuCode AI Inc.’s email system and make users aware of what is deemed as acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within AccuCode AI Inc.’s network, with a strong emphasis on protecting sensitive healthcare data.

3. Scope

This policy covers appropriate use of any email sent from an AccuCode AI Inc. email address and applies to all employees, vendors, and agents operating on behalf of AccuCode AI Inc.

4. Policy

4.1 All use of email must be consistent with AccuCode AI Inc.’s policies and procedures of ethical conduct, safety, compliance with applicable laws (including HIPAA and other healthcare regulations), and proper business practices.

4.2 AccuCode AI Inc. email accounts should be used primarily for business-related purposes; personal communication is permitted on a limited basis, but non-AccuCode AI Inc. related commercial uses are prohibited.

4.3 All data contained within an email message or an attachment must be secured according to the Data Protection Standard. Special attention must be given to Protected Health Information (PHI) and healthcare records.

4.4 Any email containing PHI and/or healthcare records must be encrypted end to end using public key cryptography. Encryption must use FIPS-approved algorithms implemented in a FIPS 140-3 validated cryptographic module.
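
Added illustration, not part of this policy and not AccuCode AI's own code: the Go program below shows the envelope construction that 4.4 calls for. A fresh AES-256-GCM key protects the message body, the recipient's RSA public key wraps that key with OAEP, and the message headers are bound as authenticated data so that they cannot be altered in transit without detection. The key pair, addresses and body are constructed for the example. RSA-OAEP, AES-GCM and SHA-256 are FIPS-approved algorithms; whether a deployment is using a FIPS 140-3 validated module is a property of the cryptographic library build, which this example does not address.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is one hybrid-encrypted message: the body is sealed with a
// fresh AES-256-GCM key, and that key is wrapped with the recipient's RSA
// public key (OAEP), so only the holder of the private key can open it.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(SHA-256) of the 32-byte AES key
	Nonce      []byte // 12-byte GCM nonce, random per message
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// SealForRecipient encrypts body for the owner of pub. headers travel in
// the clear but are covered by the GCM tag, so a changed To or Subject
// line is detected when the recipient opens the message.
func SealForRecipient(pub *rsa.PublicKey, body, headers []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, headers)}, nil
}

// OpenEnvelope unwraps the message key with priv and decrypts. Any change
// to the wrapped key, nonce, ciphertext or headers yields an error and no
// plaintext.
func OpenEnvelope(priv *rsa.PrivateKey, env *Envelope, headers []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("could not unwrap message key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, headers)
	if err != nil {
		return nil, errors.New("message failed authentication")
	}
	return body, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Recipient key pair generated here only for the demonstration; in practice
	// the public key comes from the recipient's certificate.
	priv, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		panic(err)
	}
	headers := []byte("To: records@clinic.example\r\nSubject: Referral")
	body := []byte("constructed sample body standing in for a PHI attachment")
	env, err := SealForRecipient(&priv.PublicKey, body, headers)
	if err != nil {
		panic(err)
	}
	got, err := OpenEnvelope(priv, env, headers)
	fmt.Printf("decrypted: %q (err=%v)\n", got, err)
	_, err = OpenEnvelope(priv, env, []byte("To: attacker@example.net"))
	fmt.Println("with altered headers:", err)
}
```

Binding the headers as associated data is what stops an intermediary from re-addressing an encrypted PHI message without the recipient noticing. S/MIME enveloped data is built on the same key-wrapping pattern, so a mail client that follows this policy gets the same properties from its S/MIME implementation.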

4.5 Email should be retained only if it qualifies as a business record. Email is a business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.

4.6 Email that is identified as a business record shall be retained according to AccuCode AI Inc.’s Record Retention Schedule.

4.7 Users are prohibited from automatically forwarding email to a third-party email system (see 4.8 below and the Automatically Forwarded Email Policy). Individual messages that a user forwards manually must not contain information classified confidential or above, and must never contain PHI.

4.8 Users are prohibited from using third-party email systems and storage services such as Google, Yahoo or Hotmail to conduct business, to create or memorialize any binding transactions, or to store or retain email on behalf of AccuCode AI Inc. Such communications and transactions must be conducted through proper channels using AccuCode AI Inc.-approved documentation.

4.9 Using a reasonable amount of AccuCode AI Inc. resources for personal emails is acceptable, but non-work-related email shall be saved in a separate folder from work-related email. Sending chain letters or joke emails from an AccuCode AI Inc. email account is prohibited.

4.10 AccuCode AI Inc. employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.

4.11 AccuCode AI Inc. may monitor messages without prior notice. AccuCode AI Inc. is not obliged to monitor email messages.

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Network Infrastructure

The Network Infrastructure section outlines the policies and procedures for securing AccuCode AI’s network environment. These policies are designed to protect the confidentiality, integrity, and availability of data processed and transmitted within the network.

All employees, contractors, and third parties with access to AccuCode AI’s network are required to adhere to these policies. Violations may result in disciplinary action, up to and including termination of employment or contract.

For any questions or concerns regarding the network infrastructure policies, please contact the InfoSec team at security@accucodeai.com.

Subsections of Network Infrastructure

Communications Equipment Policy

Version 1.0.2 | Last Updated 2024-02-20 | APPROVED

1. Overview

This document outlines the Communications Equipment Policy for AccuCode AI to ensure secure configuration and use of all communication equipment that is part of the company’s data network.

2. Purpose

The purpose of this policy is to establish requirements for the secure configuration and management of communication equipment at AccuCode AI in order to protect sensitive healthcare data processed by the company’s AI systems.

3. Scope

This policy applies to all communication equipment, including but not limited to routers, switches, firewalls, and VPN gateways, that are part of AccuCode AI’s data network and are used in the processing, storage, or transmission of healthcare data.

4. Policy

4.1 Secure Configuration

  • All communication equipment must be securely configured with necessary security features enabled before being placed into service.
  • Only authorized personnel with either a monitoring role (read-only privileges) or an administrator role (configuration change privileges) shall have access to manage the communication equipment.
  • All commands issued by users and security events that may pose a threat to the equipment must be logged and recorded.

4.2 User Authentication

  • Local user accounts are not permitted on communication equipment.
  • All users must authenticate against a central authentication service, using a protocol that protects credentials in transit, so that credentials cannot be captured and reused.

4.3 Data Encryption

  • All management traffic to and from communication equipment (administrative sessions, configuration transfers and log export) must be encrypted using a strong encryption algorithm to protect against eavesdropping and man-in-the-middle attacks, which rules out cleartext management protocols such as Telnet and HTTP.

4.4 Event Logging and Backup

  • Security events recorded by the communication equipment must be stored on media that is subject to regular backups.
  • The backup process must ensure the integrity of the logged information and prevent unauthorized modifications.

4.5 Administrator Password Security

  • The password for the equipment's built-in administrator account must not be known to any member of the staff who manage the equipment day to day.
  • If the highest administrative privileges are required, staff must submit a request to the internal security division, providing justification and completing the necessary forms.
  • After each such use the administrator password must be reset by the highest administrator, so that a credential issued for one task does not remain valid afterwards.

5. Policy Compliance

5.1 Compliance Measurement

The Information Security Team will verify compliance with this policy through various methods, including but not limited to:

  • Periodic walk-throughs
  • Video monitoring
  • Business tool reports
  • Internal and external audits
  • Feedback to the policy owner

5.2 Exceptions

Any exception to this policy must be approved in advance by the Information Security Team.

5.3 Non-Compliance

Employees found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Malware Protection Policy

Version 1.0.0 | Last Updated 2024-03-18 | APPROVED

1. Overview

AccuCode AI Inc. is entrusted with the responsibility to provide professional management of clients’ sensitive healthcare data and documents as outlined in each of the contracts with its customers. Inherent in this responsibility is an obligation to provide appropriate protection against malware threats, such as viruses and spyware applications. Effective implementation of this policy will limit the exposure and effect of common malware threats to the systems they cover.

2. Purpose

The purpose of this policy is to outline which endpoint and server systems are required to have anti-malware applications, specifically a modern Endpoint Detection and Response (EDR) solution.

3. Scope

This policy applies to all endpoints and servers that AccuCode AI Inc. is responsible for managing. This explicitly includes any system that AccuCode AI Inc. has a contractual obligation to administer, and all server systems set up for internal use by AccuCode AI Inc., whether or not AccuCode AI Inc. retains the administrative obligation.

4. Policy

AccuCode AI Inc. IT operations staff will adhere to this policy to determine which endpoints and servers will have an EDR installed on them and to deploy such applications as appropriate.

4.1 Endpoint Protection

All endpoints, including laptops, desktops, and workstations, MUST have an EDR installed and actively running to provide real-time protection against malware threats.

4.2 Server Protection

All servers MUST have an EDR installed and actively running to provide real-time protection against malware threats without exception.

4.3 Mail Server Protection

If the target system is a mail server, it MUST have either an external or internal anti-malware scanning application that scans all inbound and outbound mail. A local anti-malware scanner MAY be disabled during backups only if an external scanner continues to scan inbound email while the backup runs.

4.4 Notable Exceptions

An exception to the above standards will generally be granted with minimal resistance and documentation if one of the following notable conditions applies to the system:

  • The system is not a Windows, Linux or macOS platform

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

Network Security Policy

Version 1.0.5 | Last Updated 2024-03-28 | APPROVED

1. Overview

This document outlines the Network Security Policy for AccuCode AI, including networking, routing and VPNs.

2. Purpose

The purpose of this policy is to ensure the security, confidentiality, and integrity of AccuCode AI’s network infrastructure and the sensitive healthcare data processed by the company. This policy establishes guidelines for network configuration, access control, and security measures.

3. Scope

This policy applies to all employees, contractors, and third parties who access or manage AccuCode AI’s network infrastructure and resources.

4. Policy

4.1 Network Architecture

  • All network infrastructure must be hosted in private Azure virtual networks (VNets).
  • Network segmentation must be implemented to isolate different environments (e.g., production, development, testing) and restrict access between segments.
  • All network traffic between segments must be filtered and controlled using network security groups (NSGs) and access control lists (ACLs).

4.2 Remote Access

  • Remote access to the network must be done via a WireGuard VPN with strict role-based access control (RBAC) rules in place.
  • Hardware-based multi-factor authentication (MFA) must be enforced for all remote access.
  • VPN access must be granted on a least-privilege basis and regularly reviewed.

4.3 Device Security

  • No bring your own device (BYOD) equipment is allowed to connect to the corporate network.
  • All devices connecting to the network must be company-owned and centrally managed.
  • Devices must run the EDR agent required by the Malware Protection Policy and carry current security patches and configurations as per the company's security standards.

4.4 Network Monitoring and Logging

  • Network traffic must be monitored and logged for security events and anomalies.
  • Logs must be retained for at least 90 days and regularly reviewed by the security team.
  • Security incidents must be promptly investigated and reported as per the incident response plan.

4.5 Access Control

  • Access to network resources must be granted based on the principle of least privilege.
  • User accounts must be unique and tied to an individual’s identity.
  • Privileged access must be strictly controlled and monitored.
  • Unused or dormant accounts must be disabled or removed.

4.6 Configuration Management

  • Network devices must be configured according to the company’s security standards and best practices.
  • Default settings must be changed, and unnecessary services and protocols must be disabled.
  • Configuration changes must follow a formal change management process and be properly documented.

4.7 Third-Party Access

  • Third-party access to the network must be strictly controlled and monitored.
  • Access must be granted only when necessary and revoked immediately after the task is completed.
  • Third parties must adhere to the company’s security policies and sign appropriate non-disclosure agreements (NDAs).

5. Compliance and Enforcement

  • All employees, contractors, and third parties must comply with this policy. Non-compliance may result in disciplinary action, up to and including termination of employment or contract.
  • The InfoSec team is responsible for enforcing this policy and conducting regular audits to ensure compliance.
  • Exceptions to this policy must be approved by the InfoSec team and properly documented.

6. Review and Update

This policy must be reviewed and updated annually or whenever there are significant changes to the network infrastructure or security requirements.

Server Security Policy

Version 1.0.4 | Last Updated 2024-01-01 | APPROVED

1. Overview

Unsecured and vulnerable servers are a major entry point for malicious threat actors. Consistent server installation policies, ownership, and configuration management are critical for maintaining the security of AccuCode AI’s sensitive healthcare data and AI systems.

2. Purpose

The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by AccuCode AI Inc. Effective implementation of this policy will minimize unauthorized access to proprietary information, protected health information (PHI), and technology.

3. Scope

All employees, contractors, consultants, temporary and other workers at AccuCode AI Inc. and its subsidiaries must adhere to this policy. This policy applies to server equipment that is owned, operated, or leased by AccuCode AI or registered under an AccuCode AI-owned internal network domain.

4. Policy

4.1 General Requirements

4.1.1 All internal servers deployed at AccuCode AI must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs, and approved by the InfoSec team.

The following items must be met:

  • Servers must be registered within the corporate enterprise management system with up-to-date information including server contacts, hardware/OS details, and main functions
  • Configuration changes for production servers must follow appropriate change management procedures

4.1.2 For security, compliance, and maintenance purposes, authorized personnel may monitor and audit equipment, systems, processes, and network traffic per the Audit Policy.

4.2 Configuration Requirements

4.2.1 Operating System configuration should be in accordance with approved InfoSec team guidelines.

4.2.2 Unnecessary services and applications must be disabled.

4.2.3 Access to services should be logged and/or protected through access control methods.

4.2.4 The most recent security patches must be installed on the system as soon as practical.

4.2.5 Trust relationships between systems should be avoided. Always use least privilege access.

4.2.6 Privileged access must be performed over secure channels (e.g. SSH, WireGuard) when technically feasible.

4.2.7 Servers must be physically located in an access-controlled, secured environment. Servers are prohibited from operating in uncontrolled areas.

4.2.8 Per the Malware Protection Policy, all servers must have an endpoint detection and response (EDR) agent installed.

4.3 Monitoring

4.3.1 All security-related events on critical or sensitive systems must be logged and audit trails saved:

  • Security logs kept online for min. 1 week
  • Daily incremental backups retained for min. 1 month
  • Weekly full backups retained for min. 1 month
  • Monthly full backups retained for min. 180 days

4.3.2 The InfoSec team will review logs, investigate and report incidents, and prescribe corrective measures as needed. Security events include:

  • Port-scan attacks
  • Evidence of unauthorized privileged access
  • Anomalous occurrences unrelated to specific host applications

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance to this policy through various methods, including business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to this policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Chapter 1

Operational Security and Compliance

The Operational Security and Compliance section outlines the policies and procedures AccuCode AI follows to ensure the confidentiality, integrity, and availability of sensitive healthcare data while complying with relevant laws, regulations, and industry standards.

All employees, contractors, and third parties with access to AccuCode AI systems and data are required to adhere to these policies. Questions or concerns regarding operational security and compliance should be directed to the InfoSec team at security@accucodeai.com.

Subsections of Operational Security and Compliance

Operational Practices

The following policies outline the operational practices and procedures followed by AccuCode AI to ensure the security and integrity of our systems and data:

  • Risk Assessment Policy - Defines the process for identifying, assessing and mitigating risks to the confidentiality, integrity and availability of data.

  • Server Audit Policy - Outlines the requirements for regularly auditing servers to ensure they are properly configured and secured.

  • Software Installation Policy - Specifies the approved process for requesting, reviewing and deploying new software.

Questions or concerns regarding these policies should be directed to the InfoSec team at security@accucodeai.com.

Subsections of Operational Practices

Risk Assessment Policy

Version 1.0.3 | Last Updated 2023-10-27 | APPROVED

1. Overview

This Risk Assessment Policy outlines the guidelines and procedures for conducting information security risk assessments at AccuCode AI Inc. The purpose of this policy is to identify and mitigate potential vulnerabilities in our systems, processes, and procedures, with a special emphasis on protecting Protected Health Information (PHI).

2. Purpose

The primary purpose of this policy is to authorize and empower the InfoSec team to perform periodic risk assessments, both internally and with the assistance of third-party penetration testing (pentesting) providers. By identifying areas of vulnerability, the InfoSec team can initiate appropriate remediation measures to ensure the confidentiality, integrity, and availability of sensitive data, particularly PHI.

3. Scope

Risk assessments can be conducted on any information system within AccuCode AI Inc., including applications, servers, networks, and any process or procedure by which these systems are administered and/or maintained. Additionally, risk assessments may be performed on outside entities that have signed a Third Party Agreement with AccuCode AI Inc.

4. Policy

4.1 The InfoSec team is responsible for conducting periodic risk assessments to identify potential vulnerabilities in AccuCode AI Inc.’s information systems and processes.

4.2 The execution, development, and implementation of remediation programs is the joint responsibility of the InfoSec team and the department responsible for the system area being assessed.

4.3 Employees are expected to cooperate fully with any risk assessment being conducted on systems for which they are held accountable. They are further expected to work with the InfoSec Risk Assessment Team in the development of a remediation plan.

4.4 When engaging third-party pentesting providers, the InfoSec team must ensure that appropriate measures are in place to protect PHI. This includes, but is not limited to:

  • Signing a Business Associate Agreement (BAA) with the third-party provider
  • Ensuring that the provider has adequate security controls and procedures in place to safeguard PHI
  • Limiting the scope of the pentest to minimize exposure of PHI
  • Reviewing and redacting any reports or findings that may contain PHI before sharing them with the third-party provider

4.5 The InfoSec team must maintain detailed documentation of all risk assessments, including the scope, findings, and remediation plans.

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Server Audit Policy

Version 1.0.3 | Last Updated 2023-12-20 | APPROVED

1. Overview

This Server Audit Policy outlines the requirements and guidelines for conducting audits on servers owned or operated by AccuCode AI Inc. The purpose of this policy is to ensure that all servers are configured according to the company’s security policies and applicable regulatory compliance standards.

2. Purpose

The purpose of this policy is to:

  • Ensure the integrity, confidentiality, and availability of information and resources processed by AccuCode AI’s servers
  • Verify conformance to the company’s security policies
  • Meet applicable regulatory compliance requirements, such as HIPAA, for protecting PHI (Protected Health Information) and PII (Personally Identifiable Information)

3. Scope

This policy applies to all servers owned or operated by AccuCode AI Inc., as well as any server present on the company’s premises, regardless of ownership or operation.

4. Policy

AccuCode AI Inc. hereby provides its consent to allow authorized personnel to access its servers to the extent necessary to perform scheduled and ad hoc audits of all servers.

4.1 Specific Concerns

Servers used by AccuCode AI support critical business functions and store sensitive company information, including PHI and PII. Improper configuration of servers could lead to the loss of confidentiality, availability, or integrity of these systems.

4.2 Guidelines

  • Approved and standard configuration templates shall be used when deploying server systems
  • All system logs shall be sent to a central log review system
  • All sudo/administrator actions must be logged
  • Use a central patch deployment system
  • Host security agents, such as the endpoint detection and response (EDR) agent required by the Malware Protection Policy, shall be installed and kept up to date
  • Network scans shall be conducted to verify that only required network ports and shares are in use
  • Verify administrative group membership
  • Conduct baselines when systems are deployed and upon significant system changes
  • Changes to configuration templates shall be coordinated with approval from the change control board
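Several of the guidelines above, and the configuration requirements in section 4.2 of the Server Security Policy (unnecessary services disabled, privileged access over SSH, least privilege), are mechanical checks that can be scripted and run against every server on the audit schedule. The script below is an added example written for this page, not AccuCode AI's audit tooling. It parses a constructed sample of `ss -tlnp` output, a constructed /etc/group line and a constructed sshd_config excerpt, and reports every deviation from a hypothetical approved baseline; the baseline ports, the approved administrator list and the required sshd settings are assumptions chosen for illustration.

```python
"""Server configuration audit against an approved baseline: listening ports,
administrative group membership and SSH hardening.
Added example; the inputs below are constructed, not captured from a system."""
import re

# Constructed sample of `ss -tlnp` output (Linux). Assumption: the audit
# collects this from each server through the central management tooling.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=950,fd=5))
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1330,fd=4))
"""
# Hypothetical approved baseline for this server role: port -> process name.
BASELINE_PORTS = {22: "sshd", 443: "nginx", 5432: "postgres"}

# Constructed /etc/group line and the approved admin list from the enterprise
# management system (hypothetical account names).
GROUP_LINE = "sudo:x:27:alice,bob,svc-backup"
APPROVED_ADMINS = {"alice", "bob"}

# Constructed sshd_config excerpt and the settings the baseline requires.
SSHD_CONFIG = """\
# hypothetical /etc/ssh/sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
"""
SSHD_REQUIRED = {"PermitRootLogin": "no", "PasswordAuthentication": "no",
                 "PubkeyAuthentication": "yes"}

LISTEN_RE = re.compile(r'^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_text):
    """Return {port: process} for every LISTEN line of `ss -tlnp` output."""
    listeners = {}
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners[int(m.group(2))] = m.group(3)
    return listeners


def audit_ports(listeners, baseline):
    """Flag listeners not in the baseline, a port served by the wrong process,
    and baseline services that are not running."""
    findings = []
    for port, proc in sorted(listeners.items()):
        if port not in baseline:
            findings.append(f"unexpected listener {proc} on port {port}")
        elif baseline[port] != proc:
            findings.append(f"port {port} served by {proc}, baseline expects {baseline[port]}")
    for port in sorted(set(baseline) - set(listeners)):
        findings.append(f"baseline service {baseline[port]} on port {port} not listening")
    return findings


def audit_admins(group_line, approved):
    """Members of the admin group that are not on the approved list."""
    group, _, _, members = group_line.split(":")
    present = {m for m in members.split(",") if m}
    return [f"unapproved member of {group}: {u}" for u in sorted(present - approved)]


def audit_sshd(config_text, required):
    """Compare effective sshd settings with the required values. A missing
    directive is reported too, because sshd's built-in default (for example
    PasswordAuthentication yes) may be the weak setting."""
    settings = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings.setdefault(key, value.strip())  # sshd honours the first occurrence
    findings = []
    for key, want in required.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"sshd: {key} not set explicitly (want {want})")
        elif got.lower() != want:
            findings.append(f"sshd: {key} is {got}, want {want}")
    return findings


def run_audit():
    """All findings for the constructed host, in a stable order."""
    return (audit_ports(parse_listeners(SS_OUTPUT), BASELINE_PORTS)
            + audit_admins(GROUP_LINE, APPROVED_ADMINS)
            + audit_sshd(SSHD_CONFIG, SSHD_REQUIRED))


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

Each finding maps to a guideline above: the stray vsftpd listener fails the port scan check, the service account in the sudo group fails the administrative membership check, and PermitRootLogin yes fails the SSH hardening requirement. Findings of this kind are what section 4.4 expects to be entered in the tracking system.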

4.3 Responsibility

The InfoSec team shall conduct audits of all servers owned or operated by AccuCode AI Inc. Server and application owners are encouraged to perform this work as needed.

4.4 Relevant Findings

All relevant findings discovered during the audit shall be listed in the tracking system to ensure prompt resolution or appropriate mitigating controls.

4.5 Ownership of Audit Report

All results and findings generated by the InfoSec team must be provided to appropriate management within one week of project completion. This report will become the property of AccuCode AI Inc. and be considered company confidential.

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team shall never use access required to perform server audits for any other purpose. The team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6. Logging Requirements

6.1 General Requirements

All systems that handle PHI, PII, accept network connections, or make access control decisions shall record and retain audit logging information sufficient to answer the following questions:

  1. What activity was performed?
  2. Who or what performed the activity, including where or on what system the activity was performed from (subject)?
  3. What was the activity performed on (object)?
  4. When was the activity performed?
  5. What tool(s) were used to perform the activity?
  6. What was the status (such as success vs. failure), outcome, or result of the activity?

6.2 PHI and PII Logging Requirements

In addition to the general logging requirements, systems handling PHI and PII must adhere to the following:

  1. PHI and PII must never be logged in clear text.
  2. If PHI or PII must be logged, it should be redacted, masked, or hashed.
  3. Access to systems containing PHI and PII must be logged.
  4. Failed access attempts to systems or data containing PHI and PII must be logged.

6.3 Activities to be Logged

Logs shall be created whenever any of the following activities are requested to be performed by the system:

  1. Create, read, update, or delete PHI or PII
  2. Create, update, or delete information not covered in #1
  3. Initiate or accept a network connection
  4. User authentication and authorization for activities covered in #1 or #2
  5. Grant, modify, or revoke access rights
  6. System, network, or services configuration changes
  7. Application process startup, shutdown, or restart
  8. Application process abort, failure, or abnormal end
  9. Detection of suspicious/malicious activity

6.4 Elements of the Log

Logs shall identify or contain at least the following elements, directly or indirectly:

  1. Type of action
  2. Subsystem performing the action
  3. Identifiers for the subject requesting the action
  4. Identifiers for the object the action was performed on
  5. Before and after values when action involves updating data
  6. Date and time the action was performed, including time-zone
  7. Whether the action was allowed or denied by access-control mechanisms
  8. Description and/or reason-codes of why the action was denied

Software Installation Policy

Version 1.0.0 | Last Updated 2024-03-08 | APPROVED

1. Overview

AccuCode AI Inc. must ensure the security and integrity of its computing systems. Allowing employees to install unauthorized software on company devices can lead to various risks, including:

  • Conflicting file versions or DLLs that can prevent programs from running properly
  • Introduction of malware from infected installation software
  • Use of unlicensed software that could be discovered during audits
  • Programs that can be used to hack the organization’s network

2. Purpose

The purpose of this policy is to outline the requirements for installing software on AccuCode AI Inc.’s computing devices. The policy aims to:

  • Minimize the risk of loss of program functionality
  • Protect sensitive information contained within the computing network
  • Reduce the risk of introducing malware
  • Avoid legal exposure from running unlicensed software

3. Scope

This policy applies to all employees, contractors, vendors, and agents who use AccuCode AI Inc.-owned computing devices. It covers all computers, servers, smartphones, tablets, and other computing devices operating within the company.

4. Policy

4.1. Employees are prohibited from installing software themselves on computing devices operated within the AccuCode AI Inc. network; installation is performed by the InfoSec team under the process described below.

4.2. Software requests must first be approved by the requester’s manager and then submitted to the Information Security (InfoSec) team in writing or via email.

4.3. The InfoSec team will review and approve software requests based on security, compatibility, and licensing requirements. If no approved software meets the requester’s needs, the InfoSec team will work with the requester to find a suitable alternative.

4.4. The InfoSec team will obtain and track licenses, test new software for conflicts and compatibility, and perform the installation.

5. Policy Compliance

5.1. Compliance Measurement

The InfoSec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

5.2. Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3. Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Regulatory Compliance

The InfoSec team at AccuCode AI is committed to ensuring our systems, processes and personnel comply with all relevant laws, regulations, standards and contractual obligations related to security and privacy. This is critical given the sensitive healthcare data we process.

Key compliance domains:

  • HIPAA/HITECH
  • SOC 2
  • State privacy laws
  • Customer security requirements

Subsections of Regulatory Compliance

Certificate Practice Statement Policy

Version 1.0.3 | Last Updated 2023-11-13 | APPROVED

1. Overview

This Certificate Practice Statement (CPS) Policy outlines the practices and procedures followed by AccuCode AI Inc. in the issuance, management, revocation, and renewal of digital certificates. This policy is in accordance with the requirements of the AccuCode AI Certificate Policy (CP) and the AccuCode AI Public Key Infrastructure (PKI).

2. Purpose

The purpose of this policy is to ensure that the AccuCode AI PKI is operated in a secure, trustworthy, and consistent manner, and that all parties involved in the PKI have a clear understanding of their roles and responsibilities.

3. Scope

This policy applies to all digital certificates issued by the AccuCode AI PKI, including those used for authentication, encryption, and digital signatures. This policy also applies to all AccuCode AI employees, contractors, and third parties involved in the operation of the PKI.

4. Policy

4.1 Certificate Issuance

All digital certificates issued by the AccuCode AI PKI shall be issued in accordance with the AccuCode AI Certificate Policy and the requirements of this CPS. The issuance of certificates shall be performed by authorized AccuCode AI personnel only.

4.2 Certificate Lifecycle Management

The AccuCode AI PKI shall maintain a system for the management of certificate lifecycles, including issuance, revocation, and renewal. This system shall be operated in accordance with the requirements of the AccuCode AI Certificate Policy and industry best practices.

4.3 Key Management

The AccuCode AI PKI shall maintain a secure system for the management of cryptographic keys, including key generation, distribution, storage, and destruction. All keys shall be generated and stored using Azure Key Vault, which is SOC 2 compliant.

4.4 Certificate Revocation

The AccuCode AI PKI shall maintain a system for the revocation of digital certificates in accordance with the AccuCode AI Certificate Policy. Revocation requests shall be processed promptly and in accordance with industry best practices.

4.5 Certificate Renewal

The AccuCode AI PKI shall maintain a system for the renewal of digital certificates in accordance with the AccuCode AI Certificate Policy. Renewal requests shall be processed promptly and in accordance with industry best practices.

4.6 Audit and Compliance

The AccuCode AI PKI shall be subject to regular audits to ensure compliance with the AccuCode AI Certificate Policy, this CPS, and industry best practices. Audit results shall be reviewed by the InfoSec team and any necessary corrective actions shall be taken promptly.

5. Roles and Responsibilities

5.1 PKI Manager

The PKI Manager is responsible for the overall operation and management of the AccuCode AI PKI, including ensuring compliance with the AccuCode AI Certificate Policy and this CPS.

5.2 PKI Administrators

PKI Administrators are responsible for the day-to-day operation of the AccuCode AI PKI, including certificate issuance, revocation, and renewal.

5.3 InfoSec Team

The InfoSec team is responsible for reviewing audit results and ensuring that any necessary corrective actions are taken promptly.

6. Policy Compliance

6.1 Compliance Measurement

The InfoSec team will verify compliance to this policy through various methods, including but not limited to, periodic audits, business tool reports, and internal and external feedback to the policy owner.

6.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

6.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Security Logging and Monitoring

This document outlines AccuCode AI’s standards and requirements for logging information related to the processing of healthcare documents. Proper logging is essential for security monitoring, incident response, compliance, and troubleshooting. All employees and systems that handle protected health information (PHI) must adhere to these logging standards.

Questions about this policy should be directed to the InfoSec team at security@accucodeai.com.

Subsections of Security Logging and Monitoring

Information Logging Standard

Version 1.0.5 | Last Updated 2024-03-18 | APPROVED

1. Overview

Logging from critical systems, applications, and services can provide key information and potential indicators of compromise. Although logging information may not be viewed on a daily basis, it is critical to have from a forensics standpoint. This standard outlines the requirements for logging in systems that handle Protected Health Information (PHI) and Personally Identifiable Information (PII).

2. Purpose

The purpose of this document is to identify specific requirements that information systems must meet in order to generate appropriate audit logs and integrate with AccuCode AI’s log management function. The goal is to ensure that PHI and PII are never logged in clear text, and are always redacted when possible.

3. Scope

This policy applies to all production systems at AccuCode AI that process, store, or transmit PHI or PII.

4. Policy

4.1 General Requirements

All systems that handle PHI, PII, accept network connections, or make access control decisions shall record and retain audit logging information sufficient to answer the following questions:

  1. What activity was performed?
  2. Who or what performed the activity, including where or on what system the activity was performed from (subject)?
  3. What was the activity performed on (object)?
  4. When was the activity performed?
  5. What tool(s) were used to perform the activity?
  6. What was the status (such as success vs. failure), outcome, or result of the activity?

4.2 PHI and PII Logging Requirements

In addition to the general logging requirements, systems handling PHI and PII must adhere to the following:

  1. PHI and PII must never be logged in clear text.
  2. If PHI or PII must be logged, it should be redacted, masked, or hashed.
  3. Access to systems containing PHI and PII must be logged.
  4. Failed access attempts to systems or data containing PHI and PII must be logged.

4.3 Activities to be Logged

Logs shall be created whenever any of the following activities are requested to be performed by the system:

  1. Create, read, update, or delete PHI or PII
  2. Create, update, or delete information not covered in #1
  3. Initiate or accept a network connection
  4. User authentication and authorization for activities covered in #1 or #2
  5. Grant, modify, or revoke access rights
  6. System, network, or services configuration changes
  7. Application process startup, shutdown, or restart
  8. Application process abort, failure, or abnormal end
  9. Detection of suspicious/malicious activity

4.4 Elements of the Log

Logs shall identify or contain at least the following elements, directly or indirectly:

  1. Type of action
  2. Subsystem performing the action
  3. Identifiers for the subject requesting the action
  4. Identifiers for the object the action was performed on
  5. Before and after values when action involves updating data
  6. Date and time the action was performed, including time-zone
  7. Whether the action was allowed or denied by access-control mechanisms
  8. Description and/or reason-codes of why the action was denied
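Sections 4.1 to 4.4 together define what one audit record must carry and what it must never carry. The following Python code is an added example written for this page, not AccuCode AI's logging library: it builds an event holding the eight elements listed above plus the tool used (question 5 of 4.1), pseudonymizes PHI fields before the event exists in serialised form, and refuses to write an event that is missing an element or still holds a raw PHI value. The field names, the subsystem and user names and the pseudonymization key are assumptions for illustration. One caveat a practitioner should note on the word "hashed" in 4.2: a plain SHA-256 of a low-entropy identifier such as an MRN, date of birth or SSN can be reversed by enumerating the input space, so the example uses a keyed HMAC with a secret kept outside the log pipeline.

```python
"""Audit event builder satisfying the elements in section 4.4, with PHI
pseudonymized before serialisation. Added example, not AccuCode AI code."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: a per-environment secret held outside the log pipeline. A keyed
# HMAC is used because a plain hash of a low-entropy identifier (MRN, SSN,
# date of birth) is reversible by brute force.
PSEUDONYM_KEY = b"constructed-example-key-not-for-production"

# Fields treated as PHI/PII in this hypothetical patient record schema.
PHI_FIELDS = {"patient_name", "mrn", "ssn", "dob"}

REQUIRED = ("action", "subsystem", "subject", "object", "before", "after",
            "timestamp", "outcome", "reason", "tool")


def pseudonymize(value):
    """Stable, non-reversible token: the same input always yields the same
    token, so records about one patient can still be correlated."""
    digest = hmac.new(PSEUDONYM_KEY, str(value).encode(), hashlib.sha256).hexdigest()
    return "hmac:" + digest[:16]


def scrub(record):
    """Replace PHI fields of a dict with pseudonyms; other fields pass through."""
    if record is None:
        return None
    return {k: (pseudonymize(v) if k in PHI_FIELDS else v) for k, v in record.items()}


def audit_event(action, subsystem, subject, obj, allowed, *, before=None,
                after=None, reason=None, tool=None, now=None):
    """Return a JSON-serialisable event. `subject` identifies who acted and
    from where, `obj` what was acted on, `before`/`after` the values changed."""
    ts = now or datetime.now(timezone.utc)
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry a time zone")      # element 6
    if not allowed and not reason:
        raise ValueError("a denied action must record why")        # element 8
    return {
        "action": action,             # 1 type of action
        "subsystem": subsystem,       # 2 subsystem performing the action
        "subject": subject,           # 3 requester identifiers (user, source)
        "object": scrub(obj),         # 4 object identifiers
        "before": scrub(before),      # 5 values before an update
        "after": scrub(after),        #   and after it
        "timestamp": ts.isoformat(),  # 6 date/time with time-zone offset
        "outcome": "allowed" if allowed else "denied",  # 7 access-control result
        "reason": reason,             # 8 why it was denied (None when allowed)
        "tool": tool,                 # 4.1 question 5: tool or client used
    }


def validate_event(event):
    """(ok, message): reject an event missing a required element or carrying
    a raw value under a PHI key (anything there must be a pseudonym)."""
    missing = [k for k in REQUIRED if k not in event]
    if missing:
        return False, f"missing elements: {missing}"
    for part in ("object", "before", "after"):
        for k, v in (event[part] or {}).items():
            if k in PHI_FIELDS and not str(v).startswith("hmac:"):
                return False, f"clear-text PHI in {part}.{k}"
    return True, "ok"


def write_line(event):
    """One JSON line for the central log system; raises rather than writing
    a non-compliant record."""
    ok, why = validate_event(event)
    if not ok:
        raise ValueError(why)
    return json.dumps(event, sort_keys=True)


def example_update():
    """Constructed: a clinician corrects a date of birth through the web UI."""
    when = datetime(2024, 3, 18, 14, 5, 9, tzinfo=timezone.utc)
    return audit_event(
        "update", "patient-api",
        {"user": "jdoe", "source_ip": "10.20.30.40"},
        {"type": "patient_record", "mrn": "MRN-000123"},
        True, before={"dob": "1970-01-01"}, after={"dob": "1970-01-10"},
        tool="web-ui/2.4", now=when)


def example_denied():
    """Constructed: a read of the same record refused by the access check."""
    when = datetime(2024, 3, 18, 14, 6, 0, tzinfo=timezone.utc)
    return audit_event(
        "read", "patient-api",
        {"user": "contractor7", "source_ip": "10.20.30.77"},
        {"type": "patient_record", "mrn": "MRN-000123"},
        False, reason="role 'contractor' lacks phi:read", tool="curl/8.5", now=when)


if __name__ == "__main__":
    print(write_line(example_update()))
    print(write_line(example_denied()))
```

Because the pseudonym is deterministic, the two constructed events carry the same token for MRN-000123 and can be joined during an investigation without the MRN ever appearing in the log. The before/after values in element 5 are pseudonymized the same way, so a change to a PHI field is visible as a change without the old or new value being exposed.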

4.5 Log Retention

Audit logs must be retained for a minimum of 180 days.

4.6 Formatting and Storage

The system shall support the formatting and storage of audit logs in such a way as to ensure the integrity of the logs and to support enterprise-level analysis and reporting. Acceptable formats include:

  1. Windows Event Logs collected by a centralized log management system
  2. Logs in a documented format sent via syslog protocols to a centralized log management system
  3. Logs stored in a PostgreSQL database that itself generates audit logs
  4. Other open logging mechanisms that support the requirements

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Medical Coding System Logging Standard

Version 1.0.5 | Last Updated 2023-10-20 | APPROVED

1. Overview

Logging from the medical coding AI system can provide critical information for auditing, compliance, and understanding how the AI model arrived at specific coding decisions. Although this logging information may not be viewed on a daily basis, it is essential to have from a forensics and accountability standpoint. This standard outlines the requirements for logging in the medical coding AI system that handles Protected Health Information (PHI).

2. Purpose

The purpose of this document is to identify specific requirements that the medical coding AI system must meet in order to generate appropriate audit logs and integrate with AccuCode AI’s log management function. The goal is to ensure that PHI is never logged in clear text and is always redacted before being stored for auditing purposes.

3. Scope

This policy applies to the medical coding AI system at AccuCode AI that processes PHI from healthcare documents such as patient charts, for the purpose of automating healthcare billing and clinical abstraction.

4. Policy

4.1 General Requirements

The medical coding AI system shall record and retain audit logging information sufficient to answer the following questions:

  1. What specific healthcare document was processed?
  2. What AI model or version of the model performed the coding?
  3. When was the coding performed?
  4. What codes were assigned by the AI system?
  5. What was the confidence level or probability for each code assigned?
  6. What key features or evidence from the document were used to assign each code?

4.2 PHI Logging Requirements

In addition to the general logging requirements, the medical coding AI system handling PHI must adhere to the following:

  1. PHI must never be logged in clear text.
  2. PHI must be redacted, masked, or hashed before logging.
  3. Access to the AI system must be logged.
  4. Failed access attempts to the AI system must be logged.

4.3 Activities to be Logged

Logs shall be created whenever any of the following activities are performed by the medical coding AI system:

  1. Healthcare document is uploaded or ingested
  2. AI model processes the healthcare document
  3. Codes are assigned to the healthcare document
  4. User authenticates to view the coding results and audit logs
  5. AI model is updated or re-trained on new data
  6. Detection of suspicious activity or model drift

4.4 Elements of the Log

Logs shall identify or contain at least the following elements, directly or indirectly:

  1. Document ID (masked)
  2. AI model name and version
  3. Date and time the coding was performed, including time-zone
  4. Assigned codes and their confidence levels/probabilities
  5. Key features or evidence used to assign each code, with PHI redacted
  6. User ID who accessed the results and audit logs
  7. Reason for any failures or exceptions in processing
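The elements above differ from the general Information Logging Standard in one important way: element 5 records free-text evidence from the chart, which is where PHI is most likely to leak into a log. The following Python code is an added example written for this page, not AccuCode AI's coding system: it assembles a decision record with the seven elements, masks the document ID, redacts identifiers known from the document header and common PHI patterns from every evidence span, and exposes the same pattern scanner for use at the log sink as an independent check. The chart excerpt, model name, confidence scores and user name are constructed; the ICD-10 codes are real codes used only to make the record look realistic. Pattern-based redaction is a backstop for structured de-identification upstream, not a substitute for it: names not supplied as known identifiers and spelled-out dates are not caught by these patterns.

```python
"""Coding-decision record for the medical coding AI system (section 4.4), with
PHI redacted from evidence text before the record leaves the process.
Added example, not AccuCode AI's coding system; all inputs are constructed."""
import json
import re
from datetime import datetime, timezone

# PHI that commonly survives in free-text evidence spans. Backstop only:
# names and spelled-out dates are not caught here.
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "MRN": re.compile(r"\bMRN[- ]?\d{4,}\b", re.I),
    "DATE": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
}


def redact(text, known_identifiers=()):
    """Replace identifiers known from the document header (the patient name)
    and every pattern match with a typed placeholder."""
    for ident in known_identifiers:
        text = re.sub(re.escape(ident), "[NAME]", text, flags=re.I)
    for label, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    return text


def find_clear_phi(text):
    """Sorted labels of PHI patterns still present. Intended to run at the
    log sink over every record, as a check independent of the producer."""
    return sorted(label for label, pattern in PHI_PATTERNS.items() if pattern.search(text))


def mask_document_id(doc_id):
    """Keep the last four characters so an auditor can correlate the record
    with the document store without the log carrying the full identifier."""
    return "*" * max(len(doc_id) - 4, 0) + doc_id[-4:]


def coding_record(doc_id, model_name, model_version, codes, evidence,
                  known_identifiers=(), user=None, error=None, now=None):
    """Build the record. `codes` is [(code, probability)]; `evidence` maps a
    code to the text spans the model relied on for it."""
    ts = (now or datetime.now(timezone.utc)).isoformat()  # element 3, tz-aware
    record = {
        "document_id": mask_document_id(doc_id),                     # element 1
        "model": {"name": model_name, "version": model_version},     # element 2
        "timestamp": ts,
        "codes": [{"code": c, "confidence": round(p, 3)} for c, p in codes],  # element 4
        "evidence": {c: [redact(s, known_identifiers) for s in spans]        # element 5
                     for c, spans in evidence.items()},
        "accessed_by": user,                                         # element 6
        "error": error,                                              # element 7
    }
    # Defence in depth: the producer refuses to emit a record the sink-side
    # scanner would reject.
    leaked = find_clear_phi(json.dumps(record["evidence"]) + record["document_id"])
    if leaked:
        raise ValueError(f"refusing to emit record with clear-text PHI: {leaked}")
    return record


def example_record():
    """Constructed chart excerpt and constructed scores (hypothetical model)."""
    when = datetime(2023, 10, 20, 9, 15, tzinfo=timezone.utc)
    evidence = {
        "E11.9": ["Pt John Q. Public, MRN 1234567, DOB 03/14/1961, presents with "
                  "type 2 diabetes without complications"],
        "I10": ["BP 150/95, hx of essential hypertension per note dated 2023-10-18"],
    }
    return coding_record("chart-2023-10-20-00042", "accucode-coder", "2.1.0",
                         [("E11.9", 0.934), ("I10", 0.871)], evidence,
                         known_identifiers=("John Q. Public",), user="coder42", now=when)


if __name__ == "__main__":
    print(json.dumps(example_record(), indent=2))
```

In the constructed record the evidence for E11.9 is stored as "Pt [NAME], [MRN], DOB [DATE], presents with type 2 diabetes without complications", which still tells an auditor what the model relied on without reproducing the patient's identity. The model name and version and the per-code confidence are what make the decision reproducible when a coding dispute is investigated years later, within the 7-year retention in 4.5.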

4.5 Log Retention

Audit logs with PHI redacted must be retained for a minimum of 7 years for compliance purposes.

4.6 Formatting and Storage

The system shall support the formatting and storage of audit logs in such a way as to ensure the integrity of the logs and to support enterprise-level analysis and reporting. Acceptable formats include:

  1. Logs in a documented format sent via syslog protocols to a centralized log management system
  2. Logs stored in a PostgreSQL database that itself generates audit logs
  3. Other open logging mechanisms that support the requirements

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

User Access and Identity Management

This section contains AccuCode AI’s policies and standards related to user access control, authentication, and identity management. These policies aim to ensure that access to company systems and data is properly controlled, monitored, and audited.

If you have any questions or concerns about these policies, please contact the InfoSec team at security@accucodeai.com.

Subsections of User Access and Identity Management

Authentication Standards

Effective authentication is critical for protecting AccuCode AI’s systems, data, and user accounts. This section outlines the standards and requirements for implementing secure authentication mechanisms across the organization.

All employees and third-parties must adhere to these authentication policies. Questions or concerns should be directed to the InfoSec team at security@accucodeai.com.

Subsections of Authentication Standards

Password Construction Standards

Version 1.0.3 | Last Updated 2024-03-28 | APPROVED

1. Overview

Passwords are a critical component of information security. Passwords serve to protect access to user accounts, data, and systems. However, a poorly constructed or easily guessed password can compromise the strongest defenses. This guideline provides best practices for creating strong passwords and using additional security measures such as hardware-based two-factor authentication (2FA) and password managers.

2. Purpose

The purpose of these guidelines is to provide best practices for the creation of strong passwords and the use of additional security measures to protect user accounts and sensitive data.

3. Scope

This guideline applies to employees, contractors, consultants, temporary and other workers, including all personnel affiliated with third parties. This guideline applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins.

4. Standards

4.1 Password Strength

  • Passwords should be at least 16 characters long. The more characters a password has, the stronger it is.
  • Use passphrases, which are passwords made up of multiple words. Examples include “cactus trace4 week303end” or “bl0ck-curious-suNNy-leaves”. Passphrases are both easy to remember and type yet meet the strength requirements.
  • Passwords should include a mix of uppercase and lowercase letters, numbers, and special characters.
  • Avoid easily guessable choices such as personal information, a single dictionary word (with or without digits or character substitutions appended), or common phrases. A passphrase of several unrelated words, as in the examples above, is not a dictionary word in this sense.
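The rules above can be enforced at the point where a password is set, so that the cracking exercises in 4.4 find fewer weak passwords after the fact. The following Python code is an added example written for this page, not AccuCode AI's password tooling: it applies the 16-character minimum, undoes the usual digit and leetspeak decorations before comparing against a breached-password list, treats a single dictionary word as a violation while accepting multi-word passphrases, and applies the character-class mix the standard asks for. The breached-password set and the dictionary are tiny constructed stand-ins; a real deployment would load a full leaked-password corpus and word list.

```python
"""Password construction check for section 4.1: length, passphrase handling,
breached-password match, single dictionary word, character mix.
Added example, not AccuCode AI code; the word lists are constructed stand-ins."""
import re

MIN_LENGTH = 16

# Constructed stand-ins. In practice load a full breached-password corpus and
# a real dictionary; the cracking exercises in 4.4 should use the same lists.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "accucode"}
DICTIONARY = {"cactus", "trace", "week", "end", "block", "curious", "sunny",
              "leaves", "summer", "winter", "password", "welcome"}

# Undo the substitutions people use to dress up a dictionary word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw):
    """Lower-case, drop trailing digits/punctuation and undo leetspeak, so
    that 'P@ssw0rd2024!!!!' compares as 'password'."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    return core.translate(LEET)


def words(pw):
    """Word tokens of the normalized password (space, hyphen, dot, underscore
    separated); a passphrase yields several, a decorated word yields one."""
    return [w for w in re.split(r"[\s\-_.]+", normalize(pw)) if w]


def char_classes(pw):
    """How many of lower, upper, digit, other are present."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))


def check_password(pw):
    """Return the list of violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(pw) in COMMON_PASSWORDS:
        problems.append("matches a common/breached password")
    ws = words(pw)
    # One dictionary word, however decorated, is guessable; several words
    # (a passphrase) are what the standard recommends.
    if len(ws) == 1 and re.sub(r"\d+", "", ws[0]) in DICTIONARY:
        problems.append("single dictionary word")
    if char_classes(pw) < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    for candidate in ("cactus trace4 week303end", "bl0ck-curious-suNNy-leaves",
                      "P@ssw0rd2024!!!!", "Summer2024!"):
        print(repr(candidate), check_password(candidate) or "ok")
```

The two passphrases from the standard pass; "P@ssw0rd2024!!!!" is 16 characters with four character classes and still fails, because after normalization it is the word "password". That is the case a length-and-classes rule alone misses and a cracking run finds within seconds.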

4.2 Password Managers

  • Use a reputable password manager to generate, store, and manage strong, unique passwords for each account.
  • Password managers should be protected with a strong master password and hardware-based 2FA.

4.3 Two-Factor Authentication (2FA)

  • Enable hardware-based 2FA, such as security keys or smart cards, for all critical accounts, including but not limited to email, VPN, and remote access systems.
  • Where hardware-based 2FA is not available, use app-based (authenticator) 2FA. SMS-based 2FA is the weakest option, since codes can be intercepted through SIM-swap attacks, and should be used only when neither a hardware key nor an authenticator app is supported.

4.4 Password Auditing

  • Password cracking or guessing may be performed on a periodic or random basis by the InfoSec Team or its delegates.
  • If a password is guessed or cracked during one of these scans, the user will be required to change it.

5. Standards Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance to this policy through various methods, including but not limited to password cracking exercises, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Extranet Policy

Version 1.0.3 | Last Updated 2023-10-16 | APPROVED

1. Purpose

This document outlines the policy for third-party organizations connecting to AccuCode AI Inc. networks for the purpose of transacting business related to the company.

2. Scope

This policy applies to all connections between third parties that require access to non-public AccuCode AI Inc. resources, regardless of the technology used for the connection (e.g., telco circuit or VPN). Connections to third parties such as Internet Service Providers (ISPs) or the Public Switched Telephone Network do not fall under this policy.

3. Policy

3.1 Security Review

All new extranet connectivity requests must undergo a security review conducted by the InfoSec team. The review ensures that access aligns with business requirements and adheres to the principle of least access.

3.2 Business Case

All production extranet connections must be accompanied by a valid written business justification, approved by a project manager in the extranet group. Lab connections must be approved by the team responsible for lab security.

3.3 Point of Contact

The Sponsoring Organization must designate a Point of Contact (POC) responsible for the portions of this policy and the Third Party Agreement that pertain to them. The relevant extranet organization must be promptly informed of any changes to the POC.

3.4 Modifying or Changing Connectivity and Access

All access changes must be accompanied by a valid business justification and are subject to security review. Changes must be implemented via the corporate change management process. The Sponsoring Organization is responsible for notifying the extranet management group and/or InfoSec of any material changes to their originally provided information.

3.5 Terminating Access

When access is no longer required, the Sponsoring Organization must notify the responsible extranet team, which will terminate the access as appropriate. The extranet and lab security teams must conduct annual audits of their respective connections to ensure that all existing connections are still needed and that the provided access meets the connection’s needs. Deprecated connections or those no longer used to conduct business will be terminated immediately. InfoSec and/or the extranet team will notify the POC or the Sponsoring Organization of any changes prior to taking action.

4. Policy Compliance

4.1 Compliance Measurement

The InfoSec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

4.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

4.3 Non-Compliance

Employees found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Mobile Device Encryption Policy

Version 1.0.5 | Last Updated 2024-01-23 | APPROVED

1. Overview

Mobile devices such as smartphones and tablets introduce added risk and are attractive targets for data loss, especially given the sensitive nature of the healthcare documents processed by AccuCode AI. As such, their use must be in alignment with appropriate standards, and encryption technology should be used wherever possible to protect sensitive data.

2. Purpose

This document describes AccuCode AI’s Information Security requirements for encrypting data at rest on mobile devices to ensure the confidentiality and integrity of sensitive healthcare information.

3. Scope

This policy applies to any mobile device issued by AccuCode AI Inc., or used for AccuCode AI business, that contains stored data owned by AccuCode AI Inc.

4. Policy

All mobile devices containing stored data owned by AccuCode AI must use an approved method of encryption to protect data at rest. Mobile devices are defined to include laptops, smartphones, and tablets. Users are expressly forbidden from storing data on devices that are not issued by AccuCode AI, such as storing email or sensitive documents on a personal device.

4.1 Laptops

Laptops must employ full disk encryption with an approved software encryption package that is FIPS 140-3 compliant. BitLocker (for Windows) and FileVault (for macOS) are recommended encryption solutions.

4.2 Smartphones and Tablets

Any data stored on a smartphone or tablet must be saved to an encrypted file system using AccuCode AI-approved software that is FIPS 140-3 compliant. AccuCode AI shall also employ remote wipe technology to remotely disable and delete any data stored on a smartphone or tablet which is reported lost or stolen. Mobile Device Management (MDM) solutions should be used to enforce encryption and remote wipe capabilities.

4.3 Keys

All encryption keys and passphrases must meet complexity requirements described in AccuCode AI’s Password Protection Policy. Keys should be securely stored and managed using a FIPS 140-3 compliant key management system.

4.4 Loss and Theft

The loss or theft of any mobile device containing AccuCode AI data must be reported immediately to the Information Security team.

5. Policy Compliance

5.1 Compliance Measurement

The Information Security team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the Information Security team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Password Protection Policy

Version 1.0.3 | Last Updated 2023-12-25 | APPROVED

1. Overview

Passwords are a critical aspect of computer security. A weak or compromised password can result in unauthorized access to our most sensitive data and/or exploitation of our resources. All staff, including contractors and vendors with access to systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2. Purpose

The purpose of this policy is to establish a standard for the secure use and protection of all work-related passwords.

3. Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any facility, has access to the network, or stores any non-public information.

4. Policy

4.1 Password Creation and Use

4.1.1 All user-level and system-level passwords must conform to the Password Construction Standards.

4.1.2 Users must use a separate, unique password for each of their work-related accounts. Users may not reuse any work-related password for their own personal accounts.

4.1.3 Staff are required to use authorized, approved password managers to securely store and manage all their work-related passwords.

4.1.4 User accounts that have system-level privileges granted through group memberships or programs such as sudo must use a password for accessing system-level privileges that is distinct from the passwords of all other accounts held by that user. In addition, hardware-based multi-factor authentication is required for any privileged account.

4.2 Password Change

4.2.1 Passwords should be changed only when there is reason to believe a password has been compromised or fails to meet our Password Creation Requirements. We do not recommend the use or setting of regular password expiration.

4.3 Password Protection

4.3.1 Passwords must not be shared with anyone, including supervisors and coworkers. All passwords are to be treated as sensitive, Confidential information.

4.3.2 Passwords must not be included in email or chat messages or any other form of electronic communication, nor revealed over the phone to anyone.

4.3.3 Passwords may be stored only in password managers authorized by the organization.

4.3.4 Do not use the “Remember Password” feature of applications (for example, web browsers).

4.3.5 Any individual suspecting that their password may have been compromised must report the incident and change all relevant passwords.

4.4 Application Development

Application developers must ensure that their programs contain the following security precautions:

4.4.1 Applications must support authentication of individual users, not groups.

4.4.2 Applications must not store passwords in clear text or in any easily reversible form.

4.4.3 Applications must not transmit passwords in clear text over the network.

4.4.4 Applications must provide for some sort of role management, such that one user can take over the functions of another without having to know the other’s password.

4.5 Multi-Factor Authentication

4.5.1 Hardware-based multi-factor authentication is required and must be used whenever possible, not only for work-related accounts but for personal accounts as well.

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Remote Access Policy

Version 1.0.2 | Last Updated 2024-01-16 | APPROVED

1. Overview

Remote access to AccuCode AI’s corporate network is essential to maintain our team’s productivity, especially with many employees working from home. However, remote access often originates from networks with lower security postures that may already be compromised. While these remote networks are beyond AccuCode AI’s direct control, we must mitigate the risks to the best of our ability, particularly given the sensitive protected health information (PHI) we handle.

2. Purpose

The purpose of this policy is to define the rules and requirements for connecting to AccuCode AI’s network from any remote host. These rules aim to minimize the potential exposure to damages that may result from unauthorized access to PHI and other sensitive data. Such damages include the loss of PHI, damage to public image, fines, and other financial liabilities.

3. Scope

This policy applies to all employees and contractors with an AccuCode AI-owned or personally-owned computer used to connect to the corporate network to do work on behalf of AccuCode AI. This covers any remote access connections, including email and intranet access.

4. Policy

Employees and contractors with remote access privileges to AccuCode AI’s network must ensure their remote access connection is as secure as an on-site connection.

When accessing the network from a personal computer, authorized users are responsible for preventing access by non-authorized users, including family members. Performing illegal activities through the network is strictly prohibited.

4.1 Requirements

4.1.1 Secure remote access must use encryption (e.g. VPN) and strong passphrases.

4.1.2 Authorized users shall protect their login credentials, even from family members.

4.1.3 When connecting to AccuCode AI’s network, the remote host must not be connected to any other network simultaneously, with the exception of personal networks under the complete control of the authorized user.

4.1.4 Use of external resources requires advance approval from InfoSec.

4.1.5 All remote hosts must have up-to-date antivirus software.

4.1.6 Personal equipment must not be used for remote access.

4.2 Protecting PHI When Working Remotely

  • Ensure your home workspace cannot be viewed by others, including family.
  • Lock your computer when not in use. Never leave it unattended and accessible.
  • Do not print PHI at home.
  • Do not store PHI on removable media.
  • Only discuss PHI in private, where conversations cannot be overheard.
  • Report any potential PHI breach immediately, even if unintentional.

5. Policy Compliance

The InfoSec team will verify compliance with this policy through various methods, including audits and business tool reports. Any exceptions must be approved by InfoSec in advance. Employees found to have violated this policy may face disciplinary action, up to and including termination.

Remote Access Tools Policy

Version 1.0.1 | Last Updated 2024-01-12 | APPROVED

1. Overview

AccuCode AI Inc. processes sensitive healthcare documents containing protected health information (PHI). Remote access tools provide a convenient way for users and support staff to share screens and access systems remotely. However, if not properly secured and controlled, these tools can also open backdoors into the network that could lead to theft, unauthorized access or destruction of sensitive data assets.

Therefore, only approved, monitored and strictly governed remote access tools may be used on AccuCode AI’s computer systems. This policy defines the requirements for using remote access tools.

2. Scope

This policy applies to all remote access connections where either end terminates at an AccuCode AI-owned or AccuCode AI-managed asset or system.

3. Policy Requirements

All remote access tools used to communicate with AccuCode AI assets and systems must adhere to the following:

3.1 Approved Tools List

Only remote access tools on the approved software list maintained by the IT department are permitted. The current approved tools are:

  • SSH (with AD auth)
  • Microsoft Remote Desktop (over VPN only)
  • Citrix GoToMyPC (over VPN only)

Procedures for secure configuration of each approved tool are provided by IT and must be followed. The list of approved tools is subject to change.

3.2 Authentication

  • All remote access tools that allow communication from external networks must require multi-factor authentication using methods such as hardware tokens, smart cards, or additional PIN/password.
  • Authentication must use Active Directory or LDAP as the user identity source.
  • Authentication protocols, such as OAuth 2.0, must be resistant to replay attacks.
  • Both ends of remote access sessions must be mutually authenticated.

3.3 Access Control

  • Remote access tools must be configured to use application layer proxies rather than allowing direct connections through perimeter firewalls.
  • Connections must be encrypted end-to-end using strong encryption protocols in compliance with AccuCode AI’s network encryption policy.

3.4 Security Tools

Remote access tools must not interfere with, disable or circumvent antivirus, DLP, or other security systems.

3.5 Procurement

All remote access tools must be purchased through and approved by the IT department via the standard procurement process.

4. Policy Compliance

4.1 Compliance Measurement

The Information Security team will verify compliance with this policy through various methods, including but not limited to:

  • Reports from business tools
  • Internal and external audits
  • Feedback to the policy owner

4.2 Exceptions

Any exceptions to this policy must be approved in advance by the Information Security team.

4.3 Non-Compliance

Employees found to have violated this policy may face disciplinary action up to and including termination of employment.