Security Policies & Procedures
1. Workforce Management
NMS Health is committed to securing all information handled on behalf of our clients. All employees are required to:
- Pass pre-employment background checks.
- Sign binding confidentiality agreements upon hire.
- Complete ongoing security and privacy awareness training, including:
  - Phishing and social engineering prevention
  - Secure password hygiene
  - Malware and ransomware awareness
  - Social media security best practices
Access to systems is role-based and granted using the principle of least privilege. Employees only access systems and data necessary for their specific job functions related to occupational health or employee screening services.
NMS Health uses multi-factor authentication (MFA) wherever technically feasible and requires secure authentication for access to systems containing sensitive information.
Access reviews, log monitoring, and system activity audits are conducted regularly by the Security and Privacy Officer, along with administrative staff, to ensure compliance with internal policies and SOC 2-aligned best practices.
NMS restricts access to personally identifiable information (PII) and individually identifiable health information (IIHI) to authorized personnel (employees, contractors, or agents) involved in delivering client-approved services. All personnel are bound by confidentiality agreements and subject to disciplinary actions, including termination, for violations.
2. Information Security
Our core information security objective is to prevent unauthorized access, disclosure, alteration, or destruction of the data entrusted to us by clients, employees, and other stakeholders.
Types of protected information include (but are not limited to):
- Personally Identifiable Information (PII)
- Individually Identifiable Health Information (IIHI)
- Client organizational data
Key protections include:
- Data Encryption: All sensitive data is encrypted in transit using SSL/TLS protocols and, where applicable, at rest using modern encryption standards.
- Endpoint Protection: All employee workstations are centrally managed, monitored for malware, and protected by regularly updated antivirus software and firewalls.
- Patch Management: System administrators ensure that operating system updates, security patches, and vulnerability fixes are applied promptly to all workstations and servers.
- Access Controls: NMS can restrict employee access to any system, application, or service based on their job role or compliance needs.
- Cloud & Virtualization: NMS systems and workforce tools are cloud-based or hosted in secure virtual environments. Employees are prohibited from storing sensitive data on local devices.
- Data Loss Prevention: Data is protected against loss due to human error or device theft by enforcing centralized data storage, cloud backups, and restricted access policies.
3. Physical Security
The NMS Health headquarters is physically secured with:
- Keypad access
- 24/7 electronic surveillance
4. Individually Identifiable Health Information (IIHI)
NMS Health processes IIHI as part of our occupational health and employee screening services. IIHI is defined as any data that can reasonably be used to identify an individual in connection with their health history or care.
This data is stored and transmitted using industry best practices, including encryption, access controls, and audit logging. Data is only retained and used as necessary to fulfill client service agreements and in compliance with applicable laws.
5. Security Governance
We align our security program with the AICPA SOC 2 Trust Services Criteria, including:
- Security
- Confidentiality
- Availability
- Processing Integrity
- Privacy
Revised 04-05-2025