# Hospital Policy

> **Template and counsel-review notice.** This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.


**Effective date:** September 18, 2024  
**Last updated:** September 18, 2024  
**Organization:** NEXQ Inc.  
**Services covered:** NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services  
**Privacy contact:** hello@nexq.us  
**Security contact:** hello@nexq.us  
**Mailing address:** Irvine, CA, United States — contact hello@nexq.us for legal notices


## 1. Scope
This policy applies to hospital-facing deployments, patient portals, emergency department workflows, scheduling, billing, patient communications, clinical integrations, EHR interfaces, medical devices, remote monitoring, visitor systems, vendor access, and workforce tools.

## 2. Hospital governance
Deployments must align with hospital policies, HIPAA, 42 CFR Part 2 where applicable, state medical/privacy laws, cybersecurity requirements, procurement terms, infection-control/physical-access requirements, patient-safety obligations, and clinical governance. Obtain hospital sponsor approval before production changes.

## 3. PHI/ePHI safeguards
Apply role-based access, least privilege, MFA, session controls, logging, break-glass controls where appropriate, encryption, key management, data segregation, audit reports, and secure backup/restore. Patient identifiers must be minimized in logs, URLs, analytics, notifications, and screenshots.

## 4. Tracking and web/mobile analytics
Do not deploy advertising or retargeting trackers on hospital pages, patient portals, appointment pages, billing flows, symptom pages, condition pages, or mobile app screens that may reveal health context unless approved by legal/privacy/security and the hospital customer. Tag manager access must be restricted and audited.

## 5. Notice of Privacy Practices support
Where the organization operates as a covered entity or supports a covered entity, coordinate Notice of Privacy Practices content and patient-rights workflows. NPP templates must reflect HIPAA, applicable Part 2/SUD requirements, reproductive-health protections, organizational practices, and customer-specific processes.

## 6. Clinical safety and downtime
Document clinical safety risks, downtime procedures, incident escalation, maintenance windows, emergency-use limitations, patient-safety impact, and customer notification requirements. Do not push updates that alter clinical workflow without change control and hospital approval.

## 7. Vendor and remote access
Remote access to hospital systems must use approved secure channels, MFA, named accounts, session logging, least privilege, and termination procedures. Vendors must sign BAAs, security addenda, data-processing terms, and hospital-specific policies as applicable.
