WRITTEN INFORMATION SECURITY POLICY (WISP)
Effective Date: April 23, 2026 | Last Updated: April 23, 2026
INTRODUCTION
This Written Information Security Policy (“WISP”) establishes the guidelines, procedures, and standards for safeguarding sensitive information at Hudson Facial Plastic Surgery (“Practice,” “we,” “us,” or “our”), a facial plastic surgery and medical aesthetics practice located at 1640 N Wells St. Unit 207, Chicago, IL 60614. This policy is designed to protect the confidentiality, integrity, and availability of sensitive information, including Protected Health Information (PHI) as defined under HIPAA and Personally Identifiable Information (PII) as defined under applicable Illinois law.
This WISP is required under and intended to comply with:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, 45 CFR Parts 160 and 164
- The Health Information Technology for Economic and Clinical Health Act (HITECH)
- The Illinois Personal Information Protection Act (PIPA), 815 ILCS 530
- The Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14
- The Federal Trade Commission (FTC) Safeguards Rule, where applicable
1. SCOPE AND APPLICABILITY
This policy applies to:
- All employees of Hudson Facial Plastic Surgery, whether full-time, part-time, or temporary
- All independent contractors, consultants, and third-party service providers who access, store, transmit, or handle sensitive information on behalf of the Practice
- All forms of sensitive information maintained by the Practice, whether in electronic or physical form, at rest or in transit
- All systems, devices, networks, and applications used to create, receive, maintain, or transmit sensitive information
2. DEFINITIONS
- Protected Health Information (PHI): Individually identifiable health information created, received, maintained, or transmitted by the Practice in any form (electronic, paper, or oral), as defined under HIPAA
- Electronic PHI (ePHI): PHI that is created, received, maintained, or transmitted in electronic form
- Personally Identifiable Information (PII): Information that can be used to identify, contact, or locate a specific individual, including name, address, date of birth, Social Security number, financial account numbers, and medical information, as defined under Illinois PIPA
- Biometric Information: Biometric identifiers and biometric information as defined under Illinois BIPA, including retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, and related data
- Information Security Officer (ISO): The designated individual responsible for overseeing this WISP
- Business Associate: A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of the Practice
- Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations
- Breach: The acquisition, access, use, or disclosure of unsecured PHI or PII in a manner not permitted by applicable law
3. INFORMATION SECURITY OFFICER
Hudson Facial Plastic Surgery shall designate an Information Security Officer (ISO) responsible for implementing, maintaining, and enforcing this WISP. The ISO shall report directly to Dr. Caroline Hudson and shall be responsible for:
- Developing, implementing, and updating information security policies and procedures
- Conducting and documenting periodic risk assessments
- Overseeing employee security training and awareness programs
- Managing and responding to security incidents and breaches
- Ensuring Business Associate Agreements are in place with all applicable vendors
- Monitoring compliance with this WISP and applicable law
- Maintaining records of all security-related activities
Until a separate ISO is formally designated, Dr. Caroline Hudson shall serve as the Practice’s Information Security Officer.
4. RISK ASSESSMENT AND MANAGEMENT
4.1 Risk Assessment
The Practice shall conduct a thorough and accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and other sensitive information at least annually, and whenever there is a significant operational or environmental change. Risk assessments shall be documented and retained.
4.2 Risk Management
Based on the results of the risk assessment, the Practice shall implement reasonable and appropriate security measures to reduce identified risks to a reasonable and appropriate level. Risk management activities shall be documented and reviewed regularly.
4.3 Sanction Policy
The Practice shall apply appropriate sanctions against workforce members who fail to comply with this WISP or applicable security policies. Sanctions may range from verbal or written warning to termination of employment or contract, and may include referral to law enforcement authorities where violations involve criminal conduct.
5. WORKFORCE SECURITY
5.1 Authorization and Supervision
The Practice shall implement procedures to ensure that all workforce members who access sensitive information have appropriate authorization and are appropriately supervised. Access shall be granted on a minimum necessary basis — each workforce member shall have access only to the information required to perform their specific job functions.
5.2 Workforce Clearance
Prior to granting access to sensitive information, the Practice shall verify the identity and credentials of workforce members and, where appropriate, conduct background checks in accordance with applicable law.
5.3 Termination Procedures
Upon termination of employment or contract, the Practice shall promptly:
- Revoke all physical and electronic access to Practice systems and facilities
- Retrieve all Practice-issued devices, keys, badges, and access credentials
- Change passwords and access codes to systems and facilities the terminated individual had access to
- Document all termination procedures
6. ACCESS CONTROLS
6.1 Unique User Identification
Each workforce member shall be assigned a unique user ID for accessing Practice systems containing sensitive information. Shared login credentials are strictly prohibited.
