HealthBook+

IT & Information Security

Acceptable Use Policy — Summary

A summary of the terms governing your use of HealthBook+ systems, accounts, and devices. The complete policy is maintained in Vanta.

Our commitment

HealthBook+ IT and Information Security are committed to protecting your privacy while meeting our regulatory and contractual obligations. The controls described here exist to safeguard our personnel, our customers, and the Protected Health Information entrusted to us — not to surveil your personal life. When we monitor, we do so with the minimum scope necessary.

A regulated environment

HB+ operates under the HIPAA Security Rule, with a control environment aligned to ISO 27001. Protected Health Information (PHI/ePHI) and other confidential data may only be accessed, stored, or transmitted using HB+-approved systems and only for authorized business purposes.

Devices

Company-issued devices. HB+ owns all company-issued hardware and electronic systems, including any data stored on or transmitted from them. You are responsible for protecting your assigned device against theft, loss, and damage, and for reporting incidents promptly to IT.

Bring Your Own Device (BYOD). Personal devices may be used for HealthBook+ email and approved messaging tools only. Any broader use of a personal device for HB+ business requires written justification and formal approval. HB+ data must not be saved to any personal device.

Removable media. Use of USB drives, memory sticks, flash drives, and similar removable storage with HB+ data or devices is prohibited.

Mobile Device Management (MDM)

All HB+-issued devices must be enrolled in the appropriate MDM platform — Jamf Pro for macOS and Microsoft Intune for Windows. MDM enforces:

  • Full-disk encryption (FileVault, BitLocker)
  • Operating system and application patch compliance
  • Endpoint malware protection (XProtect, Microsoft Defender)
  • Auto-lock screensaver activation within 15 minutes
  • Local host firewall
  • Centralized security logging

Remote wipe. When HB+ invokes a remote wipe in response to loss, theft, or departure, what is wiped depends on device ownership:

HB+–owned device

A full device wipe: operating system, applications, configuration, and all data are reset to a baseline state. Personal files stored on a company device are not exempt — do not keep personal data on company hardware.

Personal (BYOD) device

A selective wipe of the HB+ work profile only. HealthBook+ removes corporate accounts, managed apps, and HB+ data. Your personal apps, photos, messages, contacts, and personal accounts are not touched.

Access to HealthBook+ email and messaging from a personal device is permitted only through HB+-approved applications under Microsoft Intune App Protection.

Clear screen

Lock your device whenever you step away (Win+L on Windows, Ctrl+Cmd+Q on macOS). Configure your auto-lock to trigger after no more than 10 minutes of inactivity; MDM enforces a 15-minute backstop.

Privacy at home and on calls. Take care to prevent unauthorized individuals — including household members — from viewing HB+ information on your screen, and be deliberate about what is visible during external screen-shares.

Acceptable use of systems and data

  • Sensitive data, including PHI/ePHI and other confidential information, must be encrypted at rest and in transit. Confidential information sent outside the organization must use HB+-approved encrypted channels.
  • HB+ data, including ePHI, must not be stored on personal drives, unmanaged network shares, or other unmanaged locations.
  • Use of public, unsecured, or untrusted networks for HB+ work is permitted only when the connection is protected by HB+-approved connectivity.
  • Credentials, MFA codes, API keys, and equivalent secrets must never be shared, written in plaintext, transmitted via IM or email, or stored outside approved secret-management systems.
  • Personal email accounts (Gmail, iCloud Mail, Yahoo, etc.) must not be used to send, receive, store, or forward HealthBook+ business data.
  • Do not attempt to access another team member's account, misrepresent your identity, or impersonate HB+, an employee, or another user.

Monitoring and your privacy

HealthBook+ logs and monitors activity on its systems, devices, and networks for security, compliance, audit, and incident-response purposes. Monitoring is scoped to HB+ resources, not to your personal life.

What we monitor

  • Authentication, access, and configuration changes to HB+ systems, accounts, and data
  • Email and messaging within HB+ tenants
  • Endpoint security telemetry from MDM and security agents on HB+-issued devices, and from Intune App Protection for the managed apps on BYOD devices
  • HealthBook+ data accessed through approved applications on personal devices

What we don't

  • Personal accounts (personal email, social media, banking, etc.)
  • Content of personal apps on personal devices
  • Personal device passcodes, biometric data, or location
  • Use of non-HB+ systems on personal time

HealthBook+ reserves the right to access, audit, or review any data stored on or transmitted through HB+-owned systems and HB+ tenants, with or without prior notice, where required for security, legal, regulatory, or investigative purposes.

Conduct

  • Personal use of HealthBook+ systems is permitted where it does not interfere with your role responsibilities, productivity, or business confidentiality.
  • Limited and occasional use of HealthBook+ devices to access social media is acceptable, provided it is professional, does not disclose confidential information, and does not interfere with your duties.
  • Content that is sexually explicit, harassing, discriminatory, violent, defamatory, or otherwise offensive must not be created, stored, or transmitted using HealthBook+ systems.
  • Personnel must not engage in discriminatory, disparaging, defamatory, or harassing communications about HealthBook+, its personnel, customers, or affiliates — including on social media or external blogs.
  • If you discover that an HB+ device has connected to a website containing sexually explicit, racist, violent, or other potentially offensive material, leave the site immediately and report it.

Reporting

Suspected violations, security incidents, lost or stolen devices, and inadvertent exposure to prohibited content must be reported promptly to the Information Security team at security@healthbookplus.ai, via the IT Helpdesk portal at helpdesk.healthbookplus.ai, and to your direct manager.

Enforcement

Violations of this policy may result in corrective action up to and including termination of employment or contract, and may be referred to law enforcement or regulators where appropriate. Refer to the Acceptable Use Policy, Code of Conduct, and Incident Reporting Procedure in Vanta for the complete terms.

The complete policy is maintained in Vanta, or available through your manager.