Www.gahsc.org



Insert Agency Name and Address

_____________________________________

XYZ Agency includes XYZ Children's Center, XYZ Work Scholarship Connection, XYZ Children’s Foundation & Corporation, & XYZ Therapeutic Foster Care Program.

Privacy & Security: Protected Health Information (PHI) & Clinical/Educational Records

I. Regulation References:

34 C.F.R. Section 99

42 C.F.R. Part 2

45 C.F.R. Sections 160-164

5 U.S.C. Section 552a(b) 1977

20 U.S.C. 1232g

JCAHO IM.2

Public Health Law Article 27-F (2782)

Public Officers Law, Article 6-A

Title 10 NYCRR Section 24.1, 63.6

Title 14 NYCRR Part 584, 633

Title 18 NYCRR

II. XYZ Agency's Purpose Statement and Definitions:

1. This policy and procedure defines the privacy and security measures required of XYZ Agency (XYZ) and its affiliates. This policy and procedure strictly adheres to local, state, federal and funder regulations.

2. For the definitions to the policy and procedure, please refer to the XYZ HIPAA Glossary.

III. XYZ Agency's Policy:

1. Applicability: This policy and procedure applies to XYZ, inclusive of the affiliates identified above. This policy applies to all XYZ employees, independent contractors, consultants, and temporary users of XYZ written, electronic and oral PHI, as well as information/application systems and educational and clinical records. Anyone who violates this policy shall be subject to disciplinary action up to and including termination.

2. Notifications & Special Considerations: Special notifications and considerations exist for employee access & disclosure. Please refer to the XYZ Regulatory Policy and Procedure Cover Sheet for further explanation and/or contact a CIS or the Privacy Officer.

3. Verification: Please refer to the XYZ Regulatory Policy and Procedure Cover Sheet for further explanation and requirements and/or contact a CIS or the Privacy Officer.

4. Whistle Blower:

i. An XYZ employee shall have the ability and obligation to report, without fear of retaliation, any staff member they strongly believe is breaching the privacy and security of PHI or clinical records and/or is inappropriately utilizing XYZ equipment (e.g., computer, internet, applications).

ii. In the event a breach or abuse is identified, staff will cooperate with the Privacy and Security Officers of XYZ and/or their designees for investigations and assistance.

5. Physical Security:

i. All client records and PHI (e.g., electronic, written, floppies, discs) shall be housed and maintained at the clinical records department, regional office, local team offices, or other areas designated by the Clinical Records Committee/Clinical Information Roundtable and Leadership.

ii. All records shall be secured in locked room/cabinets.

iii. Only authorized staff may have access to the clinical records and PHI.

iv. At the close of the business day or when records are not being used, they shall be returned to the record room/cabinet and locked.

v. Records shall not be kept in service providers' desks or locked offices when they are not in use, since it may be necessary to access the records in emergency situations.

vi. Records/Information or portions of the records/information shall not be removed from the office unless:

a) The client is discharged.

b) The client is transferred for new XYZ services or has a new XYZ service provider.

c) The record is subpoenaed or court ordered, in which case the entire record shall be given to the Clinical Information Specialists (CIS) immediately.

d) Copies of the record/information are needed for disclosure of information.

e) There are risk/legal issues and the record/information must be secured.

vii. If records/information are removed at any time, an out card and/or temporary removal form shall be completed.

viii. Historical records shall be kept with the Clinical Information Team when applicable and/or necessary. Historical records contain any material purged from the current records and/or closed prior service records.

ix. Discharged records shall be kept in the designated Clinical Information department for a period of up to five years after the date of discharge (due to space limitations, it may only be possible to keep records up to 3 years after the discharge). After the designated time, the chart is sent to long-term off-site storage.

x. Records may also be stored on microfilm and/or in off-site storage. A log shall be kept indicating the microfilm roll number and/or the off-site retrieval number. The microfilm rolls shall be kept in a locked cabinet in Clinical Information.

xi. Records of clients in the Juvenile Justice Service will be destroyed three years after the client’s 18th birthday by contract shredding in accordance with New York State Division for Youth regulations.

xii. Workstation Security & Access Control System:

a) When possible, computer screens shall be turned away from public view and access.

b) All computer workstations must use an access control system approved by XYZ. In most cases, this will involve password-enabled screen-savers with a time-out feature and a power on password for initial logon.

c) Active workstations are not to be left unattended for prolonged periods of time, when appropriate.

d) When a user leaves a workstation, that user is expected to properly log out of all applications and networks.

e) Users shall be held responsible for all actions taken under their sign-on.

f) Where appropriate, inactive workstations will be reset after a period of inactivity (typically 30 minutes). Users will then be required to re-log on to continue usage. This minimizes the opportunity for unauthorized users to assume the privileges of the intended user during the authorized user’s absence.

g) Passwords shall be made up of a combination of 5 alphanumeric characters.

h) Passwords shall not be posted in a “logical” or public place (e.g., under the computer keyboard, on the computer, in an unlocked desk drawer, on the wall) where they may be discovered by another person.

i) Passwords shall not be shared with other XYZ staff.