6.2 Password Management
All passwords shall meet the following minimum requirements:
- Minimum length of twelve (12) characters
- Combination of uppercase letters, lowercase letters, numbers, and special characters
- Not contain easily guessable information (name, birthdate, common words)
- Changed at least every ninety (90) days or immediately upon suspected compromise
- Not reused from any of the previous ten (10) passwords
6.3 Multi-Factor Authentication (MFA)
The Practice shall implement multi-factor authentication for all remote access to Practice systems and, where technically feasible, for all access to systems containing ePHI or other sensitive information.
6.4 Automatic Logoff
Workstations and devices shall be configured to automatically log off or lock after a period of inactivity not to exceed fifteen (15) minutes.
6.5 Emergency Access
The Practice shall establish procedures for obtaining necessary access to ePHI during an emergency or system failure. Emergency access procedures shall be documented and tested periodically.
7. PHYSICAL SAFEGUARDS
7.1 Facility Access Controls
The Practice shall implement physical security measures to limit access to facilities housing sensitive information and information systems to authorized personnel only. These measures include:
- Locked doors and restricted access to clinical and administrative areas
- Visitor sign-in and escort procedures
- Secured storage for physical records containing PHI or PII
- Locked cabinets or drawers for sensitive paper documents when not in use
7.2 Workstation Use and Security
All workstations used to access ePHI shall be:
- Positioned to prevent unauthorized viewing by patients or visitors
- Locked or logged off when unattended
- Located in areas with appropriate physical access controls
- Protected by up-to-date antivirus and endpoint security software
7.3 Device and Media Controls
- All portable devices (laptops, tablets, USB drives, mobile phones) used to store or transmit ePHI shall be encrypted
- Removal of devices or media containing ePHI from the Practice’s premises shall require prior authorization from the ISO
- Prior to disposal, reuse, or redistribution, all electronic media and devices shall undergo secure data sanitization (wiping, degaussing, or physical destruction) in accordance with NIST guidelines
- The Practice shall maintain a record of the movements of hardware and electronic media and any personnel responsible for their handling
8. TECHNICAL SAFEGUARDS
8.1 Encryption
- All ePHI shall be encrypted using industry-standard encryption protocols: AES-256 at minimum for data at rest, and TLS 1.2 or higher for data in transit over open networks (including the Internet and email)
- All portable devices and removable media containing ePHI shall be encrypted
- Unencrypted ePHI shall not be transmitted via standard email without explicit patient authorization
8.2 Audit Controls
The Practice shall implement hardware, software, and procedural mechanisms to record and examine activity in information systems that contain or use ePHI. Audit logs shall be reviewed periodically by the ISO and retained in accordance with applicable law.
8.3 Integrity Controls
The Practice shall implement policies and procedures to protect ePHI from improper alteration or destruction. Electronic mechanisms shall be used to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
8.4 Network Security
- The Practice’s network shall be protected by a properly configured firewall
- Wireless networks used to transmit ePHI shall use WPA2 or WPA3 encryption at minimum
- Guest Wi-Fi networks shall be segregated from internal networks containing ePHI
- All network access shall be logged and monitored
8.5 Software and Patch Management
- All software and operating systems used by the Practice shall be kept current with security patches and updates
- Unsupported or end-of-life software shall not be used on systems that access or store ePHI
- New software or applications shall be reviewed for security compliance prior to deployment
9. BUSINESS ASSOCIATE MANAGEMENT
9.1 Business Associate Agreements (BAAs)
The Practice shall execute a written Business Associate Agreement (BAA) with every Business Associate prior to disclosing PHI to that Business Associate. BAAs shall require Business Associates to:
- Implement appropriate safeguards to protect PHI
- Report security incidents and breaches to the Practice
- Comply with all applicable HIPAA Security Rule requirements
- Return or destroy PHI upon termination of the agreement
9.2 Vendor Assessment
Prior to engaging any vendor or service provider that will have access to sensitive information, the Practice shall assess the vendor’s security practices and capabilities. Vendor assessments shall be documented.
10. CONTINGENCY PLANNING
10.1 Data Backup
The Practice shall implement a data backup plan to create and maintain retrievable exact copies of ePHI. Backups shall be:
- Performed at least daily for active records
- Stored in a secure, encrypted format
- Maintained at an off-site location or in a secure cloud environment
- Tested for restoration capability at least annually
10.2 Disaster Recovery
The Practice shall maintain a disaster recovery plan that establishes procedures for restoring any loss of data and resuming normal operations following a system failure, natural disaster, or other emergency. The disaster recovery plan shall be tested at least annually.
