Human Resource Security Policy

Last Updated and Effective: April 9, 2026

Scope: Applies to HIRC personnel and to contractors, MSP staff, and vendors who perform work for or on behalf of HIRC and who access HIRC-controlled systems or data.

Purpose

To define HIRC’s personnel-focused security commitments that protect information and systems and support HIRC’s SOC 2 Type I objectives.

Key commitments

HIRC is a member-governed association consisting of healthcare providers, suppliers, and healthcare supply chain industry businesses involved at various stages of the healthcare supply chain.
HIRC Participants may be (a) actual or potential competitors, or (b) actual or potential trading partners. HIRC does not, and may not, play any role in the competitive decisions of HIRC Participants or their employees, and HIRC does not restrict competition in any industry in any manner.

HIRC is committed to:

  • Personnel screening: Role-appropriate, risk-proportionate screening for individuals who will access sensitive environments.
  • Confidentiality: Personnel agree to confidentiality and data-protection obligations as a condition of access; additional signed confidentiality instruments are required for privileged or Domain B roles.
  • Onboarding & training: New personnel complete security and policy training; role-based training is required for privileged users and those with Domain B access.
  • Access lifecycle: Accounts are provisioned only after documented authorization; access is reviewed periodically and revoked promptly when no longer required.
  • Privileged access controls: Administrative/logical separation of privileged accounts and supervisory review of privileged activity.
  • Vendor & contractor controls: Third parties performing HR or administrative functions are governed by the vendor risk program and contractual data protections.
  • Payroll, records & privacy: Personnel and payroll records are treated as Confidential and managed under HIRC data-handling and retention rules.
  • Offboarding: Prompt revocation of access and recovery of assets at role change or termination; confidentiality obligations survive separation.

Assurance & evidence

HIRC documents personnel control design and retains evidence (for example, training records, access reviews, confidentiality acknowledgements, vendor DPAs) to support SOC 2 attestation. Members may request further documentation under appropriate confidentiality protections.

Contact for further information: partners@hirc.org


How members can obtain more detail

For members requiring more information (detailed control mappings, SOC reports, or full policy documents), HIRC will provide additional documentation upon request under appropriate confidentiality agreements or through a secure member portal. Contact: partners@hirc.org.