6. Computer/Electronic Equipment, PHI, Records:

i. Authentication: Any employee granted rights to access, view, create, modify, use or disclose XYZ PHI and/or records, networks and systems must be authenticated. The level of authentication must be appropriate. Authentication may include (not all inclusive):

a) Written authorship

b) Automatic logoff

c) Unique user identifier

d) Passwords

e) Telephone call-back

ii. Confidential Client Data:

a) The importance of keeping the computer equipment secure applies not only to the cost of its hardware, but also to the data on it. The ramifications of stolen PHI could have a vast negative impact on Hillside.

b) If you are a LAN user (with a direct connection to the network), PHI shall be saved to the W: drive.

c) If you are a dial-up user, PHI shall be saved to encrypted folders on your local C: drive.

d) Back-ups shall occur frequently. When connected to one of our networked locations (Monroe Ave, E.Main, Halpern, FLC, Mt.Hope, 2075 Scottsville Rd, Lockport), PHI shall be stored to the W:\ drive.

e) The Network Administrator automatically backs up the W:\ drive.

f) If not connected to one of XYZ's networked locations, PHI shall be stored in the appropriate folder set up by IT and backed up to the W:\ drive no less than once per week.

iii. Intranet:

a) Unauthorized users (users who have not been assigned a network ID and password by the Technology Team) should never have access to this network.

b) Clients shall never use any PC if it is connected to the staff network.

c) Clients shall also never have access to staff-utilized standalone PCs without appropriate staff supervision, due to the possibility that confidential information may be stored on hard drives.

iv. Unattended PCs: Users shall log off the XYZ Intranet when leaving their workstations unattended.

v. Laptop Users:

a) Laptops must be fastened with a security cable while unattended.

b) Laptops shall never be left on when not in use.

c) If the computer is left in an empty office, the office shall be locked.

d) Laptops are labeled with identification tags to make unauthorized tampering difficult. Users shall not tamper with this tag in any way.

e) If a laptop is carried from one extreme temperature to another, allow several minutes for your laptop to come to "room temperature" before using it. In doing so, you can prevent a number of glitches and possible hardware damage from occurring.

f) Don’t leave any computer equipment exposed to direct sun or near any heat source for extended periods of time.

g) When traveling with a laptop, always keep it protected in a carrying case. A carrying case is provided with all XYZ laptops.

h) Before placing the laptop in its carrying case, it is important to remove all adapters, power cords, cables, mice, etc., to prevent damage to these devices and to the laptop’s ports that connect these devices. Particular attention should be paid when removing adapters that connect to LAN/modem cards.

i) Always keep your laptop with you when you are traveling outside your car. Thievery of any computer equipment has become big business, and precaution is a necessity.

j) When traveling in your car, it is important to hide any laptop or computer equipment in the trunk or keep it hidden under a blanket or cover. They should not be placed in car trunks overnight in extreme temperatures.

k) Computer equipment should be removed from your car when you get home.

l) The laptop’s Battery:

1. To charge the battery, simply plug the laptop with the battery in it into an electrical outlet. It can take several hours to fully charge and will charge quicker if you are not using it. On the keyboard on most laptops, the battery light will be an orange color while the battery is charging, and will change to green when it is fully charged. It is standard for the charge on a fully charged battery to last from 1-2 hours.

2. Batteries should not be removed from any computer equipment unless the computer equipment is not going to be used for a period of a month or so. Precaution must be taken if you do need to remove the battery of a laptop; never touch the metal terminals of a laptop battery to another metal object. The laptop battery could short circuit and cause permanent damage to the battery as well as to the laptop. The battery of a desktop should NEVER be removed without contacting the Technology Help Desk at (000) 000-0000.

vi. Powering-off PCs: Network users shall turn off their workstations at least once per day. It is imperative that you log off the Hillside network when leaving your workstation for any period of time.

vii. Software:

a) Users shall not install/uninstall software on computer systems.

b) Users shall not distribute copies of software or violate copyright or patent laws concerning computer software, documentation or other tangible assets.

viii. Software on computer systems may only be installed/uninstalled by authorized Technology Team members.

ix. Applications: Users shall not create/alter any custom written applications without authorization from authorized Technology Team members.

x. Areas of Abuse: (not all inclusive)

a) Attempting to access another user's computer files without permission.

b) Unauthorized manipulation or attempted hacking of XYZ computer systems, programs or data.

c) Theft of computer hardware and/or software.

d) Vandalism of computer hardware and/or software.

e) Attempting to use XYZ computer systems for the purpose of promoting or conducting business for personal use.

f) Moving computers from one location to another without prior consent from an appropriate Technology Team member.

g) Repair of computers, facsimile machines, or telephones without prior consent from appropriate management.

h) Sending, receiving, storing or printing illegal, fraudulent, obscene or defamatory material.

i) Annoying or harassing other individuals.

xi. Antivirus:

a) If connected to an XYZ networked location (Monroe Ave, E.Main, Halpern, FLC, Mt.Hope, 2075 Scottsville Rd, Lockport), each time you log in you shall automatically receive the newest updates to our antivirus software.

