Skip to content

Data Classification & Handling Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Data Classification & Handling Policy
Framework Reference: Secure Controls Framework – Data Classification & Handling (DCH)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Data Classification & Handling requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to classify, store, handle, transmit, and dispose of data and media—both digital and physical—based on sensitivity and applicable legal, regulatory, and contractual requirements.


This standard applies to all forms of data created, processed, stored, or transmitted by FRHC, regardless of format (electronic or physical) or location (on-premises, cloud, or third-party hosted). It includes all systems supporting PatientRemedi and Credit Balance, as well as any legacy data for which FRHC retains legal or contractual obligations.


FRHC enforces multiple data protection measures including encryption, access control, and system monitoring to protect sensitive data throughout its lifecycle—at rest, in transit, during processing, and during disposal. These controls ensure compliance with applicable regulations and contractual obligations, including HIPAA protections for ePHI. Collection of personal information is limited to the minimum necessary for a legitimate, identified business purpose; FRHC does not collect personal information beyond what is required to fulfill that purpose, consistent with 201 CMR 17.00 §17.03(2)(g).

  • Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.1
  • SCF Mapping: DCH-01 (Data Protection)

FRHC categorizes data into four sensitivity levels: Restricted, Confidential, Internal Use, and Public. Classification is based on potential impact from unauthorized disclosure and determines the technical and procedural protections applied. Legal, contractual, or regulatory classifications take precedence over internal classifications.

  • Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.2
  • SCF Mapping: DCH-02 (Data & Asset Classification)

Access to digital and non-digital media is restricted to designated staff roles based on business need. Social Security Numbers displayed in web portals are masked, showing only the last four digits. Printing sensitive data, including SSNs, is strictly prohibited.

  • Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.3
  • SCF Mapping: DCH-03 (Media Access)

Printed documents and removable media are marked with classification indicators based on content. Internal documents include confidentiality footers on every page (except public marketing material). Web-based content displaying restricted or confidential data includes visible classification labels.

  • Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.4
  • SCF Mapping: DCH-04 (Media Marking)

All physical media is confined to the Evocative Datacenter. Access to this facility is governed by controls defined in the Physical & Environmental Security Standard, ensuring protection from unauthorized physical access. Paper records containing personal information — including records containing names combined with Social Security numbers, financial account information, or other regulated identifiers — must be stored in locked cabinets or similarly secured physical locations with access restricted to authorized personnel, consistent with 201 CMR 17.00 §17.05.

  • Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.5
  • SCF Mapping: DCH-06 (Media Storage)

All laptops, desktops, and portable media are encrypted using BitLocker. Encryption keys are managed using Microsoft Endpoint Manager or other approved mechanisms. Portable media use outside of secure environments requires authorization from the ISO or executive management.

  • Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.6
  • SCF Mapping: DCH-07 (Media Transportation)

FRHC uses the WiebeTech Drive eRazer to sanitize drives prior to disposal. Media disposal events are logged with serial numbers, dates, and personnel involved. If sanitization is not possible, media is destroyed using shredders, a drill, or through a certified destruction vendor. All disposal actions are logged, and certificates of destruction are retained when applicable.

  • Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.7
  • SCF Mapping: DCH-08 (Physical Media Disposal)

Media to be reused is sanitized using the WiebeTech Drive eRazer with NIST 800-88 settings. Devices that cannot be sanitized are destroyed per section 3.7 above. Personal data is treated with the same safeguards as other sensitive data for sanitization and disposal purposes.

  • Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.8
  • SCF Mapping: DCH-09 (System Media Sanitization)

Removable media use is permitted only on a case-by-case basis with ISO or executive approval. Regardless of authorization, all removable media must be encrypted to protect data confidentiality.

  • Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.9
  • SCF Mapping: DCH-12 (Removable Media Security)

FRHC systems utilize site-to-site VPNs for secure transmission to and from external systems and customers. Encrypted file transfers are performed using a monitored and managed SFTP server.

  • Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.10
  • SCF Mapping: DCH-13 (Use of External Technology Assets, Applications and/or Services (TAAS))

FRHC maintains a formal retention schedule covering business, financial, personnel, insurance, client, and system data. Data retention periods range from one year to permanent based on category. Application data is retained for the life of the client contract. The following schedule defines retention periods for major data categories:

