RACSB Information Technology



Plan, Policies and Procedures

Last Review by RACSB Board of Directors June 2019

Suzanne Poe

IT Coordinator

Rappahannock Area

Community Services Board

Information Technology Plan


Information Technology Plan

Table of Contents

Introduction

Planning Process

Mission

Agency Beliefs

IT Beliefs

Fundamental Principles

Goals

Objectives

Technology Assessment

Performance Measures

Policies and Procedures

Appendices

Introduction

Technology is changing rapidly. The Information Technology (IT) department recognizes the fluid technology environment in which it operates today. The department balances a stewardship role in protecting investments and information assets with the strategic role of pursuing opportunities which strengthen technology to support quality service delivery. RACSB continues to make investments in information technology hardware and software. Through careful planning, efficient business processes, and technical execution, technological investments provide a return on investment in the form of increased access to the agency and improved services.

The IT strategic planning process provides a framework to align the agency’s technological resources to meet the needs of our internal and external customers. The IT Plan guides investment decisions to ensure that limited resources are appropriately allocated to achieve the objectives of our user community.

This process involves maintaining and updating technology, measuring the appropriateness of the technology refresh cycles, and evaluating effectiveness of the technology investments. Using technology effectively to meet end-user requirements and expectations is a critical challenge facing information technology providers. Advances in technology can enable the workforce to provide better and faster service at a reduced cost, but changes in technology can be expensive and complex. New technology must be adopted carefully and integrated wisely into the existing technology infrastructure of an organization in order to maximize the benefits in a cost-effective manner.

The IT department aligns technology solutions to identified business needs, builds partnerships with other Community Services Boards (CSB), and supports the needs of internal customers. The end results are improved processes for operations, greater efficiencies and effectiveness in service delivery, improved opportunities for data sharing and decision making, enhanced capability for access to information, and improved protection of agency assets. In addition to the IT Plan and Five-year Capital Improvement Plan, investments for information technology projects are guided by the fundamental IT principles.

This document is intended to be flexible and allow the Information Technology department, with approval of the Executive Director, to continue to do a better job of drawing upon the talents and skills of all employees at all levels of the organization in order to move the organization to the next level of performance.

Planning Process

The Information Technology planning process is part of the agency’s Capital Improvement Plan. Each year RACSB updates the capital improvement plan. IT needs, resources and plan are evaluated annually to determine the equipment replacement needs, upgrade requirements, and new project needs of the agency. The IT Plan incorporates any technical needs identified in the agency’s strategic plan.

Staff across the agency provided input on values, needs, and expectations related to the future provision of information technology solutions and services as a part of the planning process. The input informs the annual process for development of the IT Plan, including the goals and objectives of the IT office. IT hardware (laptops, desktops, servers, firewalls, etc.) averages a five-year life expectancy before needing replacement.

An IT Risk Analysis is performed yearly by an outside party, and we evaluate any recommendations made as part of this Risk Analysis. See Appendix E for the IT Risk Analysis.

The most current Capital Improvement Plan Budget is included in the IT Policies & Procedures as Appendix R.

Mission

RACSB’s Mission Statement:

Rappahannock Area Community Services Board (RACSB) is dedicated to education, recovery, treatment, and wellness of Planning District 16 residents affected by mental health and substance use disorders and developmental disabilities.

RACSB IT Department’s Mission Statement:

Rappahannock Area Community Services Board (RACSB) IT office is committed to delivering and supporting an innovative technology environment to strengthen the public service commitment of RACSB.

IT supports, manages, and coordinates all aspects of RACSB information technology assets to provide quality services to its staff and assists the agency in improving the delivery of services to our individuals receiving services. RACSB’s information and services are provided through the deployment of proven and dependable technology. IT employs proven best-practice management techniques within the guidelines of agency policies and procedures. The work of IT is performed by RACSB staff, in both direct execution and project management roles. IT partners with the private sector for expert skills to augment capacity to accomplish projects and support operational activities.

Agency Beliefs

The Rappahannock Area Community Services Board advocates and actively promotes the beliefs that:

▪ All people have the right to participate in the life of the community and this should not be diminished by the presence of mental illness, intellectual disability or alcohol and other drug dependence;

▪ Programs and services should be provided to meet the identified needs of all five political jurisdictions in Planning District 16;

▪ Services are best provided at the community level which maximizes the use of natural supports and local networks of care;

▪ Individuals with mental disabilities and chemical dependency should have access to a continuum of quality programs and services, which are accessible, affordable and adapted to meet individual needs;

▪ Services should be delivered at the earliest possible time to prevent or reduce more costly and traumatic interventions in the future;

▪ The system of care should be ethically, racially, culturally, age, gender and language appropriate;

▪ The empowerment of people is achieved by recognizing their worth, dignity, strengths and ability to make informed decisions;

▪ The development of a well-trained and diverse work force is essential to an effective, efficient and outcome-oriented service delivery system;

▪ Ethical practices are inherent in the provision of quality programs and services;

▪ Services and supports should be accountable to those they serve, their families and their community, taxpayers and funding sources;

▪ Interagency collaboration and public/private partnerships promote the delivery of comprehensive services in the least restrictive environment; and

▪ The provision of services should be sensitive to the health, safety and well-being of the community.

IT Beliefs

Accessibility:

We believe in promoting electronic access to information. Information and services should be available wherever and whenever needed, 24 hours a day.

Accountability:

We are responsible to the citizens of the Counties of Caroline, King George, Spotsylvania and Stafford and the City of Fredericksburg, will conduct business in a fiscally responsible manner, and will be good stewards of any funding which is invested in technology.

Communication:

We foster a respectful environment of dialogue and collaboration to ensure that all employees, regardless of position or job function, are well-informed regarding the IT department’s mission of service.

Cooperation:

We believe that teamwork between IT staff, RACSB programs and other entities in the community is fundamental to our work and we strive to share resources in working together responsibly.

Information Protection:

We work diligently to maintain the public’s trust by protecting against unauthorized access, malicious destruction of fiduciary data, and by facilitating the appropriate use of RACSB information in a secure environment.

Technical Expertise:

We strive to provide competent, reliable service delivery and to effectively use innovative technology to enable business solutions.

Valuing IT Workforce:

We believe our staff is the key to our success and thus we commit to creating a dynamic workplace, investing in our employees, and addressing the issues that affect their employment.

Fundamental Principles

1. To provide citizens, the business community, and RACSB employees with timely, convenient access to appropriate information and services through the use of technology.

2. Business needs drive information technology solutions. Strategic partnerships are established between the Community Services Boards to leverage collective knowledge to maximize the productivity of RACSB employees and technology usage.

3. Evaluate business processes for potential operational efficiencies. Use new technologies to support improved business methods.

4. Manage Information Technology as an investment.

• Annually allocate funds sufficient to replace systems and equipment before life-cycle end. Address project and infrastructure requirements through a multi-year planning and funding strategy, our 5-Year Capital Improvement Plan (Appendix R).

• Limit resources dedicated to "legacy systems" -- hardware and software approaching the end of its useful life -- to absolutely essential or mandated changes. Designate systems as "legacy" and schedule their replacement. This approach will help focus investments toward the future rather than the present or past.

• Invest in education and training to ensure the IT staff can support current and future technologies.

5. Implement contemporary, but proven technologies. RACSB will stay abreast of emerging trends through an ongoing program of technology evaluation. New technologies will often be introduced through pilot projects where the automation, business benefits, and costs can be evaluated prior to any full-scale adoption.

6. Hardware and software will adhere to open (vendor-independent) standards and minimize proprietary solutions. This approach will promote flexibility, inter-operability, cost effectiveness, and mitigate the risk of dependence on individual vendors.

7. Manage the agency network as a fundamental building block of the Board's IT architecture. The network will connect modern workstations and servers; will provide both internal and external connectivity; will be flexible, expandable, and maintainable; be fully integrated using open standards and capable of providing for the free movement of data, graphics, image, video, and voice.

8. Emphasize the purchase and integration of top quality, commercial-off-the-shelf software (COTS) for use by all staff members. Utilize modern efficient methods and laborsaving tools in a cooperative application development environment. A repository for common information objects (e.g., databases, files, records, methods, application inventories) will be created, shared and reused.

9. Capture data once in order to avoid cost, duplication of effort, and potential for error and share the data whenever possible. Establish and use common data and common databases to the fullest extent. A data administration function will be responsible for establishing and enforcing data policy, data sharing and access, data standardization, data quality, identification and consistent use of key corporate identifiers.

Goals

Leadership:

To provide a unified direction for technological advances and innovations at RACSB. A clearly articulated direction provides the foundation for a consistent and efficient approach to the use and deployment of technology in support of the RACSB mission. The stated direction for RACSB information technology is:

• To promote synergy in the delivery of IT support and services, and

• To foster a collaborative agency approach to the use of technology.

Service Delivery:

To provide quality information technology services and solutions to meet the needs of programs and in turn provide quality services to the citizens of Planning District 16. Quality service delivery encompasses the effective use of current and future technologies and the delineation of efficient business processes for the delivery of those services.

Learning and Growth:

Employee proficiency and productivity can be improved through effective training and a commitment to learning and personal development.

Consultations and Partnerships:

To partner with external contractors and public and private agencies to provide both centralized and distributed implementation of information technologies. The foundation of these partnerships consists of a combination of responsibility and knowledge of IT management, staff, agency representatives, and members from supporting external contractors to work within the consistent framework of RACSB IT standards. This will allow for the maximum utilization of limited resources and the leveraging of existing projects and systems.

Partnerships within RACSB are especially critical to ensuring HIPAA implementation. The goal is to direct a collaborative process of regulatory interpretation for efficiencies related to HIPAA implementation strategies. The implementation of HIPAA is a catalyst for those agencies that handle personal information to revisit privacy and confidentiality processes. HIPAA will guide the tactical approach to the storage and delivery of health information as IT promotes its defined long-term goals throughout RACSB. The HIPAA Compliance Program also seeks to partner with IT to foster a cultural change within the agency that is consistent with the regulatory requirements related to health information security.

Each of these goals, independently and in concert with one another, supports IT efforts to formulate and maintain a cost-effective technical architecture that maximizes IT infrastructure responsiveness to changing business requirements.

Objectives

Information Technology will deliver quality and innovative solutions to RACSB staff and provide convenient access to appropriate information and services.

1. Deliver timely and effective responses to customer requirements through teamwork.

2. Provide vision, leadership, and a framework for evaluating emerging technologies and implementing proven information technology solutions.

3. Provide staff with convenient access to appropriate information and services through technology.

4. Work with agency programs to improve business operations by thoroughly understanding business needs and by planning, implementing, and managing the best information technology solutions available.

5. Guarantee a reliable communication and computer infrastructure foundation.

6. Effectively communicate information about plans, projects, and achievements to agency staff.

7. Develop and maintain technically skilled staff members that are competent in current and emerging information technology. Develop a user community that understands and can employ modern technologies to maximize benefits.

8. Ensure effective technical and fiscal management of RACSB operations, resources, technology projects, and contracts.

Technology Assessment

Current IT Processes and Services:

The Information Technology Department supports RACSB information technology assets. We also provide leadership to develop and deploy technology services. These services employ standards, policies, and procedures to ensure efficient and effective productivity of our staff resources while emphasizing cost-effective usage of RACSB's technology assets.

Some key components of fulfilling these services are:

• Planning and review of technology investments throughout RACSB;

• Focus on architecture, standards, training and certification of staff;

• Collaboration between CSBs and VITA; and

• Skilled project management.

These services work together to create an agency-wide process and focus for information technology in RACSB.

The process includes representation from all program areas to ensure that as solutions are chosen, they match the goals of the agency as a whole.

Business processes and practices are integral to both the development and sustenance of an IT office and the focused technology approach. The following elements are critical to the successful implementation of information technology solutions for current and future needs.

These processes are:

• Information Technology Planning Process

• Information Technology Architectural Planning and Execution

• Information Technology Investment Portfolio Management

• System Life Cycle Standards

RACSB’s information technology environment has been able to keep within striking range of the latest emerging state-of-the-art architectures through a strategic investment program.

RACSB's technological improvement strategy provides an adequate IT infrastructure to support programming used to achieve quality and operational improvements as well as redesign business processes to achieve large-scale improvements in service quality and achieve administrative efficiencies.

IT goals and investment funding criteria guide investment decisions based on:

• Convenient Access to Information and Services

• High Level of Responsiveness to staff and outside agencies' requirements

• Management of RACSB Information Assets

• Management of RACSB Technology Assets

The criteria were adjusted consistent with resource availability to focus on:

• Mandated Requirements

• Leveraging of Prior Investments

• Enhancing RACSB Security

• Improving Service Quality and Efficiency

• Ensuring a current and supportable Technology Infrastructure

The technology investment is strengthened by the strong long-range planning.

Access to Information and Services, and Improving Service Quality and Efficiency:

Providing the state, localities, funders, and RACSB employees with timely, convenient access to appropriate information and services is the most important use of information technology. The investment strategy provides annual support for projects that maximize the accessibility of RACSB information. Many of the projects expand on existing methods of accessing information.

High Level of Responsiveness, Management of Information Assets, and Improving Service Quality and Efficiency:

Several initiatives use collaborative tools and approaches to formulate business solutions that address customer needs. Efforts continue to provide RACSB with web-based Graphical User Interface (GUI) software and application integration tools to increase utility and functionality of RACSB information systems. Efforts continue to apply these strategies across the portfolio of RACSB systems for improved processing, workflow, data-sharing, creating repeatable processes and program planning. Focusing on internal business practices is a key element to effectively managing RACSB’s information assets. Projects are encouraged that create, share, or reuse a repository of common information objects and components such as databases and records, that provide for data standardization and that streamline processes to capture data only once.

Core business functions of RACSB are supported by developing, implementing, and maintaining major information system applications. Staff ensures that applications provide services for all RACSB programs and development functions that facilitate the transaction of RACSB business. Additionally, IT supports administrative and management functions such as finance, accounting, budgeting, purchasing, payroll and human resource management, and facilities management functions.

Ensuring a current and supportable Technology Infrastructure, Management of Technology Assets and Enhancing Security:

Direct technical support services are provided for more than 550 users in more than 40 locations. The wide range of technical services provided to our customers includes communications infrastructure; user access and authentication; agency e-mail management and administration; and desktop technology administration and management.

A single point of contact exists for end-user devices, operating systems, databases, telecommunications, and print services. Additionally, IT is responsible for ensuring the implementation of information security practices that maintain confidence and protect government services and the privacy of sensitive information.

Leveraging of Investments:

IT manages the IT Project Portfolio for major technology initiatives and projects of highest priority for RACSB. Consulting support is provided on major technology acquisitions, including formulation of requests for proposal, assessments of product and vendor viability, formulation and execution of negotiating strategies, evaluation of best-value proposals, consultations on licensing models, pricing structures, and other key terms and conditions of major contracts.

IT provides substantial support to programs in the areas of information technology planning, business process re-engineering, and overall productivity improvement of the computer user community.

Mandated Requirements:

Many investments are necessitated by mandates handed down by the federal or state government that impact business processes and agency operations. Investments for meeting key mandates that result in automated processes nest within all areas of application development and infrastructure. A key program geared toward a wide-sweeping mandate concerns information privacy.

For example, the HIPAA Compliance Program is guiding the application of the various components of the health information privacy law throughout RACSB. The associated business relationships are being identified to ensure the application of the law will enhance the consistent delivery of services. Where it is feasible, regulatory requirements are being implemented on a RACSB-wide level.

Existing Technologies:

Advances in technology can enable the workforce to provide better and faster service at a reduced cost; however, changes in technology can also be expensive and complex.

New technology must be adopted carefully and integrated wisely into the existing technology infrastructure of RACSB programs and locations in order to maximize the benefits in a cost-effective manner. Management of our IT Project Portfolio is one of our major challenges.

Security is another critical challenge. The ever-increasing phenomenon of virus and cyber-attacks on entities has brought a heightened awareness of security measures and technology to the IT department.

Trends Affecting IT:

As part of the IT Planning effort, six major trends were identified that affect potential technology solutions and enrichments to RACSB’s current technology architecture:

• The workplace is becoming more mobile, so job functions can be performed without having to be tied to a physical location.

• Methods for communicating and collaborating are becoming more automated.

• Information resources must be managed from a full life cycle perspective.

• Security for information and communications systems and privacy of information are critical priorities.

• Technical architectures are facing increased capacity and flexibility demands.

• Staff members are requiring access to information in a variety of ways.

Challenges Affecting the Deployment and Management of IT:

With rapidly changing technology, our challenges are deploying technology with reduced staff and shrinking dollars. The demand for more technology also is increasing which leads to the need for more staff support. We need to find more creative solutions through leveraging staff, partnering with private sector for select services, and investigating outsourcing opportunities.

Emerging Technologies:

There has been a paradigm shift over the last decade in the way RACSB conducts business. The number of phone calls, emails, and faxes has increased, while the number of paper communications (snail mail) has decreased. State, federal and local expectations for convenient customer service and accurate information continue to grow. In response to these changes, RACSB is placing more emphasis on the deployment of technologies from an agency perspective. This change in perspective also has been influenced by budget constraints, the introduction of HIPAA, the increase in virus activity, the demand for sharing information, and the increasing expectations for the rapid delivery of information.

A business need exists to facilitate communication and collaboration both within RACSB and across all levels of community services. Emerging technologies are evaluated to support communication and collaboration including video conferencing and report sharing.

Improvements in the security and privacy of our agency architecture are a necessity because of the proliferation of viruses and the heightened awareness of the need for information protection. Technologies deployed in this area include on-going risk analysis, automated auditing functions, and implementation of secure email communication technologies.

A need exists to manage data and processes from an agency perspective in order to achieve integrated services. While RACSB has purchased the necessary tools to manage the agency integration of data and processes, the focus must shift to implementing agency standards and methodologies for the deployment of business applications using these technologies. The emphasis must be on reuse of application investments achieved through integration technologies applied at the data and process levels.

Performance Measures

While our IT plan can be considered a roadmap for the future, we need performance measures to both make sure we are on course and to check our progress as we travel toward our goals. Through this IT planning effort, we have recognized that while we are not fully maximizing our use of performance measures as a management tool, we are moving in the right direction, and will persist in continuous improvement. We have performance measures representing every major program area, but we could use more qualitative measures. We intend to use performance measures to help people focus on the execution of the IT plan.

Information Technology is an invisible part of what makes everything else work, an abstract concept that is difficult to communicate. Our outcome-based performance measures help us explain our work and why it’s important to RACSB. Information Technology has been a driver in changing the work climate by making service delivery more efficient and effective, which we can document through performance measures in agencies. Indicators include: reduced number of no-show appointments; increased fee revenue; additional grants received by the agency, etc.

We face many challenges in developing the comprehensive performance measures system we envision. Measuring results is difficult, and a long-term process. We have challenged ourselves to develop more performance measures and to document this performance consistently. As staff participate in collecting, analyzing, and responding to the data we measure, it helps them recognize their work is an important part of RACSB service delivery.

Information Technology Policies

Table of Contents

1. Introduction of Information Technology (IT) Services

   1.1 Organization and Updates to the IT Manual

2. Security of Electronic Protected Healthcare Information (PHI)

3. Network & Network Security

   3.1 Network Layout

   3.2 Network Maintenance Schedule

   3.3 Backup and Disaster Recovery

   3.4 Anti-Virus Protection

   3.5 Access to Computer Room

   3.6 Control File Changes and Network Changes

   3.7 Downtime / Network Maintenance

   3.8 Network Security

   3.9 Remote Network Access

   3.10 Wireless Access to RACSB’s Network

   3.11 Payment Card Industry-Data Security Standards (PCI-DSS)

4. Personal Computers

   4.1 Workstation Use

      4.1.1 Passcodes

      4.1.2 Data Access

      4.1.3 Printers

      4.1.4 Screen Savers

      4.1.5 Downloads

      4.1.6 Software

      4.1.7 Virus Protection

      4.1.8 Personal Equipment / Software

      4.1.9 Staff Terminations

      4.1.10 Assistive Technology & Environmental Modifications for Staff

   4.2 Portable (Laptop/Tablet) Computers

      4.2.1 Remote Access

      4.2.2 Physical Security of Equipment

   4.3 Computer Disposal

      4.3.1 Servers / CPUs / Laptop / Portable Computers

      4.3.2 Printers

      4.3.3 Diskettes

      4.3.4 Cassette Tapes

      4.3.5 DVDs/CDs

      4.3.6 USB Drives and Memory Cards

5. Email

   5.1 General Usage

      5.1.1 Forwarding of Email to Outside Accounts

      5.1.2 Web Mail

      5.1.3 Email on Personal Smart Phones

      5.1.4 Security / Encryption of Email

   5.2 Email Consent - Individuals Receiving Services

6. Internet Security and Usage

7. Telecommunications

   7.1 Phones

   7.2 Cellular Phones

   7.3 Smart Phones

   7.4 Text Messaging

8. Tele-Facsimile (Fax)

9. Data

   9.1 Minimum Necessary

   9.2 Data Accuracy / Integrity

   9.3 Billing and Reporting

   9.4 Service Entry

10. Electronic Health Record (EHR)

   10.1 Electronic Signature

   10.2 Downtime Procedure

   10.3 Electronic Applications

      10.3.1 Electronic Prescriptions

      10.3.2 Electronic Labs

   10.4 Web Portal

   10.5 Electronic Record Retention

11. Assistive Technology – Individuals Receiving Services

   11.1 Telehealth

   11.2 Video Phone

   11.3 Environmental Modifications

   11.4 Maintenance of Computers Utilized by Individuals Receiving Services

12. Video Surveillance

Appendix / Procedures

a) Community Individuals Receiving Services Submission (CCS3)

b) Core Services Taxonomy

c) Human Resources Social Networking Policy

d) Information Systems Standards of Conduct / RACSB Staff Equipment Setup Request / IT Employee Separation Checklist

e) IT Risk Assessment

f) Cell Phones Check-out Form

g) Virginia Relay Access Information Summary

h) Business Associates Agreement

i) Privacy Plan (HIPAA)

j) Information about Recycling of Computer Hardware

k) Network Layout / Server Listing / Rack configuration

l) Library of Virginia Record Retention and Electronic Records Retentions

m) IT Staff Job Descriptions

n) Fixed Asset Disposal Form

o) Downtime contingency and services/server restoration priorities.

p) Email Encryption Directions

q) RACSB Internal and External Reporting Requirements

r) RACSB Five-Year Capital Improvement Plan / IT Program Goals

s) Setting up staff & staff name changes for the network and the Electronic Health Record

t) Directions for entry of services into the Electronic Health Record

u) Library of Virginia Email Management Guidelines

v) Informed Consent for Telehealth / Staff Telehealth training time log

w) IT Related Contractors and contact information

1 Introduction of Information Technology (IT) Services


Introduction

To remain competitive, better serve our individuals receiving services, and provide our employees with the best tools to do their jobs, Rappahannock Area Community Services Board (RACSB) makes available to our workforce one or more forms of electronic media and services, including computers, email, telephones, voicemail, fax machines, online services, Intranet, and Internet.

RACSB encourages the use of these mediums and associated services because they can make communications more efficient and effective and because they are valuable sources of information about vendors, customers, technology, new products and services. Electronic media and services provided by RACSB are to facilitate and support RACSB business. All computer users have the responsibility to use these resources in a professional, ethical and lawful manner.

To ensure all employees are responsible, the following Policies and Procedures have been established for using RACSB’s computer systems and electronic media. No policy can cover every possible situation; instead, this policy is designed to express RACSB’s philosophy and set forth general principles for using the computer system and electronic services.

In addition to the Information Technology Policies and Procedures, staff at RACSB will comply with all Human Rights Policies, Personnel Policies, Privacy Policies, and other related RACSB policies when using RACSB computer resources.

RACSB staff must limit their access of Protected Healthcare Information (PHI) contained in RACSB’s computer system to the extent necessary to perform their job duties.

Organization and Updates to the IT Manual

Organization

The IT Policy and Procedure Manual is organized around a main document, the IT Policies. The Policies are the “high level overall plan embracing the general goals” of the IT office and do not change significantly or often.

The Appendices of the manual are the supporting documentation to the policies and change often, as software and technology change. The Appendices are used by IT staff as desk procedures for the everyday operations of the IT department.

Updates

This document was originally an appendix of the Financial Policies and Procedures, but it grew so large that continuing as part of that manual was no longer practical. In 2003, with all the new HIPAA Privacy policies, the IT Manual became a free-standing manual. It is updated annually. The IT Policies are reviewed and approved by the Board of Directors; the Appendices of the manual are maintained by the IT Coordinator.

2 Security of Electronic Protected Healthcare Information


Introduction

It is the policy of Rappahannock Area Community Services Board (RACSB) that all personnel must preserve the integrity and the confidentiality of medical and other sensitive information pertaining to our individuals receiving services. The purpose of this policy is to ensure that RACSB and its officers, employees, and agents have the medical and other information necessary to provide the highest therapeutic care possible, while protecting the confidentiality of that information to the highest degree possible, so that individuals receiving services are not reluctant to provide information to RACSB’s Information Management system, its officers, employees, and agents for purposes of treatment. Security is the method by which the privacy and confidentiality of individuals receiving services’ protected information are maintained in compliance with federal laws.

The three primary laws at the federal level that regulate the handling, storage and transmission of PHI are:

• The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA

• The Health Information Technology for Economic and Clinical Health Act, also known as the HITECH Act, which supplements the HIPAA regulations

• Title 42 of the Code of Federal Regulations, Part 2 which relates specifically to confidentiality of alcohol and drug abuse patient records

To that end, RACSB and its officers, employees, and agents will:

• Collect and use individual information only for the purposes of providing services and for supporting the delivery, payment, integrity, and quality of those services. RACSB and its officers, employees, and agents will not use or supply electronic individual medical information for non-health care uses, such as direct marketing, employment, or credit evaluation purposes.

• Collect and use electronic individual information for the following purposes:

o Providing accurate, up-to-date, and complete information about patients at the point of care

o Enabling quick access to patient records for more coordinated, efficient care

o Securely sharing electronic information with patients and other clinicians

o Helping providers more effectively diagnose patients, reduce medical errors, and provide safer care

o Improving patient and provider interaction and communication, as well as health care convenience

o Enabling safer, more reliable prescribing

o Helping promote legible, complete documentation and accurate, streamlined coding and billing

o Enhancing privacy and security of patient data

o Helping providers improve productivity

o Reducing costs through decreased paperwork, improved safety, reduced duplication of testing, and improved health.

o To receive reimbursement for services provided.

o For analysis and similar purposes designed to improve the quality and to reduce the cost of health care.

o As a basis for required reporting of health information. See Appendix A for the Community Consumer Submission (CCS) extract requirements and Appendix B for the Core Services Taxonomy data collection elements required by the Virginia Department of Behavioral Health and Developmental Services (DBHDS).

• Recognize that medical information collected and entered into RACSB’s electronic information system regarding individuals receiving services must be accurate, timely, complete, and available when needed. RACSB and its officers, employees, and agents will:

o Use their best efforts to ensure the accuracy, timeliness, and completeness of data and to ensure that authorized personnel can access it when needed.

o Complete and authenticate medical records in accordance with the law, medical ethics, and accreditation standards.

o Maintain medical records for the retention periods required by law and professional standards.

o Not alter or destroy an entry in a record, but rather designate it as an error while leaving the original entry intact and create and maintain a new entry showing the correct data.

o Implement reasonable measures to protect the integrity of all data maintained about individuals receiving services.

• Recognize that individuals receiving services have a right of privacy. RACSB and its officers, employees, and agents will respect the dignity of individuals receiving services at all times, and will respect their privacy to the extent consistent with providing the highest quality care possible and with the efficient administration of the facility and computer systems. (Refer to Appendix I for the RACSB privacy policy and Appendix H for the Business Associates Agreement.)

• RACSB will release only the minimum necessary PHI (Protected Health Information) to accomplish the intended purpose of use, disclosure, or request.

• Examples of Individually Identifiable Health Information that constitute PHI include:

o Name

o Geographical subdivision smaller than a state, except for the first three digits of a zip code

o All dates (except year), including birth/death dates and admission/discharge dates

o Phone or fax number

o E-mail address

o Social Security Number

o Medical record number

o Health plan beneficiary number

o Account number

o Certificate/license number

o Vehicle identifiers and serial numbers (including license plates)

o Device identifiers and serial numbers

o Web URL

o IP address

o Biometric identifier (for example, a fingerprint)

o Full face photographic image and any comparable image

o It also includes identifiable information of relatives, household members, and employers.

• Act as responsible information stewards and treat all electronic medical record data and related financial, demographic, and lifestyle information as sensitive and confidential. Consequently, RACSB and its officers, employees, and agents will:

o Treat all individual medical record data as confidential in accordance with professional ethics, accreditation standards, and legal requirements.

o Not divulge medical record data unless the individual receiving services (or his/her authorized representative) has properly consented to the release or the release is otherwise authorized by law, such as communicable disease reporting, child abuse reporting, and the like.

o When releasing medical record data, take appropriate steps to prevent unauthorized re-disclosures, such as specifying that the recipient may not further disclose the information without consent or as authorized by law.

o Implement reasonable measures to protect the confidentiality of medical and other information maintained about individuals receiving services.

o Remove identifiers of individuals receiving services when appropriate, such as in statistical reporting and in medical research studies.

o Not disclose financial or other information about individuals receiving services except as necessary for billing or other purposes authorized by law and professional standards.

• Recognize that some medical information is particularly sensitive, such as HIV/AIDS information, mental health and developmental disability information, alcohol and drug abuse information, and other information about sexually transmitted or communicable diseases, and that disclosure of such information could severely harm individuals receiving services, for example by causing loss of employment opportunities and insurance coverage, as well as the pain of social stigma. Consequently, RACSB and its officers, employees, agents, and computer systems will treat such information with the additional confidentiality protections required by law, professional ethics, and accreditation requirements.

• Recognize that, although RACSB “owns” the medical record, the individuals receiving services have a right of access to information contained in the record. RACSB and its officers, employees, and agents will—

o Permit individuals receiving services access to their electronic medical records except when access would be detrimental to them under the so-called therapeutic exceptions to access by individuals receiving services.

o Provide individuals receiving services an opportunity to request correction of inaccurate data in their records in accordance with the law and professional standards.

All officers, agents, and employees of RACSB must adhere to this policy. RACSB will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions in accordance with RACSB’s Personnel policies, Human Rights Policies and Privacy Policies.

Appendix D includes the IT Standard of Conduct signed by all employees, the RACSB Staff Equipment Setup Form, and the IT Separation Checklist. These forms record staff acknowledgement of receipt of, and agreement to, the IT Standards of Conduct for RACSB employees and staff, and supervisors’ requests and approvals for granting and revoking staff access to agency equipment, programs, and designated agency information.

Compliance

Users must immediately report violations of this policy to their program manager or supervisor and to the privacy or security officer.

Enforcement

All program managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination from employment, professional discipline, or criminal prosecution, in accordance with the CSB’s Personnel policies, Human Rights Policies and Privacy Policies.

3 Network


Introduction

Rappahannock Area Community Services Board's Information Technology (IT) Department will maintain prevention activities and reserve systems to assure access to a current and complete computer network system during regular business hours. RACSB has adopted this policy to comply with the federal law requiring contingency plans to respond to emergencies and with accreditation standards, as well as our duty to protect the confidentiality and integrity of confidential medical information as required by other laws, professional ethics, and accreditation requirements. All personnel of the Information Technology Department must be familiar with the contents of this plan, demonstrate competence in them, and follow its guidance, as appropriate, in a disaster.

All data network access devices, including switches, routers, hubs, firewalls, and access points, must be set up, configured, and administered by IT staff. All such devices must be physically located in secure areas. Any computer or electronic device found connected to the network that is not administered by IT, or not already permitted in writing by the IT Coordinator, is subject to disconnection and confiscation by IT staff without notice.

Scheduled downtime is necessary for all areas of the network in order to perform maintenance and upgrades on the network electronic devices. IT staff will notify and work with affected users to create reasonable scheduling of the downtimes that will mitigate the effect of these necessary downtimes on users’ operations.

3.1 Network Layout

See Appendix K

3.2 Network Maintenance Schedule


To make sure our computer systems are working at optimal performance, basic maintenance must be completed on the computer systems and software.

Daily

Back up all on-site network servers, including Avatar and Great Plains

Monitor hard drive disk space on all servers

Monitor CPU usage on all servers

Disable all Active Directory users that are no longer needed

Twice Weekly

Reboot all Avatar servers

Weekly

Check to verify that New Virus Definitions have been downloaded and installed on all Network Servers

Check for operating system updates on servers and install and reboot if needed

Monthly

Reboot all network hubs, routers, firewalls, switches, etc.

Install Avatar software patches
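The daily server checks above (disk space, CPU usage, stale Active Directory accounts) as one report-only PowerShell script. This is an added example, not a procedure from the RACSB manual; the server names, the free-space and CPU thresholds, and the 90-day inactivity window are assumptions to adjust to local practice.

```powershell
# Added example (not from the RACSB manual): daily server health and stale-account
# report. Server names, thresholds and the inactivity window below are assumptions.
#Requires -Modules ActiveDirectory

param(
    [string[]]$Servers = @('SERVER01', 'SERVER02'),   # assumed server names
    [int]$MinFreePercent = 15,                         # assumed low-disk threshold
    [int]$MaxCpuPercent = 85,                          # assumed high-CPU threshold
    [int]$InactiveDays = 90,                           # assumed inactivity window
    [switch]$DisableStale                              # default is report only
)

$findings = New-Object System.Collections.Generic.List[string]

foreach ($server in $Servers) {
    # Fixed disks only (DriveType 3); skips optical and mapped network drives.
    $disks = Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $server -Filter 'DriveType = 3'
    foreach ($d in $disks) {
        if ($d.Size -gt 0) {
            $freePct = [math]::Round(100 * $d.FreeSpace / $d.Size, 1)
            if ($freePct -lt $MinFreePercent) {
                $findings.Add("$server $($d.DeviceID) low disk space: $freePct% free")
            }
        }
    }

    # Average three CPU samples two seconds apart; a single reading is too noisy
    # to act on.
    $cpu = (Get-Counter -ComputerName $server -Counter '\Processor(_Total)\% Processor Time' `
                -SampleInterval 2 -MaxSamples 3).CounterSamples |
           Measure-Object -Property CookedValue -Average
    if ($cpu.Average -gt $MaxCpuPercent) {
        $findings.Add("$server CPU high: $([math]::Round($cpu.Average, 1))% average")
    }
}

# Enabled accounts with no logon inside the window. LastLogonDate is derived from
# the loosely replicated lastLogonTimestamp attribute, so it can lag by up to
# about two weeks; review the list before disabling. Accounts that have never
# logged on have a null LastLogonDate, so fall back to the creation date.
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
    Where-Object {
        ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        ($null -eq $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
    }

foreach ($u in $stale) {
    $findings.Add("stale account: $($u.SamAccountName) (last logon: $($u.LastLogonDate))")
    if ($DisableStale) {
        # Disable rather than delete: the account stays recoverable and the
        # separation checklist remains auditable.
        Disable-ADAccount -Identity $u.SamAccountName -Confirm:$false
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No findings."
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it without `-DisableStale` first and record the reviewed findings in the help desk log before disabling anything.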

3.3 Backup and Disaster Recovery

Purpose:

To develop an on-going program for the prevention of damage to the main computer system.

To develop a plan for recovery of current and complete data as soon as possible following a disaster or damage to the main computer systems.

Procedures:

I. PREVENTION

A. The main computer equipment will be maintained under a hardware maintenance contract to allow for repair and maintenance of defective or damaged equipment.

B. An uninterruptible power supply (UPS) is installed to prevent damage caused by power fluctuations and allow for a normal shutdown in the event of a power failure.

C. All computers will have a virus scan program installed as part of the basic setup of the computer. The standard virus protection used by RACSB is Malwarebytes.

D. Regular back-up procedures will be followed for data files and software files to ensure recovery of the most current information.

Backup Schedule – Data on our servers is backed up daily on site using Veeam to a Storage Area Network (SAN) device.

Throughout the day, data is continually replicated to the cloud-based Azure Site Recovery service.

E. Users will date and initial all original sources of entry (e.g., entry forms) and file them in a manner that will allow this data to be gathered for re-entry in the event of emergency recovery procedures.

II. CONTINGENCY PLAN FOR MAJOR DISASTERS

In the event of a disaster, a four-phase cycle will take place to bring about full restoration of normal processing: detection and reaction, implementation, initiation of backup site procedures, and establishment of full recovery at the backup site.

A. Detection and Reaction

As soon as an emergency situation occurs, the Executive Director should be notified, who in turn will notify the appropriate emergency authorities. If the IT Coordinator cannot be reached, contact the next available person on the list.

IT Coordinator

IT Assistant Coordinator

IT Lead Specialist

The person that responds to the emergency from this point on shall be referred to as the IT Disaster Recovery Captain.

B. In the event of damage to the computer, the following steps will be taken:

1. Once contacted, the IT Disaster Recovery Captain will make a decision based on the problem encountered and contact one or more of the contractors listed in Appendix W.

2. If the IT Disaster Recovery Captain has elected to power down the computer, or if the computer powers down by itself for any reason, it should not be powered up until approval has been received from the hardware vendor and the IT Coordinator.

3. In case of fire or flood, if the IT Disaster Recovery Captain has decided not to relocate the computers to an alternate site, the following steps should be taken:

a. Notify all users

b. Power down the computers

c. Power down all printers and peripherals

d. Turn off the UPS

e. Unplug all equipment

f. Cover all equipment with plastic

g. Notify the hardware vendor to have equipment checked for damage

C. Initiation of backup site procedures

1. When conditions warrant (hurricane, flood, fire, etc.) and the Executive Director has chosen to relocate the administration, the servers and network equipment shall all be packed up and readied for transport to the designated facility.

D. Establishment of full recovery at backup site

1. Relocation Steps:

a. Determine which alternate backup facility needs to be used:

Alternate Backup Site #1 Spotsylvania County Clinic

Alternate Backup site #2 Stafford County Clinic

Alternate Backup Site #3 Caroline County Clinic

b. Notify backup site of intent to use facility.

➢ Notify users to sign off programs and hold source documents

➢ Power down computers

➢ Power down all printers and peripherals

➢ Turn off UPS

➢ Unplug all equipment

➢ Ready equipment for transport

➢ Take all needed manuals, tapes, and forms

➢ Cover remaining equipment with plastic

c. Transportation of equipment begins.

d. Begin setup and assembly of equipment at backup site.

e. Establish hardware and supply needs.

f. Order necessary equipment and supplies

g. Notify all programs and users of current backup facilities and recent events, amount of damage and anticipated timeframes.

h. The IT Disaster Recovery Captain contacts the CSB Risk Manager to do the following, if appropriate, according to the damage classification:

Minor Damage

Anticipated downtime one to two days. Damage may include hardware, software, mechanical equipment, electrical equipment or the facility.

Major Damage

Anticipated downtime three to six days. Major Damage to hardware or facility.

Catastrophe

Anticipated downtime one week or more. Computer room or facility completely destroyed. Restoration will begin both at alternate site and current facility.

i. Photograph site and equipment to include cabling.

j. Prepare report that outlines damages and disposition of hardware.

k. Have the CSB Risk Manager contact the insurance company, follow up with the adjuster, and initiate insurance claims.

2. Notify all Computer users by email and/or telephone:

a. Batch by date all information entered since the last available backup in preparation for re-entry of this information.

b. Wait for further instructions on the availability of the system.

c. Bring up system if okay has been given by IT Coordinator or IT Disaster Recovery Captain.

d. If the equipment is new, test.

e. Restore latest full system backup and latest data only backups.

f. Begin testing to verify file and database integrity.

g. Establish processing schedule for operations.

h. Start processing critical applications.

III. RESTORATION OF FACILITIES AND OPERATIONS AT ORIGINAL/NEW SITE

A. Coordinate the repair/construction of the original/new location.

B. Contact hardware vendors to determine if hardware is repairable or must be replaced

C. Contact the cable company to verify that existing cabling is good or needs replacement.

D. Order any other data handling equipment (CSU/DSU, routers, modems, switch boxes, surge protectors, etc.).

E. Contact Broadband providers and arrange for new services. Set up schedule for proposed completion.

F. Give purchasing department a list of all items required.

G. Contact all Program Directors and determine what PCs, terminals, printers, modems, surge protectors, or software need replacing.

1. Set up time frame and schedule ordering, delivery and installation.

2. Make departments aware of this schedule and what our expectations are of them. See Appendix O for the priority of restoring systems and the contingency plan for IT operations during network downtime.

H. As soon as equipment is replaced or repaired, retrieve and restore the latest full system and latest data only backups. Following restoration of the backup(s) to the computer equipment, test the system to make sure it is in good working order and that the restore procedures worked.

I. Notify AVATAR users that:

1. They may sign back on the system.

2. They must re-enter the data gathered in step II.D.2.a.

3. After re-entering the data selected in step II.D.2.a, they should check the area of information affected to make sure it is correct and up-to-date before resuming entry of previously un-entered information.

PREPLANNING AND ON-GOING RESPONSIBILITY

A. Disaster Planning Coordinator

1. Keep IT Disaster Plan Updated; correcting names, addresses and telephone numbers.

2. Ensure plan is properly distributed. Electronic copies are to be kept off site available to all alternate locations.

3. Periodically check alternate backup facilities.

4. Formally update Plan annually.

5. Schedule an IT emergency management team meeting every six months to discuss current status.

6. Meet with other agency disaster recovery team leaders following agency guidelines.

7. Develop and keep current computer room labeling of equipment.

8. Keep and maintain documentation of all computer hardware configurations.

9. Review insurance coverage with Director of Finance and Administration and IT Coordinator annually to verify coverage is adequate and current.

TRAINING

A. Employees will be trained in the preventive backup and recovery implementation procedures of the data on their assigned equipment.

TESTING

A. Unannounced testing of the plan may be conducted once a year, requiring simulated restore and data recovery procedures for one day’s work.

IV. MONITORING AND EVALUATION:

A. The IT Coordinator will conduct monitoring of prevention procedures periodically.

B. Evaluation of the plan will be done following annual testing and in the event of an actual emergency.

3.4 Anti-Virus

Computer viruses are a reality and are not likely to ever go away. Although their creation is malicious, their spread is often innocent, occurring as people simply perform their duties. RACSB cannot assume responsibility for the damage caused by viruses. RACSB will, however, control viruses on our network and equipment and help in the fight against viruses.

Definition:

A computer virus is a program designed to replicate and spread on its own, usually without the user’s knowledge. Computer viruses spread by attaching themselves to another program, such as a word processing or spreadsheet program, or to the boot sector of a diskette. When an infected file is executed or the computer is started from an infected disk, the virus itself is executed.

In order to protect our computer systems from virus attack, RACSB implements methods that lower the opportunity for infection. RACSB will have in place firewalls and network and workstation virus protection software. In cases of serious virus threats, RACSB reserves the right to disconnect our network from the outside Internet in order to maintain better virus protection.

RACSB has centrally managed virus protection software. This allows for central deployment, uniform policy enforcement and the ability to push our virus definition updates out to users logged on to the network.

RACSB’s anti-virus software is used to protect our email users from receiving infected messages. This software filters email to detect common viruses and the viruses of greatest threat. If a virus is detected, the message is discarded, shielding the email recipient. RACSB servers regularly scan incoming email queues for virus keywords and isolate infected email messages. Unfortunately, RACSB is unable to send acknowledgement of the message removal.

RACSB IT staff should be notified immediately of any suspicion of viruses. Helpdesk staff will log a problem in the problem tracking system to notify systems staff of possible new or particularly damaging viruses.

RACSB IT staff will be responsible for distributing information regarding virus outbreaks and alerting RACSB staff by email or other means if appropriate.

3.5 Computer Room Access

The room that houses the servers for RACSB is to be closed and locked at all times. All visitors to the server room will be escorted by an IT staff member. An access card is needed for entry to the room. No unescorted individuals are allowed in the server room at any time. No food or beverages, including water, are allowed in the server room.

3.6 Control File changes and Network Changes

When changes are required to the master control of our network operating systems, network resources, or software programs, the changes are recorded in a help desk log within the Trackit program. This entry ensures that all IT staff members are aware of changes made to software, hardware, and/or operating systems.

3.7 Downtime/Network Maintenance

From time-to-time, it will be necessary to make the system unavailable for the purpose of performing upgrades, maintenance or housekeeping tasks. The goal of these tasks is to ensure maximum system performance and prevent future system failures.

The following activities fall within the definition of planned downtime:

• Application of patches to the operating system and other applications in order to fix vulnerabilities, eradicate bugs, add functionality or improve performance.

• Upgrades to system physical memory or storage capacity.

• Installation or upgrade of applications and services

• System performance tuning

• Regular system backup for purposes of disaster recovery.

In the event that any of these activities requires downtime, every effort will be made to perform the procedures during off-hours in order to minimize the impact on those who use the affected systems.

On occasion, it may be necessary to have planned downtime during regular business hours to install patches and updates or perform more elaborate procedures. If this is the case, the planned downtime will be communicated to users of the affected resources using the notification of downtime below.

Unexpected circumstances may arise in which systems or services will be interrupted without prior notice. Every effort will be made to avoid such circumstances. However, incidents may arise involving a compromise of system security, the potential for damage to equipment or data, or emergency repairs. If the affected system(s) cannot be brought back online within one hour, affected users will be contacted via the notification of downtime described below. In the event of an unplanned network outage, notify the Information Technology department immediately. Do not assume someone else has notified them.

Notification of Downtime:

Users will be notified of downtime according to the following procedures.

• The IT Coordinator, Assistant IT Coordinator, or Director of Operations will be responsible for notifying all identified users of the planned downtime, as well as of any unplanned interruptions to system availability as they occur.

• When planned Avatar downtime is required, all attempts will be made to avoid heavy usage times (such as times when outpatient clinics are open) and to keep downtime to a minimum so that implementing contingency actions won’t be necessary. Paper forms should be utilized during Avatar downtime if needed and should be scanned into the Electronic Health Record or entered when it is available.

• The IT Coordinator, Assistant IT Coordinator, or Director of Operations will first notify all affected users via an all-staff email. All users are responsible for checking email for downtime and system status notifications. In the event that email is unavailable due to emergency downtime, the IT Coordinator, Assistant IT Coordinator, or Director of Operations will contact the office managers by phone to inform them of the situation.

• If general maintenance procedures will cause planned downtime during regular business hours and the procedure will last less than one day, then the IT Coordinator or Assistant IT Coordinator must notify system users at least 24 hours prior to the planned downtime.

• If planned downtime beyond general maintenance is scheduled that will last longer than one (1) day, then the IT Coordinator, Assistant IT Coordinator, or Director of Operations must give three (3) business days’ notice for every day of anticipated system unavailability. This step must be taken regardless of whether the downtime is scheduled to take place during off hours or regular business hours.

• In the event of emergency downtime, the IT Coordinator, Assistant IT Coordinator, or Director of Operations will use his/her discretion in notifying end users of the situation. In emergency circumstances where time is of the essence, it may not be possible for the IT Coordinator, Assistant IT Coordinator, or Director of Operations to engage in normal downtime notification activities. When emergency measures are completed, or if one (1) hour has elapsed with no resolution, then the IT Coordinator, Assistant IT Coordinator, or Director of Operations will contact all users with information on system status and/or information on additional expected downtime.

All downtime announcements will provide the following information:

• Systems and services that are affected, as well as suggested alternatives to them (if any)

• Start and end times of the planned downtime period, or estimated time to recover in the event of emergency downtime.

• The reasons why the downtime is taking place.

• Any ongoing problems that are anticipated as a result of the downtime event.

• Any enhancements that will be available after the downtime.

If end user(s) foresee a critical need for a system during a period of planned downtime, the user may contact the IT Coordinator, Assistant IT Coordinator, or Director of Operations in advance of the downtime to make an appeal. The utmost effort will be made to reschedule the downtime or make alternative arrangements for required resources.

3.8 Network Security

All information traveling over Rappahannock Area CSB computer networks that has not been specifically identified as the property of other parties will be treated as though it is an RACSB asset. It is the policy of RACSB to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of this information. In addition, it is the policy of RACSB to protect information belonging to third parties that has been entrusted to RACSB in a manner consistent with its sensitivity and in accordance with all applicable agreements.

3.9 Remote Network Access

The purpose of this policy is to define rules and requirements for connecting to RACSB’s network from any host. The policy and requirements are designed to minimize the potential exposure of RACSB to damages which may result from unauthorized use of RACSB’s resources. Damages include the loss of sensitive or confidential data and intellectual property, damage to public image, and damage to critical RACSB internal systems.

This policy applies to all RACSB employees, contractors, vendors, and agents with RACSB-owned or contracted computers and workstations connecting to the RACSB network. It is the responsibility of RACSB employees, contractors, vendors, and agents with remote access privileges to RACSB’s network to ensure that their remote access connection is given the same consideration as the user’s on-site connection to RACSB. When accessing the RACSB network from a remote location, authorized users are responsible for preventing access to any RACSB computer resource and data by non-authorized users.

Secure remote access to the RACSB network is strictly controlled using Fortinet Virtual Private Network (VPN) encryption software together with user names and passwords.

3.10 Wireless Network Access

Access to the provisional (guest) wireless network on non-RACSB-owned equipment is to be determined by the Division Directors. Staff must provide the reason why its use is needed before permission is granted. Staff must ask their immediate supervisor’s and Division Director’s permission to have access to the provisional networks on personal equipment. Once approved, the request is forwarded to the IT department by the Division Director.

At RACSB’s Residential facilities and Day Support sites, the provisional network can be used by the individuals receiving services for internet access.

The provisional wireless network can be used on agency owned smart TVs and tablets to utilize subscription streaming services and to download apps.

At clinics, the RACSB_Provisional wireless network is to be used for business purposes only. Staff members who make these networks available to consumers must report to IT any sites they do not wish consumers to visit. These wireless networks may also be made available to staff of other agencies who visit RACSB facilities to perform their work duties while on site. The Provisional wireless networks are strongly filtered by the firewall.

3.11 Payment Card Industry-Data Security Standards (PCI DSS)

Rappahannock Area CSB will take all steps to ensure that all merchant card (Credit Cards) equipment and applications used by RACSB are kept compliant with the Payment Card Industry-Data Security Standards (PCI DSS). To assist in validating the agency’s compliance with the PCI DSS, RACSB has enrolled with ControlScan for providing PCI security validation services.

The PCI security services include an annual Self-Assessment Questionnaire (SAQ) and quarterly vulnerability scans of the external-facing IP addresses used by our Point of Sale (POS) equipment.

RACSB follows the requirements for the processing of Merchant Cards.

System Settings

▪ Change vendor default security settings prior to installing the system on the network.

▪ Disable or change default accounts and passwords prior to installing the system on the network.

▪ Harden production systems by removing all unnecessary services and protocols.

▪ Use secure, encrypted communications for remote administrative access.

Stored Data Protection

▪ Dispose of sensitive cardholder data when it is no longer needed.

▪ Do not store the full contents of any track from the magnetic stripe in any manner.

▪ Do not store the card-validation code (the three-digit value printed on the signature panel of a card) in any manner.

▪ Mask all but the last four digits of the account number when displaying cardholder data.

▪ Account numbers must be securely stored by means of encryption or truncation.

▪ Account numbers must be sanitized before being logged in the audit trail.

▪ Access to card account numbers must be restricted for users on a need-to-know basis.

▪ Employees having access to systems containing bulk merchant card data are background checked/screened.
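The masking, truncation and log-sanitization rules above describe one technique: find primary account numbers wherever they appear in displayed or logged text and reduce them to the last four digits. The following is an added example, not code from the RACSB systems or from any PCI product; the sample log lines are constructed, the card numbers in them are the publicly known test numbers, and the function names are hypothetical. It uses the Luhn check so that other long digit strings (ticket numbers, phone numbers) are left alone rather than mangled.

```python
import re

# Constructed sample log lines (not from any real POS). The card numbers are
# the well-known test PANs that pass the Luhn check, not real accounts.
SAMPLE_LOG_LINES = [
    "2019-06-03 10:14:22 POS01 sale approved card=4111111111111111 amount=45.00",
    "2019-06-03 10:15:07 POS01 sale declined card=5500 0000 0000 0004 amount=12.50",
    "2019-06-03 10:16:41 POS02 ticket 1234567890123 printed",        # 13 digits, fails Luhn
    "2019-06-03 10:17:03 POS02 phone 540-555-0199 ref=4012-8888-8888-1881",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run. Candidates only; the Luhn check decides.
CANDIDATE_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits, as the display rule requires."""
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a line with its masked form."""
    def repl(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return raw                 # not a card number: leave the text as it was
    return CANDIDATE_PAN.sub(repl, line)


def sanitize_lines(lines):
    """Sanitize a batch of log lines before they are written to the audit trail."""
    return [sanitize_line(line) for line in lines]


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LOG_LINES, sanitize_lines(SAMPLE_LOG_LINES)):
        print(cleaned)
```

Run this on the line that writes the audit trail, not on the trail afterwards: once a full PAN has reached a log file, that file is itself in scope for the storage, access and retention rules above.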

Transmitted Data Protection

▪ Transmissions of sensitive cardholder data over open or public networks must be encrypted with strong cryptography (TLS). SSL and early TLS versions are no longer accepted by the PCI DSS and must not be used.

▪ Credit card numbers must NOT be transmitted via email.

Anti-Virus Protection

▪ All Microsoft Windows Servers and workstations must have antivirus software installed and the virus definitions must be updated regularly.

Applications and Systems Security

▪ All networks will be established in accordance with the firewall configurations as specified by requirements of PCI DSS.

▪ All systems must be updated with the latest security patches within 30 days of their release.

▪ The software and development process must be based on industry best practice and information security must be included throughout the process.

▪ Sensitive cardholder data must be sanitized before it is used for testing and development.

▪ All changes must be formally authorized, planned and logged.

▪ Sensitive cardholder data stored in cookies must be secured or encrypted.

Account Security

▪ All users must authenticate using a unique user ID and password.

▪ Remote access must be via a secure connection.

▪ All passwords must be rendered unreadable (hashed or encrypted) in storage and encrypted in transit.

▪ All user accounts must be revoked immediately upon termination.

▪ All user accounts must be regularly reviewed to ensure that malicious, out-of-date and unknown accounts do not exist.

▪ All inactive accounts must be automatically disabled after a pre-defined period.

▪ Vendor accounts used for remote maintenance must be disabled when not needed.

▪ Group, shared or generic accounts are prohibited.

▪ Passwords must be changed at least every 90 days.

▪ Passwords must follow strong password conventions.

▪ Repeated failed password attempts or brute-force attacks must result in an account lockout.

Physical Access

▪ Multiple physical security controls must prevent unauthorized access to the facility.

▪ Equipment and media containing cardholder data must be physically protected against unauthorized access.

▪ Cardholder data printed on paper or received by fax must be protected against unauthorized access.

▪ Proper procedures for the distribution and disposal of any media containing cardholder data must be followed.

▪ All media devices that store cardholder data must be inventoried and properly secured. The merchant copy of receipts shall be kept for a minimum of 18 months.

▪ Cardholder data must be deleted or destroyed before it is physically disposed (e.g. by shredding paper and degaussing media).

▪ All cache containing merchant card data must be cleared daily.

Access tracking

▪ All access to cardholder data must be logged.

▪ Logs must contain successful and unsuccessful login attempts and all access to the audit logs.

▪ Critical system clocks must be synchronized with the agency’s time server, and logs must include date and time stamps.

▪ Logs must be secured, regularly backed up and retained for one year.

Security breaches – Incident Plan

RACSB shall adhere to all requirements pertaining to the establishment of a security incident plan as required by the PCI Data Security Standard and other applicable policies. This includes any actions necessary to secure any exposed data and report the incident to appropriate agency management.

Training

As specified by PCI DSS, all employees having access to merchant card data must be advised of the expectation of being aware of the sensitivity of data and their responsibilities for protecting it. Each division within the agency acting as a merchant shall ensure that all employees responsible for systems or procedures related to merchant card transactions or data will be provided proper training relating to the policies and procedures for merchant card processing. Each employee will be required to acknowledge in writing that they have read and understood the agency’s applicable security policies and procedures.

4 Personal Computers

[pic]

4.1 Workstation Use

Introduction

The Information Technology Department has adopted this Policy on Workstation Use to comply with HIPAA, with the regulations’ requirement for such a policy and with accreditation standards, as well as with our duty to protect the confidentiality and integrity of medical information as required by law, professional ethics, and accreditation requirements. All personnel of the Information Technology Department and all facility personnel that use computer terminals must be familiar with the contents of this policy and follow its guidance, as appropriate, when using computer equipment. Familiarity with the plan and demonstrated competence in the requirements of the plan are an important part of every Information Technology Department employee’s responsibilities, as well as that of every other facility employee who uses computer terminals.

Assumptions

• Every computer workstation in the facility is vulnerable to environmental threats, such as fire, water damage, power surges, and the like.

• Any computer workstation in the facility can access confidential information about individuals receiving services if the user has the proper authorization.

• Computer screens can be visible to individuals who do not have access to confidential information that may appear on the screen.

Preventative Measures

• New employees, whether they use computers in their daily work activities or not, will be required to read, understand and sign the IT Standards of Conduct (Appendix D) as part of their RACSB orientation process.

• All computer users will monitor the computer’s operating environment and report potential threats to the computer and to the integrity and confidentiality of data contained in the computer system. For example, if air conditioning fails and the temperature around the computer could exceed a safe level, the user must immediately notify the Information Technology Office and maintenance.

• All computers plugged into an electrical power outlet will use a surge suppressor approved and provided by the Information Technology office.

• All personnel using computers will familiarize themselves with and comply with the facility’s disaster plans and take appropriate measures to protect computers and data from disasters.

• Personnel using computers will not smoke at or near the workstation, if located in RACSB facilities or elsewhere. Personnel using computers will use caution when eating or drinking in the vicinity of the workstation to prevent damage due to spills and so forth. Any loss or damage to RACSB computer or equipment is a standard of conduct violation under RACSB’s personnel Policies.

• Employees may not use the facility’s system to solicit for outside business ventures, organizational campaigns, or political or religious causes. Nor may they enter, transmit, or maintain communications of a discriminatory or harassing nature or materials that are obscene or X-rated. No person shall enter, transmit, or maintain messages with derogatory or inflammatory remarks about an individual’s race, age, disability, religion, national origin, physical attributes, sexual orientation, or health condition. No person shall enter, maintain, or transmit any abusive, profane, or offensive language.

• All computer equipment and peripherals (excepting laptop devices) shall remain on RACSB property and are not to be taken home by employees, except by prior agreement and arrangement between employee's program director and the IT department.

• Laptop PCs and USB Drives or other storage media containing confidential individual receiving services data must be handled and transported in the same manner as other individual receiving services information, as specified in the Confidentiality Agreement and in RACSB's General Policy and Procedure Manual. All portable USB drives must be encrypted by the IT office prior to distribution and use by RACSB staff.

• All computer equipment and peripherals, including but not limited to PCs, laptops, monitors, data communications equipment, mice, keyboards, cables, and printers, purchased by RACSB Area Programs will remain the sole property of RACSB and will only be used to support the business and clinical operations of RACSB during business hours.

4.1.1 Passcodes

• Personnel logging onto the system will ensure that no one observes the entry of their passcode.

• Personnel will neither log onto the system using another’s passcode nor permit another to log on with their passcode, with the exception of IT staff when setting up and troubleshooting equipment and software.

• Personnel shall not enter data under another person’s passcode.

• Personnel using the computer system will not write down their passcode and place it at or near the terminal, such as by putting their passcode on a yellow “sticky” on the screen or a piece of tape under the keyboard.

• Network passcodes require at least 8 characters, including 1 uppercase letter, 1 lowercase letter, and a number or a special character.

• Passcodes must be changed every 90 days.

4.1.2 Data Access

• Each person using the facility’s computers is responsible for the content of any data he or she inputs into the computer or transmits through or outside the facility’s system. No person may hide his or her identity as the author of the entry or represent that someone else entered the data or sent the message. All personnel will familiarize themselves with and comply with the facility’s email policy.

• No employees may access any confidential information regarding individuals receiving services or other information that they do not have a need to know. No employee may disclose confidential information regarding individuals receiving services or other information unless properly authorized (see RACSB’s Privacy Policy for more information on PHI disclosure).

4.1.3 Printers

• Employees must not leave printers unattended when they are printing confidential information about individuals receiving services or other confidential information. This is especially important when two or more computers share a common printer or when the printer is in an area where unauthorized personnel have access to the printer.

• All hard-copy printouts, including who may generate such printouts and reports, what may be done with the printouts and reports, how to dispose of the printouts and reports, and how to maintain confidentiality of hard-copy printouts and reports must comply with RACSB’s Privacy policy.

4.1.4 Screen Savers

• Each computer will be programmed to generate a screen saver when the computer receives no input for a specified period. (Supervisors, in conjunction with the Information Technology office, may specify an appropriate period to protect confidentiality while keeping the computer available for use.)

• Users must log off the system whenever they leave the computer terminal for any period of time.

4.1.5 Downloads

• No personnel may download data from the facility’s system onto diskette, CD, hard drive, fax, scanner, any network drive or any other hardware, software, or paper without the express permission of the department head with notice to the IT Coordinator.

• The Coordinator of Information Technology must approve any software that an employee wishes to download and the download will be done by Information Technology staff. This rule is necessary to protect against the transmission of computer viruses into the facility’s system. No illegal software may be placed on any of RACSB’s computer equipment.

• No user may, for any purpose, download, maintain, or transmit, confidential information regarding individuals receiving services or other information (PHI) on a personally owned computer without the written authorization of the Coordinator of Information Technology upon the recommendation of the department head.

4.1.6 Software

• To prevent computer viruses from being transmitted through the company’s computer system and obey federal copyright laws, unauthorized downloading of software from the Internet is strictly prohibited.

• According to applicable copyright law, persons involved in the illegal reproduction of software can be subject to civil damages and criminal penalties including fines and imprisonment. RACSB does not condone the illegal duplication of software. RACSB employees who make, acquire, or use unauthorized copies of computer software shall be disciplined as appropriate under the circumstances. Such discipline may include termination.

• All requests for software and software upgrades shall be submitted to the Program Director and then approved by the IT Coordinator. Any software and software upgrades not acquired in this manner shall be documented and identified to the IT Coordinator, who will verify that the agency has an appropriate license for the use of such software.

4.1.7 Virus Protection

• A Virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. The term "virus" is also commonly but erroneously used to refer to other types of adware, grayware, spyware and malware programs that do not have the reproductive ability. A true virus can only spread from one computer to another when its host (some form of executable code) is taken to the target computer, for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.

• Adware is software that displays advertising banners on Web browsers such as Internet Explorer and Mozilla Firefox. While not categorized as malware, many users consider adware invasive. Adware programs often create unwanted effects on a system, such as annoying popup ads and the general degradation in either network connection or system performance. Adware programs are typically installed as separate programs that are bundled with certain free software. Many users inadvertently agree to install adware by accepting the End User License Agreement (EULA) on the free software. Adware is also often installed in tandem with spyware programs. Both programs feed off each other's functionalities - spyware programs profile users' Internet behavior, while adware programs display targeted ads that correspond to the gathered user profile.

• Grayware (or greyware) is a general term sometimes used as a classification for applications that behave in a manner that is annoying or undesirable, and yet less serious or troublesome than malware. Grayware encompasses spyware, adware, dialers, joke programs, remote access tools, and any other unwelcome files and programs apart from viruses that are designed to harm the performance of computers on your network.

• Spyware is software that installs components on a computer for the purpose of recording Web surfing habits (primarily for marketing purposes). Spyware sends this information to its author or to other interested parties when the computer is online. Spyware often downloads with items identified as 'free downloads' and does not notify the user of its existence or ask for permission to install the components. The information spyware gathers can include user keystrokes, so private information such as account user names, passcodes, credit card numbers, and other confidential information is vulnerable to theft and transmission to third parties.

• Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, adware, crimeware and other malicious and unwanted software. Malware is not the same as defective software, that is, software which has a legitimate purpose but contains harmful bugs.

• Computer viruses are serious in today’s networked environments. IT maintains several anti-virus systems designed to prevent damage.

• All computers issued by RACSB have Virus Protection software. Any USB Drive brought into RACSB needs to be scanned for viruses prior to reading or running any program. (Also see IT Disaster Recovery Policies) All USB drives with protected healthcare information need to be treated as confidential information and encrypted.

• All incoming email is checked for viruses at the network level prior to being transmitted to individual workstations. If an email is determined to be infected with a virus, the email is discarded at the server level and will never reach the intended recipient.

• Employees should NOT download and install programs from the internet.

• The helpdesk will make a best effort to fix computers with viruses, Malware, Spyware or Grayware. The technician may decide to reinstall Windows rather than spend a long period attempting to fix the problem. Users need to be aware that data on the workstations may be lost and unrecoverable, and IT is not responsible for data that should have been stored on servers.

• Employees who have been provided a CSB computer for remote access, and their equipment has been determined to be infected, will have remote access terminated until the user can be verified and the computer “Cleaned” of any Virus, etc.

4.1.8 Personal Equipment/Software

• Employee personal equipment cannot be connected to RACSB’s computer hardware or network connections. In extreme circumstances, written permission may be given by the IT Coordinator for exceptions.

• Employee’s personal software cannot be loaded to RACSB computers due to copyright laws and additional software support needs. In extreme circumstances, exceptions may be made if it can be proved that the software is not loaded on any other computer and if the IT office can hold the licensing for that software. The software will be removed from the computer and the license for the software will be returned to the owner upon employment termination.

• Handheld electronic devices are convenient, and are becoming more prevalent. Unfortunately, the many benefits of handheld devices (cell phones, tablets, etc.) come with a great deal of complexity in terms of support. Considering the inconsistency within the handheld marketplace (hardware, software, and synchronizing) and our limited support staff to support these devices, we must take a position of not supporting or allowing the connection of personal handheld computing devices into the RACSB network at the current time.

4.1.9 Staff Terminations

When a staff member resigns from employment with RACSB, the IT Office will be notified by the Human Resources Office of the last working day for the employee. The Human Resources Office will issue a letter to the employee telling them of the proper channels to return their computer and telecommunications equipment. Once the equipment is returned to the IT Office, the staff member’s login access will be revoked from the agency network. If the equipment is not turned in prior to 4:00 p.m. on the last working day, a notice will be sent by the IT Department to the person’s supervisor, the Human Resources Manager and the Director of Operations advising them that the equipment has not been returned. At 5:00 p.m., all network privileges will be removed for that staff member.

If a person terminates from RACSB without proper notice, the IT Office will be notified by either the Executive Director or the Human Resources Manager. The staff network privileges will be immediately revoked and the staff member’s supervisor(s) will be contacted to determine the location of the RACSB computer and telecommunication equipment.

If the computer has not been returned 24 hours after the staff member’s last day of work, the former staff member is nonresponsive, and the supervisor of the terminated staff member agrees, the laptop will be remotely wiped of all information on its hard drive.

Enforcement

All program managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination from employment, professional discipline, or criminal prosecution, in accordance with the CSB’s Personnel policies, Human Rights Policies and Privacy Policies.

4.1.10 Assistive Technology & Environmental Modifications for Staff

The Rappahannock Area Community Services Board (RACSB) shall use assistive technology to provide reasonable accommodations to individuals with documented disabilities. Accommodations shall be based upon individual circumstances, reasonableness and hardship of the request, and focus on the adaptation of existing resources.

For staff members that require assistive technology, the Human Resources Manager will collect appropriate documentation, including supporting medical certifications and recommendations from relevant healthcare providers, and determine eligibility as well as suitability for requested accommodations, with final approvals to be at the discretion of the respective Division Director and Executive Director. The Human Resources Manager will inform the Information Technology Coordinator of any and all approved accommodations. The Information Technology Office shall then be responsible for the set-up and maintenance of the assistive technology devices.

Staff members requiring or requesting assistive technology services will be immediately referred to Human Resources.

Staff members are responsible for informing their immediate supervisor and the Human Resources Manager that accommodations are needed. Such notification needs to allow for a reasonable amount of time for the accommodations to be reviewed, approved, and, if approved, implemented.

For individuals receiving services at RACSB who request assistive technology, the Program Manager will collect appropriate documentation, including supporting medical certifications and recommendations from relevant healthcare providers, and determine eligibility as well as suitability of the request. Funds to purchase the assistive technology will be identified at the program level or within the individual’s budget. Items will be purchased after approval by the respective Division Director.

IT Staff will help with the installation and recommendation of equipment as needed.

For information on the Virginia Relay System (communication system for individuals who are deaf, hard of hearing, deaf-blind, and/or people with speech disabilities as well as hearing people) and Purple Communications (Video Phones) refer to Appendix G.

4.2 Portable Computer Policy

[pic]

Introduction

Rappahannock Area Community Services Board (RACSB) has adopted this Portable Computer Policy to comply with HIPAA requirements to protect the security of electronic health information, as well as our duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. All personnel of RACSB who use laptop, notebook, palm or other portable computers must be familiar with the policy. Demonstrated competence in the requirements of the policy is an important part of every RACSB employee’s responsibilities.

Assumptions

• Portable computers pose a significant security risk because they may contain confidential information about individuals receiving services and, being portable, are more at risk of loss, theft, or other unauthorized access than the facility’s less easily movable computers.

• Portable computers may be more vulnerable to viruses and other such threats because the user may not regularly use virus protection software and other electronic safeguards the way the facility’s Information Technology department does on the facility’s network.

• Portable computer use is more difficult for the facility to audit; thus, security breaches may be more difficult to identify and correct.

Policy

Officers, agents, employees, contractors, and others using portable computers (users) must understand, and comply with this policy.

No user may, for any purpose, download, maintain, or transmit, confidential individuals receiving services or other information (PHI) on a personally owned computer without the written authorization of the Coordinator of Information Technology upon the recommendation of the department head.

Visiting portable computer equipment must not be plugged into any network port without the consent of the IT Coordinator. Non-approved network equipment could be disruptive or destructive to the RACSB’s network.

The user agrees to use the equipment solely for RACSB’s business purposes. The user further understands:

• Computers, associated equipment, and software are for business use only, not for the personal use of the user or any other person or entity.

• Users will not download any software onto the computer except as loaded by authorized staff of the Information Technology Department.

• Users will not insert any floppy disks, CDs, USB Flash Drives or other media containing computer software into the computer without the express authorization of the Information Technology Department.

• Users must not share their passcodes with any other person and must safeguard their passcodes and may not write them down so that an unauthorized person can obtain them.

• Users must report any breach of passcode security immediately to the Information Technology Coordinator.

• Users must maintain the confidentiality of individuals receiving services when using the computers, as specified in RACSB’s Workstation Policy and RACSB’s Privacy Policy. The screen must be protected from viewing by unauthorized personnel, and users must properly log out and turn off the computer when it is not in use.

• Portable computer users must follow all the same policies as apply to workstation usage.

4.2.1 Remote Access

• VPN (Virtual Private network) functions are restricted to connecting only into RACSB.

• VPN capability will only be allowed for equipment owned by RACSB and not for personally owned equipment.

• Users are not permitted to VPN into any other unauthorized services, Internet service providers (such as AOL, MSN, etc.), or any other Internet access, or to use the VPN capabilities in any other manner than as instructed. The user understands that the hardware has been disabled from performing any functions other than those intended for business use and that the user may not attempt to enable such other functions.

4.2.2 Physical Security of Equipment

• Users should not leave mobile computer units in cars or car trunks for an extended period in extreme weather (heat or cold) or leave them exposed to direct sunlight.

• Users must place portable computers and associated equipment in their proper carrying cases when transporting them.

• Users are responsible for securing the unit, all associated equipment, and all data, within their homes, cars, and other locations as instructed in the training provided. Cable locks will be provided with each laptop computer. These locks must be used to secure the computer, even when the computer is on RACSB property or in locked offices.

• Any illegal software on the computer, or damage to it, while in the user’s possession (from the time it is removed from the IT Office until it is returned to the IT Office) will be the user’s responsibility.

• Users may not leave mobile computer units unattended unless they are in a secured location.

• Users must immediately report any lost, damaged, malfunctioning, or stolen equipment or any breach of security or confidentiality to the Coordinator of Information Technology. After investigation, the IT office will remotely wipe all data off the stolen equipment.

• Any loss or damage to portable computer equipment due to negligence is a Standard of Conduct violation under RACSB’s Personnel Polices.

• The portable computer equipment is logged out to user(s). User(s) are responsible for returning the computer in the same condition it was issued to them.

• All portable computer equipment needs to be checked in and out through the Information Technology office. Portable computer equipment is not to be returned to supervisors without the approval of the IT Coordinator or the Assistant IT Coordinator.

• Users must not alter the serial numbers and asset numbers of the equipment in any way.

• Users will not permit anyone else to use the computer for any purpose, including, but not limited to, the user’s family and/or associates, individuals receiving services, the families of individuals receiving services, or unauthorized officers, employees, and agents of RACSB.

• Users must use only batteries and power cables provided by RACSB and may not, for example, use their car’s adaptor power sources.

• Users will not connect any additional peripherals (keyboards, printers, modems, etc.) without the authorization of the IT staff.

• Portable computer property removal authorization forms can be found in Appendix D.

Enforcement

All program managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination from employment, professional discipline, or criminal prosecution, in accordance with RACSB Personnel policies (Employee Handbook), Human Rights Policies and Privacy Policies.

4.3 Computer Disposal

[pic]

Introduction

Rappahannock Area Community Services Board (RACSB) has adopted this computer disposal policy to comply with HIPAA requirements to protect the security of electronic behavioral health information, as well as to fulfill our duty to protect the confidentiality and integrity of confidential behavioral health information as required by law, professional ethics, and accreditation requirements. All IT personnel of RACSB must be familiar with the policy, and demonstrate competence in the requirements of the policy. It is an important part of every RACSB IT employee's responsibilities.

Definition

Rappahannock Area Community Services Board may at times possess computer equipment that is no longer required due to wear, damage, deterioration, excessive cost of maintenance, obsolescence, or the end of its useful life. An effort will be made to redistribute the computer equipment if practical. In this case, the computer equipment will be put back in service with very minimal modifications.

Any computer equipment that can be recycled or disassembled for parts and supplies for reuse will be recycled or disassembled if practical.

If it is deemed that the computer equipment cannot be reused or recycled, then it should be disposed of in compliance with RACSB’s Financial Policies and Procedures Manual for disposal of Fixed Assets. Computer equipment will be considered obsolete when it can no longer provide a “basic level of service” or has exceeded its useful life.

Obsolete computer equipment that has no residual financial value, but may still hold valuable information and/or software, will be handled with care to ensure protection of possible protected healthcare information (PHI) still contained on the equipment.

4.3.1 Servers / CPUs / Laptops / Portable Computers

Property tags will be removed, placed on a blank sheet of paper, and given along with the Asset Disposal Form (Appendix N) to the accounting department. The Asset Disposal Form includes a description of the items, the disposal date, and the method of destruction. The destruction will be recorded in the IT Hardware database as well.

Before disposing of any computer system, it is vital to remove all traces of data files, since data recovery software could be used by a new owner to “undelete” such files. The disk space previously used by the deleted files needs to be overwritten with new, meaningless data – either some fixed pattern (e.g. binary zeros) or random data. Likewise, reformatting the whole hard disk does not by itself prevent the recovery of old data, as it is possible for disks to be “unformatted.”
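The overwrite-and-verify step described above, as an added example that is not RACSB's procedure or tooling: every byte of the media is overwritten with a fixed pattern (binary zeros by default) or with random data, the data is forced to the media with fsync, and the media is then read back and compared by digest with what was written, which is the verification step of the NIST SP 800-88 "Clear" method. It is exercised here on a constructed temporary image file; the same function works on a path such as a block device, since the size is taken by seeking rather than from getsize(), but the device path and the privileges to open it are assumptions outside this example.

```python
"""Single-pass overwrite of storage media followed by read-back verification.

Added example for the RACSB disposal policy; not the agency's own tooling.
"""
import hashlib
import os
import tempfile
from typing import Dict, Optional

CHUNK = 1 << 20  # 1 MiB per write/read


def _media_size(f) -> int:
    """Byte size of a regular file or a block device.

    os.path.getsize() reports 0 for block devices, so seek to the end instead.
    """
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size


def overwrite_and_verify(path: str, pattern: Optional[bytes] = b"\x00",
                         chunk: int = CHUNK) -> Dict:
    """Overwrite every byte of `path` in place, then read it all back.

    pattern: a fixed byte pattern (default binary zeros) or None for random
             data from os.urandom().
    A SHA-256 digest of the exact stream written is kept; after flush + fsync
    the media is re-read and hashed again.  Matching digests show the media
    actually stored the overwrite (a write that silently failed, or stale data
    served from cache, would produce a mismatch).
    Returns {"bytes": int, "pattern": str, "verified": bool}.
    """
    if pattern is not None and not pattern:
        raise ValueError("pattern must be a non-empty byte string or None")
    written = hashlib.sha256()
    with open(path, "r+b") as f:
        size = _media_size(f)
        remaining = size
        while remaining:
            n = min(chunk, remaining)
            if pattern is None:
                buf = os.urandom(n)
            else:
                buf = (pattern * (n // len(pattern) + 1))[:n]
            f.write(buf)          # buffered writer always writes the whole buffer
            written.update(buf)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())      # push the data past the OS cache onto the media
    readback = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            readback.update(buf)
    return {
        "bytes": size,
        "pattern": "random" if pattern is None else pattern.hex(),
        "verified": written.digest() == readback.digest(),
    }


def all_zero(path: str, chunk: int = CHUNK) -> bool:
    """True if every byte of the media reads back as 0x00."""
    with open(path, "rb") as f:
        return all(buf == b"\x00" * len(buf)
                   for buf in iter(lambda: f.read(chunk), b""))


def make_test_image(nbytes: int = 3 * CHUNK + 12345) -> str:
    """Constructed stand-in for a retired drive: a temp file seeded with
    fake PHI-looking text (no real data).  Returns the file path."""
    fd, path = tempfile.mkstemp(suffix=".img")
    line = b"PATIENT: Jane Doe (constructed) DX: F41.1 NOTES: follow-up\n"
    with os.fdopen(fd, "wb") as f:
        f.write((line * (nbytes // len(line) + 1))[:nbytes])
    return path


if __name__ == "__main__":
    img = make_test_image()
    print(overwrite_and_verify(img))        # zero fill, then verify
    print(overwrite_and_verify(img, None))  # random fill, then verify
    os.remove(img)
```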

When computers are scrapped, an alternative to the above is physical destruction of the hard drive. The hard drive will be removed from all unwanted computers and physically destroyed with a hammer, screwdriver, or similar tool. This is the fastest and least costly method of ensuring that RACSB’s surplus computers no longer contain any Protected Healthcare Information (PHI).

RACSB uses, whenever practicable, Computer Recycling of Virginia to help with the recycling and removal of Protected Healthcare Information from our surplus equipment. See Appendix J for more information on this company. Computer Recycling of Virginia not only recycles all the items that are donated to them; they also make sure all data on every hard drive has been erased using software that meets or exceeds all industry standards, including NIST 800-88. Once the wipe process is complete, any hard drive that fails the wipe process is physically destroyed. An audit is then done of the equipment to make sure all data is removed from all the drives, and a certificate of recycling and data removal that is Department of Defense compliant is provided.

4.3.2 Printers

Property tags will be removed, placed on a sheet of paper, and given to the Purchasing Specialist with a note of the destruction date and the method of destruction. The destruction will be recorded in the IT Hardware database as well.

Any part that is salvageable will be saved, if practical. Any printer ribbon that can be read will be cut with scissors so any PHI contained will be destroyed.

4.3.3 Diskettes

If the diskette contains or has ever contained Protected Healthcare Information or agency-owned computer software, the shutter of the diskette will be removed. The media in the interior of the diskette will be cut at least 2 times with scissors.

If the diskette can be proven never to have held any data on individuals receiving services (for example, it is from an unopened box), the diskette can simply be thrown in the trash.

4.3.4 Cassette Tapes

Tapes were used in the past by RACSB to make backup copies of agency servers. Old tapes are destroyed by pulling the tape from the cartridge and slicing the tape multiple times so that it is not readable.

4.3.5 DVD/CDs

If a DVD/CD contains Protected Health Information or copyrighted software, the disc will be destroyed by putting it through a CD shredder. This shredder makes the disc unusable by scratching both sides.

4.3.6 USB Drives and Memory Cards

USB drives and memory cards will be physically damaged so that no Protected Health Information can be retrieved from them.

5 Email Policy


Introduction

Rappahannock Area Community Services Board (RACSB) has adopted this Email Policy to comply with 42 CFR Part 2, HIPAA, and the HITECH Act requirements to protect the security of electronic behavioral health information, as well as to fulfill our duty to protect the confidentiality and integrity of confidential behavioral health information as required by law, professional ethics, and accreditation requirements. All personnel of RACSB must be familiar with the policy, and demonstrated competence in the requirements of the policy is an important part of every RACSB employee's responsibilities.

Assumptions

• The email system is part of RACSB's business equipment.

• Emails can facilitate communication.

• All email sent or received through RACSB domains @ or @racsb.state.va.us is copied and kept on an email archiving device and can be retrieved as needed.

• Email can be immediately broadcast worldwide and be received by many intended and unintended recipients.

• Internal email is sent from one RACSB email address to another RACSB email address.

• External email is from a RACSB email address to an outside, non-RACSB email address.

• Recipients can forward email messages to other recipients without the original sender's permission or knowledge.

• Users can easily misaddress an email.

• Email is easier to falsify than handwritten or signed documents.

• Backup copies of email may exist even after the sender or the recipient has deleted his or her copy.

• Email containing information pertaining to diagnosis and/or treatment of a person served is not a part of the medical record, unless uploaded in the correspondence section of a medical record.

• All email may be discoverable in litigation regardless of whether it is in an individual’s medical record or not.

Definition

Protected Health Information (PHI) includes all individually identifiable health information that is transmitted or maintained in any form or medium. This includes paper, electronic and oral information. In this context, “individual” is defined as the person who is the subject of the individually identifiable health information.

Policy

RACSB encourages the business use of email to increase productivity. The email system and all messages generated by or handled by email, including back-up copies, are part of the business equipment of RACSB, are owned by the CSB, and are not the property of the users of the system. Consequently, email users do not have a right to privacy in their use of the computer system or its email component. RACSB reserves the right to monitor, audit, delete, and read email messages. The network administrator may override user passcodes. Although it is the policy of RACSB not to regularly monitor the contents of email communications, it may monitor the contents and usage to support operational, maintenance, auditing, security, and investigative activities. Users should use email with the knowledge that RACSB may from time to time examine the content of email communications. RACSB also cannot guarantee that email messages will be private. Email communications can be forwarded, intercepted, printed, and stored by others. Use of the email system constitutes consent to this policy.

5.1 General Use

Generally, email users should restrict their use of the email system to proper business purposes relating to the services of the persons served and related administrative matters. A user may not use their RACSB email account to send personal emails or to register for personal accounts (banking, shopping, YouTube, Facebook, etc.). Personal email accounts (Gmail, Yahoo, Hotmail, etc.) should not be used to conduct RACSB business.

Transmission must not involve any illegal or unethical activity. Transmission must not involve or disclose any activity that could adversely affect RACSB, its board and employees. Transmission must not involve solicitation. Employees may not use the CSB’s email system to solicit for outside business ventures, organizational campaigns, or political or religious causes.

Users must not transmit confidential or proprietary information to unauthorized recipients. Protected health information (PHI) or confidential information should not be sent over the Internet unless the message is encrypted (digital signature) within current encryption standards. Encryption is not automatic.

All email concerning protected health information of the persons served will contain the confidentiality statement below.

NOTICE: This communication and any attachments may contain privileged or other confidential information protected by HIPAA legislation (45 CFR, Parts 160 and 164). If you are not the intended recipient, or believe that you have received this communication in error, please do not print, copy, retransmit, disseminate, or otherwise use the information. Also, please indicate to the sender that you have received this communication in error, and delete the copy you received. Thank you.

Email that includes PHI should include only the minimum necessary information to complete the communication transaction.

Proprietary information is information that belongs to RACSB. Users must not transmit obscene, offensive, harassing, or hostile messages to any recipient. No person shall enter, transmit, or maintain messages with derogatory or inflammatory remarks about an individual's gender, race, age, disability, religion, national origin, physical attributes, sexual orientation, or health condition. No person shall enter, maintain, or transmit any abusive, profane, or offensive language.

Because some information is intended for specific individuals and may not be appropriate for general distribution, users should exercise caution when forwarding messages. Users must not forward sensitive information, including information of the persons served, to any party outside the RACSB system without the prior approval of the program manager or appropriate authorization. Senders may not engage in blanket forwarding of messages to parties outside the RACSB.

Email should not be used to send large files or programs between computers. This will slow down the network. If assistance is needed in moving large files, assistance from the IT staff should be sought. When large files need to be distributed to all staff, an email message to all staff members with links to where the files can be found on RACSB’s Intranet should be utilized.

All email needs to be signed at the end. Some readers may not recognize the user from the email address.

When asking a question in an email, users are encouraged to place the questions at the beginning of the email to ensure it is not overlooked.

Emails should be brief and to the point. Make sure email has a subject line. When responding to an email but with an unrelated topic, be sure to change the subject line to match your new topic.

Chain mail or email hoaxes should not be forwarded to other email accounts.

5.1.1 Forwarding of Email to Personal Accounts

The forwarding of Agency email to personal email accounts will not occur. This action creates too much of a risk to the agency, by allowing emails that possibly contain PHI out of the control of RACSB’s computer system.

5.1.2 Web Mail

RACSB has the ability to use Web mail and to check email from any computer that has Internet access. With this ability comes much risk. Protected Healthcare Information (PHI) must be protected. When using web mail, staff email never leaves RACSB computer equipment. The mail is just able to be viewed from other Internet connections.

5.1.3 Email on Personal Cell Phones

RACSB does not have a “bring your own device policy”. Agency email is NOT to be synced to personal cell phones. Agency cell phones may be synced with email as long as that phone has a passcode and has been set up for remote wipe if the phone is lost or stolen.

5.1.4 Security / Encryption of Email

The email system must employ user IDs and associated passcodes to isolate the communications of different users; shared IDs and passcodes are permitted only in unusual circumstances and must be authorized. Users must never share passcodes or reveal them to anyone else. Employees may not intercept, assist in intercepting, or disclose email communications.

Because some information is intended for specific individuals and may not be appropriate for general distribution, users should exercise caution when forwarding messages. Users must not forward sensitive information, including individuals receiving services information, to any party outside the RACSB system without using encryption software.

Users must not transmit confidential or proprietary information to unauthorized recipients.

Protected health information (PHI), or confidential information, should not be sent over the internet unless it is encrypted within current encryption standards. Email that includes PHI should include only the minimum necessary information to complete the communication transaction. RACSB has purchased encryption through Barracuda for all RACSB employee email accounts. In order for a RACSB email user to encrypt an email, #encrypt needs to be placed in the subject line or the text of the email. The system is sophisticated enough to encrypt only emails that are sent outside of the RACSB email network. (More information on email encryption can be found in Appendix P, and the Library of Virginia Email Management Guideline can be found in Appendix U.)
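The decision rule this section describes (encrypt only when the #encrypt tag is present and at least one recipient is outside the agency), as an added example that is not RACSB's or Barracuda's code. It assumes racsb.state.va.us as the only internal domain and treats the opening words of the section 5.1 confidentiality notice as a marker for PHI mail; it also flags two edge cases worth a reviewer's attention: a tagged message that is entirely internal (no encryption will happen), and an external message carrying the PHI notice but no tag.

```python
"""Classify outbound mail against the #encrypt rule in RACSB policy section 5.1.4.

Added example; not RACSB's or Barracuda's implementation.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Dict, List

INTERNAL_DOMAINS = {"racsb.state.va.us"}   # agency domain named in the policy
ENCRYPT_TAG = "#encrypt"                   # tag in subject or body triggers encryption
# Opening words of the mandatory PHI confidentiality statement (section 5.1).
PHI_NOTICE = "this communication and any attachments may contain privileged"


def recipients(msg: EmailMessage) -> List[str]:
    """All To/Cc/Bcc addresses, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def text_bodies(msg: EmailMessage) -> List[str]:
    """Decoded text/plain parts, walking multipart structure."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return [p.get_content() for p in parts if p.get_content_type() == "text/plain"]


def classify(raw: bytes) -> Dict:
    """Return {"external": [...], "encrypt": bool, "flags": [...]} for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    external = [r for r in recipients(msg) if is_external(r)]
    haystack = (str(msg.get("Subject", "")) + "\n" + "\n".join(text_bodies(msg))).lower()
    tagged = ENCRYPT_TAG in haystack
    notice = PHI_NOTICE in haystack
    flags = []
    if tagged and not external:
        flags.append("tag-on-internal-mail")            # tag has no effect inside RACSB
    if external and notice and not tagged:
        flags.append("phi-notice-without-encrypt-tag")  # hold for review before release
    return {"external": external, "encrypt": tagged and bool(external), "flags": flags}


def build(subject: str, to: str, body: str, cc: str = "") -> bytes:
    """Constructed sample message (all addresses are made up)."""
    m = EmailMessage()
    m["From"] = "clinician@racsb.state.va.us"
    m["To"] = to
    if cc:
        m["Cc"] = cc
    m["Subject"] = subject
    m.set_content(body)
    return m.as_bytes()


if __name__ == "__main__":
    print(classify(build("#encrypt Referral", "intake@partner-clinic.example", "See attached.")))
    print(classify(build("Staff meeting", "peer@racsb.state.va.us", "Agenda. #encrypt")))
    print(classify(build("Records", "records@county-court.example",
                         "NOTICE: This communication and any attachments may contain privileged ...")))
```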

Compliance

Users must immediately report violations of this policy to their program manager or supervisor and to the privacy or security officer.

Enforcement

All program managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to disciplinary action, up to and including termination from employment, professional discipline, and/or criminal prosecution, in accordance with RACSB Personnel Policies, Human Rights Policies and Privacy Policies.

5.2 Email Consent (Individuals Receiving Services)


Introduction

Rappahannock Area Community Services Board (RACSB) provides individuals receiving services the opportunity to communicate with staff by email. Transmitting confidential information by email, however, has a number of risks, both general and specific, that all persons should consider before using email.

It is the policy of RACSB that RACSB will make all email messages sent or received that concern the diagnosis or treatment of an individual receiving services part of the Electronic Health Record (EHR) and will treat such email messages with the same degree of confidentiality as afforded other portions of the EHR. RACSB will use reasonable means to protect the security and confidentiality of email information. Because of the risks associated with email communications, RACSB cannot, however, guarantee the security and confidentiality of email communications.

Any individual receiving services wishing to communicate with RACSB staff must sign the Confidential Release of Information form and indicate email exchange. This form is in our Electronic Health Record.

If an individual sends an email to RACSB, staff will endeavor to read the email promptly and respond promptly, if warranted. However, RACSB can provide no assurance that the recipient of a particular email will read the message promptly. Because RACSB cannot assure individuals receiving services that staff will read their email promptly, email must not be used for emergency communications.

6 Internet Security Policies


Introduction

Rappahannock Area Community Services Board (RACSB) has adopted this Internet Policy to comply with HIPAA requirements to protect the security of electronic behavioral health information, as well as to fulfill our duty to protect the confidentiality and integrity of confidential behavioral health information as required by law, professional ethics, and accreditation requirements. All personnel of RACSB must be familiar with the policy, and demonstrated competence in the requirements of the policy is an important part of every RACSB employee's responsibilities.

Assumptions

• RACSB can benefit from access to and use of the Internet and its resources.

• The resources, services, and interconnectivity available via the Internet provide significant resources to improve the efficiency of RACSB.

• Use of the Internet also involves more risks than an intranet.

• Improper use of the Internet puts RACSB and its employees at risk.

• The content of all web pages under RACSB’s jurisdiction must comply with local, state, and federal laws and RACSB’s policies and procedures.

• A policy for the proper use of the Internet is necessary to maintain the accuracy, security, and confidentiality of individually identifiable health information and other sensitive data.

• RACSB’s system used to access the Internet is the property of RACSB and is subject to RACSB’s control of such use.

• Data users have no expectation of privacy in RACSB’s system used to access the Internet. The web sites visited are logged in RACSB’s server files and can be accessed if necessary.

Definition

Protected Health Information (PHI) includes all individually identifiable health information that is transmitted or maintained in any form or medium. This includes paper, electronic and oral information. In this context, “individual” is defined as the person who is the subject of the individually identifiable health information.

The Internet is an electronic highway connecting thousands of computers all over the world and millions of individual users. It is a worldwide "network of networks." RACSB's internal network is connected to the Internet, so if you're connected to it, you're also connected to the Internet. Through the Internet, RACSB employees potentially have access to: electronic mail communication with people all over the world, access to tens of thousands of information resources, to include libraries, discussion groups, public information, corporate information sites, public domain software, and shareware of all types.

As a user of the network, a staff member may be allowed to access other networks (and/or the computer systems attached to those networks). Each network or system has its own set of policies and procedures. Actions that are routinely allowed on one network/system may be controlled, or even forbidden, on other networks. It is the user’s responsibility to abide by the policies and procedures of these other networks/systems. Remember, the fact that a user can perform a particular action does not imply that they should take that action.

Policy

This policy applies to all officers, employees, and independent contractors of the Rappahannock Area Community Services Board who use RACSB’s system for Internet access and governs all Internet access, communications, and storage using RACSB’s system. Department directors have discretion in establishing additional reasonable and appropriate conditions of use for Internet use by data users under their control. Such policies must be consistent with this policy and must be provided to the IT Coordinator for review.

All data users must strictly observe the following rules when using the Internet:

• Users may not access or use the Internet for personal business or personal commercial gain.

• Only authorized RACSB presences may use or engage in social networking sites from RACSB equipment, during work time or at any time with agency equipment or property. See RACSB Employee Handbook Section 7.8 for more information on staff’s responsibilities when using social networking sites during their personal time on their personal equipment. See Appendix C for the RACSB Employee Handbook’s section 7.8 on Online Social Media.

• Using the Internet to watch videos or listen to music is forbidden unless RACSB related. Using the Internet for these purposes slows down the network for all users of RACSB network resources.

• Users must have a proper business purpose for any access and use of the Internet.

• Users may not access pornographic or other offensive websites (including, but not limited to, sexist, racist, discriminatory, hate, or other sites that would offend a reasonable person in the same or similar circumstances). If the user has any doubt whether access to a specific site is proper, he or she should seek approval from his or her program director.

Access control:

• Users may not use any other user’s passcode or other identification to access the Internet.

• Users attempting to establish a connection with RACSB’s computer system via the Internet must authenticate themselves at a firewall before gaining access to RACSB’s internal network.

• Users may not establish modems, Internet, or other external network connections that could allow unauthorized users to access RACSB’s system or information without the prior approval of the IT Coordinator.

• Users may not establish or use new or existing Internet connections to establish new communications channels without the prior approval of the IT Coordinator.

• Users may not transfer individually identifiable health information or RACSB’s business information via the Internet without prior approval of the IT Coordinator. Before transmitting individually identifiable health information, the user will comply with RACSB’s Privacy Policy to ensure legal authority for the disclosure exists. The IT Coordinator is responsible for ensuring chain-of-trust partner agreements and Business Associates Agreements are in place to protect the security and confidentiality of information transmitted via the Internet when necessary.

• Rappahannock Area Community Services Board supports strict adherence to software vendors’ license agreements. Data users may not copy software in any manner that is inconsistent with the vendor’s license.

• RACSB will audit Internet access.

• No data user may attempt to probe computer security mechanisms at RACSB’s or other Internet sites unless part of an audit approved by the IT Coordinator.

• Data users will report security problems with Internet use, breach of confidentiality, and any violations of this or other RACSB policies and procedures occurring during Internet use to the Information Technology Coordinator.

Compliance and Enforcement

All program managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination from employment, professional discipline, or criminal prosecution, in accordance with the CSB’s Personnel policies, Human Rights Policies and Privacy Policies.

7 Telecommunications Policy


Introduction

Rappahannock Area Community Services Board has adopted this Telecommunications Policy to comply with HIPAA, as well as our duty to protect the confidentiality and integrity of confidential behavioral health information as required by law, professional ethics, and accreditation requirements.

RACSB provides access to telephones to all staff. RACSB’s telephone system is available to conduct agency business. Abuse of the telephone system, including but not limited to charging personal long-distance calls to RACSB, conducting business related to outside employment or business ownership, making or receiving excessive personal calls, and disclosing confidential information over the phone may result in disciplinary action, including termination.

As a general rule, staff is discouraged from making or receiving personal telephone calls through the telephone system or using RACSB’s cellular telephones to make personal calls. RACSB recognizes that under certain circumstances, an employee will need to make or receive a telephone call of a personal nature from a business phone. Those calls must be held to a minimum in both time and number. Long distance personal phone calls are not allowed on agency phones. If you have to make a long-distance personal call, you must use your own phone credit card or cell phone.

Yearly, all phone numbers that are on our agency telecommunications bill will be called to make sure they are all still in working order and still being utilized. Any numbers found to no longer be needed will be canceled.

Assumptions

• Phone service and phones are supplied and paid for by the Rappahannock Area Community Services Board.

• Voice calls may not be confidential and may be heard by passersby.

Definition

Protected Health Information (PHI) includes all individually identifiable health information that is transmitted or maintained in any form or medium. This includes paper, electronic and oral information. In this context, “individual” is defined as the person who is the subject of the individually identifiable health information.

Policy

Rappahannock Area Community Services Board issues business phones and telecommunication equipment to increase productivity and safety of our staff. Phones and telecommunications equipment are part of the business equipment of RACSB, are owned by the CSB, and are not the property of the authorized users. Users should use phones and telecommunications equipment with the knowledge that all of their calls may not be confidential. Phone calls can be overheard; thus, users must take the necessary actions to protect individuals receiving services’ Protected Health Information (PHI).

Appropriate use

7.1 Phones (landlines)

• If you leave your desk, forward your phone to voice mail.

• Record an “away from my desk” message. Don’t use your Voice Activated (V/A) or hands free (HF) option to record your message. The sound will not be good.

• Sample messages, for when you’re out of the office, on vacation, etc. are on RACSB’s Intranet.

• If you’re having a conversation or checking a voice mail that should be confidential, do not use your hands-free option.

• Keep personal phone calls to a minimum. Long distance personal phone calls are not allowed on agency phones. If you have to make a long-distance personal call, you must use your own phone credit card or personal cell phone to do so.

• If you have a direct phone number, it must be utilized.

• If you page someone, and do not have a direct phone number, remember to put your extension in the page by typing in the phone number, the * (star) key, and your four-digit extension. If you forget to put in your extension, call the operator and let her know that you are expecting a return call from a page.

• The operator's function is not to be a call screener. If you do not want to receive calls, or you’re in session, or away from your desk, etc., forward your phone to voice mail and use the Do Not Disturb key on your phone.

• Phones, like computers, are not to be moved or removed by anyone other than IT. Telephone problems should be reported to IT.

• Because conversations over phones may not be confidential, staff will limit the amount of information regarding individuals receiving services or other confidential issues discussed over the airways and use initials, case numbers, or first name of individuals receiving services instead of full names when discussing individuals receiving services business.

• RACSB does NOT reimburse employees for business calls made on their home phones.

• For information on the Virginia Relay System (communication system for individuals who are deaf, hard of hearing, deaf-blind, and/or people with speech disabilities, as well as hearing people), see Appendix G.

7.2 Cellular Phones

• Record a voice mail message on the cell phone for when you are not able to answer calls.

• Because conversations over phones may not be confidential, staff will limit the number of individuals receiving services information and limit the amount of confidential issues discussed over the airways by using initials, case numbers, or first name only of individuals receiving services instead of full names when discussing individuals receiving services business.

• Agency cellular phones will be used only while conducting RACSB business.

• The authorized user of the cell phone is liable for any damage to, or unauthorized calls made on, that phone.

• To permanently check out a cellular phone for RACSB use, the potential user’s program must purchase a cellular phone. The user and the user’s supervisor must then complete a cellular phone check out form. This form can be found in the IT office or on the RACSB Intranet (under “Forms in Alpha Order”).

• RACSB has pool phones that can be checked out for a maximum of five (5) working days. Any additional days require the approval of the Executive Director.

• The phone should be charged fully prior to your work shift. The phone needs to be turned on so that you can receive calls and calls can be made when necessary.

• When the Cellular Phone is used for a personal emergency the user must reimburse RACSB for all charges involved with the phone’s usage. Personal emergency usage of the phone must be reported to the Emergency Services Coordinator or the IT Coordinator on the business day following usage.

• Employees should not use a cell phone while driving a motor vehicle on agency business without hands-free capability in the vehicle. The agency will provide hands-free equipment if needed. The employee’s greatest responsibility is to the safety of other drivers, pedestrians, and passengers.

• The phone should only be used when another phone is not readily available.

• After every call is made or received the END button should be pressed to ensure that the connection has ended and the charges for the call have stopped.

• Cellular phones are never to be left unattended in a vehicle (where they may be susceptible to temperature extremes or loss).

• Cellular phones must be physically secured at all times when in use and when being carried.

• Damage or loss of cellular phones requires an incident report to be completed and submitted to your supervisor. Damage or loss of an agency cellular phone may result in disciplinary action.

• If the cellular phone is lost or stolen, the loss or theft should be reported to the IT Office or your supervisor IMMEDIATELY. This notification will enable us to deactivate the phone so that the agency will not be charged for illegal calls and to remotely wipe any data and email contained on the phone. An incident report must be completed and forwarded to the staff person’s supervisor. Replacement costs may be charged to the staff person responsible for the equipment.

• RACSB does NOT reimburse employees for business calls made on their personal cellular phones.

• Cell Phone Check Out Form can be found as Appendix F.

7.3 Smart Phones

• Smart phones are cell phones with Internet and/or email access. Examples of smart phones include iPhones and Android phones.

• All rules for cell phones apply to smart phones as well.

• Agency smart phones must have a passcode on the phone for access to any function on the phone including the address book, phone, or email.

• Smart phones must be secure at all times.

• No personal smart phones may be used to receive (Sync) agency email. Web apps for reading and responding to email are allowed.

o Staff email may contain PHI.

o There is no control on personal cell phones to ensure that they have passcode protection in case the phone is lost or misplaced.

o There is no control that the personal cell phone is disposed of in a proper way to ensure that all PHI including phone numbers that have been dialed on the phone are completely removed from the phone.

• If the cellular phone is lost or stolen, the loss or theft should be reported to the IT Office or your supervisor IMMEDIATELY. This notification will enable us to deactivate the phone so that the agency will not be charged for illegal calls and to remotely wipe any data and email contained on the phone. An incident report must be completed and forwarded to the staff person’s supervisor. Replacement costs may be charged to the staff person responsible for the equipment.

7.4 Text Messaging

• Text messaging, or texting, is the act of composing and sending electronic messages between two or more mobile phones, or fixed or portable devices over a phone network. The term originally referred to messages sent using the Short Message Service (SMS). Text messaging continues to offer a simple, attractive, and cost-effective way to communicate.

• By virtue of how they are generated, transmitted, stored, and viewed, SMS text messages are not encrypted; senders cannot authenticate recipients; recipients cannot authenticate senders; and ePHI can remain stored on wireless carrier servers.

• Patient names and other PHI should not be sent through text messaging.

• Not all RACSB-owned cell phones have texting enabled.

• RACSB does NOT reimburse employees for business texts sent from their personal cellular phones.

Enforcement

All program managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to disciplinary action, up to and including termination from employment, professional discipline, or criminal prosecution, in accordance with RACSB Personnel Policies, Human Rights Policies, and Privacy Policies.

8 Tele-facsimile (FAX) Policy


Introduction

Rappahannock Area Community Services Board (RACSB) has adopted this Fax Policy to comply with HIPAA requirements for such a policy, as well as our duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements.

Assumptions

Often, RACSB personnel or organizations with which RACSB does business have a real or a perceived need to transmit or receive confidential health and treatment information by tele-facsimile rather than by a slower method, such as mail. Personnel could misdirect faxes to unauthorized recipients, faxes could be intercepted or lost in transmission, or RACSB may not receive a fax intended for it because of one of these or other reasons. Thus, the potential for a breach of the confidentiality of individuals receiving services exists every time someone uses such information.

Definition

Protected Health Information (PHI) includes all individually identifiable health information that is transmitted or maintained in any form or medium. This includes paper, electronic and oral information. In this context, “individual” is defined as the person who is the subject of the individually identifiable health information.

Procedures

All personnel must strictly observe the following standards relating to tele-facsimile communications of the medical records of persons served:

Protocol for Using the Tele-facsimile When Sending PHI:

A cover page must be used with every tele-facsimile. This cover page must include the confidentiality notice that includes instructions for the recipient if he/she receives a misdirected fax and a warning regarding the re-disclosure of PHI without written authorization. The fax cover sheet can be found in RACSB Privacy Policy (Appendix I).

Security:

a. Personnel must complete an incident report for any misdirected faxes that contain PHI.

b. Fax machines must be located in secure areas.

c. RACSB staff is responsible for ensuring that incoming faxes are properly handled, not left sitting on or near the machine, but rather are distributed to the proper recipient expeditiously while protecting confidentiality during distribution, as by sealing the fax in an envelope.

d. The security officer or designate will periodically and/or randomly check all speed-dial numbers to ensure their currency, validity, accuracy, and authorization to receive confidential information.

e. Users must immediately report violations of this policy to their program manager and information security officer.

Enforcement:

All program managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination from employment, professional discipline, or criminal prosecution, in accordance with RACSB Personnel Policies, Human Rights Policies and Privacy Policies.

9 Data Protection / Integrity


Introduction

The purpose of this policy is to explain how Rappahannock Area Community Services Board (RACSB) collects, protects, uses, and ensures the correctness of Protected Health Information (PHI) in its computer systems. RACSB is committed to ensuring that any PHI supplied by its individuals receiving services or otherwise generated by its activities is collected and processed fairly and lawfully. RACSB needs certain personal data to enable it to provide and bill for its services. The PHI collected will generally include individual contact names, address, and payment information.

RACSB obtains PHI directly from individuals receiving services or from their responsible parties. Data collected by RACSB is used for payment, treatment, and healthcare operations, and to report aggregate statistics for state, local, and federal reporting.

RACSB takes the confidentiality, privacy, and security of individuals receiving services very seriously. RACSB has implemented appropriate internal security procedures that restrict access to and disclosure of PHI to only those individuals who need that information to complete their job tasks. These procedures will be reviewed yearly to determine whether they are being complied with and are effective.

9.1 Minimum Necessary

Purpose

The Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act require covered entities to take reasonable steps to limit the use or disclosure of protected health information (PHI) to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

RACSB will adhere to the standards set by HIPAA, HITECH and the ethical principles of the agency to ensure that only information that is required to fulfill the stated purpose of the services, and that required by law, will be disclosed. In addition to the following please see RACSB’s Privacy Policy, appendix I.

Exceptions to the Minimum Necessary Standard

The minimum necessary standard does not apply in the following circumstances:

• Disclosures to or requests by healthcare providers for treatment purposes

• Disclosures to the individual who is the subject of the information

• Uses or disclosures made pursuant to an authorization requested by the individual

• Uses or disclosures required for compliance with the standardized HIPAA transactions

• Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the rule for enforcement purposes

• Uses or disclosures that are required by other law

Use and Disclosure of PHI Internal to the Agency

RACSB will ensure the Minimum Necessary Standard is met by:

• Identifying the persons or classes of persons in the workforce who need access to PHI.

• Identifying the category(ies) of PHI to which access is needed.

• Developing and implementing procedures to ensure that disclosure of PHI is limited to the amount reasonably necessary to achieve the purpose of the disclosure

• Maintaining standards of good practice to assure reasonable precautions are taken to prevent inadvertent and unnecessary disclosure, such as eliminating computer screen viewing in public areas

• Developing and implementing procedures for review of requests for access and reporting.

1. Persons or Class of Persons Who Need Access to PHI and Category(ies) of PHI to Which Access is needed

In order to appropriately comply with Minimum Necessary Standards and effectively maintain healthcare operations, access will be determined by a role-based assessment and context-based assessment. For example:

• Complete access to an individual receiving services’ PHI will be routinely available to the direct service provider and his/her immediate supervisor. Other providers in the same program will be granted access as needed.

• Crisis Services and Intake staff will have access to all individuals receiving services' PHI

• Quality Assurance staff will have complete access to all individuals receiving services' PHI

• Reimbursement staff will have access to all individuals receiving services' PHI, as needed, to handle billing transactions

• Data Entry staff will have access to PHI, as needed, to complete service entry and demographic entry for individuals receiving services

Management information software has the capability of electronically restricting access to PHI based on screen and transaction access. Agency staff are trained on the amount of access that their job requires and are required to sign acknowledgement of understanding of the agency's confidentiality policies regarding limiting access, and the agency will provide monitoring to assure compliance.
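The role-based and context-based assessment above, worked through as an access decision with an audit trail. This is an added example, not RACSB's code or that of its management information software; the PHI category names, the rule that "as needed" access must carry a documented reason, and the audit log are assumptions made for illustration.

```python
"""Role- and context-based access decisions of the kind section 9.1
describes, applied to constructed sample staff and one sample record.
Added example, not RACSB's code or that of its management information
software.  The PHI category names, the rule that 'as needed' access must
carry a documented reason, and the audit log are assumptions."""
from dataclasses import dataclass

# Assumed PHI categories that screens and transactions are grouped into.
CATEGORIES = frozenset({"demographics", "services", "clinical", "billing"})

# Categories each role may use routinely, following the section's examples:
# Crisis, Intake and QA have complete access; Reimbursement and Data Entry
# are scoped to billing and to service/demographic entry respectively.
ROUTINE_SCOPE = {
    "crisis": CATEGORIES,
    "intake": CATEGORIES,
    "qa": CATEGORIES,
    "reimbursement": frozenset({"billing"}),
    "data_entry": frozenset({"demographics", "services"}),
}

AUDIT_LOG = []          # every decision is recorded for the periodic audits


@dataclass(frozen=True)
class Staff:
    name: str
    role: str           # provider, supervisor, crisis, intake, qa, reimbursement, data_entry
    program: str


@dataclass(frozen=True)
class Individual:
    record_id: str
    program: str
    provider: str       # assigned direct service provider
    supervisor: str     # that provider's immediate supervisor


def can_access(user, indiv, category, justification=None):
    """Decide whether `user` may open `category` of this individual's PHI.
    Returns (allowed, reason) and appends the decision to AUDIT_LOG."""
    if category not in CATEGORIES:
        allowed, reason = False, f"unknown PHI category {category!r}"
    elif user.name in (indiv.provider, indiv.supervisor):
        allowed, reason = True, "assigned provider or immediate supervisor"
    elif user.role in ROUTINE_SCOPE:
        if category in ROUTINE_SCOPE[user.role]:
            allowed, reason = True, f"{user.role}: routine access to {category}"
        else:
            allowed = justification is not None
            reason = f"{user.role}: {category} only as needed, with a documented reason"
    elif user.role in ("provider", "supervisor") and user.program == indiv.program:
        allowed = justification is not None
        reason = "same-program provider: access as needed, with a documented reason"
    else:
        allowed, reason = False, "no role-based or context-based basis for access"
    AUDIT_LOG.append((user.name, indiv.record_id, category, allowed, justification))
    return allowed, reason


# Constructed sample staff and record (not real people).
ALICE = Staff("alice", "provider", "outpatient")      # assigned provider
BOB = Staff("bob", "supervisor", "outpatient")        # alice's supervisor
CARA = Staff("cara", "provider", "outpatient")        # same program, not assigned
DAN = Staff("dan", "reimbursement", "finance")
EVE = Staff("eve", "data_entry", "it")
FAY = Staff("fay", "provider", "residential")         # different program
RECORD = Individual("ID-0001", "outpatient", provider="alice", supervisor="bob")

if __name__ == "__main__":
    for who, cat, why in [(ALICE, "clinical", None), (CARA, "clinical", None),
                          (CARA, "clinical", "covering alice's caseload"),
                          (DAN, "billing", None), (DAN, "clinical", None),
                          (EVE, "demographics", None), (FAY, "clinical", "curious")]:
        print(who.name, cat, can_access(who, RECORD, cat, why))
```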

2. Procedures to Ensure Disclosure of PHI is Limited to the Amount Reasonably Necessary to Achieve the Purpose of the Disclosure

Internal to the agency, there are numerous and varied ways in which PHI is used and disclosed for treatment and healthcare operations. To ensure adherence to the standards, the following questions will be considered to determine that appropriate safeguards are in place:

1) What PHI is necessary to complete the task?

2) What PHI can be omitted and healthcare operations continue unimpeded?

3) Who will have access to the information disclosed in the healthcare operation under review?

Procedures are also to be in place to ensure that the minimum necessary is disclosed:

1) Staff will be trained in HIPAA standards

2) Supervisors will be available for consultation

3) The agency’s Privacy Officer (Director of Compliance and Human Rights) will be available for consultation and will be responsible for handling any complaints

4) Periodic audits by Quality Assurance staff

3. Precautions to Prevent Inadvertent and Unnecessary Disclosure

Staff will be trained about the need to take reasonable precautions to prevent inadvertent and unnecessary disclosure, such as disclosure that can occur if discussions were held in areas with public access.

4. Procedures for Review of Request for Access

Quality Management/Health Information Management will periodically audit procedures to assure compliance with all confidentiality and Minimum Necessary standards. Corrective action will be taken as needed and appropriate.

Use and Disclosure of PHI External to the Agency

1. Authorization to Release Information

The Authorization form indicates the specific information to be disclosed or requested. Only the minimum necessary information needed to accomplish the intended purpose will be disclosed or requested. The form contains an explanation of confidentiality and Privacy Rule standards for the individual receiving services’ information. Individuals receiving services must give informed, voluntary consent to any disclosure of PHI, and may revoke the authorization at any time.

2. Routine and Non-routine Requests and Disclosures

For routine and recurring requests and disclosure, individual review of each request is not necessary. Agency staff will limit information that is disclosed or requested to the minimum necessary to achieve the purpose of the disclosure. If a covered entity is requesting information, staff may rely on the judgment of the party requesting the disclosure as to the minimum necessary amount of information that is needed. However, if the agency staff member has concerns that more than the minimum necessary is requested to be disclosed, the staff member may, in consultation with his/her supervisor, make his/her own minimum necessary determination for disclosure.

For non-routine requests or disclosure, agency staff, with the guidance of their direct supervisor, shall determine the minimum necessary that is needed to achieve the purpose of the disclosure. Some guidelines are:

• The medical record in its entirety will not routinely be copied

• Portions of the medical record will not routinely be copied

• If a request or disclosure is for treatment information, a summary of individual receiving services contact may be prepared which includes:

o the individual receiving services’ name,

o date of birth,

o service dates,

o purpose for seeking services,

o diagnosis and assessment information,

o type and duration of services received,

o outcomes of services received, and

o discharge summary information and referral, if appropriate.

• Substance abuse information will only be shared if the Authorization for Release of Information specifically states that information is to be disclosed or in accordance with 42 CFR.

• Medical information such as diagnosis of TB, AIDS, HIV or other infectious disease will only be shared if the Authorization for Release of Information specifically states that information is to be disclosed.

• Agency staff will not routinely list all options on the Authorization for Release of Information, for information to be disclosed or requested. Agency staff must be very specific as to what is being requested or disclosed, applying the minimum necessary standard.

• Third party information is to be considered part of the Designated Record Set, and may be disclosed in accordance with this policy and applicable law.

3. Monitoring

RACSB will monitor adherence to the Minimum Necessary Standards on a regular basis. Some examples of monitoring procedures are:

▪ supervisors review requests and disclosure with supervisees during probationary employment period

▪ periodic supervisory review throughout employment

▪ regular, ongoing supervisory review if performance issues are present

Compliance and Information Technology Management staff will periodically conduct audits to limit use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose.

9.2 Data Accuracy / Integrity

Many business decisions are based on accurate data. The state, federal and local governments require reports from RACSB and rely on those reports to be accurate. Accurate computer data is required for accurate billing and collections. The RACSB IT department runs and distributes reports from our information system on a monthly basis so that errors in data can be corrected quickly.

When errors are found in computer data, they are corrected immediately so that decisions made using RACSB’s data are accurate.

A major task for any computer program that accepts data is to try to guarantee the accuracy of the input. Some kinds of errors cannot be caught but many of the most common kinds of mistakes can be spotted by a well-designed computer program.

Data Integrity items being tested:

• Test data for type and format (2/a/96 is not a valid date)

• Test data for reasonableness (a person’s age should not be under three for an adult program)

• Test data for consistency (a person’s opening date with the agency should be later than their birthday)

• Test for transcription and transposition errors (looking for the interchanging of two correct characters)
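The four tests above, run over constructed sample records. This is an added example, not RACSB's code; it assumes dates are keyed as m/d/yy, that individual ID numbers end in a Luhn check digit (which is what makes transposed or mistyped digits detectable), and a constructed table of programme minimum ages.

```python
"""Section 9.2 data-integrity tests run over constructed sample records.
Added example, not RACSB's own code.  Assumptions not stated on the page:
dates are keyed as m/d/yy, individual ID numbers end in a Luhn check
digit, and the programme minimum ages are the constructed table below."""
from datetime import datetime

# Assumed minimum ages; the figure of three for an adult programme is the
# page's own example of a reasonableness test.
MIN_AGE_BY_PROGRAM = {"ADULT": 3, "EARLY_INTERVENTION": 0}


def parse_date(text):
    """Type/format test: return a date for m/d/yy text, or None when the
    text is not a valid date (the page's '2/a/96')."""
    try:
        return datetime.strptime(text, "%m/%d/%y").date()
    except (ValueError, TypeError):
        return None


def age_on(birth, on):
    """Whole years between the birth date and a reference date."""
    years = on.year - birth.year
    if (on.month, on.day) < (birth.month, birth.day):
        years -= 1
    return years


def luhn_valid(id_number):
    """Transcription/transposition test via a trailing Luhn check digit.
    Luhn catches every single mistyped digit and every swap of two
    adjacent digits except 09<->90 (assumed scheme for the IDs here)."""
    if not id_number.isdigit() or len(id_number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(id_number)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_append(payload):
    """Append the Luhn check digit to a string of digits."""
    for check in "0123456789":
        if luhn_valid(payload + check):
            return payload + check
    raise ValueError("payload must be a string of digits")


def validate_record(rec):
    """Apply the four tests to one record and return its error messages
    (an empty list means the record passed)."""
    errors = []
    birth = parse_date(rec.get("dob"))
    opened = parse_date(rec.get("opening_date"))
    # 1. Type and format
    if birth is None:
        errors.append(f"dob is not a valid m/d/yy date: {rec.get('dob')!r}")
    if opened is None:
        errors.append(f"opening_date is not a valid m/d/yy date: {rec.get('opening_date')!r}")
    # 4. Transcription / transposition errors in the ID number
    if not luhn_valid(str(rec.get("id", ""))):
        errors.append(f"id fails its check digit: {rec.get('id')!r}")
    if birth is None or opened is None:
        return errors               # the remaining tests need both dates
    # 3. Consistency: the opening date must be later than the birth date
    if opened <= birth:
        errors.append(f"opening_date {opened} is not after dob {birth}")
        return errors
    # 2. Reasonableness: age at opening against the programme minimum
    min_age = MIN_AGE_BY_PROGRAM.get(rec.get("program"))
    age = age_on(birth, opened)
    if min_age is None:
        errors.append(f"unknown program: {rec.get('program')!r}")
    elif age < min_age:
        errors.append(f"age {age} at opening is under the {rec['program']} "
                      f"minimum of {min_age}")
    return errors


# Constructed sample records (no real individuals): one clean row and one
# row per kind of error the section lists.
SAMPLE_RECORDS = [
    {"id": "100453", "dob": "2/14/96", "opening_date": "3/1/15", "program": "ADULT"},
    {"id": "100453", "dob": "2/a/96", "opening_date": "3/1/15", "program": "ADULT"},
    {"id": "100543", "dob": "2/14/96", "opening_date": "3/1/15", "program": "ADULT"},
    {"id": "100453", "dob": "2/14/96", "opening_date": "3/1/97", "program": "ADULT"},
    {"id": "100453", "dob": "2/14/96", "opening_date": "3/1/95", "program": "ADULT"},
]


def error_report(records=SAMPLE_RECORDS):
    """Record index -> errors, the shape of the monthly report in 9.2."""
    return {i: validate_record(r) for i, r in enumerate(records)}


if __name__ == "__main__":
    for i, errs in error_report().items():
        print(i, "OK" if not errs else "; ".join(errs))
```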

9.3 Billing and Reporting

RACSB bills many insurance companies using electronic transmission. RACSB has a Business Associate Agreement (BAA) with the clearinghouse that we use for these transmissions.

RACSB uses a printing agency to print bills for individuals receiving services. We have a BAA with this company.

Refer to the RACSB Financial Policies and Procedures manual’s reimbursement chapter for more on agency billing.

9.4 Service Entry

The entry of service is de-centralized. Programs within the CSB use different types of service entry forms based on the type of service.

Recording how staff spend their time, what services are provided to individual receiving services, and assigning fund sources and fees to those services are critical activities for Rappahannock Area Community Services Board (RACSB). They provide a basis for both billing and costing, and help in the efficient management of resources.

Service entry forms (if paper forms are used) are distributed daily, weekly, or monthly depending on the program. For most programs, service entry is done as part of the finalization process of the note in the Electronic Health Record.

Daily Service Entry Forms

Staff must sign and date the service entry form below the attestation statement “Signature below confirms that services were rendered as indicated and that timely and proper documentation of these services has been completed.” The services written on the form are the services that are billed, so the forms need to be double checked for Reporting Units (RUs) and service codes prior to submission.

To make sure service entry form data entry is as accurate as possible, the name (or portion of the name) and the ID number of the individual receiving services need to be entered on the service entry form. Often there is more than one individual receiving services in the system with the same or similar names.

Time recorded on service entry forms needs to be in minute increments. Daily service entry forms must be returned to data entry within three working days after the service date and keyed into the system within 24 hours of receipt.

Extended Service Entry Forms (or Monthly Service Entry Forms)

Extended service entry forms are similar to daily service entry forms except they don't print scheduled activities. Instead, they allow the staff member to list activities that occur during an extended period of time (between 1 and 31 days), and then enter a one-character code for the days that the activity took place. This type of service entry form is commonly used in day treatment and residential programs.

Extended service entry forms need to be turned in to the IT office by the third working day of the month if not entered by the program. If the program enters its own services, backup documentation for the data entry will need to be turned in to the IT office by the fifth working day of the month.

Entry of Service Entry Forms

The staff member entering the services from the service entry form must initial and date the form after entry. This will allow for the re-entry of the services if a disaster happens and the system must be restored from backup.

Late Service Entry Forms

A late service entry report is created each Monday for the previous week for unposted services. This report is distributed to the front desk staff, supervisors, directors and the Executive Director. Any front desk staff member or supervisor can run this report at any time during the month to identify the staff service entry forms that are outstanding.

Paper service entry forms that are later than 30 days have to be brought to the IT Coordinator for approval. The IT Coordinator or their designate has to enter the late service entry form. The person entering the service entry form needs to inform the Accounting Manager, Reimbursement Manager, and the Director of Finance and Administration of the late service entry form so that it can be accounted for in the month-end reconciliation processing.

Program and Type of Service Entry Form Used

Daily Service Entry - Emergency Services, Outpatient individuals receiving services and Medical Services, Early Intervention, Substance Abuse Day Treatment, Project LINK, Intensive In-home Services, Transportation, Family Outreach and PATH.

Extended/Monthly Service Entry Forms - Case Management and Case Coordination Services, Day Support Services (RAAI & Kenmore Club), Residential Services, and Prevention.

Other Types of Data Input

Inpatient Services, SA Primary Care, Detox, Halfway programs and ICC / LINK Child Care – These services are provided on a contractual basis and therefore services are entered based on an approved invoice from the vendor providing the services.

10 Electronic Healthcare Record (EHR)


Introduction

Rappahannock Area Community Services Board (RACSB) has adopted this Electronic Healthcare Record (EHR) Policy to comply with the HIPAA requirement to protect the security of electronic behavioral health information, as well as to fulfill our duty to protect the confidentiality and integrity of confidential behavioral health information as required by law, professional ethics, and accreditation requirements. All personnel of RACSB must be familiar with the policy, and demonstrated competence in the requirements of the policy is an important part of every RACSB employee's responsibilities.

Assumptions

• All clinicians and direct support staff are expected to use the RACSB EHR as the primary means to access and retrieve information, capture data, and be guided by clinical decision support.

• In many cases, it is expected that this use will occur in close proximity to the patient, such as to support positive patient identification, accurate and complete data capture, and appropriate communication of information to the patient.

• Electronically stored and/or printed protected health information is subject to the same medical and legal requirements as the hand-written information in the health record.

• Entries must be accurate, relevant, timely, and complete.

• Extraneous text needs to be omitted.

• Succinct notes are more readable than verbose, lengthy notes.

• When viewing DRAFT notes, there is a risk of clinical decision-making based on data that may be changed or deleted.

• RACSB’s EHR users should use language that is specific, rather than vague or generalized. Do not speculate. The record should always reflect factual information (what is known versus what is thought or presumed) and written using factual statements. Examples of generalizations/vague words: “patient doing well”, “appears to be confused”, “anxious, status quo, stable or as usual”. If a diagnosis is undetermined, the documentation should clearly identify the signs and symptoms of the condition.

• Chart the facts and avoid using personal opinions when documenting. By documenting what can be seen, heard, touched and smelled, entries will be specific and objective. Describe signs and symptoms, use quotation marks when quoting the patient, and document the patient’s response to care.

• Document the facts and pertinent information related to an event, course of treatment, patient condition, response to care, and deviation from standard treatment (including the reason for it). Make sure the entry is complete and contains all significant information. If the original entry is incomplete, follow guidelines for making an addendum or clarification in the EHR.

• Entries shall be made as soon as possible after an event or observation is made. An entry shall never be made in advance.

Definition

The Electronic Health Record (EHR) is a longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting. Included in this information are patient demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports. The EHR automates and streamlines the clinician's workflow. The EHR has the ability to generate a complete record of a clinical patient encounter - as well as supporting other care-related activities directly or indirectly via interface - including evidence-based decision support, quality management, and outcomes reporting.

Policy

It is the policy of RACSB to create and maintain health records that, in addition to their primary intended purpose of clinical and patient care use, also serve the business and legal needs of RACSB.

10.1 Electronic Signatures

Electronic signature is used for health records as a means of attestation of electronic health record entries. Properly executed electronic signatures are considered legally binding as a means to identify the author of health record entries, confirm content accuracy and completeness as intended by the author, and to ensure e-signature integrity is maintained for the life of the electronic health record.

It is the policy of the healthcare organization to accept electronic signatures as defined within this policy for author validation of documentation, content accuracy and completeness with all the associated ethical, business, and legal implications. This process operates within a secured infrastructure, ensuring integrity of process and minimizing risk of unauthorized activity in the design, use, and access of the electronic health record.

An e-signature event captures and displays the e-signature, author’s name, credentials, date, and time of application.

Once an entry has been electronically signed, the system prevents deletion or alteration of the entry and its related electronic signature for the life of the referenced documentation by the end user.

Types of Digital Signature used by RACSB

• Digital signature: a cryptographic signature (a digital key) that authenticates the user, provides nonrepudiation, and ensures message integrity. This is the strongest signature because it protects the signature by a type of “tamper-proof seal” that breaks if the message content were to be altered.

• Digitized signature: an electronic representation of a handwritten signature, i.e. the image of a handwritten signature created and saved using a signature pad. The signature is “captured” in real time (at the time the user applies the signature). The digitized signature is useful for patients, staff, caregivers, and internal/external treatment team members.

10.2 Downtime Procedures

In order to update the electronic health record software utilized by RACSB, there are occasional instances when the system needs to be inaccessible to staff. The updates are installed by the IT Department and downtime is arranged at a time when it affects the least number of working staff. It is preferably performed in the evening hours or early morning hours, and preferably limited to a maximum of 60 minutes. If possible, notice is given to staff 48 hours in advance with subsequent notice 24 hours and 1 hour prior to the downtime. During downtime, staff members are instructed to use paper forms if needed that can then be scanned into an individual’s electronic health record once the system is operational.

10.3 Electronic Applications

Related to the electronic health record is the implementation of OrderConnect, an electronic prescribing software application, for the purpose of electronically sending prescriptions to a pharmacy and/or updating an individual’s medication profile. Also incorporated into this software is the application of receiving laboratory results from designated laboratories in the community.

Access is controlled by the logins and passcodes that are distributed by the Information Technology Department.

10.3.1 Electronic Prescribing

The OrderConnect software enables authorized licensed physicians and nurse practitioners to directly and electronically transmit prescriptions to a pharmacy of the individual’s choice. This method provides safe and efficient delivery of the prescription to the dispensing pharmacy. This process operates within a secured infrastructure, ensuring the integrity of the process and minimizing the risk of unauthorized activity in the design, use, and access of the electronic prescribing activity of this program.

Authorized licensed nurses are able to provide this service with a verbal order from an authorized, licensed physician or nurse practitioner. The program identifies the authorized prescriber and provides accurate information and completeness. The program includes an electronic representation of the handwritten signature of the ordering, authorized licensed physician or nurse practitioner. It records the individual staff person who is entering the information into the program. The program has the ability to alert the prescriber to any drug to drug or food to drug interactions, allergy alerts based on the individual’s profile and age and gender-based alerts.

The program will also update an individual’s medication profile when a prescription is printed.

10.3.2 Electronic Receipt of Laboratory Results

The OrderConnect software has the capability to interface with contracted laboratories for the secure, electronic receipt of laboratory test results for individuals served by RACSB. Notification of a received laboratory result is identified by a designated icon within the individual’s Current Medication Profile as well as the Prescriber’s Desktop screen in OrderConnect.

This process operates within a secured infrastructure, ensuring the integrity of the process and minimizing the risk of unauthorized activity in the design, use, and access of the electronic prescribing activity of this program. Only staff authorized to access OrderConnect will have the ability to access the laboratory results through OrderConnect.

10.4 Web Portal

RACSB has an active web-based patient portal for individuals, and guardians/parents of individuals served by RACSB. Upon check-in or at their request, RACSB staff will generate a PIN and supply instructions for the individual and/or guardian/parent to create an account in the portal. Upon accessing their account, there is access to appointments and the ability to create appointment reminders, medication lists and diagnoses.

10.5 Electronic Record Retention

Electronic Health Records will be retained in accordance with the guidelines of Library of Virginia Electronic Records Guidelines found in Appendix L.

Compliance

Users must immediately report violations of this policy to their program manager or supervisor and to the privacy or security officer.

Enforcement

All program managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to disciplinary action up to and including termination from employment, professional discipline, or criminal prosecution, in accordance with the CSB’s Personnel policies, Human Rights Policies and Privacy Policies.

11 Assistive Technology – Individuals Receiving Services

Introduction

Rappahannock Area Community Services Board (RACSB) has adopted this Assistive Technology Policy to comply with the HIPAA requirement to protect the security of electronic behavioral health information, as well as to fulfill our duty to protect the confidentiality and integrity of confidential behavioral health information as required by law, professional ethics, and accreditation requirements. RACSB’s Assistive Technology Policy is in place to ensure that the health and safety of individuals we serve as well as appropriate staff supports are always maintained while respecting the dignity of the individuals and serving their needs in the least restrictive environment.

Policy

It is the policy of RACSB to assist the individual served by supporting their experience and exposure to technical means of communication within RACSB’s programs. This includes, but is not limited to, the use of telehealth, services for the deaf through the use of video phones, the implementation of environmental modifications and the maintenance of technological equipment utilized by the individuals receiving services from RACSB.

11.1 Telehealth

RACSB has incorporated the use of telecommunications to deliver medical, case management, and other services to individuals served by RACSB. The use of telehealth can improve access to health care services; improve individual compliance with treatment plans; provide services when an on-site provider is not available; and provide earlier intervention for the best outcomes of treatment. Please refer to the RACSB Medical Telepsychiatry Policies and Procedures.

Confidentiality will be maintained through an encryption process. Our Polycom equipment implements this by using only Advanced Encryption Standard, Diffie-Hellman key exchange and X.509 certificates.

Individuals being seen through the use of telehealth will utilize the appropriate provider’s office where the equipment is located. They will have the assistance of staff if needed. Equipment functionality will be monitored by staff. The individual served and any accompanying persons will use protective equipment, such as gloves or masks, to minimize risks associated with the spreading of germs if determined necessary. The equipment will be maintained for cleanliness by the staff in the area using the equipment.

Assistive technology, in the form of Polycom software and equipment, will be utilized for the purpose of providing medical services and mental health case management services to individuals served by RACSB’s outpatient medical, case management and other programs. Services will include, but are not limited to, diagnostic evaluation appointments, medication management follow-up appointments, and hospital discharge appointments.

RACSB staff will receive training on equipment to include: features, set up, use, maintenance, safety considerations, infection control, and troubleshooting. RACSB staff will utilize the equipment to provide services in addition to providing support to the individual and/or their family or support system during the Telehealth appointment. See Appendix V for the Consent Form for Receiving Services via Telemedicine/Telehealth.

It will be the responsibility of the nursing staff and/or the case management staff (with support from the Information Technology department) to ensure that the equipment is available and is functioning properly on site. For medical appointments, the clinic nurse will be the facilitator at the clinic where the individual being served is located, and will facilitate the connection between the originating and remote sites. The appointment will take place in a private office to maintain confidentiality and privacy. Prior to each session, the nurse will initiate the identification of all participants at both the originating site and the remote site. Information, either written and/or verbal, will be provided to the individual being served, to include the name and credentials of the provider, record keeping, structure and timing of services, contact between sessions including access to the Medline, privacy and security, and confidentiality. The provider at the remote site will have full access to the electronic health record of the individual and will enter medical notes and assessments electronically and/or scanned if needed. The RACSB medical provider will have a license to access the electronic prescribing program. Prescriptions that cannot be sent electronically or faxed to a pharmacy will be printed and/or hand-written by the prescriber and mailed to the RACSB clinic in which the individual had their appointment, for pickup by the individual. For case management appointments, the case manager will facilitate the connection between the originating and remote sites. The appointment will take place in a private office/room to maintain confidentiality and privacy. Prior to each session, the case manager will initiate the identification of all participants at both the originating site and the remote site.

11.2 Video Phone

The video phone is utilized by individuals served by RACSB who are deaf or hearing impaired. The video phone enables the individual to call in to RACSB and communicate with their therapist through a video connection so that they are able to visually use sign language. Individuals wishing to utilize this service are required to sign a Confidential Release of Information form to consent to this form of communication and are informed that secure messaging cannot be guaranteed through this methodology.

11.3 Environmental Modifications

Reasonable accommodations are made to address the needs of individuals served by RACSB. These include, but are not limited to, interpreters/translators and/or staff with special training regarding culturally competent service delivery and the unique needs of the individual being served by RACSB, as well as modified equipment in regard to peripheral devices, such as trackballs instead of standard mice, external keyboards, headphones, etc.

11.4 Maintenance of Computers Utilized by Individuals Served by RACSB

Technical maintenance for equipment used by RACSB programs is supported by the IT Department. Daily infection control measures are the responsibility of the RACSB program in which the equipment is located. Approved disinfecting wipes are utilized to disinfect the equipment in between users.

Compliance

Users must immediately report violations of this policy to their program manager or supervisor and to the privacy or security officer.

Enforcement

All program managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination from employment, professional discipline, or criminal prosecution, in accordance with the CSB’s Personnel policies, Human Rights Policies and Privacy Policies.

12 Video Surveillance

Introduction

Rappahannock Area Community Services Board (RACSB) has adopted this Video Surveillance Policy to comply with the HIPAA requirement to protect the security of electronic behavioral health information, as well as to fulfill our duty to protect the confidentiality and integrity of confidential behavioral health information as required by law, professional ethics, and accreditation requirements. RACSB’s Video Surveillance equipment is in place to ensure that the health and safety of individuals served as well as appropriate staff supports are always maintained while respecting the dignity of the individuals and serving their needs in the least restrictive environment. Video equipment may be installed in any RACSB facility and/or vehicles owned or operated by RACSB.

Assumptions

• Programs and vehicles at RACSB may have video surveillance cameras.

• These cameras are in place for the security of staff, property and the individuals served.

• Not all areas of all properties are covered and recorded. All cameras will be installed in public areas. They will not be allowed in private areas including bathrooms or bedrooms.

• Recordings are kept for 90 days or longer, if needed. The cameras are monitored in staff offices on-site and can also be accessed remotely through the network with proper credentials.

• The cameras are motion sensitive and automatically record when activity occurs within the camera range of vision.

• RACSB employees working at any location with video surveillance will receive an initial orientation and annual training concerning policies and procedures regarding the security system.

Policy

It is the policy of RACSB to have video cameras recording activity at our programs and our vehicles for the primary purpose of keeping the individuals we serve safe. The use of video cameras will also serve the business and legal needs of RACSB.

Compliance

Users must immediately report violations of this policy to their program manager or supervisor and to the privacy or security officer.

Enforcement

All program managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination from employment, professional discipline, or criminal prosecution, in accordance with the CSB’s Personnel policies, Human Rights Policies and Privacy Policies.