b) You'll need to manually update your antivirus software if not connected to an XYZ networked location.

c) The update can be obtained from the XYZ internal website. Go to the Technology Help Desk page, _______________________.

d) New antivirus updates are available twice per month (the 1st and the 15th).

e) Users shall update at least monthly.

xii. Special Conditions:

a) Temperature comfort range: A safe temperature range for operating computer equipment is 50-90 degrees Fahrenheit.

b) Food and beverages shall be kept away from the computer equipment. Fluids can cause serious damage to the computer equipment's electronics. Damage due to fluids is not covered by manufacturer's warranties, and repairing the equipment can cost as much as purchasing new computer equipment.

c) Do not store near water. If you do spill something on your computer equipment, immediately turn it off and unplug it. Take time to blot out any standing fluid from the computer equipment and then call the Technology Help Desk at (000) 000-0000.

d) Don’t try to repair computer equipment. If you are experiencing a problem with the computer equipment, call the Technology Help Desk (000) 000-0000.

e) Keep computer equipment at least 12" away from electrical appliances that generate strong magnetic forces, such as refrigerators, TVs, motors, or large audio speakers. Don’t subject the computer equipment to any physical shock and do not place heavy objects on it.

xiii. Notification if Lost or Stolen:

a) To report a lost or stolen PC, notify your Service or Corporate Leader and the Technology Help Desk immediately. The Technology Help Desk can be reached by calling (000) 000-0000.

b) Replacement of a PC without cost to the staff will be determined by the appropriate Corporate or Service Leader, based on each situation and the prudence used in its protection and care. Staff will be asked to use their own insurance coverage whenever possible.

xiv. System Access Controls: System access will not be granted to any user without appropriate approval. Team mentors, supervisors and leadership may request access and notify the Security Officer or Technology Team in writing, and shall report all significant changes in end users' duties or employment status. User access is to be immediately revoked if the individual has been terminated. In addition, user privileges are to be appropriately changed if the user is transferred to a different job.

xv. Limiting User Access: XYZ-approved access controls, such as user logon scripts, menus, session managers and other access controls, will be used to limit user access to only those network applications and functions for which they have been authorized.

7. Telephone, Fax & E-mail:

i. Don’t forward an e-mail or voice mail to someone else without careful consideration. Respect the user’s privacy.

ii. Don’t send e-mail needlessly or to a whole group of people unless you have a really good reason.

iii. When using cellular telephones, staff shall follow the XYZ Confidentiality Guidelines for cell phone and cordless phones.

iv. Phone messages left on voice mail or answering machines shall be kept short and direct, and discretion shall be used regarding their content.

v. When listening to voice mail/answering machines, staff shall keep the volume at a reasonable and discreet level.

vi. Electronic messages (e-mail) shall reflect the professionalism of XYZ and shall not include language that could be construed as profane, discriminatory, obscene, sexually harassing, threatening or retaliatory.

vii. Check e-mail regularly, i.e. daily, or as your volume dictates.

viii. Delete unwanted messages immediately.

ix. Keep messages in your mailbox to a minimum.

x. Mail messages can be archived or saved to the network or disks for future use.

xi. Messages should not be altered or forwarded without the sender’s permission.

xii. Use discretion when sending messages to the #Everyone Group or other e-mail distribution groups.

xiii. Only send messages with information that is relevant to everyone in the e-mail group.

xiv. For e-mails to a group of clients/families, the blind copy (Bcc) feature shall be used.

xv. Obtaining a User ID & e-mail:

a) Contact the Network Administrator to obtain a network User ID and password.

b) Access will be granted as defined in the XYZ Employee Access to PHI and clinical records.

c) If you are taking a leave of absence or you are terminating your employment with Hillside, contact the Network Administrator to have your User ID deleted.

xvi. Compliance Statements: Users who have access to XYZ's PHI, information systems and clinical records must sign a compliance statement prior to the issuance of a user ID or access to clinical records. A signature on the compliance statement indicates the user understands and agrees to abide by XYZ policies and procedures as well as local, state, federal and funder requirements. Annual statements will be required at the time the user/employee has their updated Confidentiality training.

8. Audit Trails:

i. Logging and audit trails will be maintained primarily by the Privacy & Security Officers and/or their designees.

ii. Audit trails should be backed up and stored in accordance with XYZ back-up and disaster recovery plans.

iii. All system and application logs must be maintained in a form that cannot readily be viewed or altered by unauthorized staff.

iv. All logs shall be audited minimally every 6 months and the results shall be included in quarterly “management” reports.

XYZ Priv/Sec

2/27/03 ml

XYZ Policy for Computer Equipment Usage

Acknowledgment of Receipt and Responsibilities

I have read the XYZ computer equipment usage policy and agree to the terms and conditions of this policy. I understand that the computer equipment assigned to me is the property of XYZ and I am responsible for any damage or loss of the equipment or component thereof if I am found to be negligent. I will not install any additional software or change in any way the configuration of this PC.

Print Name: ____________________________________           Location: ___________________

Signature:____________________________________

Date: ____________________________

XYZ statement

2/27/03 ml