10.3 Emergency Mode Operations
The Practice shall establish and implement procedures to enable continuation of critical business processes for the protection of ePHI while operating in emergency mode.
11. SECURITY INCIDENT RESPONSE
11.1 Identifying and Reporting Incidents
All workforce members are required to immediately report any known or suspected security incident to the ISO. Reports shall be made verbally and confirmed in writing within twenty-four (24) hours of discovery.
11.2 Incident Response Procedures
Upon receiving a report of a security incident, the ISO shall:
- Confirm and assess the nature and scope of the incident
- Contain the incident to prevent further unauthorized access or disclosure
- Preserve evidence relevant to the incident
- Eradicate the cause of the incident
- Restore systems and operations to normal
- Document all incident response activities
11.3 Breach Notification
In the event of a breach of unsecured PHI or PII, the Practice shall provide timely notification as required by applicable law:
Under HIPAA:
- Affected individuals shall be notified without unreasonable delay and in no case later than sixty (60) calendar days after discovery
- The U.S. Department of Health and Human Services (HHS) Office for Civil Rights shall be notified; breaches affecting 500 or more individuals in Illinois shall also be reported to prominent media outlets
- All breaches, regardless of size, shall be logged and reported to HHS annually
Under Illinois PIPA (815 ILCS 530):
- Affected Illinois residents shall be notified in the most expedient time possible following discovery of a breach
- The Illinois Attorney General shall be notified of breaches affecting more than 500 Illinois residents
- Notification shall be provided in writing, by email (if the affected individual has consented), by telephone, or by substitute notice as permitted by law
12. TRAINING AND AWARENESS
12.1 Initial Training
All new workforce members shall complete information security and HIPAA privacy and security training prior to being granted access to any sensitive information or systems.
12.2 Annual Training
All workforce members shall complete refresher training on information security policies, HIPAA requirements, and this WISP at least once per calendar year. Training completion shall be documented and records retained for a minimum of six (6) years.
12.3 Training Topics
Training shall cover, at minimum:
- HIPAA Privacy and Security Rules and individual rights
- Proper handling and minimum necessary use of PHI and PII
- Password security and access control requirements
- Recognition and reporting of phishing, social engineering, and other cyber threats
- Physical security of devices, workstations, and paper records
- Incident reporting procedures
- Illinois BIPA obligations regarding biometric information
- Illinois PIPA breach notification requirements
13. DOCUMENTATION AND RECORD RETENTION
The Practice shall document all policies, procedures, actions, activities, and assessments required by this WISP and applicable law. Documentation shall be:
- Retained for a minimum of six (6) years from the date of creation or the date it was last in effect, whichever is later (per HIPAA requirements)
- Maintained in a secure, accessible format
- Made available to the HHS Office for Civil Rights upon request
- Reviewed and updated as necessary in response to operational changes, environmental changes, or new legal requirements
14. BIOMETRIC INFORMATION SECURITY (BIPA)
In compliance with the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14, the Practice shall:
- Maintain a publicly available written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information
- Store, transmit, and protect biometric data using reasonable security measures meeting the same standard of care as other confidential and sensitive information
- Restrict access to biometric data to workforce members who require it to perform their job functions
- Never sell, lease, trade, or profit from biometric identifiers or information
- Not disclose biometric data without prior written consent, except as required by law
15. POLICY REVIEW AND UPDATES
This WISP shall be reviewed and updated:
- At least annually
- Following any security incident or breach
- Whenever there is a significant change to the Practice’s operations, facilities, or technology
- In response to new or amended applicable laws or regulations
All updates shall be documented, dated, and communicated to all workforce members.
16. ENFORCEMENT AND SANCTIONS
Violations of this WISP may result in disciplinary action up to and including immediate termination of employment or contract. Serious violations — particularly those involving intentional or unauthorized disclosure of PHI, PII, or biometric information — may result in civil or criminal legal action under HIPAA, Illinois BIPA, Illinois PIPA, or other applicable law.
17. CONTACT — INFORMATION SECURITY OFFICER
Questions, concerns, or reports regarding this WISP or information security matters should be directed to:
Hudson Facial Plastic Surgery — Information Security Officer
1640 N Wells St. Unit 207
Chicago, IL 60614
Phone: 312-929-2661
Fax: 312-500-5024
Email: info@hudsonfacialplastics.com