Policies are a set of attestations that govern how a company operates. A company's policies summate and categorize Procedures and Tasks, making it easier to understand how a company handles data, enforces a privacy and security practices, and more.

Pre-defined policies

When running your applications on MedStack Control, you'll inherit a subset of MedStack's privacy and security policies and their mapping to HIPAA mandates. MedStack's privacy and security policies are inherited through a shared responsibility model defined in MedStack's chain of responsibility.

MedStack's inheritable policies are added to your Exos company workspace, helping predefine the policies required to operate in digital health.

Creating policies

A new policy can be created in the "Policies" section by clicking the "Add New Policy" button. Policies can be authored directly in the editor or can be uploaded as an attached file if already existing. It is recommended to author policies in the editor.

Clauses and policy relationships

Clauses are predefined references to authority documents and resources. They are used to connect a policy to other sources of information, ultimately helping your policies map to HIPAA mandates and MedStack Control's inheritance models.

Clauses cannot be created, edited, or deleted by users, but they can be related to policies.

Procedure and policy relationships

Policies can be related to existing "Procedures" that explain how policy attestations are tactically addressed.

Employee and policy acknowledgement

Policies can be made relevant to existing organizational "Roles" to ensure the correct stakeholder is informed about policies that pertain to them.

When a policy is created or updated, all employees with roles scoped to the policy can acknowledge the policy, ensuring all employees are informed about policy changes.

Versioning

A policy version can be updated when a policy is modified. To modify a policy, click the policy name in the Policies table, and select the corresponding edit button to modify either the policy name, or the policy content.

After modifying a policy, the changes can be saved as a Major or a Minor change. Major changes are set when the checkbox for making the modification a major is selected. Minor changes happen when the checkbox for making the modification a major is not selected.

There is a general rule that can advise on labelling modifications as major or minor changes.

Major (x.0)

Major changes update the policy version by a whole number. For example, a major version bump from version 1.0 is 2.0, etc. This is done when a breaking change is introduced to the policy.

For example, if modifications to a policy render the previous policy not usable due to a breaking change, it would be appropriate to label the version bump as a major.

Minor (1.x)

Minor changes update the policy version by a fractional number. For example, a minor version bump from version 1.0 is 1.1, etc. This is done when a change is done to the policy, but does not introduce a breaking change from the previous version of the policy.

Version restoration

You can restore an older version of a policy by selecting Restore this version from the Policy Version tab. Restoring creates an entirely new version with the contents of the selected policy.

Returning to a previous version of a policy. — Restoring a previous version of a policy.

Managing policies

Delete

Policies that have been archived may be permanently deleted from the archived policies table which can be accessed by clicking the ellipsis next to the "Add New Policy" button.

From the archived policies table, click the ellipsis on the policy line item in the Archived Policies table and select "Delete Permanently"

Reordering policies

You can reorder your policies and group them in a way that makes the most sense for your organization. From the Reorder Policies page, simply drag and drop your policies to put them in your desired order.

Navigating to the Reorder page fr — Navigating to the Reorder Policies page from the Policy index.

Limits

The current list includes known limitations for the Policies feature in Exos.

If you have policies that exist in written format, you cannot upload them into the editor. They must be copied and pasted into the editor (which supports markdown) or attached to a policy.