CategoryType of RecordRetention Period
Business RecordsAmendmentsPermanent
Annual ReportsPermanent
Articles of IncorporationPermanent
Board of Directors (elections, minutes, committees, etc.)Permanent
BylawsPermanent
Capital stock & bond recordsPermanent
CharterPermanent
Business Contracts & agreementsPermanent
Records CopyrightsPermanent
Correspondence (General)7 years
Correspondence (Legal)Permanent
Partnership agreementPermanent
PatentsPermanent
Service marksPermanent
Stock transfersPermanent
TrademarksPermanent
Financial RecordsAudit report (external)Permanent
Audit report (internal)3 years
Balance sheetsPermanent
Bank deposit slips, reconciliations & statements10 years
Budgets3 years
Cash disbursement & receipt record10 years
Financial Checks (canceled)Permanent
Customer Invoices and Credit memosPermanent
Depreciation schedulePermanent
Dividend register & canceled dividend checksPermanent
Employee expense reports3 years
Employee payroll records (W-2, W-4, annual earnings records, etc.)Permanent
Financial statements (annual)Permanent
General ledgerPermanent
Internal reports (work orders, sales reports, production reports)3 years
Inventory lists3 years
Investments (sales & purchases)Permanent
Profit / Loss statementsPermanent
Purchase and sales contracts3 years
Purchase order3 years
Subsidiary ledgers (accounts receivable, accounts payable, etc.)Permanent
Tax returnsPermanent
Vendor Invoices7 years
Worthless securities7 years
Personnel RecordsAccident report/injury claim7 years
Attendance Records3 years
Employee benefit plans7 years
Employment applications (not hired)1 year
Garnishments3 years
I-9 FormsPermanent
Personnel Medical and exposure records – toxic substancesPermanent
Organization ChartsPermanent
OSHA LogsPermanent
OSHA Training DocumentationPermanent
PatentsPermanent
Pension plan agreementPermanent
Personnel filesPermanent
Profit sharing agreementPermanent
InsuranceFire inspection reports7 years
Group disability records7 years
Insurance HIPAA-related documentation6 years
Insurance policiesPermanent
Safety records3 years
Settled insurance claims7 years
Real EstateDeedsPermanent
Mortgages3 years
Plans & blueprintsPermanent
Real Estate Plant cost ledgerPermanent
Property appraisalsPermanent
Property registerPermanent
MiscellaneousServer audit trail history1 year
Router/Firewall audit trail history1 year
Visitor Logs1 year
Client DataPatientRemedi DataLife of Contract
Credit Balance DataLife of Contract
  • Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.11
  • SCF Mapping: DCH-18 (Media & Data Retention)

When sensitive or regulated data — including ePHI — is no longer required, it is deleted directly within the PatientRemedi application infrastructure (v1 and v2). Deletion is performed through the application’s data management functions, which remove records from the underlying database. Once deleted in this manner, the data is no longer accessible through the application or its supporting systems.

Subsequent database backups overwrite preceding backups in accordance with the established backup retention schedule. As the backup cycle progresses, backups containing deleted records are replaced, ensuring that deleted data does not persist in backup storage beyond the retention window.

Physical media disposal follows the procedures described in Sections 3.7 and 3.8 in compliance with NIST SP 800-88.

  • Parent Policy Mapping: STH Data Classification & Handling Policy, Section 3.12
  • SCF Mapping: DCH-21 (Information Disposal)

FRHC maintains evidence supporting data classification and handling controls, including classification registers, disposal logs, destruction certificates, media transport records, and retention schedule documentation. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Data Classification & Handling Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
    • 45 CFR §164.308(a)(5)(ii)(C) – Data Disposal
    • 45 CFR §164.312(a)(2)(iv) – Access Control – Encryption
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC6.1, CC6.2)
    • Confidentiality (C1.1, C1.2)
    • Privacy (P8.1)
  • Massachusetts 201 CMR 17.00:
    • §17.03(2)(g) – Limiting the Amount of Personal Information Collected
    • §17.05 – Physical Access Controls for Records Containing Personal Information

Framework Alignment:

  • DCH-01 – Data Protection
  • DCH-02 – Data & Asset Classification
  • DCH-03 – Media Access
  • DCH-04 – Media Marking
  • DCH-06 – Media Storage
  • DCH-07 – Media Transportation
  • DCH-08 – Physical Media Disposal
  • DCH-09 – System Media Sanitization
  • DCH-12 – Removable Media Security
  • DCH-13 – Use of External Technology Assets, Applications and/or Services (TAAS)
  • DCH-18 – Media & Data Retention
  • DCH-21 – Information Disposal

RevDescriptionDateApproved
-Policy createdApril 2021M Machin
1.0General Update and reviewOctober 2023M Machin
2.0Updated and approved for 2024July 2024WSI
3.0Updated and approved for 2025July 2025M Machin
4.0Converted to StandardApril 2026M Machin
4.1Added data minimization (§3.1) and paper records locked storage (§3.5); added 201 CMR 17.00 citationsApril 2026M Machin

Internal Use Only