Email Policy

Version 1.0.2, Last Updated 2023-12-18, APPROVED

1. Overview

Email is often the primary communication and awareness method in an organization. At the same time, misuse of email can pose many legal, privacy, and security risks, so it is important for users to understand the appropriate use of electronic communications. This is especially critical for AccuCode AI Inc., as we process sensitive healthcare documents and patient information.

2. Purpose

The purpose of this email policy is to ensure the proper use of AccuCode AI Inc.’s email system and make users aware of what is deemed as acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within AccuCode AI Inc.’s network, with a strong emphasis on protecting sensitive healthcare data.

3. Scope

This policy covers appropriate use of any email sent from an AccuCode AI Inc. email address and applies to all employees, vendors, and agents operating on behalf of AccuCode AI Inc.

4. Policy

4.1 All use of email must be consistent with AccuCode AI Inc.’s policies and procedures of ethical conduct, safety, compliance with applicable laws (including HIPAA and other healthcare regulations), and proper business practices.

4.2 AccuCode AI Inc. email accounts should be used primarily for business-related purposes; personal communication is permitted on a limited basis, but non-AccuCode AI Inc. related commercial uses are prohibited.

4.3 All data contained within an email message or an attachment must be secured according to the Data Protection Standard. Special attention must be given to Protected Health Information (PHI) and healthcare records.

4.4 Any email containing PHI and/or healthcare records must be encrypted using public key cryptography. The ciphers used for encryption must be compliant with FIPS 140-3 standards.

4.5 Email should be retained only if it qualifies as a business record. Email is a business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.

4.6 Email that is identified as a business record shall be retained according to AccuCode AI Inc.’s Record Retention Schedule.

4.7 Users are prohibited from automatically forwarding email to a third-party email system (noted in 4.9 below). Individual messages that are forwarded by the user must not contain information rated confidential or above, especially PHI.

4.8 Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail to conduct business, to create or memorialize any binding transactions, or to store or retain email on behalf of AccuCode AI Inc. Such communications and transactions should be conducted through proper channels using AccuCode AI Inc.-approved documentation.

4.9 Using a reasonable amount of AccuCode AI Inc. resources for personal emails is acceptable, but non-work-related email shall be saved in a separate folder from work-related email. Sending chain letters or joke emails from an AccuCode AI Inc. email account is prohibited.

4.10 AccuCode AI Inc. employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.

4.11 AccuCode AI Inc. may monitor messages without prior notice. AccuCode AI Inc. is not obliged to monitor email messages.

5. Policy Compliance

5.1 Compliance Measurement: The InfoSec team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions: Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance: An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.