Data Classification & Handling Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Data Classification & Handling Policy
Framework Reference: Secure Controls Framework – Data Classification & Handling (DCH)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Data Classification & Handling requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to classify, store, handle, transmit, and dispose of data and media—both digital and physical—based on sensitivity and applicable legal, regulatory, and contractual requirements.
2. Applicability
Section titled “2. Applicability”This standard applies to all forms of data created, processed, stored, or transmitted by FRHC, regardless of format (electronic or physical) or location (on-premises, cloud, or third-party hosted). It includes all systems supporting PatientRemedi and Credit Balance, as well as any legacy data for which FRHC retains legal or contractual obligations.
3. Standard
Section titled “3. Standard”3.1 Data Protection
Section titled “3.1 Data Protection”FRHC enforces multiple data protection measures including encryption, access control, and system monitoring to protect sensitive data throughout its lifecycle—at rest, in transit, during processing, and during disposal. These controls ensure compliance with applicable regulations and contractual obligations, including HIPAA protections for ePHI. Collection of personal information is limited to the minimum necessary for a legitimate, identified business purpose; FRHC does not collect personal information beyond what is required to fulfill that purpose, consistent with 201 CMR 17.00 §17.03(2)(g).
- Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.1
- SCF Mapping: DCH-01 (Data Protection)
3.2 Data & Asset Classification
Section titled “3.2 Data & Asset Classification”FRHC categorizes data into four sensitivity levels: Restricted, Confidential, Internal Use, and Public. Classification is based on potential impact from unauthorized disclosure and determines the technical and procedural protections applied. Legal, contractual, or regulatory classifications take precedence over internal classifications.
- Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.2
- SCF Mapping: DCH-02 (Data & Asset Classification)
3.3 Media Access
Section titled “3.3 Media Access”Access to digital and non-digital media is restricted to designated staff roles based on business need. Social Security Numbers displayed in web portals are masked, showing only the last four digits. Printing sensitive data, including SSNs, is strictly prohibited.
- Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.3
- SCF Mapping: DCH-03 (Media Access)
3.4 Media Marking
Section titled “3.4 Media Marking”Printed documents and removable media are marked with classification indicators based on content. Internal documents include confidentiality footers on every page (except public marketing material). Web-based content displaying restricted or confidential data includes visible classification labels.
- Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.4
- SCF Mapping: DCH-04 (Media Marking)
3.5 Media Storage
Section titled “3.5 Media Storage”All physical media is confined to the Evocative Datacenter. Access to this facility is governed by controls defined in the Physical & Environmental Security Standard, ensuring protection from unauthorized physical access. Paper records containing personal information — including records containing names combined with Social Security numbers, financial account information, or other regulated identifiers — must be stored in locked cabinets or similarly secured physical locations with access restricted to authorized personnel, consistent with 201 CMR 17.00 §17.05.
- Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.5
- SCF Mapping: DCH-06 (Media Storage)
3.6 Media Transportation
Section titled “3.6 Media Transportation”All laptops, desktops, and portable media are encrypted using BitLocker. Encryption keys are managed using Microsoft Endpoint Manager or other approved mechanisms. Portable media use outside of secure environments requires authorization from the ISO or executive management.
- Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.6
- SCF Mapping: DCH-07 (Media Transportation)
3.7 Physical Media Disposal
Section titled “3.7 Physical Media Disposal”FRHC uses the WiebeTech Drive eRazer to sanitize drives prior to disposal. Media disposal events are logged with serial numbers, dates, and personnel involved. If sanitization is not possible, media is destroyed using shredders, a drill, or through a certified destruction vendor. All disposal actions are logged, and certificates of destruction are retained when applicable.
- Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.7
- SCF Mapping: DCH-08 (Physical Media Disposal)
3.8 System Media Sanitization
Section titled “3.8 System Media Sanitization”Media to be reused is sanitized using the WiebeTech Drive eRazer with NIST 800-88 settings. Devices that cannot be sanitized are destroyed per section 3.7 above. Personal data is treated with the same safeguards as other sensitive data for sanitization and disposal purposes.
- Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.8
- SCF Mapping: DCH-09 (System Media Sanitization)
3.9 Removable Media Security
Section titled “3.9 Removable Media Security”Removable media use is permitted only on a case-by-case basis with ISO or executive approval. Regardless of authorization, all removable media must be encrypted to protect data confidentiality.
- Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.9
- SCF Mapping: DCH-12 (Removable Media Security)
3.10 Use of External Information Systems
Section titled “3.10 Use of External Information Systems”FRHC systems utilize site-to-site VPNs for secure transmission to and from external systems and customers. Encrypted file transfers are performed using a monitored and managed SFTP server.
- Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.10
- SCF Mapping: DCH-13 (Use of External Technology Assets, Applications and/or Services (TAAS))
3.11 Media & Data Retention
Section titled “3.11 Media & Data Retention”FRHC maintains a formal retention schedule covering business, financial, personnel, insurance, client, and system data. Data retention periods range from one year to permanent based on category. Application data is retained for the life of the client contract. The following schedule defines retention periods for major data categories:
| Category | Type of Record | Retention Period |
|---|---|---|
| Business Records | Amendments | Permanent |
| Annual Reports | Permanent | |
| Articles of Incorporation | Permanent | |
| Board of Directors (elections, minutes, committees, etc.) | Permanent | |
| Bylaws | Permanent | |
| Capital stock & bond records | Permanent | |
| Charter | Permanent | |
| Business Contracts & agreements | Permanent | |
| Records Copyrights | Permanent | |
| Correspondence (General) | 7 years | |
| Correspondence (Legal) | Permanent | |
| Partnership agreement | Permanent | |
| Patents | Permanent | |
| Service marks | Permanent | |
| Stock transfers | Permanent | |
| Trademarks | Permanent | |
| Financial Records | Audit report (external) | Permanent |
| Audit report (internal) | 3 years | |
| Balance sheets | Permanent | |
| Bank deposit slips, reconciliations & statements | 10 years | |
| Budgets | 3 years | |
| Cash disbursement & receipt record | 10 years | |
| Financial Checks (canceled) | Permanent | |
| Customer Invoices and Credit memos | Permanent | |
| Depreciation schedule | Permanent | |
| Dividend register & canceled dividend checks | Permanent | |
| Employee expense reports | 3 years | |
| Employee payroll records (W-2, W-4, annual earnings records, etc.) | Permanent | |
| Financial statements (annual) | Permanent | |
| General ledger | Permanent | |
| Internal reports (work orders, sales reports, production reports) | 3 years | |
| Inventory lists | 3 years | |
| Investments (sales & purchases) | Permanent | |
| Profit / Loss statements | Permanent | |
| Purchase and sales contracts | 3 years | |
| Purchase order | 3 years | |
| Subsidiary ledgers (accounts receivable, accounts payable, etc.) | Permanent | |
| Tax returns | Permanent | |
| Vendor Invoices | 7 years | |
| Worthless securities | 7 years | |
| Personnel Records | Accident report/injury claim | 7 years |
| Attendance Records | 3 years | |
| Employee benefit plans | 7 years | |
| Employment applications (not hired) | 1 year | |
| Garnishments | 3 years | |
| I-9 Forms | Permanent | |
| Personnel Medical and exposure records – toxic substances | Permanent | |
| Organization Charts | Permanent | |
| OSHA Logs | Permanent | |
| OSHA Training Documentation | Permanent | |
| Patents | Permanent | |
| Pension plan agreement | Permanent | |
| Personnel files | Permanent | |
| Profit sharing agreement | Permanent | |
| Insurance | Fire inspection reports | 7 years |
| Group disability records | 7 years | |
| Insurance HIPAA-related documentation | 6 years | |
| Insurance policies | Permanent | |
| Safety records | 3 years | |
| Settled insurance claims | 7 years | |
| Real Estate | Deeds | Permanent |
| Mortgages | 3 years | |
| Plans & blueprints | Permanent | |
| Real Estate Plant cost ledger | Permanent | |
| Property appraisals | Permanent | |
| Property register | Permanent | |
| Miscellaneous | Server audit trail history | 1 year |
| Router/Firewall audit trail history | 1 year | |
| Visitor Logs | 1 year | |
| Client Data | PatientRemedi Data | Life of Contract |
| Credit Balance Data | Life of Contract |
- Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.11
- SCF Mapping: DCH-18 (Media & Data Retention)
3.12 Information Disposal
Section titled “3.12 Information Disposal”When sensitive or regulated data — including ePHI — is no longer required, it is deleted directly within the PatientRemedi application infrastructure (v1 and v2). Deletion is performed through the application’s data management functions, which remove records from the underlying database. Once deleted in this manner, the data is no longer accessible through the application or its supporting systems.
Subsequent database backups overwrite preceding backups in accordance with the established backup retention schedule. As the backup cycle progresses, backups containing deleted records are replaced, ensuring that deleted data does not persist in backup storage beyond the retention window.
Physical media disposal follows the procedures described in Sections 3.7 and 3.8 in compliance with NIST SP 800-88.
- Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.12
- SCF Mapping: DCH-21 (Information Disposal)
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC maintains evidence supporting data classification and handling controls, including classification registers, disposal logs, destruction certificates, media transport records, and retention schedule documentation. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Data Classification & Handling Policy
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
- 45 CFR §164.308(a)(5)(ii)(C) – Data Disposal
- 45 CFR §164.312(a)(2)(iv) – Access Control – Encryption
- AICPA SOC 2 Trust Services Criteria:
- Security (CC6.1, CC6.2)
- Confidentiality (C1.1, C1.2)
- Privacy (P8.1)
- Massachusetts 201 CMR 17.00:
- §17.03(2)(g) – Limiting the Amount of Personal Information Collected
- §17.05 – Physical Access Controls for Records Containing Personal Information
Framework Alignment:
- DCH-01 – Data Protection
- DCH-02 – Data & Asset Classification
- DCH-03 – Media Access
- DCH-04 – Media Marking
- DCH-06 – Media Storage
- DCH-07 – Media Transportation
- DCH-08 – Physical Media Disposal
- DCH-09 – System Media Sanitization
- DCH-12 – Removable Media Security
- DCH-13 – Use of External Technology Assets, Applications and/or Services (TAAS)
- DCH-18 – Media & Data Retention
- DCH-21 – Information Disposal
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Policy created | April 2021 | M Machin |
| 1.0 | General Update and review | October 2023 | M Machin |
| 2.0 | Updated and approved for 2024 | July 2024 | WSI |
| 3.0 | Updated and approved for 2025 | July 2025 | M Machin |
| 4.0 | Converted to Standard | April 2026 | M Machin |
| 4.1 | Added data minimization (§3.1) and paper records locked storage (§3.5); added 201 CMR 17.00 citations | April 2026 | M Machin |
