Skip to content

Data Privacy Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Data Privacy Policy
Framework Reference: Secure Controls Framework – Data Privacy (PRI)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Data Privacy requirements established by Summit Technology Holdings, LLC (STH). It documents FRHC’s privacy program, governance responsibilities, and operational controls for protecting the personal data—including ePHI, PII, and other regulated data categories—that FRHC collects, processes, and stores.


This standard applies to all FRHC employees, contractors, and third parties handling personal data on behalf of FRHC. It applies to all FRHC systems, applications, and processes that collect, process, transmit, or store personal data in any format.


FRHC maintains a documented data privacy program defining organizational responsibilities, governance, and accountability for protecting personal data. FRHC’s Corporate Legal Counsel serves as the designated Chief Privacy Officer (CPO), responsible for overseeing privacy activities, ensuring compliance with HIPAA and other applicable requirements, and coordinating responses to privacy incidents. Privacy governance is reviewed annually and updated as regulatory or operational requirements change.

  • Parent Policy Mapping: STH Data Privacy Policy, Section 3.1
  • SCF Mapping: PRI-01 (Data Privacy Program), PRI-01.1 (Chief Privacy Officer (CPO))

FRHC maintains a Notice of Privacy Practices (NPP) in compliance with the HIPAA Privacy Rule. The NPP is provided to patients and covered individuals at the point of service and is posted on FRHC’s website. The NPP is reviewed annually and updated to reflect any changes in processing activities, legal requirements, or organizational practices.

  • Parent Policy Mapping: STH Data Privacy Policy, Section 3.2
  • SCF Mapping: PRI-02 (Data Privacy Notice)

FRHC obtains appropriate authorization and consent before using or disclosing protected health information beyond treatment, payment, and healthcare operations as defined under HIPAA. Individual authorizations are documented, retained, and can be revoked at any time in accordance with HIPAA requirements and FRHC’s authorization procedures.

  • Parent Policy Mapping: STH Data Privacy Policy, Section 3.3
  • SCF Mapping: PRI-03 (Choice & Consent)

3.4 Restrict Collection to Identified Purpose

Section titled “3.4 Restrict Collection to Identified Purpose”

FRHC limits personal data collection to what is necessary for defined, legitimate business and healthcare purposes. Data is not re-used for purposes beyond those originally collected without proper authorization or a documented legal basis. Data minimization principles are applied in system design and operational workflows.

  • Parent Policy Mapping: STH Data Privacy Policy, Section 3.4
  • SCF Mapping: PRI-04 (Restrict Collection To Identified Purpose)

FRHC retains personal data, including ePHI, only as long as required by applicable law, regulation, or business necessity, consistent with FRHC’s Data Classification & Handling Standard and applicable retention schedules. When personal data is no longer needed, it is securely disposed of using methods that render data irretrievable, consistent with FRHC’s approved disposal procedures.

  • Parent Policy Mapping: STH Data Privacy Policy, Section 3.5
  • SCF Mapping: PRI-05 (Personal Data (PD) Retention & Disposal)

FRHC provides individuals with the ability to access, request corrections to, and request restrictions on their personal data in accordance with HIPAA individual rights provisions. Requests are processed in a timely, secure, and verifiable manner. FRHC’s procedures for handling individual rights requests are documented and reviewed annually.

  • Parent Policy Mapping: STH Data Privacy Policy, Section 3.6
  • SCF Mapping: PRI-06 (Data Subject Empowerment)

3.7 Information Sharing With Third Parties

Section titled “3.7 Information Sharing With Third Parties”

FRHC shares personal data with third parties only when necessary and authorized under applicable law. Business Associate Agreements (BAAs) are executed with all vendors and service providers who access, process, or store ePHI on FRHC’s behalf. Third-party privacy obligations are reviewed as part of FRHC’s Third Party Management program.

  • Parent Policy Mapping: STH Data Privacy Policy, Section 3.7
  • SCF Mapping: PRI-07 (Information Sharing With Third Parties)

FRHC provides annual privacy training to all employees and contractors with access to personal data or ePHI. Privacy controls are tested as part of FRHC’s annual SOC 2 Type II audit and internal review processes. Monitoring is performed to detect and respond to potential privacy violations.

  • Parent Policy Mapping: STH Data Privacy Policy, Section 3.8
  • SCF Mapping: PRI-08 (Personal Data (PD) Control Testing, Training & Monitoring)

FRHC maintains evidence of privacy notices, authorization forms, retention schedules, BAAs, and training records. The CPO reviews privacy program effectiveness annually and oversees remediation of identified gaps. Evidence is retained to support SOC 2 Type II audits and HIPAA Privacy Rule compliance assessments.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Data Privacy Policy

Regulatory Requirements:

  • HIPAA Privacy Rule:
    • 45 CFR §164.520 – Notice of Privacy Practices
    • 45 CFR §164.522 – Rights to Request Restrictions
  • AICPA SOC 2 Trust Services Criteria:
    • Privacy (P1–P9)

Framework Alignment:

  • PRI-01 – Data Privacy Program
  • PRI-01.1 – Chief Privacy Officer (CPO)
  • PRI-02 – Data Privacy Notice
  • PRI-03 – Choice & Consent
  • PRI-04 – Restrict Collection To Identified Purpose
  • PRI-05 – Personal Data (PD) Retention & Disposal
  • PRI-06 – Data Subject Empowerment
  • PRI-07 – Information Sharing With Third Parties
  • PRI-08 – Personal Data (PD) Control Testing, Training & Monitoring

RevDescriptionDateApproved
-Policy createdJuly 2021M Machin
1.0Formatting UpdateSeptember 2022WSI
2.0Updated and approved for 2024July 2024WSI
3.0Updated and approved for 2025July 2025M Machin
4.0Converted to StandardApril 2026M Machin

Internal Use Only